AES-256-CBC (Cipher Block Chaining), the algorithm used to encrypt Vault, is a standard cryptographic algorithm and is used by the US government and other government agencies worldwide to protect top-secret data. With proper implementation and sufficiently strong Encryption Keys (derived from a user’s Master Password), the AES-256-CBC algorithm is proven unbreakable.

AES-256-CBC is an encryption scheme that uses the AES specification with a key $K$ of 256-bit length in the CBC mode of operation. The input data is padded and divided into blocks $P_i$ of fixed length, then:

- For block $P_1$, perform an $XOR$ operation on $P_1$ with the initialization vector $VI$:

${PP}_1=P_1⊕VI$

- Encrypt the result ${PP}_1$ from step 1 with $AES$ and key $K$:

$C_1=AES_E({PP}_1, K)$

- From block $P_2$ onward, $P_i$ is $XOR$-ed with the encrypted output of the previous block:

${PP}_i=P_i⊕C_{i-1}$

$C_i=AES_E({PP}_i, K)$

- The cipher text blocks $C_i$ are concatenated into the final cipher text:

$C=C_1||C_2||...$

The decryption process reverses this flow: the cipher text $C$ is divided into blocks $C_i$, then:

- Decrypt block $C_1$ with $AES$ and key $K$:

${PP}_1=AES_D(C_1, K)$

- Perform an $XOR$ operation on ${PP}_1$ with the initialization vector $VI$ to retrieve plaintext block $P_1$:

${P}_1={PP}_1⊕VI$

- From block $C_2$ onward, each block $C_i$ is decrypted and the result ${PP}_i$ is $XOR$-ed with the previous cipher text block $C_{i-1}$:

${PP}_i=AES_D(C_i,K)$

$P_i={PP}_i⊕C_{i-1}$

- The decrypted plaintext blocks $P_i$ are concatenated to restore the original plaintext:

$P=P_1||P_2||...$
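The chaining equations above, written out as an added Go example (not code from the original page or from the product it describes). The function names, the key and the $VI$ are constructed for illustration, the input is assumed to be already extended to whole 16-byte blocks, and `check` compares the result with Go's own `crypto/cipher` CBC mode.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// encrypt chains whole blocks of p: PP_i = P_i XOR C_{i-1} (C_0 = VI), C_i = AES_E(PP_i, K).
func encrypt(blk cipher.Block, vi, p []byte) (c []byte) {
	for prev := vi; len(p) > 0; p = p[aes.BlockSize:] {
		ci := make([]byte, aes.BlockSize)
		for i := range ci {
			ci[i] = p[i] ^ prev[i] // PP_i
		}
		blk.Encrypt(ci, ci) // C_i, computed in place
		c, prev = append(c, ci...), ci
	}
	return c
}

// decrypt reverses it: PP_i = AES_D(C_i, K), P_i = PP_i XOR C_{i-1} (C_0 = VI).
func decrypt(blk cipher.Block, vi, c []byte) (p []byte) {
	for prev := vi; len(c) > 0; prev, c = c[:aes.BlockSize], c[aes.BlockSize:] {
		pp := make([]byte, aes.BlockSize)
		blk.Decrypt(pp, c[:aes.BlockSize]) // PP_i
		for i := range pp {
			pp[i] ^= prev[i] // P_i
		}
		p = append(p, pp...)
	}
	return p
}

// check runs both directions on block-aligned p (constructed demo key and VI) and compares c with Go's CBC mode.
func check(p []byte) (c []byte, roundTrip, matchesStdlib bool) {
	key, vi := bytes.Repeat([]byte{0x42}, 32), bytes.Repeat([]byte{0x07}, 16)
	blk, _ := aes.NewCipher(key) // a 32-byte key selects AES-256
	c = encrypt(blk, vi, p)
	ref := make([]byte, len(p))
	cipher.NewCBCEncrypter(blk, vi).CryptBlocks(ref, p)
	return c, bytes.Equal(decrypt(blk, vi, c), p), bytes.Equal(c, ref)
}

func main() {
	c, rt, ok := check(bytes.Repeat([]byte("sixteen byte blk"), 2)) // P_1 == P_2
	fmt.Printf("C_1=%x\nC_2=%x\nround trip=%v stdlib match=%v\n", c[:16], c[16:], rt, ok)
}
```

The two identical plaintext blocks produce different cipher text blocks because each one is combined with the previous block's output. The fixed $VI$ only keeps the run repeatable; in practice the $VI$ must be fresh and unpredictable for every encryption, and CBC on its own does not detect cipher text tampering.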