Security through obscurity is no security at all. If an application claims to store your data “securely”, it should be able to transparently describe exactly how your data is stored and encrypted and why it is secure.

When DiffPlug first runs, it creates a folder in your home directory called .diffplug. For example, if your username is testuser, the directory would be C:/Users/testuser/.diffplug. All of your DiffPlug-specific data, such as your Recents list, your preferences, and your KeyRing, resides in this folder. The KeyRing’s file is named ~/.diffplug/preferences/com.diffplug.core/keyRing.prefs. Below is an example keyRing.prefs file.

<?xml version="1.0" encoding="utf-8"?>
<keyring init="true" salt="rHdZIbqw1eI=">
	<confirm pwhash="$2a$10$oCUDMTtmcCYVUXrehswiyeQConZPtLsaMtUZ1pTACnOMCD8hRXq36"/>
	<secret key="BankAccountLogin" initvec="fQ3Ko+YkipmcfBy7bZvyPQ==" safe="ZUT9LUJRfkrq/OYm7Y2Y3otYAQ9NwqF+ExqrgzMJ2IpUfwKTsqAMlMRja3NLlldd"/>
	<secret key="aws_ABC123DEF456" initvec="3875XTEIaMoafWspKDWPdw==" safe="vt9kfTsqdLngTV9ohqlFnN08fnExbSUec/8snz9uK8Q="/>
</keyring>

Below is a description of each and every element and attribute of this file.

| Element | Attribute | Description |
|---------|-----------|-------------|
| keyring | init | A simple flag which is “true” when the KeyRing has been set up, and “false” when it hasn’t been. |
| keyring | salt | Records the salt which is used for this KeyRing. The salt is added to the end of your password, making it longer. An attacker can easily read the salt, but it makes it much harder for her to find your password through brute-force attacks. |
| confirm | pwhash | A BCrypt hash of your password, with an additional salt encoded inside the hash. This hash is not used for encryption; it is used only to check that you entered the password correctly, for UI purposes. |
| secret | key | The “key” portion of your secret, stored as plaintext. |
| secret | initvec | The AES initialization vector for this secret. Acts as a secret-specific salt, which makes it harder for an attacker to infer anything about your secrets without knowing your password. |
| secret | safe | Your secret, encrypted by 128-bit AES using the previously mentioned keyring salt and secret initvec as well as your password, to ensure that it is extremely difficult to reveal your secrets using a brute-force attack. |
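The field descriptions above imply structural properties that can be checked without knowing the password. The following is an added example, not DiffPlug's own code: it parses a keyRing.prefs document and reports malformed base64, a malformed BCrypt string, a wrong-sized or reused initvec, and ciphertext that is not a whole number of AES blocks. The names `audit_keyring` and `decode` are hypothetical, and the 16-byte IV and block-aligned ciphertext checks assume a padded block mode, which the page does not state but the example file's field lengths are consistent with.

```python
import base64
import re
import xml.etree.ElementTree as ET

AES_BLOCK = 16  # bytes; assumption: padded block mode with a 16-byte IV
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d\d)\$[./A-Za-z0-9]{53}$")
# The page's example file, with the closing </keyring> tag supplied so it parses.
PAGE_SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<keyring init="true" salt="rHdZIbqw1eI=">
	<confirm pwhash="$2a$10$oCUDMTtmcCYVUXrehswiyeQConZPtLsaMtUZ1pTACnOMCD8hRXq36"/>
	<secret key="BankAccountLogin" initvec="fQ3Ko+YkipmcfBy7bZvyPQ==" safe="ZUT9LUJRfkrq/OYm7Y2Y3otYAQ9NwqF+ExqrgzMJ2IpUfwKTsqAMlMRja3NLlldd"/>
	<secret key="aws_ABC123DEF456" initvec="3875XTEIaMoafWspKDWPdw==" safe="vt9kfTsqdLngTV9ohqlFnN08fnExbSUec/8snz9uK8Q="/>
</keyring>"""


def decode(field, value, findings):
    """Strict base64 decode; record a finding and return b'' on failure."""
    try:
        return base64.b64decode(value or "", validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        findings.append(f"{field}: not valid base64")
        return b""


def audit_keyring(xml_text):
    """Return (bcrypt_cost, findings) for a keyRing.prefs document."""
    findings, seen_ivs = [], set()
    root = ET.fromstring(xml_text.encode("utf-8"))
    if not decode("keyring/salt", root.get("salt"), findings):
        findings.append("keyring/salt: empty or missing")
    confirm = root.find("confirm")
    m = BCRYPT_RE.match(confirm.get("pwhash", "")) if confirm is not None else None
    if m is None:
        findings.append("confirm/pwhash: not a well-formed bcrypt hash")
    for secret in root.findall("secret"):
        name = secret.get("key")
        iv = decode(f"{name}/initvec", secret.get("initvec"), findings)
        safe = decode(f"{name}/safe", secret.get("safe"), findings)
        if len(iv) != AES_BLOCK:
            findings.append(f"{name}/initvec: {len(iv)} bytes, expected {AES_BLOCK}")
        elif iv in seen_ivs:
            findings.append(f"{name}/initvec: reused by another secret")
        seen_ivs.add(iv)
        if not safe or len(safe) % AES_BLOCK:
            findings.append(f"{name}/safe: length {len(safe)} is not whole AES blocks")
    return (int(m.group(1)) if m else None), findings
```

An empty findings list means the file is structurally consistent with the table; it says nothing about the strength of the password that protects it.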

Our security guarantee

The keyRing.prefs file above is a real KeyRing. If you put it into your preferences directory, DiffPlug will see the secrets and ask you for their password.

We’re so confident in the strength of our encryption that we’ll give a free lifetime supply of DiffPlug* to anyone who is able to discover the contents of the two secrets in the above KeyRing.

* You will have licenses for all of DiffPlug’s products ever released, forever. These licenses will be for your personal and professional use only; no resale or transferral is allowed. In order to receive your prize, you must tell us how you were able to crack the code, with enough detail that we are able to reproduce your exploit. This offer is only valid for the first person to submit a vulnerability, and only vulnerabilities in the latest version of DiffPlug are eligible.