Tabulify natively includes a vault functionality that lets you encrypt or decrypt text configuration parameters (mostly connection attributes) in order to keep sensitive information secret.
The encryption is done with a NIST-approved encryption cipher that takes as input a cryptographic key generated from a passphrase. A random salt is used at every encryption, so the encrypted output is never the same. On top of this process, a MAC check verifies the integrity of the data.
According to Kerckhoffs' principle, only the secrecy of the key provides security, so you should take great care of your passphrase (see passphrase security considerations).
A text that has been encrypted will start with the vault prefix.
Encryption / Decryption
- The password is the only mandatory encrypted attribute, i.e. you can't save a password without giving a passphrase.
With the automatic attribute encryption, you can automatically encrypt other attributes.
- An approved encryption cipher: All ciphers used are approved by the Computer Security Division of the US Department of Commerce (via the National Institute of Standards and Technology) and follow the SP800-38A recommendations.
- Raw keyed encryption: Salts and Initialization Vectors (IV) are randomized and generated for every encryption. The same password, even with the same passphrase, leads to a different ciphertext.
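
The scheme described above (passphrase-derived key, fresh salt and IV for every encryption, MAC check, vault prefix), as an added example that is not Tabulify's own code. The algorithm choices (PBKDF2 and HKDF with SHA-256, AES-256-CBC as an SP800-38A mode, HMAC-SHA256), the iteration count, the byte layout and the `vault-example:` prefix are assumptions, since the page does not name them.

```javascript
// Added illustration, not Tabulify's implementation. Algorithms, iteration
// count, byte layout and prefix are assumptions made for this example.
const crypto = require("node:crypto");

const PREFIX = "vault-example:"; // hypothetical; the page does not give the real prefix
const ITERATIONS = 210000;       // assumed PBKDF2 work factor
const SALT = 16, IV = 16, TAG = 32;

// Stretch the passphrase with PBKDF2, then expand into separate
// encryption and MAC keys so one key is never used for both jobs.
function deriveKeys(passphrase, salt) {
  const master = crypto.pbkdf2Sync(passphrase, salt, ITERATIONS, 32, "sha256");
  const okm = Buffer.from(crypto.hkdfSync("sha256", master, salt, "enc+mac", 64));
  return { encKey: okm.subarray(0, 32), macKey: okm.subarray(32) };
}

function encrypt(plaintext, passphrase) {
  const salt = crypto.randomBytes(SALT); // fresh for every encryption
  const iv = crypto.randomBytes(IV);     // fresh for every encryption
  const { encKey, macKey } = deriveKeys(passphrase, salt);
  const cipher = crypto.createCipheriv("aes-256-cbc", encKey, iv);
  const body = Buffer.concat([salt, iv, cipher.update(plaintext, "utf8"), cipher.final()]);
  // Encrypt-then-MAC: the tag covers salt, IV and ciphertext.
  const tag = crypto.createHmac("sha256", macKey).update(body).digest();
  return PREFIX + Buffer.concat([body, tag]).toString("base64");
}

function decrypt(token, passphrase) {
  if (!token.startsWith(PREFIX)) throw new Error("not a vault value");
  const raw = Buffer.from(token.slice(PREFIX.length), "base64");
  // Smallest valid value: salt + IV + one padded AES block + tag.
  if (raw.length < SALT + IV + 16 + TAG) throw new Error("truncated vault value");
  const body = raw.subarray(0, raw.length - TAG);
  const tag = raw.subarray(raw.length - TAG);
  const { encKey, macKey } = deriveKeys(passphrase, body.subarray(0, SALT));
  const expected = crypto.createHmac("sha256", macKey).update(body).digest();
  // Check the MAC in constant time before any ciphertext is decrypted.
  if (!crypto.timingSafeEqual(tag, expected)) throw new Error("integrity check failed");
  const iv = body.subarray(SALT, SALT + IV);
  const decipher = crypto.createDecipheriv("aes-256-cbc", encKey, iv);
  const ct = body.subarray(SALT + IV);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}
```

Because the MAC is verified first, a wrong passphrase and a modified value both fail with the same integrity error, and no padding error from the block cipher is ever exposed.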