derivepassphrase-vault(1)

NAME

derivepassphrase-vault – derive a passphrase using the vault(1) derivation scheme

SYNOPSIS

derivepassphrase vault [OPTIONS] [SERVICE]

DESCRIPTION

Using a master passphrase or a master SSH key, derive a passphrase for SERVICE, subject to length, character and character repetition constraints. The derivation is cryptographically strong, meaning that even if a single passphrase is compromised, guessing the master passphrase or a different service’s passphrase is computationally infeasible. The derivation is also deterministic: the same inputs always yield the same passphrase, so the resulting passphrase need not be stored explicitly. The service name and constraints themselves also need not be kept secret; the latter are usually stored in a world-readable file.

If operating on global settings, or importing/exporting settings, then SERVICE must be omitted. Otherwise it is required.

OPTIONS

Password generation

-p, --phrase
prompts you for your passphrase
-k, --key
uses your SSH private key to generate passwords
-l, --length NUMBER
emits password of length NUMBER
-r, --repeat NUMBER
allows maximum of NUMBER repeated adjacent chars
--lower NUMBER
includes at least NUMBER lowercase letters
--upper NUMBER
includes at least NUMBER uppercase letters
--number NUMBER
includes at least NUMBER digits
--space NUMBER
includes at least NUMBER spaces
--dash NUMBER
includes at least NUMBER - or _
--symbol NUMBER
includes at least NUMBER symbol chars

Use NUMBER=0, e.g. --symbol 0, to exclude a character type from the output.

Configuration

-n, --notes
spawn an editor to edit notes for SERVICE
-c, --config
saves the given settings for SERVICE or global
-x, --delete
deletes settings for SERVICE
--delete-globals
deletes the global shared settings
-X, --clear
deletes all settings

Use $VISUAL or $EDITOR to configure the spawned editor.

Storage management

-e, --export PATH
export all saved settings into file PATH
-i, --import PATH
import saved settings from file PATH

Using - as PATH for standard input/standard output is supported.

Other Options

--version
Show the version and exit.
-h, --help
Show this message and exit.

WARNINGS

There is no way to retrieve the generated passphrases if the master passphrase, the SSH key, or the exact passphrase settings are lost, short of trying out all possible combinations. You are strongly advised to keep independent backups of the settings and the SSH key, if any.

The configuration is not encrypted, and you are strongly discouraged from using a stored passphrase.
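The following check for stored passphrases in exported settings is an added example, not part of derivepassphrase or its documentation. The settings layout it assumes (a "global" object and a "services" object keyed by service name, each optionally holding a "phrase" entry) is an assumption, and the sample data is constructed.

```python
import json
import sys

# Constructed sample export. The layout ("global" object plus "services"
# object keyed by service name, with optional "phrase" entries) is an
# assumption; the page does not document the settings file format.
SAMPLE_EXPORT = """
{
  "global": {"length": 24, "symbol": 0},
  "services": {
    "mail.example": {"length": 20, "repeat": 2},
    "bank.example": {"phrase": "constructed stored passphrase"},
    "wiki.example": {"notes": "constructed note", "upper": 1}
  }
}
"""


def find_stored_phrases(export_text):
    """Return the scopes ("global" or "service:NAME") that store a phrase."""
    config = json.loads(export_text)
    if not isinstance(config, dict):
        raise ValueError("settings export must be a JSON object")
    scopes = {"global": config.get("global", {})}
    services = config.get("services", {})
    if not isinstance(services, dict):
        raise ValueError('"services" must be a JSON object')
    for name, settings in services.items():
        scopes["service:" + name] = settings
    # Report only where a phrase is stored, never the phrase itself.
    return sorted(scope for scope, settings in scopes.items()
                  if isinstance(settings, dict) and "phrase" in settings)


if __name__ == "__main__":
    # Reads an export from standard input, or the sample when run on a terminal.
    text = SAMPLE_EXPORT if sys.stdin.isatty() else sys.stdin.read()
    findings = find_stored_phrases(text)
    for scope in findings:
        print("stored passphrase in settings:", scope)
    sys.exit(1 if findings else 0)
```

Pipe the output of `derivepassphrase vault --export -` into the script; it exits non-zero when any scope stores a passphrase.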

SEE ALSO

derivepassphrase(1), vault(1)