derivepassphrase.git

docs/reference/derivepassphrase-vault.1       1) .Dd 2025-01-07

docs/reference/derivepassphrase-vault.1       2) .Dt DERIVEPASSPHRASE-VAULT 1
docs/reference/derivepassphrase-vault.1       3) .Os derivepassphrase 0.4.0
docs/reference/derivepassphrase-vault.1       4) .
docs/reference/derivepassphrase-vault.1       5) .Sh NAME
docs/reference/derivepassphrase-vault.1       6) .
docs/reference/derivepassphrase-vault.1       7) .Nm derivepassphrase-vault
docs/reference/derivepassphrase-vault.1       8) .Nd derive a passphrase using the vault derivation scheme
docs/reference/derivepassphrase-vault.1       9) .
docs/reference/derivepassphrase-vault.1      10) .Sh SYNOPSIS
docs/reference/derivepassphrase-vault.1      11) .
docs/reference/derivepassphrase-vault.1      12) .Bd -ragged
docs/reference/derivepassphrase-vault.1      13) .Nm derivepassphrase vault
docs/reference/derivepassphrase-vault.1      14) .Op Fl \-phrase | Fl \-key
docs/reference/derivepassphrase-vault.1      15) .Op Fl \-length Ar n
docs/reference/derivepassphrase-vault.1      16) .Op Fl \-repeat Ar n
docs/reference/derivepassphrase-vault.1      17) .Op Fl \-lower Ar n
docs/reference/derivepassphrase-vault.1      18) .Op Fl \-upper Ar n
docs/reference/derivepassphrase-vault.1      19) .Op Fl \-number Ar n
docs/reference/derivepassphrase-vault.1      20) .Op Fl \-space Ar n
docs/reference/derivepassphrase-vault.1      21) .Op Fl \-dash Ar n
docs/reference/derivepassphrase-vault.1      22) .Op Fl \-symbol Ar n
docs/reference/derivepassphrase-vault.1      23) .Ar SERVICE
docs/reference/derivepassphrase-vault.1      24) .
docs/reference/derivepassphrase-vault.1      25) .Nm derivepassphrase vault
docs/reference/derivepassphrase-vault.1      26) .Brq Fl \-phrase | \-key | No .\|.\|. | Fl \-symbol Ar n
docs/reference/derivepassphrase-vault.1      27) .No .\|.\|.
docs/reference/derivepassphrase-vault.1      28) .Fl \-config
docs/reference/derivepassphrase-vault.1      29) .Op Fl \-unset Ar setting No .\|.\|.
docs/reference/derivepassphrase-vault.1      30) .Op Fl \-overwrite\-existing | Fl \-merge\-existing
docs/reference/derivepassphrase-vault.1      31) .Op Ar SERVICE
docs/reference/derivepassphrase-vault.1      32) .
docs/reference/derivepassphrase-vault.1      33) .Nm derivepassphrase vault
docs/reference/derivepassphrase-vault.1      34) .Bro
docs/reference/derivepassphrase-vault.1      35) .Fl \-notes
docs/reference/derivepassphrase-vault.1      36) .Ar SERVICE
docs/reference/derivepassphrase-vault.1      37) |
docs/reference/derivepassphrase-vault.1      38) .Fl \-delete
docs/reference/derivepassphrase-vault.1      39) .Ar SERVICE
docs/reference/derivepassphrase-vault.1      40) |
docs/reference/derivepassphrase-vault.1      41) .Fl \-delete\-globals
docs/reference/derivepassphrase-vault.1      42) |
docs/reference/derivepassphrase-vault.1      43) .Fl \-clear
docs/reference/derivepassphrase-vault.1      44) .Brc
docs/reference/derivepassphrase-vault.1      45) .
docs/reference/derivepassphrase-vault.1      46) .Nm derivepassphrase vault
docs/reference/derivepassphrase-vault.1      47) .Op Fl \-export\-as Brq Li json | sh
docs/reference/derivepassphrase-vault.1      48) .Brq Fl \-import Ar PATH | Fl \-export Ar PATH
docs/reference/derivepassphrase-vault.1      49) .Ed
docs/reference/derivepassphrase-vault.1      50) .
docs/reference/derivepassphrase-vault.1      51) .Sh DESCRIPTION
docs/reference/derivepassphrase-vault.1      52) .

docs/reference/derivepassphrase-vault.1      53) Using a master passphrase, derive a passphrase for

docs/reference/derivepassphrase-vault.1      54) .Ar SERVICE ,
docs/reference/derivepassphrase-vault.1      55) subject to length, character and character repetition constraints, in a
docs/reference/derivepassphrase-vault.1      56) manner compatible with James Coglan's
docs/reference/derivepassphrase-vault.1      57) .Xr vault 1 .
docs/reference/derivepassphrase-vault.1      58) .Pp
docs/reference/derivepassphrase-vault.1      59) .

docs/reference/derivepassphrase-vault.1      60) The derivation is
docs/reference/derivepassphrase-vault.1      61) .Em strong :
docs/reference/derivepassphrase-vault.1      62) derived passphrases have as much entropy as permitted by the master
docs/reference/derivepassphrase-vault.1      63) passphrase and the passphrase constraints (whichever is more restrictive),
docs/reference/derivepassphrase-vault.1      64) and even if multiple derived passphrases are compromised, the master
docs/reference/derivepassphrase-vault.1      65) passphrase remains cryptographically difficult to discern from theses
docs/reference/derivepassphrase-vault.1      66) compromised passphrases.
docs/reference/derivepassphrase-vault.1      67) The derivation is also
docs/reference/derivepassphrase-vault.1      68) .Em deterministic ,
docs/reference/derivepassphrase-vault.1      69) given the same inputs, thus the resulting passphrase need not be stored
docs/reference/derivepassphrase-vault.1      70) explicitly.

docs/reference/derivepassphrase-vault.1      71) .Pp
docs/reference/derivepassphrase-vault.1      72) .
docs/reference/derivepassphrase-vault.1      73) The service name and constraints themselves also need not be kept secret;

docs/reference/derivepassphrase-vault.1      74) the latter are usually stored in a world-readable file to ease repeated
docs/reference/derivepassphrase-vault.1      75) entry of passphrase constraints.
docs/reference/derivepassphrase-vault.1      76) .Pp
docs/reference/derivepassphrase-vault.1      77) .
docs/reference/derivepassphrase-vault.1      78) In lieu of a master passphrase, a master
docs/reference/derivepassphrase-vault.1      79) .Tn SSH
docs/reference/derivepassphrase-vault.1      80) key can also be used if there is a reachable, running
docs/reference/derivepassphrase-vault.1      81) .Tn SSH
docs/reference/derivepassphrase-vault.1      82) agent currently holding this key and if the key type is supported.
docs/reference/derivepassphrase-vault.1      83) (See
docs/reference/derivepassphrase-vault.1      84) .Sx "SSH KEY SUITABILITY"
docs/reference/derivepassphrase-vault.1      85) and
docs/reference/derivepassphrase-vault.1      86) .Sx BUGS
docs/reference/derivepassphrase-vault.1      87) below.)
docs/reference/derivepassphrase-vault.1      88) This too is compatible with
docs/reference/derivepassphrase-vault.1      89) .Xr vault 1 .

