====== Tabulify - Vault (Encryption / Decryption) ======
===== Vault =====
''Tabulify'' natively includes a ''vault'' that lets you encrypt and decrypt ''text'' configuration parameters (mostly [[docs:connection:attribute|connection attributes]]) in order to keep sensitive information secret.
Encryption uses a ''NIST''-approved cipher that takes as input a ''cryptographic key'' generated from a [[passphrase|passphrase]]. Every encryption uses a ''random salt'', so the encrypted output is never the same. On top of this process, we use a ''mac check'' to verify the integrity of the data.
According to [[wp>Kerckhoffs%27_principle|Kerckhoffs' principle]], ''only secrecy of the key provides security'', so you should take great care of your [[passphrase#security considerations|passphrase]] (see [[passphrase#security considerations|passphrase security considerations]]).
===== CipherText =====
A ''text'' that has been encrypted will start with the ''vault'' prefix.
Example:
vaultQVE9PT5kclVidjZCZnYyUUtKMFBvT200UGF3PT0+SmZRZFhXU2dHWEhCZmFpe
===== Encryption / Decryption =====
* [[docs:tabli:vault:encrypt|Encrypt]]
* [[docs:tabli:vault:decrypt|Decrypt]]
===== Mandatory =====
* The [[docs:connection:password|password]] is the only mandatory encrypted attribute, i.e. you can't save a [[docs:connection:password|password]] without giving a [[passphrase|passphrase]].
With the [[docs:connection:attribute#automatic_encryption|automatic attribute encryption]], you can automatically encrypt other attributes.
===== Technically =====
* An approved encryption cipher: all ciphers used are approved by the Computer Security Division of the USA Department of Commerce (via the National Institute of Standards and Technology) and follow the [[https://csrc.nist.gov/publications/detail/sp/800-38a/final|SP800-38A recommendations]].
* Raw keyed encryption: Salts and Initialization Vectors (IV) are randomized and generated for every encryption. The same password, even with the same [[#passphrase]], leads to a different ciphertext.
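
The scheme described in the Vault and Technically sections (passphrase-derived key, fresh random salt and IV per encryption, MAC check, ''vault'' prefix), as an added Node.js example; it is not Tabulify's code or its actual ciphertext format. The AES-256-CBC mode, the PBKDF2 parameters, the byte layout and the function names are assumptions chosen for illustration.

```javascript
// Added illustration only: NOT Tabulify's real format, cipher mode or parameters.
const nodeCrypto = require('node:crypto');

const PREFIX = 'vault';      // prefix described on this page
const ITERATIONS = 210000;   // assumed PBKDF2-HMAC-SHA512 work factor
const SALT_LEN = 16, IV_LEN = 16, MAC_LEN = 32, BLOCK = 16;

// Derive separate encryption and MAC keys from the passphrase and the salt.
function deriveKeys(passphrase, salt) {
  const okm = nodeCrypto.pbkdf2Sync(passphrase, salt, ITERATIONS, 64, 'sha512');
  return { encKey: okm.subarray(0, 32), macKey: okm.subarray(32) };
}

function hmac(macKey, body) {
  return nodeCrypto.createHmac('sha256', macKey).update(body).digest();
}

// Assumed layout: "vault" + base64(salt | iv | ciphertext | mac)
function encrypt(plaintext, passphrase) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);  // fresh for every encryption
  const iv = nodeCrypto.randomBytes(IV_LEN);      // fresh for every encryption
  const { encKey, macKey } = deriveKeys(passphrase, salt);
  const cipher = nodeCrypto.createCipheriv('aes-256-cbc', encKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const body = Buffer.concat([salt, iv, ct]);
  // Encrypt-then-MAC: the tag covers salt, IV and ciphertext.
  return PREFIX + Buffer.concat([body, hmac(macKey, body)]).toString('base64');
}

function decrypt(token, passphrase) {
  if (!token.startsWith(PREFIX)) throw new Error('not a vault value');
  const raw = Buffer.from(token.slice(PREFIX.length), 'base64');
  if (raw.length < SALT_LEN + IV_LEN + BLOCK + MAC_LEN) {
    throw new Error('truncated vault value');
  }
  const body = raw.subarray(0, raw.length - MAC_LEN);
  const mac = raw.subarray(raw.length - MAC_LEN);
  const salt = body.subarray(0, SALT_LEN);
  const iv = body.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const { encKey, macKey } = deriveKeys(passphrase, salt);
  // Check integrity in constant time BEFORE touching the ciphertext.
  if (!nodeCrypto.timingSafeEqual(mac, hmac(macKey, body))) {
    throw new Error('MAC check failed');
  }
  const decipher = nodeCrypto.createDecipheriv('aes-256-cbc', encKey, iv);
  const ct = body.subarray(SALT_LEN + IV_LEN);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}
```

A wrong passphrase and a modified ciphertext both fail at the MAC check, so no unauthenticated data ever reaches the block cipher.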