Vault Encryption - Eugeny/terminus Wiki

Storage

The Vault is stored as a part of the YAML config file in the vault attribute. Ciphertext (base-64), IV (hex), key salt (hex) and format version are saved.

Cryptography

Vault contents are encrypted using AES-256-CBC. Key is derived from the passphrase using PBKDF2 (SHA-512, 64 bit salt). Both IV and key salt are generated from a cryptographically safe random source.

You can review the implementation here: https://github.com/Eugeny/tabby/blob/master/tabby-core/src/services/vault.service.ts#L55-L94

Config encryption

When config encryption is enabled, all config attributes except vault and encrypted are removed from the config and stored inside the vault data instead. Vault must then be decrypted at the app start to load the config.