See parent: pwsafe
The master passphrase is never used directly. It is stretched using SHA-256 iterated hashing (a simple PBKDF-like scheme). The number of iterations (ITER) is stored in the file and has a minimum of 262,144 (raised from 2,048 in older formats). The stretched key P' is used only to protect the actual encryption keys K and L.
Records are encrypted with Twofish in CBC mode using a 256-bit random session key K. The key K itself is stored in the file encrypted under P' using Twofish in ECB mode (blocks B1/B2). A separate 256-bit key L is used for the HMAC integrity check (blocks B3/B4).
Relevant source: src/core/crypto/TwoFish.cpp, src/core/PWSfileV3.cpp
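Added example (not Password Safe's own code): a Python sketch that reads the fixed-size V3 header, flags an ITER below the 262,144 minimum, and checks a passphrase by recomputing P'. The header layout, the salt and the stored SHA-256(P') verifier are assumptions taken from the published V3 format description, not from this page; the sample header is constructed.

```python
import hashlib
import hmac
import struct

MIN_ITER = 262_144  # minimum ITER stated on this page
# Assumed V3 header layout (from the published V3 format description, not this page):
# "PWS3" tag | 32-byte salt | ITER (uint32 LE) | SHA-256(P') | B1..B4 (64 bytes) | IV
HEADER = struct.Struct("<4s32sI32s64s16s")


def stretch_key(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """P': SHA-256(passphrase || salt), then re-hashed `iterations` times."""
    x = hashlib.sha256(passphrase + salt).digest()
    for _ in range(iterations):
        x = hashlib.sha256(x).digest()
    return x


def parse_header(blob: bytes) -> dict:
    """Split the fixed-size header and flag an ITER below the minimum."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    tag, salt, iters, verifier, wrapped, iv = HEADER.unpack_from(blob)
    if tag != b"PWS3":
        raise ValueError("not a V3 database")
    return {"salt": salt, "iter": iters, "verifier": verifier,
            "wrapped_keys": wrapped, "iv": iv, "weak_iter": iters < MIN_ITER}


def passphrase_matches(hdr: dict, passphrase: bytes) -> bool:
    """Recompute P' and compare SHA-256(P') with the stored verifier."""
    p_prime = stretch_key(passphrase, hdr["salt"], hdr["iter"])
    return hmac.compare_digest(hashlib.sha256(p_prime).digest(), hdr["verifier"])


def build_sample_header(passphrase: bytes, iterations: int) -> bytes:
    """Constructed test input: fixed salt, zeroed B1..B4 and IV (no real keys)."""
    salt = bytes(range(32))
    verifier = hashlib.sha256(stretch_key(passphrase, salt, iterations)).digest()
    return HEADER.pack(b"PWS3", salt, iterations, verifier, bytes(64), bytes(16))


if __name__ == "__main__":
    hdr = parse_header(build_sample_header(b"constructed passphrase", 2048))
    print("ITER:", hdr["iter"], "below minimum:", hdr["weak_iter"])
    print("passphrase ok:", passphrase_matches(hdr, b"constructed passphrase"))
```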
The entire encrypted payload (all records and the header) is covered by an HMAC-SHA-256 keyed with L. This is checked on open, detecting truncation or tampering.
All item fields (passwords, usernames, notes, etc.) are kept encrypted in RAM at all times. Each field is encrypted with Blowfish using a per-session random key. Decryption happens only in the Get*() accessors and the result is never cached. This protects against memory-scraping attacks.
Relevant source: src/core/ItemField.cpp, src/core/Item.cpp, src/core/crypto/BlowFish.cpp
The crypto directory also contains: AES, SHA-1, SHA-256, PBKDF2, HMAC, HOTP/TOTP (for two-factor auth), and RFC 4648 Base32 decoding (for TOTP secrets).
Source: src/core/crypto/