Category Archives: Security

Warning: Using a weak encryption method; see :help ‘cm’

Came across this warning while editing an old file with vim 8.0.707.

Seems I had missed that the original vim “blowfish” crypto method had an initialization vector bug, meaning that whilst “blowfish” is a fine cipher you need to use “blowfish2” to avoid the vim-specific implementation issue.

However, to confuse things further, vim produces the same warning if you edit a file that uses a strong crypto method when the default crypto method (the one that would have been used for a new file, e.g. if it would have used pkzip or blowfish) is weak and you include “-x” on the command line. It also prompts for the key twice if you include “-x”, but it does preserve the current crypto method of the file. Thus you see the warning even when only strong crypto is in use, if you specify “-x”.

So I learnt…

You really need the single quotes when doing the help command 😉

Add a line reading “set cm=blowfish2” to ~/.vimrc

Add it to the system wide vimrc if others are likely to use vim encryption.

Know that the crypto method “blowfish2” shows at the start of a file as “VimCrypt~03!”, e.g.

$ strings well-encrypted-file.txt | head -1
VimCrypt~03!
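The header check above can be turned into a small audit of which crypt method each file actually uses, so files still saved with the weak methods can be found and re-saved. This is an added example, not code from the post or from vim; the header-to-method mapping follows vim's ‘cm’ numbering, and the sample files are constructed here, not real ciphertext.

```python
# Report which vim crypt method ('cm') a file was saved with, based on its
# 12-byte "VimCrypt~NN!" header, and flag the weak ones.
# Added example, not part of the original post or of vim.
import sys
import tempfile
from pathlib import Path

HEADER_LEN = 12
# Header -> (method name, weak?). Numbers follow the order in :help 'cm'.
VIM_CRYPT_METHODS = {
    b"VimCrypt~01!": ("zip", True),         # PkZip-compatible, weak
    b"VimCrypt~02!": ("blowfish", True),    # blowfish with the IV bug
    b"VimCrypt~03!": ("blowfish2", False),  # the fixed method
    b"VimCrypt~04!": ("xchacha20", False),  # added in later vim versions
}


def crypt_method(header: bytes):
    """Return (method, weak) for a VimCrypt header, None if not vim-encrypted.
    Unknown header numbers are reported as ("unknown", True) so they get looked at."""
    if len(header) < HEADER_LEN or not header.startswith(b"VimCrypt~"):
        return None
    return VIM_CRYPT_METHODS.get(header[:HEADER_LEN], ("unknown", True))


def classify_file(path):
    """Read only the header bytes; the ciphertext itself is never touched."""
    with open(path, "rb") as fh:
        return crypt_method(fh.read(HEADER_LEN))


# Constructed sample files (hypothetical names, dummy bytes after the header).
SAMPLE_FILES = {
    "old-file.txt": b"VimCrypt~02!" + b"\x00" * 8 + b"ciphertext...",
    "new-file.txt": b"VimCrypt~03!" + b"\x00" * 8 + b"ciphertext...",
    "notes.txt": b"plain text, never encrypted\n",
}


def scan_samples():
    """Write the constructed samples to a temp dir and classify each one."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in SAMPLE_FILES.items():
            Path(tmp, name).write_bytes(data)
            results[name] = classify_file(Path(tmp, name))
    return results


if __name__ == "__main__":
    for p in sys.argv[1:] or []:
        r = classify_file(p)
        flag = "" if r is None or not r[1] else "  <- WEAK, re-save with :set cm=blowfish2"
        print(f"{p}: {'not vim-encrypted' if r is None else 'cm=' + r[0]}{flag}")
```

Run it as `python3 vimcrypt_audit.py ~/secret/*.txt` to list each file's method.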

Don’t use “-x” except for when you create an encrypted file.

Consider not using vim encryption. The history of vim encryption is not great, but I tend to the view that the built-in encryption at least gives the editor a chance to understand issues like backup files and paging and do the right thing. Some plugins allow editing of files using gnupg transparently, but you have to set a bunch of options to avoid leaking the content by accident. Gnupg may be a better crypto implementation, but it is unclear whether second-guessing the editor is the safest approach to using it.