docs/reference/derivepassphrase-vault.1      90) .
docs/reference/derivepassphrase-vault.1      91) .Sh OPTIONS
docs/reference/derivepassphrase-vault.1      92) .
docs/reference/derivepassphrase-vault.1      93) .Ss Passphrase generation
docs/reference/derivepassphrase-vault.1      94) .
docs/reference/derivepassphrase-vault.1      95) The passphrase generation options can be divided into
docs/reference/derivepassphrase-vault.1      96) .Dq passphrase source
docs/reference/derivepassphrase-vault.1      97) options
docs/reference/derivepassphrase-vault.1      98) .Fl ( \-phrase , \-key )
docs/reference/derivepassphrase-vault.1      99) and
docs/reference/derivepassphrase-vault.1     100) .Dq passphrase constraint
docs/reference/derivepassphrase-vault.1     101) options (all others).
docs/reference/derivepassphrase-vault.1     102) The passphrase source options are mutually exclusive \(em you may only
docs/reference/derivepassphrase-vault.1     103) specify one of them \(em while the passphrase constraint options may be
docs/reference/derivepassphrase-vault.1     104) combined in any way.
docs/reference/derivepassphrase-vault.1     105) The
docs/reference/derivepassphrase-vault.1     106) .Ar SERVICE
docs/reference/derivepassphrase-vault.1     107) is mandatory (see synopsis\~#1), unless the
docs/reference/derivepassphrase-vault.1     108) .Fl \-config
docs/reference/derivepassphrase-vault.1     109) option is specified (see synopsis\~#2).
docs/reference/derivepassphrase-vault.1     110) All character constraints refer to ASCII printable characters only (space
docs/reference/derivepassphrase-vault.1     111) .Pq Li U+0020
docs/reference/derivepassphrase-vault.1     112) to tilde
docs/reference/derivepassphrase-vault.1     113) .Pq Li U+007E ,
docs/reference/derivepassphrase-vault.1     114) excluding the grave accent
docs/reference/derivepassphrase-vault.1     115) .Pq Li U+0060 ) .
docs/reference/derivepassphrase-vault.1     116) .
docs/reference/derivepassphrase-vault.1     117) .Bl -tag -width ".Fl p , \-phrase"
docs/reference/derivepassphrase-vault.1     118) .
docs/reference/derivepassphrase-vault.1     119) .It Fl p , \-phrase
docs/reference/derivepassphrase-vault.1     120) Prompt for a passphrase.
docs/reference/derivepassphrase-vault.1     121) .Pp
docs/reference/derivepassphrase-vault.1     122) .
docs/reference/derivepassphrase-vault.1     123) See also
docs/reference/derivepassphrase-vault.1     124) .Sx Configuration
docs/reference/derivepassphrase-vault.1     125) for how this interacts with a stored passphrase or
docs/reference/derivepassphrase-vault.1     126) .Tn SSH
docs/reference/derivepassphrase-vault.1     127) key.
docs/reference/derivepassphrase-vault.1     128) .
docs/reference/derivepassphrase-vault.1     129) .It Fl k , \-key
docs/reference/derivepassphrase-vault.1     130) Select an SSH key.
docs/reference/derivepassphrase-vault.1     131) .Pp
docs/reference/derivepassphrase-vault.1     132) .
docs/reference/derivepassphrase-vault.1     133) An SSH agent such as OpenSSH's
docs/reference/derivepassphrase-vault.1     134) .Xr ssh-agent 1
docs/reference/derivepassphrase-vault.1     135) or PuTTY's
docs/reference/derivepassphrase-vault.1     136) .Xr pageant 1
docs/reference/derivepassphrase-vault.1     137) must be running and accessible, and have the desired key loaded.
docs/reference/derivepassphrase-vault.1     138) The SSH key must also be
docs/reference/derivepassphrase-vault.1     139) .Em suitable
docs/reference/derivepassphrase-vault.1     140) for this purpose; see
docs/reference/derivepassphrase-vault.1     141) .Sx SSH key suitability
docs/reference/derivepassphrase-vault.1     142) for details.
docs/reference/derivepassphrase-vault.1     143) .Pp
docs/reference/derivepassphrase-vault.1     144) .
docs/reference/derivepassphrase-vault.1     145) See also
docs/reference/derivepassphrase-vault.1     146) .Sx Configuration
docs/reference/derivepassphrase-vault.1     147) for how this interacts with a stored passphrase or
docs/reference/derivepassphrase-vault.1     148) .Tn SSH
docs/reference/derivepassphrase-vault.1     149) key.
docs/reference/derivepassphrase-vault.1     150) .
docs/reference/derivepassphrase-vault.1     151) .It Fl l Ar n , Fl \-length Ar n
docs/reference/derivepassphrase-vault.1     152) Force the passphrase to have the length
docs/reference/derivepassphrase-vault.1     153) .Ar n .
docs/reference/derivepassphrase-vault.1     154) Defaults to the length
docs/reference/derivepassphrase-vault.1     155) .Sy 20
docs/reference/derivepassphrase-vault.1     156) if not specified, or if explicitly specified as
docs/reference/derivepassphrase-vault.1     157) .Li 0 .
docs/reference/derivepassphrase-vault.1     158) .
docs/reference/derivepassphrase-vault.1     159) .It Fl r Ar n , Fl \-repeat Ar n
docs/reference/derivepassphrase-vault.1     160) Permit only runs of up to
docs/reference/derivepassphrase-vault.1     161) .Ar n
docs/reference/derivepassphrase-vault.1     162) consecutive occurrences of the same character.
docs/reference/derivepassphrase-vault.1     163) Alternatively, forbid immediate additional repetitions of length
docs/reference/derivepassphrase-vault.1     164) .Ar n
docs/reference/derivepassphrase-vault.1     165) (or more) for any character in the derived passphrase.
docs/reference/derivepassphrase-vault.1     166) Setting
docs/reference/derivepassphrase-vault.1     167) .Ar n No = Li 0
docs/reference/derivepassphrase-vault.1     168) disables repetition constraints, which is the default.
docs/reference/derivepassphrase-vault.1     169) .
docs/reference/derivepassphrase-vault.1     170) .It Fl \-lower Ar n
docs/reference/derivepassphrase-vault.1     171) Include at least
docs/reference/derivepassphrase-vault.1     172) .Ar n
docs/reference/derivepassphrase-vault.1     173) lowercase characters in the derived passphrase.
docs/reference/derivepassphrase-vault.1     174) Setting
docs/reference/derivepassphrase-vault.1     175) .Ar n No = Li 0
docs/reference/derivepassphrase-vault.1     176) forbids these characters entirely.
docs/reference/derivepassphrase-vault.1     177) The default is to not constain the occurrences in any manner.
docs/reference/derivepassphrase-vault.1     178) .
docs/reference/derivepassphrase-vault.1     179) .It Fl \-upper Ar n
docs/reference/derivepassphrase-vault.1     180) Include at least
docs/reference/derivepassphrase-vault.1     181) .Ar n
docs/reference/derivepassphrase-vault.1     182) uppercase characters in the derived passphrase.
docs/reference/derivepassphrase-vault.1     183) Setting
docs/reference/derivepassphrase-vault.1     184) .Ar n No = Li 0
docs/reference/derivepassphrase-vault.1     185) forbids these characters entirely.
docs/reference/derivepassphrase-vault.1     186) The default is to not constain the occurrences in any manner.
docs/reference/derivepassphrase-vault.1     187) .
docs/reference/derivepassphrase-vault.1     188) .It Fl \-number Ar n
docs/reference/derivepassphrase-vault.1     189) Include at least
docs/reference/derivepassphrase-vault.1     190) .Ar n
docs/reference/derivepassphrase-vault.1     191) digits in the derived passphrase.
docs/reference/derivepassphrase-vault.1     192) Setting
docs/reference/derivepassphrase-vault.1     193) .Ar n No = Li 0
docs/reference/derivepassphrase-vault.1     194) forbids these characters entirely.
docs/reference/derivepassphrase-vault.1     195) The default is to not constain the occurrences in any manner.
docs/reference/derivepassphrase-vault.1     196) .
docs/reference/derivepassphrase-vault.1     197) .It Fl \-space Ar n
docs/reference/derivepassphrase-vault.1     198) Include at least
docs/reference/derivepassphrase-vault.1     199) .Ar n
docs/reference/derivepassphrase-vault.1     200) spaces in the derived passphrase.
docs/reference/derivepassphrase-vault.1     201) Setting
docs/reference/derivepassphrase-vault.1     202) .Ar n No = Li 0
docs/reference/derivepassphrase-vault.1     203) forbids these characters entirely.
docs/reference/derivepassphrase-vault.1     204) The default is to not constain the occurrences in any manner.
docs/reference/derivepassphrase-vault.1     205) .
docs/reference/derivepassphrase-vault.1     206) .It Fl \-dash Ar n
docs/reference/derivepassphrase-vault.1     207) Include at least
docs/reference/derivepassphrase-vault.1     208) .Ar n
docs/reference/derivepassphrase-vault.1     209) .Dq dashes
docs/reference/derivepassphrase-vault.1     210) .Li ( \-
docs/reference/derivepassphrase-vault.1     211) or
docs/reference/derivepassphrase-vault.1     212) .Li _ )
docs/reference/derivepassphrase-vault.1     213) in the derived passphrase.
docs/reference/derivepassphrase-vault.1     214) Setting
docs/reference/derivepassphrase-vault.1     215) .Ar n No = Li 0
docs/reference/derivepassphrase-vault.1     216) forbids these characters entirely.
docs/reference/derivepassphrase-vault.1     217) The default is to not constain the occurrences in any manner.
docs/reference/derivepassphrase-vault.1     218) .
docs/reference/derivepassphrase-vault.1     219) .It Fl \-symbol Ar n
docs/reference/derivepassphrase-vault.1     220) Include at least
docs/reference/derivepassphrase-vault.1     221) .Ar n
docs/reference/derivepassphrase-vault.1     222) symbols (any of
