Note: this is just a draft documentation page; the feature was released in v096 beta V (2025-10-11) for beta usage.
Why Master Key
If you don’t set a master key, RybaFish still encodes stored passwords — but it uses a generic encryption, meaning any RybaFish installation can decrypt them. If your connections.yaml file is compromised, attackers will have access to your passwords.
If you set a master key, RybaFish derives a unique encryption key from it. Without this master key, it’s impossible to decrypt stored passwords. This sounds nice, right?
This provides a proper level of security for stored passwords. Using a master key is the recommended setup, especially in shared environments such as virtual machines or multi-user systems.
How It Works
All connection-related data is stored in the connections.yaml file.
Passwords are stored in the “pwd” field of each connection entry. In old versions this value was stored as a binary string — so if you needed to use it manually, you had to Base64-decode it. Starting with 0.96 beta V, passwords are stored as a plain text string (still encrypted and Base64-encoded, but without additional binary encoding on top).
If you choose to use a master key, connections.yaml will also contain a __salt__ value.
This is a 32-byte hexadecimal string used to make the encoded passwords unique to your RybaFish instance and to make brute-force attacks much more difficult.
If you choose not to use a master key, this value will be explicitly set to an empty string.
Note: it is expected that each encryption produces a unique ciphertext even with the same master key, salt, and password, because AES-128-CBC relies on a random initialization vector.
How To Not Use It, Please?
Very understandable, there are options:
- Option one is to just reply “Don’t set” when RybaFish asks for a master key for the first time.
- Option two is to manually adjust connections.yaml and set __salt__: '' which should be equal to option one.
- Option three is to set disableMasterKey: True in config.yaml (which is the default currently, oops.)
Settings
By default all this stuff is disabled, but you can set disableMasterKey: False and try to use it.
You can enable the Encoder/Decoder dialog by setting pwdDecoder: True in config.yaml; it will be in the File menu.
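To check which of the states described above an installation is in, here is an added example (not RybaFish's own code) that reads the two files as text and classifies how the pwd fields are protected. It assumes __salt__ and disableMasterKey are top-level keys and that a missing __salt__ means RybaFish has not asked yet; the status labels, function names and sample files are constructed for illustration.

```python
import re

# Constructed sample files (not from the page); top-level key placement is an assumption.
SAMPLE_CONNECTIONS = "__salt__: ''\nprod:\n  host: hana01:30015\n  pwd: CONSTRUCTED_PLACEHOLDER\n"
SAMPLE_CONFIG = "pwdDecoder: True\ndisableMasterKey: False\n"

def yaml_scalar(text, key):
    """Return the value of a top-level `key: value` line, or None if the key is absent."""
    m = re.search(rf"^{re.escape(key)}[ \t]*:[ \t]*(.*)$", text, re.MULTILINE)
    if m is None:
        return None
    value = m.group(1).split(" #")[0].strip()  # drop a trailing comment
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        value = value[1:-1]  # unquote '' or ""
    return value

def master_key_status(connections_text, config_text):
    """Classify how the pwd fields in connections.yaml are protected (hypothetical labels)."""
    disabled = yaml_scalar(config_text, "disableMasterKey")
    # The page states that disableMasterKey: True is currently the default.
    if disabled is None or disabled.lower() == "true":
        return "disabled-in-config"
    salt = yaml_scalar(connections_text, "__salt__")
    if salt is None:
        return "not-decided-yet"      # assumption: RybaFish has not asked yet
    if salt == "":
        return "declined"             # "Don't set" or manual __salt__: ''
    if not re.fullmatch(r"[0-9a-fA-F]+", salt):
        return "malformed-salt"       # the page describes the salt as hexadecimal
    return "master-key-in-use"

def generic_encryption_only(status):
    """True when passwords are protected only by the generic, non-unique encryption."""
    return status in ("disabled-in-config", "declined")

if __name__ == "__main__":
    status = master_key_status(SAMPLE_CONNECTIONS, SAMPLE_CONFIG)
    print(status, "generic encryption only:", generic_encryption_only(status))
```

Any installation reported as generic encryption only should treat connections.yaml as if it held recoverable passwords and restrict file access accordingly.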
Note again: this is just a draft documentation page; the feature was released in v096 beta V (2025-10-11) for beta usage.