Secured data has been added to WeeChat: you can now encrypt your passwords or private data in a new configuration file called "sec.conf".
This configuration file is read before any other file, and the values stored inside can be used in various WeeChat or plugins/scripts options.
To add secured data, you just have to set a passphrase (not mandatory, but recommended: this will encrypt data in sec.conf instead of plain text), and then add data, for example :
/secure passphrase this is my passphrase /secure set freenode mypassword
And then you can use that in a server password, for example :
/set irc.server.freenode.sasl_password "${sec.data.freenode}"
For more info, see /help secure
.
Options for encryption
You can use different cipher/hash algorithms, by setting following options:
- sec.crypt.hash_algo: algorithm for hash: sha224, sha256 (default), sha384, sha512
- sec.crypt.cipher: cipher: aes128, aes192, aes256 (default)
- sec.crypt.salt: use salt (recommended for maximum security)
- sec.crypt.passphrase_file: file with the passphrase (optional)
Note: the cipher block mode is CFB.
The encryption
It is done in 3 steps:
- derive a key from the passphrase (with optional salt)
- compute hash of data to encrypt
- encrypt the hash + data (output is: salt + encrypted hash/data)
The result is put as hexadecimal string in file sec.conf.
The decryption
It is done in 3 steps:
- derive a key using salt and passphrase
- decrypt hash + data
- check that decrypted hash == hash of data