docs/reference/derivepassphrase-vault.1     223) .Li !\[dq]#$%&\[aq]()*+,./:;<=>?@[\e]\(ha{|}\(ti\-_ )
docs/reference/derivepassphrase-vault.1     224) in the derived passphrase.
docs/reference/derivepassphrase-vault.1     225) Setting
docs/reference/derivepassphrase-vault.1     226) .Ar n No = Li 0
docs/reference/derivepassphrase-vault.1     227) forbids these characters entirely, and effectively also implies
docs/reference/derivepassphrase-vault.1     228) .Fl \-dash Li 0 .
docs/reference/derivepassphrase-vault.1     229) The default is to not constain the occurrences in any manner.
docs/reference/derivepassphrase-vault.1     230) .
docs/reference/derivepassphrase-vault.1     231) .El
docs/reference/derivepassphrase-vault.1     232) .
docs/reference/derivepassphrase-vault.1     233) .Ss Configuration
docs/reference/derivepassphrase-vault.1     234) .
docs/reference/derivepassphrase-vault.1     235) The configuration options directly modify the stored settings: default
docs/reference/derivepassphrase-vault.1     236) settings, known services, and service-specific settings.
docs/reference/derivepassphrase-vault.1     237) They are mutually exclusive; you may only specify one of them.
docs/reference/derivepassphrase-vault.1     238) The
docs/reference/derivepassphrase-vault.1     239) .Ar SERVICE
docs/reference/derivepassphrase-vault.1     240) is mandatory for
docs/reference/derivepassphrase-vault.1     241) .Fl \-notes
docs/reference/derivepassphrase-vault.1     242) and
docs/reference/derivepassphrase-vault.1     243) .Fl \-delete ,
docs/reference/derivepassphrase-vault.1     244) optional for
docs/reference/derivepassphrase-vault.1     245) .Fl \-config ,
docs/reference/derivepassphrase-vault.1     246) and forbidden for
docs/reference/derivepassphrase-vault.1     247) .Fl \-delete\-globals
docs/reference/derivepassphrase-vault.1     248) and
docs/reference/derivepassphrase-vault.1     249) .Fl \-clear
docs/reference/derivepassphrase-vault.1     250) (see synopsis\~#2 and synopsis\~#3).
docs/reference/derivepassphrase-vault.1     251) .
docs/reference/derivepassphrase-vault.1     252) .Bl -tag -width ".Fl p , \-phrase"
docs/reference/derivepassphrase-vault.1     253) .
docs/reference/derivepassphrase-vault.1     254) .It Fl n , \-notes
docs/reference/derivepassphrase-vault.1     255) Spawn an editor to edit notes for
docs/reference/derivepassphrase-vault.1     256) .Ar SERVICE .
docs/reference/derivepassphrase-vault.1     257) Use the
docs/reference/derivepassphrase-vault.1     258) .Ev VISUAL
docs/reference/derivepassphrase-vault.1     259) or
docs/reference/derivepassphrase-vault.1     260) .Ev EDITOR
docs/reference/derivepassphrase-vault.1     261) environment variables to configure the spawned editor.
docs/reference/derivepassphrase-vault.1     262) .
docs/reference/derivepassphrase-vault.1     263) .It Fl c , \-config
docs/reference/derivepassphrase-vault.1     264) Save the given settings for
docs/reference/derivepassphrase-vault.1     265) .Ar SERVICE
docs/reference/derivepassphrase-vault.1     266) (if given), or save the given settings as global default settings.
docs/reference/derivepassphrase-vault.1     267) .Pp
docs/reference/derivepassphrase-vault.1     268) .
docs/reference/derivepassphrase-vault.1     269) See the
docs/reference/derivepassphrase-vault.1     270) .Sx Passphrase generation
docs/reference/derivepassphrase-vault.1     271) and
docs/reference/derivepassphrase-vault.1     272) .Sx Compatibility and extension options
docs/reference/derivepassphrase-vault.1     273) sections for other options compatible with
docs/reference/derivepassphrase-vault.1     274) .Fl \-config .
docs/reference/derivepassphrase-vault.1     275) .Pp
docs/reference/derivepassphrase-vault.1     276) .
docs/reference/derivepassphrase-vault.1     277) .Bf -symbolic
docs/reference/derivepassphrase-vault.1     278) Do not use the
docs/reference/derivepassphrase-vault.1     279) .Fl \-phrase
docs/reference/derivepassphrase-vault.1     280) and
docs/reference/derivepassphrase-vault.1     281) .Fl \-config
docs/reference/derivepassphrase-vault.1     282) options together!
docs/reference/derivepassphrase-vault.1     283) The configuration file is assumed to not contain sensitive contents, and is
docs/reference/derivepassphrase-vault.1     284) not encrypted.
docs/reference/derivepassphrase-vault.1     285) .Ef
docs/reference/derivepassphrase-vault.1     286) .
docs/reference/derivepassphrase-vault.1     287) .It Fl x , \-delete
docs/reference/derivepassphrase-vault.1     288) Delete all stored settings for
docs/reference/derivepassphrase-vault.1     289) .Ar SERVICE .
docs/reference/derivepassphrase-vault.1     290) .
docs/reference/derivepassphrase-vault.1     291) .It Fl \-delete\-globals
docs/reference/derivepassphrase-vault.1     292) Delete all stored global default settings.
docs/reference/derivepassphrase-vault.1     293) .
docs/reference/derivepassphrase-vault.1     294) .It Fl X , \-clear
docs/reference/derivepassphrase-vault.1     295) Delete all stored settings.
docs/reference/derivepassphrase-vault.1     296) .
docs/reference/derivepassphrase-vault.1     297) .El
docs/reference/derivepassphrase-vault.1     298) .
docs/reference/derivepassphrase-vault.1     299) .Ss Storage management
docs/reference/derivepassphrase-vault.1     300) .
docs/reference/derivepassphrase-vault.1     301) The storage management options deal with importing and exporting the stored
docs/reference/derivepassphrase-vault.1     302) settings.
docs/reference/derivepassphrase-vault.1     303) They are mutually exclusive; you may only specify one of them.
docs/reference/derivepassphrase-vault.1     304) Using
docs/reference/derivepassphrase-vault.1     305) .Li \-
docs/reference/derivepassphrase-vault.1     306) as
docs/reference/derivepassphrase-vault.1     307) .Ar PATH
docs/reference/derivepassphrase-vault.1     308) for standard input/standard output is supported.
docs/reference/derivepassphrase-vault.1     309) .
docs/reference/derivepassphrase-vault.1     310) .Bl -tag -width ".Fl p , \-phrase"
docs/reference/derivepassphrase-vault.1     311) .
docs/reference/derivepassphrase-vault.1     312) .It Fl e Ar PATH , Fl \-export Ar PATH
docs/reference/derivepassphrase-vault.1     313) Export all saved settings into file
docs/reference/derivepassphrase-vault.1     314) .Ar PATH .
docs/reference/derivepassphrase-vault.1     315) .
docs/reference/derivepassphrase-vault.1     316) .It Fl i Ar PATH , Fl \-import Ar PATH
docs/reference/derivepassphrase-vault.1     317) Import saved settings from file
docs/reference/derivepassphrase-vault.1     318) .Ar PATH .
docs/reference/derivepassphrase-vault.1     319) .
docs/reference/derivepassphrase-vault.1     320) .El
docs/reference/derivepassphrase-vault.1     321) .
docs/reference/derivepassphrase-vault.1     322) .Ss Compatibility and extension options
docs/reference/derivepassphrase-vault.1     323) .
docs/reference/derivepassphrase-vault.1     324) By default,
docs/reference/derivepassphrase-vault.1     325) .Nm derivepassphrase vault
docs/reference/derivepassphrase-vault.1     326) behaves in a manner compatible with
docs/reference/derivepassphrase-vault.1     327) .Xr vault 1 .
docs/reference/derivepassphrase-vault.1     328) The compatibility and extension options modify the behavior to enable
docs/reference/derivepassphrase-vault.1     329) additional functionality, or specifically to force compatibility.
docs/reference/derivepassphrase-vault.1     330) .Pp
docs/reference/derivepassphrase-vault.1     331) .
docs/reference/derivepassphrase-vault.1     332) .Xr vault 1
docs/reference/derivepassphrase-vault.1     333) supports none of these options, and behaves as if the option had not been
docs/reference/derivepassphrase-vault.1     334) given or had been left in its default state.
docs/reference/derivepassphrase-vault.1     335) .
docs/reference/derivepassphrase-vault.1     336) .Bl -tag -width ".Fl p , \-phrase"
docs/reference/derivepassphrase-vault.1     337) .
docs/reference/derivepassphrase-vault.1     338) .It Fl \-overwrite\-existing No "" / "" Fl \-merge\-existing
docs/reference/derivepassphrase-vault.1     339) When importing a configuration via
docs/reference/derivepassphrase-vault.1     340) .Fl \-import ,
docs/reference/derivepassphrase-vault.1     341) or configuring the settings via
docs/reference/derivepassphrase-vault.1     342) .Fl \-config ,
docs/reference/derivepassphrase-vault.1     343) overwrite or merge
docs/reference/derivepassphrase-vault.1     344) .Em ( default )
docs/reference/derivepassphrase-vault.1     345) the existing configuration.
docs/reference/derivepassphrase-vault.1     346) .Pp
docs/reference/derivepassphrase-vault.1     347) .
docs/reference/derivepassphrase-vault.1     348) If overwriting the configuration, then the whole configuration
docs/reference/derivepassphrase-vault.1     349) .Pq for Fl \-import
docs/reference/derivepassphrase-vault.1     350) or the respective section
docs/reference/derivepassphrase-vault.1     351) .Pq service-specific or global, for Fl \-config ,
docs/reference/derivepassphrase-vault.1     352) will be written from scratch.
docs/reference/derivepassphrase-vault.1     353) If merging, then each section
docs/reference/derivepassphrase-vault.1     354) .Pq service-specific or global, for Fl \-import
