WeeChat DevCenter

Secured data

Secured data has been added to WeeChat: you can now encrypt your passwords or private data in a new configuration file called "sec.conf".

This configuration file is read before any other file, and the values stored inside can be used in various WeeChat or plugins/scripts options.

To add secured data, you just have to set a passphrase (not mandatory, but recommended: this will encrypt data in sec.conf instead of plain text), and then add data, for example :

/secure passphrase this is my passphrase
/secure set freenode mypassword

And then you can use that in a server password, for example :

/set irc.server.freenode.sasl_password "${sec.data.freenode}"

For more info, see /help secure.

Options for encryption

You can use different cipher/hash algorithms, by setting following options:

  • sec.crypt.hash_algo: algorithm for hash: sha224, sha256 (default), sha384, sha512
  • sec.crypt.cipher: cipher: aes128, aes192, aes256 (default)
  • sec.crypt.salt: use salt (recommended for maximum security)
  • sec.crypt.passphrase_file: file with the passphrase (optional)

Note: the cipher block mode is CFB.

The encryption

It is done in 3 steps:

  1. derive a key from the passphrase (with optional salt)
  2. compute hash of data to encrypt
  3. encrypt the hash + data (output is: salt + encrypted hash/data)

The result is put as hexadecimal string in file sec.conf.

The decryption

It is done in 3 steps:

  1. derive a key using salt and passphrase
  2. decrypt hash + data
  3. check that decrypted hash == hash of data