Vault Encryption - Eugeny/terminus Wiki
The Vault is stored as a part of the YAML config file in the
vault attribute. Ciphertext (base-64), IV (hex), key salt (hex) and format version are saved.
Vault contents are encrypted using AES-256-CBC. Key is derived from the passphrase using PBKDF2 (SHA-512, 64 bit salt). Both IV and key salt are generated from a cryptographically safe random source.
You can review the implementation here: https://github.com/Eugeny/tabby/blob/master/tabby-core/src/services/vault.service.ts#L55-L94
When config encryption is enabled, all config attributes except
encrypted are removed from the config and stored inside the vault data instead. Vault must then be decrypted at the app start to load the config.