docs/reference/derivepassphrase-vault.1     355) or each singular setting
docs/reference/derivepassphrase-vault.1     356) .Pq for Fl \-config
docs/reference/derivepassphrase-vault.1     357) will be overwritten, but other unaffected settings/sections will not.
docs/reference/derivepassphrase-vault.1     358) .Pp
docs/reference/derivepassphrase-vault.1     359) .
docs/reference/derivepassphrase-vault.1     360) .Xr ( vault 1
docs/reference/derivepassphrase-vault.1     361) behaves as if
docs/reference/derivepassphrase-vault.1     362) .Fl \-merge\-existing
docs/reference/derivepassphrase-vault.1     363) were always given.)
docs/reference/derivepassphrase-vault.1     364) .
docs/reference/derivepassphrase-vault.1     365) .It Fl \-unset Ar setting
docs/reference/derivepassphrase-vault.1     366) When configuring via
docs/reference/derivepassphrase-vault.1     367) .Fl \-config ,
docs/reference/derivepassphrase-vault.1     368) also unset the specified
docs/reference/derivepassphrase-vault.1     369) .Ar setting ,
docs/reference/derivepassphrase-vault.1     370) where
docs/reference/derivepassphrase-vault.1     371) .Ar setting
docs/reference/derivepassphrase-vault.1     372) is one of the passphrase generation settings
docs/reference/derivepassphrase-vault.1     373) .Pq Li phrase , key , lower , No .\|.\|. .
docs/reference/derivepassphrase-vault.1     374) May be specified multiple times.
docs/reference/derivepassphrase-vault.1     375) Must not overlap with any of the settings being set afterwards.
docs/reference/derivepassphrase-vault.1     376) .Pp
docs/reference/derivepassphrase-vault.1     377) .
docs/reference/derivepassphrase-vault.1     378) .Xr ( vault 1
docs/reference/derivepassphrase-vault.1     379) does not support this option.)
docs/reference/derivepassphrase-vault.1     380) .
docs/reference/derivepassphrase-vault.1     381) .It Fl \-export\-as Brq Li json | sh
docs/reference/derivepassphrase-vault.1     382) When exporting the configuration via
docs/reference/derivepassphrase-vault.1     383) .Fl \-export ,
docs/reference/derivepassphrase-vault.1     384) export as
docs/reference/derivepassphrase-vault.1     385) .Tn JSON
docs/reference/derivepassphrase-vault.1     386) (default) or as a shell script in
docs/reference/derivepassphrase-vault.1     387) .Xr sh 1
docs/reference/derivepassphrase-vault.1     388) format.
docs/reference/derivepassphrase-vault.1     389) .Pp
docs/reference/derivepassphrase-vault.1     390) .
docs/reference/derivepassphrase-vault.1     391) The
docs/reference/derivepassphrase-vault.1     392) .Tn JSON
docs/reference/derivepassphrase-vault.1     393) format is compatible with
docs/reference/derivepassphrase-vault.1     394) .Xr vault 1 .
docs/reference/derivepassphrase-vault.1     395) For the shell script format, see the
docs/reference/derivepassphrase-vault.1     396) .Sx SHELL SCRIPT EXPORT FORMAT
docs/reference/derivepassphrase-vault.1     397) section for details.
docs/reference/derivepassphrase-vault.1     398) .Pp
docs/reference/derivepassphrase-vault.1     399) .
docs/reference/derivepassphrase-vault.1     400) .Xr ( vault 1
docs/reference/derivepassphrase-vault.1     401) behaves as if
docs/reference/derivepassphrase-vault.1     402) .Fl \-export\-as Li json
docs/reference/derivepassphrase-vault.1     403) were always given.)
docs/reference/derivepassphrase-vault.1     404) .
docs/reference/derivepassphrase-vault.1     405) .El
docs/reference/derivepassphrase-vault.1     406) .
docs/reference/derivepassphrase-vault.1     407) .Ss Other options
docs/reference/derivepassphrase-vault.1     408) .
docs/reference/derivepassphrase-vault.1     409) .Bl -tag -width ".Fl p , \-phrase"
docs/reference/derivepassphrase-vault.1     410) .
docs/reference/derivepassphrase-vault.1     411) .It Fl \-version
docs/reference/derivepassphrase-vault.1     412) Show the version and exit.
docs/reference/derivepassphrase-vault.1     413) .
docs/reference/derivepassphrase-vault.1     414) .It Fl h , \-help
docs/reference/derivepassphrase-vault.1     415) Show a help message and exit.
docs/reference/derivepassphrase-vault.1     416) .
docs/reference/derivepassphrase-vault.1     417) .El
docs/reference/derivepassphrase-vault.1     418) .
docs/reference/derivepassphrase-vault.1     419) .Sh SHELL SCRIPT EXPORT FORMAT
docs/reference/derivepassphrase-vault.1     420) .
docs/reference/derivepassphrase-vault.1     421) If the shell script export format is selected, the configuration will be
docs/reference/derivepassphrase-vault.1     422) exported as a
docs/reference/derivepassphrase-vault.1     423) .Tn POSIX
docs/reference/derivepassphrase-vault.1     424) .Xr sh 1
docs/reference/derivepassphrase-vault.1     425) script, containing calls to
docs/reference/derivepassphrase-vault.1     426) .Nm derivepassphrase vault
docs/reference/derivepassphrase-vault.1     427) to reconstruct the current configuration from scratch.
docs/reference/derivepassphrase-vault.1     428) The script assumes a conforming
docs/reference/derivepassphrase-vault.1     429) .Xr sh 1 ,
docs/reference/derivepassphrase-vault.1     430) with support for
docs/reference/derivepassphrase-vault.1     431) .Dq here
docs/reference/derivepassphrase-vault.1     432) documents.
docs/reference/derivepassphrase-vault.1     433) .Pp
docs/reference/derivepassphrase-vault.1     434) .
docs/reference/derivepassphrase-vault.1     435) .Bf -symbolic
docs/reference/derivepassphrase-vault.1     436) Do not run these emitted shell scripts directly without double-checking
docs/reference/derivepassphrase-vault.1     437) their output first!
docs/reference/derivepassphrase-vault.1     438) .Ef
docs/reference/derivepassphrase-vault.1     439) .
docs/reference/derivepassphrase-vault.1     440) .Sh SSH KEY SUITABILITY
docs/reference/derivepassphrase-vault.1     441) .
docs/reference/derivepassphrase-vault.1     442) An
docs/reference/derivepassphrase-vault.1     443) .Tn SSH
docs/reference/derivepassphrase-vault.1     444) key is
docs/reference/derivepassphrase-vault.1     445) .Sy suitable
docs/reference/derivepassphrase-vault.1     446) for use with
docs/reference/derivepassphrase-vault.1     447) .Nm derivepassphrase vault
docs/reference/derivepassphrase-vault.1     448) if the
docs/reference/derivepassphrase-vault.1     449) .Tn SSH
docs/reference/derivepassphrase-vault.1     450) agent guarantees that signatures produced with this key will be
docs/reference/derivepassphrase-vault.1     451) .Em deterministic ,
docs/reference/derivepassphrase-vault.1     452) given the same message to be signed.
docs/reference/derivepassphrase-vault.1     453) This is a property specific to the key
docs/reference/derivepassphrase-vault.1     454) .Em type ,
docs/reference/derivepassphrase-vault.1     455) and sometimes the agent used:
docs/reference/derivepassphrase-vault.1     456) .
docs/reference/derivepassphrase-vault.1     457) .Bl -bullet
docs/reference/derivepassphrase-vault.1     458) .
docs/reference/derivepassphrase-vault.1     459) .It
docs/reference/derivepassphrase-vault.1     460) .Tn RSA ,
docs/reference/derivepassphrase-vault.1     461) Ed25519 and Ed448 keys are always suitable.
docs/reference/derivepassphrase-vault.1     462) .Tn OpenSSH Ns No 's
docs/reference/derivepassphrase-vault.1     463) .Xr ssh-agent 1
docs/reference/derivepassphrase-vault.1     464) supports only these keys as suitable keys.
docs/reference/derivepassphrase-vault.1     465) .
docs/reference/derivepassphrase-vault.1     466) .It
docs/reference/derivepassphrase-vault.1     467) .Tn DSA
docs/reference/derivepassphrase-vault.1     468) and
docs/reference/derivepassphrase-vault.1     469) .Tn ECDSA
docs/reference/derivepassphrase-vault.1     470) keys are suitable if the
docs/reference/derivepassphrase-vault.1     471) .Tn SSH
docs/reference/derivepassphrase-vault.1     472) agent supports deterministic
docs/reference/derivepassphrase-vault.1     473) .Tn DSA
docs/reference/derivepassphrase-vault.1     474) signatures, e.g. by implementing
docs/reference/derivepassphrase-vault.1     475) .Tn RFC 6979 .
docs/reference/derivepassphrase-vault.1     476) .Tn PuTTY Ns No 's
docs/reference/derivepassphrase-vault.1     477) .Xr pageant 1
docs/reference/derivepassphrase-vault.1     478) supports this, in addition to the always-suitable keys mentioned above.
docs/reference/derivepassphrase-vault.1     479) .
docs/reference/derivepassphrase-vault.1     480) .El
docs/reference/derivepassphrase-vault.1     481) .
docs/reference/derivepassphrase-vault.1     482) .Sh ENVIRONMENT
docs/reference/derivepassphrase-vault.1     483) .
docs/reference/derivepassphrase-vault.1     484) .Bl -tag -width ".Fl p , \-phrase"
docs/reference/derivepassphrase-vault.1     485) .
docs/reference/derivepassphrase-vault.1     486) .It Ev VISUAL , EDITOR
docs/reference/derivepassphrase-vault.1     487) .Nm derivepassphrase vault
docs/reference/derivepassphrase-vault.1     488) uses this editor to edit service notes when called with
docs/reference/derivepassphrase-vault.1     489) .Fl \-notes .
docs/reference/derivepassphrase-vault.1     490) .Ev VISUAL
docs/reference/derivepassphrase-vault.1     491) has higher precedence than
docs/reference/derivepassphrase-vault.1     492) .Ev EDITOR .
docs/reference/derivepassphrase-vault.1     493) .
docs/reference/derivepassphrase-vault.1     494) .It Ev DERIVEPASSPHRASE_PATH
