Simpler GnuPG-encrypted password store

Roland blogs about his GPG-encrypted password store.

When I read the title of his blog post, I thought he would be writing about the gnupg.vim Vim plugin. But he didn’t, so I’ll take care of that: the gnupg.vim plugin provides transparent editing of GPG-encrypted files. It’s as simple as vim foo.gpg: enter your GPG key if you are creating the file, and you are done.

6 thoughts on “Simpler GnuPG-encrypted password store”

  1. That has two downsides that I know of:

    1) vim just displays the contents, which makes shoulder surfing easy. Ideally, you want to copy the password to the clipboard without displaying it, which makes it easy to use even while working with someone else.

    2) vim doesn’t know to mlock its memory, and without some special care it doesn’t know to avoid temporary files as well.

  2. @Anonymous

    + Your first point is certainly valid. And if you use simple passwords it would be pretty easy to pick a few out with a couple of seconds of shoulder surfing. Using harder passwords and including decoys in the file might help with that. If you use many strong passwords, change them often, and don’t indicate which accounts they belong to, I don’t think shoulder surfing would be much of an issue unless you are directly targeted.

    + As to the second point, I don’t know about mlock, but on the gnupg.vim plugin page it states that it turns off viminfo and swapfile to increase security.

  3. Actually, turning off viminfo and swapfile may help increase security, yes, but it doesn’t stop the kernel from swapping memory contents to the swap partition/disk/file/whatever. mlock prevents this by setting a flag on the memory region to prevent it from ever reaching the disk. It’s kinda critical in high security environments.
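The mlock point raised in the last comment, as an added C example that is not from the original post or from the gnupg.vim project: a small secret buffer that is pinned in RAM with mlock, wiped through a volatile pointer before it is freed, and exercised with a constructed sample value. The names secret_buf, secret_alloc, secret_free and demo_roundtrip are hypothetical.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Secret buffer: pinned in RAM with mlock so the kernel never writes it to
 * swap, and wiped before release so no plaintext lingers in freed memory. */
typedef struct { unsigned char *data; size_t len; int locked; } secret_buf;
/* Zero through a volatile pointer so the compiler cannot drop the loop. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Returns 0 on success; s->locked says whether mlock worked (it can fail under
 * RLIMIT_MEMLOCK, leaving the buffer usable but swappable). */
int secret_alloc(secret_buf *s, size_t len) {
    s->len = len;
    if ((s->data = malloc(len)) == NULL) return -1;
    s->locked = (mlock(s->data, len) == 0);  /* locks every page the range touches */
    memset(s->data, 0, len);
    return 0;
}

void secret_free(secret_buf *s) {
    if (!s->data) return;
    wipe(s->data, s->len);                   /* wipe before unpinning and freeing */
    if (s->locked) munlock(s->data, s->len);
    free(s->data);
    s->data = NULL; s->len = 0; s->locked = 0;
}
/* True if every byte is zero; used to confirm a wipe actually happened. */
int all_zero(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    while (n--) acc |= *p++;
    return acc == 0;
}

/* Round trip with a constructed sample password; returns 1 on success. */
int demo_roundtrip(void) {
    secret_buf s;
    const char sample[] = "correct horse battery staple";   /* constructed */
    if (secret_alloc(&s, sizeof sample) != 0) return 0;
    memcpy(s.data, sample, sizeof sample);
    int had_data = !all_zero(s.data, s.len);
    wipe(s.data, s.len);                  /* same step secret_free performs */
    int wiped = all_zero(s.data, s.len);
    secret_free(&s);
    return had_data && wiped && s.data == NULL;
}
```

If mlock fails (for example because RLIMIT_MEMLOCK is too low), secret_alloc still succeeds but reports locked == 0, so a caller can decide whether an unpinned buffer is acceptable.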
