Diffstat (limited to 'contrib/vim/redact_pass.txt')
1 files changed, 41 insertions, 0 deletions
diff --git a/contrib/vim/redact_pass.txt b/contrib/vim/redact_pass.txt
new file mode 100644
@@ -0,0 +1,41 @@
+*redact_pass.txt* For Vim version 6.0 Last change: 2018 June 10
+This plugin switches off the 'viminfo', 'backup', 'writebackup', 'swapfile',
+and 'undofile' options globally when editing a password in `pass(1)`.
+This is to prevent anyone being able to extract passwords from your Vim cache
+files in the event of a compromise.
+You should test this after installed to ensure you see this message is printed
+whenever you `pass edit`:
+> Editing password file--disabled leaky options!
+This plugin is only available if 'compatible' is not set. It also requires the
+The options are disabled globally rather than attempting to set them local to
+the buffer only, which was the flawed approach of previous versions. This is
+mostly because of the 'viminfo' option; it's global, and there's no meaningful
+way to exclude information from the sensitive buffer from appearing in it.
+Because the typical use case for editing a password file in Vim is that you
+load and change a single short document, and then quit, it's more sensible to
+just turn the relevant options off completely, and makes what the plugin is
+doing more reliable and straightforward to understand.
+Written and maintained by Tom Ryder <email@example.com>.
+Licensed for distribution under the same terms as the pass(1) project.
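Review bot: The requirements paragraph stops mid-sentence at "It also requires the" and runs straight into "The options are disabled globally...", so as shown here the reader never learns what the second requirement is; the sentence should be finished before this is merged. In the testing paragraph, "test this after installed to ensure you see this message is printed" would read better as "test this after installation to ensure this message is printed", and since the message only shows that the plugin ran, it would help to also tell users to check the options themselves from inside a `pass edit` session, for example with `:set viminfo? backup? writebackup? swapfile? undofile?`. Because the options are switched off globally, the help text should also say that every other buffer opened in the same Vim session loses swap, backup and undo files too, and whether the settings are ever restored.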