docs/reference/derivepassphrase-vault.1     495) .Nm derivepassphrase
docs/reference/derivepassphrase-vault.1     496) stores its configuration files and data in this directory.
docs/reference/derivepassphrase-vault.1     497) Defaults to
docs/reference/derivepassphrase-vault.1     498) .Pa \(ti/.derivepassphrase .
docs/reference/derivepassphrase-vault.1     499) .
docs/reference/derivepassphrase-vault.1     500) .El
docs/reference/derivepassphrase-vault.1     501) .
docs/reference/derivepassphrase-vault.1     502) .Sh FILES
docs/reference/derivepassphrase-vault.1     503) .
docs/reference/derivepassphrase-vault.1     504) .Bl -tag -width ".Fl p , \-phrase"
docs/reference/derivepassphrase-vault.1     505) .
docs/reference/derivepassphrase-vault.1     506) .It Ev $DERIVEPASSPHRASE_PATH Ns Pa /vault.json
docs/reference/derivepassphrase-vault.1     507) The stored configuration for
docs/reference/derivepassphrase-vault.1     508) .Nm derivepassphrase vault :
docs/reference/derivepassphrase-vault.1     509) the default passphrase generation settings, the known service names, and the
docs/reference/derivepassphrase-vault.1     510) service-specific settings.
docs/reference/derivepassphrase-vault.1     511) This file is
docs/reference/derivepassphrase-vault.1     512) .Em not
docs/reference/derivepassphrase-vault.1     513) intended for the user to edit.
docs/reference/derivepassphrase-vault.1     514) .
docs/reference/derivepassphrase-vault.1     515) .El
docs/reference/derivepassphrase-vault.1     516) .
docs/reference/derivepassphrase-vault.1     517) .Sh SECURITY
docs/reference/derivepassphrase-vault.1     518) .
docs/reference/derivepassphrase-vault.1     519) .Bl -bullet
docs/reference/derivepassphrase-vault.1     520) .
docs/reference/derivepassphrase-vault.1     521) .It
docs/reference/derivepassphrase-vault.1     522) There is
docs/reference/derivepassphrase-vault.1     523) .Sy no way
docs/reference/derivepassphrase-vault.1     524) to retrieve the generated passphrases if the master passphrase, the SSH key,
docs/reference/derivepassphrase-vault.1     525) or the exact passphrase settings are lost, short of trying out all possible
docs/reference/derivepassphrase-vault.1     526) combinations.
docs/reference/derivepassphrase-vault.1     527) You are
docs/reference/derivepassphrase-vault.1     528) .Sy strongly
docs/reference/derivepassphrase-vault.1     529) advised to keep independent backups of the settings and the
docs/reference/derivepassphrase-vault.1     530) .Tn SSH
docs/reference/derivepassphrase-vault.1     531) key, if any.
docs/reference/derivepassphrase-vault.1     532) .
docs/reference/derivepassphrase-vault.1     533) .It
docs/reference/derivepassphrase-vault.1     534) The configuration is
docs/reference/derivepassphrase-vault.1     535) .Sy not
docs/reference/derivepassphrase-vault.1     536) encrypted, and you are
docs/reference/derivepassphrase-vault.1     537) .Sy strongly
docs/reference/derivepassphrase-vault.1     538) discouraged from using a stored passphrase.
docs/reference/derivepassphrase-vault.1     539) .
docs/reference/derivepassphrase-vault.1     540) .It
docs/reference/derivepassphrase-vault.1     541) You are
docs/reference/derivepassphrase-vault.1     542) .Sy strongly
docs/reference/derivepassphrase-vault.1     543) advised to avoid the
docs/reference/derivepassphrase-vault.1     544) .Pq shell script
docs/reference/derivepassphrase-vault.1     545) configuration export format if possible, and use the JSON format instead.
docs/reference/derivepassphrase-vault.1     546) If you
docs/reference/derivepassphrase-vault.1     547) .Em must
docs/reference/derivepassphrase-vault.1     548) use the shell script format, then
docs/reference/derivepassphrase-vault.1     549) .Sy always
docs/reference/derivepassphrase-vault.1     550) validate the export before attempting to interpret or run it.
docs/reference/derivepassphrase-vault.1     551) .
docs/reference/derivepassphrase-vault.1     552) .El
docs/reference/derivepassphrase-vault.1     553) .
docs/reference/derivepassphrase-vault.1     554) .Sh EXAMPLES
docs/reference/derivepassphrase-vault.1     555) .
docs/reference/derivepassphrase-vault.1     556) .Dl $ derivepassphrase vault \-\-phrase email
docs/reference/derivepassphrase-vault.1     557) .Pp
docs/reference/derivepassphrase-vault.1     558) Prompt for a master passphrase, then generate a standard passphrase
docs/reference/derivepassphrase-vault.1     559) .Pq length 20, no character or repetition constraints
docs/reference/derivepassphrase-vault.1     560) for the
docs/reference/derivepassphrase-vault.1     561) .Dq email
docs/reference/derivepassphrase-vault.1     562) service.
docs/reference/derivepassphrase-vault.1     563) .Pp
docs/reference/derivepassphrase-vault.1     564) .
docs/reference/derivepassphrase-vault.1     565) .Dl $ derivepassphrase vault \-\-key \-\-upper 9 \-\-lower 9 example.com
docs/reference/derivepassphrase-vault.1     566) .Pp
docs/reference/derivepassphrase-vault.1     567) .
docs/reference/derivepassphrase-vault.1     568) Select an
docs/reference/derivepassphrase-vault.1     569) .Tn SSH
docs/reference/derivepassphrase-vault.1     570) key from the available suitable
docs/reference/derivepassphrase-vault.1     571) .Tn SSH
docs/reference/derivepassphrase-vault.1     572) keys in the running
docs/reference/derivepassphrase-vault.1     573) .Tn SSH
docs/reference/derivepassphrase-vault.1     574) agent, then generate a passphrase for the
docs/reference/derivepassphrase-vault.1     575) .Li example.com
docs/reference/derivepassphrase-vault.1     576) service using the previously selected
docs/reference/derivepassphrase-vault.1     577) .Tn SSH
docs/reference/derivepassphrase-vault.1     578) key.
docs/reference/derivepassphrase-vault.1     579) The passphrase will have (standard) length 20, and at least nine characters
docs/reference/derivepassphrase-vault.1     580) will be uppercase characters and at least another nine characters will be
docs/reference/derivepassphrase-vault.1     581) lowercase characters.
docs/reference/derivepassphrase-vault.1     582) .Pp
docs/reference/derivepassphrase-vault.1     583) .
docs/reference/derivepassphrase-vault.1     584) .Dl $ derivepassphrase vault \-\-key \-\-upper 9 \-\-lower 9 \-\-number 9 example.com
docs/reference/derivepassphrase-vault.1     585) .Pp
docs/reference/derivepassphrase-vault.1     586) .
docs/reference/derivepassphrase-vault.1     587) Attempt to generate a passphrase as in the previous example.
docs/reference/derivepassphrase-vault.1     588) .Em This
docs/reference/derivepassphrase-vault.1     589) example will error out, because the passphrase constraints require at least
docs/reference/derivepassphrase-vault.1     590) 27 characters and the standard passphrase length 20 cannot accomodate this.
docs/reference/derivepassphrase-vault.1     591) .Pp
docs/reference/derivepassphrase-vault.1     592) .
docs/reference/derivepassphrase-vault.1     593) .Dl $ derivepassphrase vault \-\-key \-\-upper 9 \-\-lower 9 \-\-space 2 \-\-config
docs/reference/derivepassphrase-vault.1     594) .Pp
docs/reference/derivepassphrase-vault.1     595) .
docs/reference/derivepassphrase-vault.1     596) After selecting an
docs/reference/derivepassphrase-vault.1     597) .Tn SSH
docs/reference/derivepassphrase-vault.1     598) key, configure the default settings to use exactly nine uppercase characters,
docs/reference/derivepassphrase-vault.1     599) nine lowercase characters, and two spaces for each generated passphrase.
docs/reference/derivepassphrase-vault.1     600) (The specific service settings, or the command-line invocation, can still
docs/reference/derivepassphrase-vault.1     601) override these settings.)
docs/reference/derivepassphrase-vault.1     602) .Pp
docs/reference/derivepassphrase-vault.1     603) .
docs/reference/derivepassphrase-vault.1     604) .Dl $ derivepassphrase vault example.com
docs/reference/derivepassphrase-vault.1     605) .Pp
docs/reference/derivepassphrase-vault.1     606) .
docs/reference/derivepassphrase-vault.1     607) Because of the previous setting, the generated passphrase for the
docs/reference/derivepassphrase-vault.1     608) .Li example.com
docs/reference/derivepassphrase-vault.1     609) service will behave as if
docs/reference/derivepassphrase-vault.1     610) .Fl \-key \-upper Li 9 Fl \-lower Li 9 Fl \-space Li 2
docs/reference/derivepassphrase-vault.1     611) had been specified during invocation (with the
docs/reference/derivepassphrase-vault.1     612) .Tn SSH
docs/reference/derivepassphrase-vault.1     613) key already having been selected).
docs/reference/derivepassphrase-vault.1     614) In particular, it is neither necessary to specify
docs/reference/derivepassphrase-vault.1     615) .Fl \-phrase No or Fl \-key
docs/reference/derivepassphrase-vault.1     616) nor is it necessary to actually select an
docs/reference/derivepassphrase-vault.1     617) .Tn SSH
docs/reference/derivepassphrase-vault.1     618) key or to type in a master passphrase.
docs/reference/derivepassphrase-vault.1     619) .
docs/reference/derivepassphrase-vault.1     620) .Sh DIAGNOSTICS
docs/reference/derivepassphrase-vault.1     621) .
docs/reference/derivepassphrase-vault.1     622) .Ex -std "derivepassphrase vault"

