Request for Encryption/Decryption Algorithm Details for Local Script Integration

[RoTorEx]

Hello,

I'm interested in using Obsidian Encrypt for managing my encrypted files locally, but I need more details about the encryption algorithm and how I can reproduce it outside of Obsidian.

I've reviewed the code and noticed that it uses AES-GCM with a fixed IV and a password-derived key. However, my attempts to decrypt data outside of Obsidian (using Python and Node.js) have failed due to authentication errors (MAC check failure).

Questions:
What exact steps does Obsidian Encrypt follow for encryption and decryption?

Key derivation method (PBKDF2 parameters, salt usage, hashing details).
How is the authentication tag stored and extracted?
Any additional transformations or encoding applied before storing?
How can I integrate this into a local script to encrypt/decrypt data for my own file management use case?

I need a way to encrypt/decrypt single strings/files, but the current full-note encryption format does not fit my needs.
Is there a minimal example available that demonstrates how to manually encrypt/decrypt a string using the same method as Obsidian Encrypt?
Any guidance would be greatly appreciated! I’d love to continue using this encryption method while managing my own file structures.

Thanks for your time and for building such a great tool!

[cfgnunes]

Hi @RoTorEx, I think you can decrypt an encrypted file outside of Obsidian using this Bash script on Linux:

#!/usr/bin/env bash

# Check for required arguments.
if [ $# -ne 3 ]; then
    echo "Usage: $0 <encrypted_base64_file> <password> <output_file>"
    exit 1
fi

encrypted_b64_file="$1"
password="$2"
output_file="$3"

# Fixed salt in hex (XHWnDAT6ehMVY2zD).
salt_hex="5848576E44543665684D5659327A44"

# Create temporary files.
temp_dir=$(mktemp -d)
trap 'rm -rf "$temp_dir"' EXIT

encrypted_bin_file="$temp_dir/encrypted.bin"
iv_file="$temp_dir/iv.bin"
ciphertext_file="$temp_dir/ciphertext.bin"
key_file="$temp_dir/key.bin"

# Decode Base64 to binary.
base64 -d "$encrypted_b64_file" >"$encrypted_bin_file" || {
    echo "Base64 decoding failed"
    exit 1
}

# Extract IV (first 16 bytes).
dd if="$encrypted_bin_file" of="$iv_file" bs=16 count=1 2>/dev/null

# Extract ciphertext_with_tag (remaining bytes).
dd if="$encrypted_bin_file" of="$ciphertext_file" bs=16 skip=1 2>/dev/null

# Derive AES key using PBKDF2 with SHA-256.
openssl kdf -keylen 32 -kdfopt digest:SHA256 -kdfopt pass:"$password" -kdfopt hexsalt:"$salt_hex" -kdfopt iter:210000 PBKDF2 -out "$key_file" || {
    echo "Key derivation failed"
    exit 1
}

# Decrypt using AES-256-GCM.
openssl enc -aes-256-gcm -d -iv "$(xxd -p -c 256 "$iv_file")" -K "$(xxd -p -c 256 "$key_file")" -in "$ciphertext_file" -out "$output_file"

# Check decryption result.
if [ $? -eq 0 ]; then
    echo "Decryption successful. Output saved to $output_file."
else
    echo "Decryption failed. Incorrect password or corrupted file."
    rm -f "$output_file"
    exit 1
fi

Usage:

./decrypt_script.sh encrypted.txt.b64 your_password decrypted.txt

Requirements:

1. OpenSSL 1.1.1 or newer must be installed (supports kdf command and AES-GCM).
2. The encrypted file must be in Base64 format (just the content of encodedData).