LinuxQuestions.org
Old 12-17-2010, 11:50 PM   #1
MalcolmV8
LQ Newbie
 
Registered: Jun 2003
Distribution: Gentoo
Posts: 16

vi + gpg


Hey Guys,

I'm trying to set up vi to automatically encrypt/decrypt .pgp and .asc files. The encryption part works. If I "vi testfile.gpg" it will auto encrypt it on save. However, when I try to vi the encrypted file it does not prompt me for my pass phrase. I just get this:

Quote:
"testfile.gpg" [noeol] 1L, 339C

You need a passphrase to unlock the secret key for
user: "malcolms <malcolm@domain.com>"
2048-bit RSA key, ID 6E336D06, created 2010-12-18 (main key ID D2AEEBC9)
Here's what I have in my ~/.vimrc file.

Quote:
" Transparent editing of GnuPG-encrypted files
augroup encrypted
au!

" First make sure nothing is written to ~/.viminfo while editing an encrypted file.
autocmd BufReadPre,FileReadPre *.gpg,*.asc set viminfo=

" We don't want a swap file, as it writes unencrypted data to disk.
autocmd BufReadPre,FileReadPre *.gpg,*.asc set noswapfile

" Switch to binary mode to read the encrypted file.
autocmd BufReadPre,FileReadPre *.gpg set bin
autocmd BufReadPre,FileReadPre *.gpg,*.asc let ch_save = &ch|set ch=2
autocmd BufReadPost,FileReadPost *.gpg,*.asc '[,']!sh -c 'gpg --decrypt 2> /dev/null'

" Switch to normal mode for editing
autocmd BufReadPost,FileReadPost *.gpg set nobin
autocmd BufReadPost,FileReadPost *.gpg,*.asc let &ch = ch_save|unlet ch_save
autocmd BufReadPost,FileReadPost *.gpg,*.asc execute ":doautocmd BufReadPost " . expand("%:r")

" Convert all text to encrypted text before writing
autocmd BufWritePre,FileWritePre *.gpg set bin
autocmd BufWritePre,FileWritePre *.gpg '[,']!sh -c 'gpg --default-recipient-self -e 2>/dev/null'
autocmd BufWritePre,FileWritePre *.asc '[,']!sh -c 'gpg --default-recipient-self -e -a 2>/dev/null'

" Undo the encryption so we are back in the normal text, directly
" after the file has been written.
autocmd BufWritePost,FileWritePost *.gpg,*.asc u

augroup END

Does anyone have this working and can tell me what I'm doing wrong?

This is on gentoo linux if it makes any difference.

Thanks
Malcolm
 
Old 12-18-2010, 04:19 AM   #2
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Hi,

Although one thing is different on my side, the above does seem to work.

The difference being: I used the default DSA/Elgamal instead of RSA (sign only) to generate a private key. If I'm not mistaken the other 2 are for signing and not for encrypting.

I could not get the vi+gpg part to work with either of the signing keys, I did have to use DSA/Elgamal.

If at all possible try generating a DSA and Elgamal private key and try that.

Hope this helps.
 
Old 12-18-2010, 10:49 AM   #3
MalcolmV8
LQ Newbie
 
Registered: Jun 2003
Distribution: Gentoo
Posts: 16

Original Poster
Thanks for the reply. Here is my default when making keys

Quote:
$ gpg --gen-key
gpg (GnuPG) 2.0.16; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
So I generated a new set of keys selecting option 2 this time for DSA/Elgamal. I noticed vi would still select the RSA keys by default so I deleted those keys. However still same problem just slightly different output.

Quote:
$ vi testfile.gpg
"testfile.gpg" [noeol] 4L, 605C

You need a passphrase to unlock the secret key for
user: "malcolms <malcolm@domain.com>"
2048-bit ELG key, ID 433E960A, created 2010-12-18 (main key ID 06D13759)
Also I noticed the few files I'd encrypted with the old RSA keys I deleted I can't open up any more. Is there any way at all to do that? I thought knowing the passphrase was good enough but it seems you have to have the keys too.

Thanks
Malcolm
 
Old 12-18-2010, 12:56 PM   #4
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Hi,

Both options 1 and 2 should work.

Do you get any other messages after you open an encrypted file? Does vi hang after the (half) message you posted?


Why did you throw away your "old" key? I'm not sure if, and if so how to re-create it......

You can set a specific recipient in your .vimrc file:

autocmd BufReadPost,FileReadPost *.gpg,*.asc '[,']!sh -c 'gpg --decrypt 2> /dev/null'
becomes:
autocmd BufReadPost,FileReadPost *.gpg,*.asc '[,']!sh -c 'gpg --decrypt --default-recipient "malcolms <malcolm@domain.com>" 2> /dev/null'

autocmd BufWritePre,FileWritePre *.gpg '[,']!sh -c 'gpg --default-recipient-self -e 2>/dev/null'
autocmd BufWritePre,FileWritePre *.asc '[,']!sh -c 'gpg --default-recipient-self -e -a 2>/dev/null'

becomes:
autocmd BufWritePre,FileWritePre *.gpg '[,']!sh -c 'gpg --default-recipient "malcolms <malcolm@domain.com>" -e 2>/dev/null'
autocmd BufWritePre,FileWritePre *.asc '[,']!sh -c 'gpg --default-recipient "malcolms <malcolm@domain.com>" -e -a 2>/dev/null'


You can show all your keys with: gpg --list-keys. You want all after the uid directive.

All this doesn't solve your problem, but might make testing a bit easier.
 
Old 12-18-2010, 07:12 PM   #5
MalcolmV8
LQ Newbie
 
Registered: Jun 2003
Distribution: Gentoo
Posts: 16

Original Poster
Quote:
Originally Posted by druuna View Post
Do you get any other messages after you open an encrypted file? Does vi hang after the (half) message you posted?
That error screen I show above is where it gets stuck. I then do a ctrl-c and it jumps into vi but it's just a blank new file for editing so I just quit out.

Quote:
Originally Posted by druuna View Post
Why did you throw away your "old" key? I'm not sure if, and if so how to re-create it......
Not a big deal. I had only encrypted a few test files with the first key I had made. I was just curious if there's a way to still decrypt those files after deleting those keys.

Quote:
Originally Posted by druuna View Post
You can set a specific recipient in your .vimrc file:

autocmd BufReadPost,FileReadPost *.gpg,*.asc '[,']!sh -c 'gpg --decrypt 2> /dev/null'
becomes:
autocmd BufReadPost,FileReadPost *.gpg,*.asc '[,']!sh -c 'gpg --decrypt --default-recipient "malcolms <malcolm@domain.com>" 2> /dev/null'

autocmd BufWritePre,FileWritePre *.gpg '[,']!sh -c 'gpg --default-recipient-self -e 2>/dev/null'
autocmd BufWritePre,FileWritePre *.asc '[,']!sh -c 'gpg --default-recipient-self -e -a 2>/dev/null'

becomes:
autocmd BufWritePre,FileWritePre *.gpg '[,']!sh -c 'gpg --default-recipient "malcolms <malcolm@domain.com>" -e 2>/dev/null'
autocmd BufWritePre,FileWritePre *.asc '[,']!sh -c 'gpg --default-recipient "malcolms <malcolm@domain.com>" -e -a 2>/dev/null'


You can show all your keys with: gpg --list-keys. You want all after the uid directive.

All this doesn't solve your problem, but might make testing a bit easier.
I played around with those options but nothing changed. There's something in that syntax that vi is missing or not understanding and in turn is not prompting me for a password. I'm pretty sure that's why I get that error as vi should have asked me for a password and then passed it on to gpg right?

Thanks
Malcolm
 
Old 12-18-2010, 07:30 PM   #6
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Just an FYI. The passphrase will decrypt the secret key. This protects you if the private key is stolen.
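
The point raised in posts #3 and #6, that the passphrase only unlocks the secret key and a file encrypted to a deleted key stays unreadable, can be checked before any decryption attempt. The following is an added example, not part of the thread: it parses the text printed by `gpg --list-packets` and `gpg --list-secret-keys --with-colons`; the function names and every key ID in the samples are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). All key IDs below are constructed.

# Key IDs named in "pubkey enc packet" lines of `gpg --list-packets FILE`
# output (stdin): the keys the file's session key was encrypted to.
recipient_keyids() {
    sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-Fa-f]\{16\}\).*$/\1/p' |
        tr 'a-f' 'A-F'
}

# Key IDs (field 5) of secret primary keys (sec) and secret subkeys (ssb)
# in `gpg --list-secret-keys --with-colons` output (stdin).
secret_keyids() {
    awk -F: '$1 == "sec" || $1 == "ssb" { print toupper($5) }'
}

# missing_secret_keys PACKET_LISTING SECRET_LISTING
# Prints each recipient key ID that has no secret key in the keyring and
# returns 1 if there is at least one; no passphrase can decrypt for those.
missing_secret_keys() {
    have=$(printf '%s\n' "$2" | secret_keyids)
    missing=0
    for id in $(printf '%s\n' "$1" | recipient_keyids); do
        if ! printf '%s\n' "$have" | grep -qxF "$id"; then
            echo "$id"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample: keyring holding only a DSA (17) / Elgamal (16) pair.
SECRET_KEYS='sec::2048:17:CCCCCCCC00000003:2010-12-18::::::::::
uid:::::::::malcolms <malcolm@domain.com>:
ssb::2048:16:BBBBBBBB00000002:2010-12-18::::::::::'
# Constructed sample: file encrypted to an RSA (1) subkey since deleted.
OLD_FILE=':pubkey enc packet: version 3, algo 1, keyid AAAAAAAA00000001
    data: [2047 bits]
:encrypted data packet:'
# Constructed sample: file encrypted to the Elgamal subkey still present.
NEW_FILE=':pubkey enc packet: version 3, algo 16, keyid BBBBBBBB00000002
    data: [2048 bits]
    data: [2046 bits]
:encrypted data packet:'

missing_secret_keys "$OLD_FILE" "$SECRET_KEYS" || echo "^ secret key missing"
missing_secret_keys "$NEW_FILE" "$SECRET_KEYS" && echo "all secret keys present"
```

On a real keyring the two arguments would be the captured output of `gpg --list-packets file.gpg` and `gpg --list-secret-keys --with-colons`.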
 
Old 12-19-2010, 04:34 AM   #7
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Hi,

Have you already checked to see if gpg or vi is the one giving you problems?

Does this work from the command line:
Code:
$ gpg --encrypt --recipient "malcolms <malcolm@domain.com>" file.txt
$ gpg --decrypt file.txt.gpg
The encryption part should not ask for a pass phrase, the decrypt should. If it does you can be reasonably sure gpg isn't the problem.

Next thing you could try is running vi with a specific configuration file (an alternate .vimrc or /etc/vimrc):
1) create a file called vimrc.tst and fill it with the content shown in post #1 (nothing else, just the gpg related entries),
2) create an encrypted file and save it: vi -u vimrc.tst file.gpg (the other vimrc files are ignored this way)
3) check if file is encrypted: file file.gpg
4) open it again with vi: vi -u vimrc.tst file.gpg

If the above does work, then /etc/vimrc or ~/.vimrc could contain one or more entries that influence the way vi works.

One other thing that comes to mind: Are you sure vi is used when running vi? Slackware for instance links vi to a vi-clone (which is not 100% compatible).

Hope this helps.
 
Old 12-19-2010, 11:28 AM   #8
MalcolmV8
LQ Newbie
 
Registered: Jun 2003
Distribution: Gentoo
Posts: 16

Original Poster
I had tested this and yes these two commands work perfectly. The first line executes without error and does not prompt me for anything. The second line prompts for my pass phrase and spits out decrypted content to the screen.

Code:
$ gpg --encrypt --recipient "malcolms <malcolm@domain.com>" testfile.txt
$ gpg --decrypt testfile.txt.gpg
I created a vimrc file in my temp directory with nothing but what you see in post one. The only other lines I had in there that I removed were these:
syntax off
set t_Co=0


However it made no difference. Still the encryption part works perfect.
$ vi testfile.gpg
Will open up a new blank file and when I save it the content is encrypted. However this part still fails me when attempting to vi the previously created encrypted file.

Code:
$ vi testfile.gpg

"testfile.gpg" [noeol] 5L, 614C

You need a passphrase to unlock the secret key for
user: "malcolms <malcolm@domain.com>"
2048-bit ELG key, ID 433E960A, created 2010-12-18 (main key ID 06D13759)

^CCommand terminated
5 lines filtered
Press ENTER or type command to continue
As you can see above I had to hit ctrl-c at which time it prompted me to hit Enter. I hit enter and vi opens up with blank content as though you are starting a new file.

As for vi version

Code:
malcolms@cobra / $ which vi
/usr/bin/vi

malcolms@cobra / $ ls -l /usr/bin/vi
lrwxrwxrwx 1 root root 13 Oct 27  2007 /usr/bin/vi -> //usr/bin/vim

malcolms@cobra / $ ls -l /usr/bin/vim
-rwxr-xr-x 1 root root 1722396 Dec 18 00:11 /usr/bin/vim

malcolms@cobra / $ /usr/bin/vim --version
VIM - Vi IMproved 7.3 (2010 Aug 15, compiled Dec 18 2010 00:11:47)
Included patches: 1-50
Modified by Gentoo-7.3.50
Compiled by malcolms@cobra
Huge version without GUI.  Features included (+) or not (-):
+arabic +autocmd -balloon_eval -browse ++builtin_terms +byte_offset +cindent
-clientserver -clipboard +cmdline_compl +cmdline_hist +cmdline_info +comments
+conceal +cryptv -cscope +cursorbind +cursorshape +dialog_con +diff +digraphs
-dnd -ebcdic +emacs_tags +eval +ex_extra +extra_search +farsi +file_in_path
+find_in_path +float +folding -footer +fork() +gettext -hangul_input +iconv
+insert_expand +jumplist +keymap +langmap +libcall +linebreak +lispindent
+listcmds +localmap -lua +menu +mksession +modify_fname +mouse -mouseshape
+mouse_dec +mouse_gpm -mouse_jsbterm +mouse_netterm -mouse_sysmouse
+mouse_xterm +multi_byte +multi_lang -mzscheme +netbeans_intg -osfiletype
+path_extra +perl +persistent_undo +postscript +printer +profile +python
-python3 +quickfix +reltime +rightleft -ruby +scrollbind +signs +smartindent
-sniff +startuptime +statusline -sun_workshop +syntax +tag_binary
+tag_old_static -tag_any_white -tcl +terminfo +termresponse +textobjects +title
 -toolbar +user_commands +vertsplit +virtualedit +visual +visualextra +viminfo
+vreplace +wildignore +wildmenu +windows +writebackup -X11 -xfontset -xim -xsmp
 -xterm_clipboard -xterm_save
   system vimrc file: "/etc/vim/vimrc"
     user vimrc file: "$HOME/.vimrc"
      user exrc file: "$HOME/.exrc"
  fall-back for $VIM: "/usr/share/vim"
Compilation: i686-pc-linux-gnu-gcc -c -I. -Iproto -DHAVE_CONFIG_H     -O2 -march=i686 -pipe -D_FORTIFY_SOURCE=1
Linking: i686-pc-linux-gnu-gcc   -Wl,-E  -Wl,-O1 -Wl,--as-needed -L/usr/local/lib -Wl,--as-needed -o vim       -lm -lnsl   -lcurses -lacl -lattr -lgpm -ldl    -Wl,-E -Wl,-O1 -Wl,--as-needed -fstack-protector -L/usr/local/lib  -L/usr/lib/perl5/5.12.2/i686-linux/CORE -lperl -lnsl -ldl -lm -lcrypt -lutil -lc -L/usr/lib/python2.6/config -lpython2.6 -lpthread -ldl -lutil -lm -Xlinker -export-dynamic
Thanks
Malcolm
 
Old 12-19-2010, 11:44 AM   #9
MalcolmV8
LQ Newbie
 
Registered: Jun 2003
Distribution: Gentoo
Posts: 16

Original Poster
It has to be something with gentoo linux and the way it does certain things. I just tried out this exact same setup on a Mandriva linux box I have for something else and it works perfectly.
I noticed a few differences. For example on gentoo when it prompts you for your pass phrase it takes over the whole screen. You get a pitch black screen and you enter the pass phrase in the center of the screen and then it jumps back to regular screen. On Mandriva it just prompts you in line as things go along. I bet that's breaking the vi prompting me for the pass phrase in gentoo.
 
Old 12-19-2010, 12:03 PM   #10
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Hi,

Glad to see you got an answer for your problem.

On my side it also prompts for the pass-phrase in line.

Things that you can look for on your Gentoo box:
- Is gvim also installed and could it influence vim?
- Is there an alternate vim package you could install?

And maybe you should contact Gentoo and ask about this behaviour and the reason behind it.
 
  