docs/reference/derivepassphrase-vault.1     623) .Pp
docs/reference/derivepassphrase-vault.1     624) .
docs/reference/derivepassphrase-vault.1     625) .Ss Fatal error messages on standard error
docs/reference/derivepassphrase-vault.1     626) .
docs/reference/derivepassphrase-vault.1     627) .Pq Li %s Ns No " indicates a variable part of the message."
docs/reference/derivepassphrase-vault.1     628) .
docs/reference/derivepassphrase-vault.1     629) .Bl -diag
docs/reference/derivepassphrase-vault.1     630) .
docs/reference/derivepassphrase-vault.1     631) .It %s is mutually exclusive with %s.
docs/reference/derivepassphrase-vault.1     632) The two indicated options must not be used at the same time.
docs/reference/derivepassphrase-vault.1     633) .
docs/reference/derivepassphrase-vault.1     634) .It %s requires a SERVICE or \-\-config.
docs/reference/derivepassphrase-vault.1     635) Using the indicated passphrase generation option requires the
docs/reference/derivepassphrase-vault.1     636) .Ar SERVICE
docs/reference/derivepassphrase-vault.1     637) argument or the
docs/reference/derivepassphrase-vault.1     638) .Fl \-config
docs/reference/derivepassphrase-vault.1     639) option.
docs/reference/derivepassphrase-vault.1     640) .
docs/reference/derivepassphrase-vault.1     641) .It %s requires a SERVICE.
docs/reference/derivepassphrase-vault.1     642) Using the indicated option requires the
docs/reference/derivepassphrase-vault.1     643) .Ar SERVICE
docs/reference/derivepassphrase-vault.1     644) argument.
docs/reference/derivepassphrase-vault.1     645) .
docs/reference/derivepassphrase-vault.1     646) .It %s does not take a SERVICE argument.
docs/reference/derivepassphrase-vault.1     647) The indicated option must not be specified together with the
docs/reference/derivepassphrase-vault.1     648) .Ar SERVICE
docs/reference/derivepassphrase-vault.1     649) argument.
docs/reference/derivepassphrase-vault.1     650) .
docs/reference/derivepassphrase-vault.1     651) .It Cannot load vault settings: %s.
docs/reference/derivepassphrase-vault.1     652) There was a fatal problem loading the stored vault configuration data.
docs/reference/derivepassphrase-vault.1     653) Further details are contained in the variable part of the message.
docs/reference/derivepassphrase-vault.1     654) .
docs/reference/derivepassphrase-vault.1     655) .It Cannot store vault settings: %s.
docs/reference/derivepassphrase-vault.1     656) There was a fatal problem saving the vault configuration data.
docs/reference/derivepassphrase-vault.1     657) Further details are contained in the variable part of the message.
docs/reference/derivepassphrase-vault.1     658) .
docs/reference/derivepassphrase-vault.1     659) .It Cannot import vault settings: %s.
docs/reference/derivepassphrase-vault.1     660) There was a fatal problem loading the imported vault configuration data.
docs/reference/derivepassphrase-vault.1     661) Further details are contained in the variable part of the message.
docs/reference/derivepassphrase-vault.1     662) .
docs/reference/derivepassphrase-vault.1     663) .It Cannot export vault settings: %s.
docs/reference/derivepassphrase-vault.1     664) There was a fatal problem saving the exported vault configuration data.
docs/reference/derivepassphrase-vault.1     665) Further details are contained in the variable part of the message.
docs/reference/derivepassphrase-vault.1     666) .
docs/reference/derivepassphrase-vault.1     667) .It Cannot load user config: %s.
docs/reference/derivepassphrase-vault.1     668) There was a fatal problem loading the central user configuration file.
docs/reference/derivepassphrase-vault.1     669) Further details are contained in the variable part of the message.
docs/reference/derivepassphrase-vault.1     670) .
docs/reference/derivepassphrase-vault.1     671) .It The user configuration file is invalid.
docs/reference/derivepassphrase-vault.1     672) (Exactly what it says.)
docs/reference/derivepassphrase-vault.1     673) .
docs/reference/derivepassphrase-vault.1     674) .It No usable SSH keys were found
docs/reference/derivepassphrase-vault.1     675) The running SSH agent does not contain any suitable SSH keys.
docs/reference/derivepassphrase-vault.1     676) .
docs/reference/derivepassphrase-vault.1     677) .It No valid SSH key selected
docs/reference/derivepassphrase-vault.1     678) We requested that an SSH key be selected, but we got an invalid selection.
docs/reference/derivepassphrase-vault.1     679) .
docs/reference/derivepassphrase-vault.1     680) .It The requested SSH key is not loaded into the agent.
docs/reference/derivepassphrase-vault.1     681) The running SSH agent does not contain the necessary SSH key.
docs/reference/derivepassphrase-vault.1     682) .
docs/reference/derivepassphrase-vault.1     683) .It Cannot find any running SSH agent because SSH_AUTH_SOCK is not set.
docs/reference/derivepassphrase-vault.1     684) We require a running SSH agent, but cannot locate its communication channel,
docs/reference/derivepassphrase-vault.1     685) which is normally indicated by the
docs/reference/derivepassphrase-vault.1     686) .Ev SSH_AUTH_SOCK
docs/reference/derivepassphrase-vault.1     687) environment variable.
docs/reference/derivepassphrase-vault.1     688) .
docs/reference/derivepassphrase-vault.1     689) .It Cannot connect to an SSH agent because this Python version does not support UNIX domain sockets.
docs/reference/derivepassphrase-vault.1     690) This Python installation does not support the communication mechanism
docs/reference/derivepassphrase-vault.1     691) necessary to talk to SSH agents.
docs/reference/derivepassphrase-vault.1     692) .
docs/reference/derivepassphrase-vault.1     693) .It Cannot connect to the SSH agent: %s.
docs/reference/derivepassphrase-vault.1     694) We cannot connect to the SSH agent indicated by the
docs/reference/derivepassphrase-vault.1     695) .Ev SSH_AUTH_SOCK
docs/reference/derivepassphrase-vault.1     696) environment variable.
docs/reference/derivepassphrase-vault.1     697) Further details are contained in the variable part of the message.
docs/reference/derivepassphrase-vault.1     698) .

