Vault Encryption - Eugeny/terminus Wiki


The vault is stored as part of the YAML config file, in the vault attribute. It holds the ciphertext (base64), the IV (hex), the key salt (hex) and the format version.


Vault contents are encrypted with AES-256-CBC. The key is derived from the passphrase using PBKDF2 (SHA-512, 64-bit salt). Both the IV and the key salt are generated from a cryptographically secure random source.

You can review the implementation here:

Config encryption

When config encryption is enabled, all config attributes except vault and encrypted are removed from the config and stored inside the vault data instead. The vault must then be decrypted at app start to load the config.
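
The vault record described on this page, written and read back with Node's crypto module. This is an added example, not Terminus's own code. The field names (version, contents, keySalt, iv), the iteration count, the version number and the JSON payload are assumptions, since the page gives only the algorithms and encodings.

```javascript
// Added example: field names, ITERATIONS, VERSION and the JSON payload are assumptions.
const nodeCrypto = require('node:crypto')

const ITERATIONS = 100000 // assumed; the page does not state the PBKDF2 iteration count
const VERSION = 1         // assumed format version

// PBKDF2-HMAC-SHA512 producing a 32-byte key for AES-256.
function deriveKey (passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, ITERATIONS, 32, 'sha512')
}

// Build the stored record: base64 ciphertext, hex IV, hex key salt, version.
function encryptVault (passphrase, data) {
  const salt = nodeCrypto.randomBytes(8) // 64-bit salt from the OS CSPRNG
  const iv = nodeCrypto.randomBytes(16)  // one AES block, fresh per encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-cbc', deriveKey(passphrase, salt), iv)
  const ct = Buffer.concat([cipher.update(JSON.stringify(data), 'utf8'), cipher.final()])
  return {
    version: VERSION,
    contents: ct.toString('base64'),
    keySalt: salt.toString('hex'),
    iv: iv.toString('hex')
  }
}

// Returns the decrypted object, or null for a wrong passphrase or damaged data.
function decryptVault (passphrase, vault) {
  // Validate the record before deriving a key from attacker-editable config fields.
  if (vault.version !== VERSION) throw new Error('unsupported vault version')
  if (!/^[0-9a-f]{16}$/i.test(vault.keySalt)) throw new Error('key salt must be 8 bytes of hex')
  if (!/^[0-9a-f]{32}$/i.test(vault.iv)) throw new Error('IV must be 16 bytes of hex')
  const key = deriveKey(passphrase, Buffer.from(vault.keySalt, 'hex'))
  const decipher = nodeCrypto.createDecipheriv('aes-256-cbc', key, Buffer.from(vault.iv, 'hex'))
  try {
    // This example carries no integrity tag, so a wrong key shows up as a
    // padding error or, rarely, as padding that passes but text that does not parse.
    const pt = Buffer.concat([decipher.update(vault.contents, 'base64'), decipher.final()])
    return JSON.parse(pt.toString('utf8'))
  } catch (e) {
    return null
  }
}
```

Because the salt and IV are regenerated on every call to encryptVault, saving the same data twice yields different stored records.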