derivepassphrase-vault(1)
NAME
derivepassphrase-vault – derive a passphrase using the vault(1) derivation scheme
SYNOPSIS
derivepassphrase vault [OPTIONS] [SERVICE]
DESCRIPTION
Using a master passphrase or a master SSH key, derive a passphrase for SERVICE, subject to length, character and character repetition constraints. The derivation is cryptographically strong, meaning that even if a single passphrase is compromised, guessing the master passphrase or a different service’s passphrase is computationally infeasible. The derivation is also deterministic, given the same inputs, thus the resulting passphrase need not be stored explicitly. The service name and constraints themselves also need not be kept secret; the latter are usually stored in a world-readable file.
If operating on global settings, or importing/exporting settings, then SERVICE must be omitted. Otherwise it is required.
OPTIONS
Password generation
- -p, --phrase
- prompts you for your passphrase
- -k, --key
- uses your SSH private key to generate passwords
- -l, --length NUMBER
- emits password of length NUMBER
- -r, --repeat NUMBER
- allows maximum of NUMBER repeated adjacent chars
- --lower NUMBER
- includes at least NUMBER lowercase letters
- --upper NUMBER
- includes at least NUMBER uppercase letters
- --number NUMBER
- includes at least NUMBER digits
- --space NUMBER
- includes at least NUMBER spaces
- --dash NUMBER
- includes at least NUMBER "-" or "_"
- --symbol NUMBER
- includes at least NUMBER symbol chars
Use NUMBER=0, e.g. --symbol 0, to exclude a character type from the output.
Configuration
- -n, --notes
- spawn an editor to edit notes for SERVICE
- -c, --config
- saves the given settings for SERVICE or global
- -x, --delete
- deletes settings for SERVICE
- --delete-globals
- deletes the global shared settings
- -X, --clear
- deletes all settings
Use $VISUAL or $EDITOR to configure the spawned editor.
Storage management
- -e, --export PATH
- export all saved settings into file PATH
- -i, --import PATH
- import saved settings from file PATH
Using - as PATH for standard input/standard output is supported.
Other Options
- --version
- Show the version and exit.
- -h, --help
- Show this message and exit.
WARNINGS
There is no way to retrieve the generated passphrases if the master passphrase, the SSH key, or the exact passphrase settings are lost, short of trying out all possible combinations. You are strongly advised to keep independent backups of the settings and the SSH key, if any.
The configuration is not encrypted, and you are strongly discouraged from using a stored passphrase.
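A check for the stored-passphrase warning above, as an added example that is not part of derivepassphrase or of this manual page: it scans exported settings for a stored master passphrase. The JSON layout (`global`, `services`, and a `phrase` key) is an assumption about the export format that this page does not document, and the function names and sample data are constructed for illustration.

```python
import json
import sys

# Assumed layout of an exported settings file (not documented on this page):
# {"global": {...}, "services": {"<SERVICE>": {...}}}, with a stored master
# passphrase appearing under the key "phrase".
STORED_SECRET_KEY = "phrase"


def find_stored_phrases(config):
    """Return the settings scopes that hold a stored master passphrase."""
    findings = []
    global_settings = config.get("global")
    if isinstance(global_settings, dict) and STORED_SECRET_KEY in global_settings:
        findings.append("global")
    services = config.get("services")
    if isinstance(services, dict):
        for name, settings in sorted(services.items()):
            if isinstance(settings, dict) and STORED_SECRET_KEY in settings:
                findings.append("service:" + name)
    return findings


def audit_export(text):
    """Parse export text; raise ValueError if it is not a JSON object."""
    config = json.loads(text)
    if not isinstance(config, dict):
        raise ValueError("settings export must be a JSON object")
    return find_stored_phrases(config)


# Constructed sample export, for illustration only.
SAMPLE_EXPORT = """
{"global": {"length": 20, "phrase": "constructed sample value"},
 "services": {"mail.example": {"symbol": 0},
              "bank.example": {"length": 30, "phrase": "another sample"}}}
"""

if __name__ == "__main__":
    # Read `derivepassphrase vault --export -` output from standard input;
    # fall back to the constructed sample when run interactively.
    text = SAMPLE_EXPORT if sys.stdin.isatty() else sys.stdin.read()
    hits = audit_export(text)
    for scope in hits:
        print("stored passphrase found in", scope)
    sys.exit(1 if hits else 0)
```

Piping the output of `derivepassphrase vault --export -` into the script (saved under any file name) exits non-zero when a stored passphrase is present, which makes it usable as a pre-backup check.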