docs/reference/derivepassphrase-vault.1     699) .It The SSH agent failed to or refused to supply a list of loaded keys.
docs/reference/derivepassphrase-vault.1     700) The SSH agent \(em while responsive in principle \(em did not fulfill the
docs/reference/derivepassphrase-vault.1     701) request.
docs/reference/derivepassphrase-vault.1     702) .
docs/reference/derivepassphrase-vault.1     703) .It "The SSH agent failed to or refused to" "issue a signature with the selected key," "necessary for deriving a service passphrase."
docs/reference/derivepassphrase-vault.1     704) The SSH agent \(em while responsive in principle \(em failed to cooperate with
docs/reference/derivepassphrase-vault.1     705) deriving a service passphrase from the selected master
docs/reference/derivepassphrase-vault.1     706) .Tn SSH
docs/reference/derivepassphrase-vault.1     707) key.
docs/reference/derivepassphrase-vault.1     708) .
docs/reference/derivepassphrase-vault.1     709) .It The SSH agent contains no keys suitable for derivepassphrase.
docs/reference/derivepassphrase-vault.1     710) .
docs/reference/derivepassphrase-vault.1     711) None of the keys loaded into the
docs/reference/derivepassphrase-vault.1     712) .Tn SSH
docs/reference/derivepassphrase-vault.1     713) agent (if any) are suitable for use with
docs/reference/derivepassphrase-vault.1     714) .Nm derivepassphrase vault .
docs/reference/derivepassphrase-vault.1     715) See the
docs/reference/derivepassphrase-vault.1     716) .Sx "SSH KEY SUITABILITY"
docs/reference/derivepassphrase-vault.1     717) section for the requirements the
docs/reference/derivepassphrase-vault.1     718) .Tn SSH
docs/reference/derivepassphrase-vault.1     719) key and the
docs/reference/derivepassphrase-vault.1     720) .Tn SSH
docs/reference/derivepassphrase-vault.1     721) agent must fulfill to be suitable.

