Hi
The $9$ format employs an obfuscation algorithm to map strings (weak encryption). Encoding involves a header of starting noise, followed by string encoding under essentially a Vigenère cipher.
If you want strong encryption for your configuration secrets, you can configure a master password. The master password is used to derive an encryption key that is used with AES256-GCM to encrypt configuration secrets. This new encryption method uses $8$-formatted strings.
The $8$-encrypted passwords have the following format:
$8$crypt-algo$hash-algo$iterations$salt$iv$tag$encrypted

Field        Description
crypt-algo   Encryption/decryption algorithm to be used. Currently only AES256-GCM is supported.
hash-algo    Hash (PRF) algorithm to be used for the PBKDF2 key derivation.
iterations   The number of iterations to use for the PBKDF2 hash function. The current iteration-count default is 100. The iteration count slows the hashing, thus slowing attacker guesses.
salt         Sequence of ASCII64-encoded pseudorandom bytes generated during encryption that are used to salt (a random but known string) the password and are input to the PBKDF2 key derivation.
iv           Sequence of ASCII64-encoded pseudorandom bytes generated during encryption that are used as the initialization vector for the AES256-GCM encryption function.
tag          ASCII64-encoded representation of the tag.
encrypted    ASCII64-encoded representation of the encrypted password.
Hope this helps.