# Gavin Andresen
# 2011-12-21 00:38:40
# https://bitcointalk.org/index.php?topic=34028.msg656908#msg656908

RE: documentation about key encryption: @p{par}

See the comment at the top of crypter.h: @p{par}


Code:
Private key encryption is done based on a CMasterKey,                                                                                                    @p{brk}
which holds a salt and random encryption key.                                                                                                            @p{par}

CMasterKeys are encrypted using AES-256-CBC using a key                                                                                                  @p{brk}
derived using derivation method nDerivationMethod                                                                                                        @p{brk}
(0 == EVP_sha512()) and derivation iterations nDeriveIterations.                                                                                         @p{brk}
vchOtherDerivationParameters is provided for alternative algorithms                                                                                      @p{brk}
which may require more parameters (such as scrypt).                                                                                                      @p{par}

Wallet Private Keys are then encrypted using AES-256-CBC                                                                                                 @p{brk}
with the double-sha256 of the public key as the IV, and the                                                                                              @p{brk}
master key's key as the encryption key (see keystore.[ch]).                                                                                              @p{brk}

 @p{brk}
The way I think of it:  Take the passphrase and salt and SHA512-hash them nDerivationIterations times.  That gets you an encryption key and initialization vector. @p{par}

Use those to AES-256-decrypt the encrypted_key master key. @p{par}

Now you can AES-256-decrypt the private keys, using the master key as the key and the (double-sha256-hash) PUBLIC part of the keypair as the initialization vector. @p{par}

The "SHA-512-hash them a bunch of times" is actually done by the OpenSSL EVP_BytesToKey routine@p{--} documentation for that is here: @s{(link)} @p{par}

 @p{brk}