Tuesday, September 15, 2015

Re: [ANN] Plugin: VimCrypt: A small framework for encryption and decryption in vim. (supports openssl and gpg)

On Tue, Sep 15, 2015 at 07:00:04PM +1000, Erik Christiansen wrote:
> On 13.09.15 12:26, mwnx wrote:
> > I created a plugin called VimCrypt to enable seamless reading and writing of
> > encrypted files in vim, which I find useful for password lists and other
> > sensitive information. Right now, it supports *openssl* and *gpg*, and can
> > be extended to support other methods.
>
> Is there any comparison documentation we can read, preferably with
> metrics, of the plugin versus simply using cryptmethod=blowfish in Vim's
> integrated encryption? Mucking with plugins does sometimes introduce
> conflicts, and the probability of that increases with the number used.
> So I'd be looking for some sort of offsetting benefit.
>
> Erik

Not sure what kinds of metrics you're talking about. An advantage of this
plugin over vim's integrated blowfish support is that it's compatible with
standard tools, which is useful if you want to be able to read files created
by vim outside of vim, or if you want to be able to read files created by a
standard tool (gpg or openssl) inside of vim.

Also, blowfish seems to no longer be a very recommended cipher. From
Wikipedia:

Blowfish is known to be susceptible to attacks on reflectively weak
keys.[8] [9] This means Blowfish users must carefully select keys as
there is a class of keys known to be weak, or switch to more modern
alternatives like the Advanced Encryption Standard, Salsa20, or
Blowfish's more modern successors Twofish and Threefish. Bruce Schneier,
Blowfish's creator, is quoted in 2007 as saying "At this point, though,
I'm amazed it's still being used. If people ask, I recommend Twofish
instead."[10] The FAQ for GnuPG (which features Blowfish as one of its
algorithms) recommends that Blowfish should not be used to encrypt files
that are larger than 4 Gb because of its small 64-bit block size.[11]

Not to mention the fact that –as far as I've surmised– vim decided to create
its own implementation of blowfish instead of using one that has already had
time to undergo public scrutiny, such as GPG's implementation.

All in all, I just don't see why I should trust using the blowfish algorithm
to encrypt sensitive information at this stage when there are much better
alternatives out there which are readily available. And I especially can't
trust any kind of in-house implementation of it.

That being said, if you're only trying to protect your password safe –which
you only open with vim anyway– from your little sister, vim's built-in
encryption will be quite sufficient. It all really just depends on your use
cases and attack models.

For more information on vimcrypt's capabilities, all the documentation is in
doc/vimcrypt.txt (https://github.com/mwnx/vimcrypt/blob/master/doc/vimcrypt.txt).

--
mwnx
GPG: AEC9 554B 07BD F60D 75A3 AF6A 44E8 E4D4 0312 C726
