CRYPTOGRAPHY IN VADMIN:
-----------------------

There are two ways that Vadmin uses cryptography to secure its
passwords and preference settings.  You can either have Vadmin use 
its built-in rc4 function, or you can direct it to use the algorithms 
provided by mcrypt.  However, once you have decided on one or the 
other, you can't change your mind, or all your saved preferences 
will be lost.  Using the mcrypt option is recommended for the 
stronger encryption options it offers, if you can manage the more 
complex requirements detailed below.



BUILT-IN RC4:
-------------

Just set MCRYPT_ALGO to "rc4_builtin" in the conf/apache.conf file to 
use the built-in rc4 functions (default setting).



MCRYPT:
-------

You will need to install libmcrypt and then recompile PHP with mcrypt 
support.  See http://www.php.net/mcrypt for instructions on how to get, 
compile, and install libmcrypt.  You will need libmcrypt version 2.4.x 
or newer.  After you have installed libmcrypt, recompile PHP with this 
flag: "--with-mcrypt".



CRYPTO_HASH_LINE and MCRYPT_ALGO:
---------------------------------

These are the environment variables which are set in Vadmin's apache 
include file (see SECURITY for more info).  CRYPTO_HASH_LINE can have 
any value long enough to be able to safely encrypt sensitive data, 
although you should keep in mind that depending on the algorythm you 
choose, this line may be truncated to fit the algorythm needs.

MCRYPT_ALGO is the algorythm name to be used by mcrypt.  This has to be
a symmetric algorythm and support ECB encryption mode.  For the list of 
available algorythms see your libmcrypt documentation.  The default 
setting is "blowfish", but you can and are encouraged to change it to 
some other strong algorythm to make it even harder to brute-force the
passwords.  Possible choices are:

blowfish
twofish
tripledes
gost
serpent

... and others.

If at any point you decide you wish to use a different HASH_LINE 
and/or MCRYPT_ALGO, you may do so, but all stored passwords and 
preference settings will become invalid and will be discarded the 
first time they fail.  You will have to log into each domain and make 
sure new values are stored.  This can be quite a hassle if you have a 
lot of domains, so choose wisely. 

