Storage
The vault is stored as part of the YAML config file, in the vault attribute. The ciphertext (base64), IV (hex), key salt (hex) and format version are saved.
Cryptography
Vault contents are encrypted using AES-256-CBC. The key is derived from the passphrase using PBKDF2 (SHA-512, 64-bit salt). Both the IV and the key salt are generated from a cryptographically secure random source.
You can review the implementation here: https://github.com/Eugeny/tabby/blob/master/tabby-core/src/services/vault.service.ts#L55-L94
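The storage format and key derivation described above can be reproduced with Node's built-in crypto module. This is an added example, not Tabby's own code. The field names (contents, iv, keySalt, version), the iteration count, the version number and the sample data are assumptions, since the page does not state them.

```javascript
// Added example, not Tabby's code. Field names, iteration count and version are assumptions.
const crypto = require('node:crypto')

const PBKDF_ITERATIONS = 100000 // assumption: the page does not state the count
const FORMAT_VERSION = 1 // assumption: placeholder format version

function deriveKey (passphrase, salt) {
  // PBKDF2 with SHA-512, 32-byte output to key AES-256
  return crypto.pbkdf2Sync(passphrase, salt, PBKDF_ITERATIONS, 32, 'sha512')
}

function encryptVault (contents, passphrase) {
  const keySalt = crypto.randomBytes(8) // 64-bit salt from the OS CSPRNG
  const iv = crypto.randomBytes(16) // one AES block, fresh for every write
  const cipher = crypto.createCipheriv('aes-256-cbc', deriveKey(passphrase, keySalt), iv)
  const ct = Buffer.concat([cipher.update(JSON.stringify(contents), 'utf8'), cipher.final()])
  return {
    version: FORMAT_VERSION,
    contents: ct.toString('base64'),
    iv: iv.toString('hex'),
    keySalt: keySalt.toString('hex')
  }
}

function decryptVault (stored, passphrase) {
  const key = deriveKey(passphrase, Buffer.from(stored.keySalt, 'hex'))
  const decipher = crypto.createDecipheriv('aes-256-cbc', key, Buffer.from(stored.iv, 'hex'))
  try {
    const pt = Buffer.concat([decipher.update(Buffer.from(stored.contents, 'base64')), decipher.final()])
    return JSON.parse(pt.toString('utf8'))
  } catch {
    // CBC carries no authentication tag: a wrong passphrase only shows up
    // as a padding error or as plaintext that fails to parse.
    return null
  }
}

// Constructed sample data (hypothetical vault contents)
const sample = { secrets: [{ key: 'constructed-sample', value: 'not-a-real-secret' }] }
const stored = encryptVault(sample, 'correct passphrase')
console.log(stored)
console.log('right passphrase:', decryptVault(stored, 'correct passphrase'))
console.log('wrong passphrase:', decryptVault(stored, 'other passphrase'))
```

Because the salt and IV are regenerated on each write, encrypting the same contents twice yields different stored records.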
Config encryption
When config encryption is enabled, all config attributes except vault and encrypted are removed from the config and stored inside the vault data instead. The vault must then be decrypted at app start to load the config.