docs/reference/derivepassphrase-vault.1     722) .
docs/reference/derivepassphrase-vault.1     723) .It Error communicating with the SSH agent
docs/reference/derivepassphrase-vault.1     724) There was a system error communicating with the SSH agent.
docs/reference/derivepassphrase-vault.1     725) .

docs/reference/derivepassphrase-vault.1     726) .It Cannot understand the SSH agent's response because it violates the communication protocol.
docs/reference/derivepassphrase-vault.1     727) .
docs/reference/derivepassphrase-vault.1     728) (Exactly what it says.)
docs/reference/derivepassphrase-vault.1     729) .

docs/reference/derivepassphrase-vault.1     730) .It Not saving any new notes: the user aborted the request.
docs/reference/derivepassphrase-vault.1     731) (Exactly what it says.)
docs/reference/derivepassphrase-vault.1     732) .

docs/reference/man/derivepassphrase-vault.1 733) .It Cannot update the %s settings without actual settings.

docs/reference/derivepassphrase-vault.1     734) Using
docs/reference/derivepassphrase-vault.1     735) .Fl \-config
docs/reference/derivepassphrase-vault.1     736) requires at least one of the
docs/reference/derivepassphrase-vault.1     737) .Fl \-phrase , \-key , \-length , No etc.\&
docs/reference/derivepassphrase-vault.1     738) options.
docs/reference/derivepassphrase-vault.1     739) .
docs/reference/derivepassphrase-vault.1     740) .It Attempted to unset and set %s at the same time.
docs/reference/derivepassphrase-vault.1     741) While handling
docs/reference/derivepassphrase-vault.1     742) .Fl \-config ,
docs/reference/derivepassphrase-vault.1     743) the same configuration setting was passed as an option and as an argument to
docs/reference/derivepassphrase-vault.1     744) .Fl \-unset .
docs/reference/derivepassphrase-vault.1     745) .
docs/reference/derivepassphrase-vault.1     746) .It Generating a passphrase requires a SERVICE.
docs/reference/derivepassphrase-vault.1     747) (Exactly what it says.)
docs/reference/derivepassphrase-vault.1     748) .
docs/reference/derivepassphrase-vault.1     749) .It No passphrase or key was given in the configuration.
docs/reference/derivepassphrase-vault.1     750) .Nm derivepassphrase vault
docs/reference/derivepassphrase-vault.1     751) does not know whether to use a master SSH key or a master passphrase.
docs/reference/derivepassphrase-vault.1     752) .
docs/reference/derivepassphrase-vault.1     753) .It No passphrase was given: the user aborted the request.
docs/reference/derivepassphrase-vault.1     754) (Exactly what it says.)
docs/reference/derivepassphrase-vault.1     755) .
docs/reference/derivepassphrase-vault.1     756) .It No SSH key was selected: the user aborted the request.
docs/reference/derivepassphrase-vault.1     757) (Exactly what it says.)
docs/reference/derivepassphrase-vault.1     758) .
docs/reference/derivepassphrase-vault.1     759) .El
docs/reference/derivepassphrase-vault.1     760) .Pp
docs/reference/derivepassphrase-vault.1     761) .
docs/reference/derivepassphrase-vault.1     762) .Ss Non-fatal warning and info messages on standard error
docs/reference/derivepassphrase-vault.1     763) .
docs/reference/derivepassphrase-vault.1     764) .Pq Li %s Ns No " indicates a variable part of the message."
docs/reference/derivepassphrase-vault.1     765) .
docs/reference/derivepassphrase-vault.1     766) .Bl -diag
docs/reference/derivepassphrase-vault.1     767) .
docs/reference/derivepassphrase-vault.1     768) .It The %s passphrase is not %s-normalized.
docs/reference/derivepassphrase-vault.1     769) The indicated passphrase \(em as a Unicode string \(em is not properly
docs/reference/derivepassphrase-vault.1     770) normalized according to the preferred Unicode normalization form
docs/reference/derivepassphrase-vault.1     771) .Pq as specified in the central configuration file .
docs/reference/derivepassphrase-vault.1     772) It is therefore possible that the passphrase \(em as a byte string \(em is
docs/reference/derivepassphrase-vault.1     773) not the same byte string as you expect it to be
docs/reference/derivepassphrase-vault.1     774) .Pq even though it Em looks No correct ,
docs/reference/derivepassphrase-vault.1     775) and that the derived passphrases thus do not match their expected values
docs/reference/derivepassphrase-vault.1     776) either.
docs/reference/derivepassphrase-vault.1     777) Please double-check.
docs/reference/derivepassphrase-vault.1     778) .
docs/reference/derivepassphrase-vault.1     779) .It An empty SERVICE is not supported by vault(1).
docs/reference/derivepassphrase-vault.1     780) .Xr vault 1
docs/reference/derivepassphrase-vault.1     781) does not support the empty string as a value for
docs/reference/derivepassphrase-vault.1     782) .Ar SERVICE ;
docs/reference/derivepassphrase-vault.1     783) it will treat the
docs/reference/derivepassphrase-vault.1     784) .Ar SERVICE
docs/reference/derivepassphrase-vault.1     785) as missing.
docs/reference/derivepassphrase-vault.1     786) For compatibility,
docs/reference/derivepassphrase-vault.1     787) .Nm derivepassphrase vault
docs/reference/derivepassphrase-vault.1     788) will do the same.
docs/reference/derivepassphrase-vault.1     789) In particular, if the empty service is imported in a configuration via
docs/reference/derivepassphrase-vault.1     790) .Fl \-import ,
docs/reference/derivepassphrase-vault.1     791) then this service cannot be accessed via the
docs/reference/derivepassphrase-vault.1     792) .Nm derivepassphrase vault
docs/reference/derivepassphrase-vault.1     793) command-line.
docs/reference/derivepassphrase-vault.1     794) .
docs/reference/derivepassphrase-vault.1     795) .It Replacing invalid value %s for key %s with %s.
docs/reference/derivepassphrase-vault.1     796) When importing a configuration, the indicated invalid value has been
docs/reference/derivepassphrase-vault.1     797) replaced with the indicated replacement value.
docs/reference/derivepassphrase-vault.1     798) .Pq The Do interpretation Dc of the configuration doesn't change .
docs/reference/derivepassphrase-vault.1     799) .
docs/reference/derivepassphrase-vault.1     800) .It Removing ineffective setting %s = %s.
docs/reference/derivepassphrase-vault.1     801) When importing a configuration, the indicated ineffective setting has been
docs/reference/derivepassphrase-vault.1     802) removed.
docs/reference/derivepassphrase-vault.1     803) .Pq The Do interpretation Dc of the configuration doesn't change .
docs/reference/derivepassphrase-vault.1     804) .

docs/reference/derivepassphrase-vault.1     805) .It "The service name %s" "contains an ASCII control character," "which is not supported" "by our shell completion code."
docs/reference/derivepassphrase-vault.1     806) Because of limitations in the shell completion code, this specific service name
docs/reference/derivepassphrase-vault.1     807) will not be available as a suggestion in tab completion.
docs/reference/derivepassphrase-vault.1     808) .Po
docs/reference/derivepassphrase-vault.1     809) This
docs/reference/derivepassphrase-vault.1     810) .Em only
docs/reference/derivepassphrase-vault.1     811) affects tab completion, not other functionality.
docs/reference/derivepassphrase-vault.1     812) .Pc
docs/reference/derivepassphrase-vault.1     813) .

docs/reference/derivepassphrase-vault.1     814) .It Setting a %s passphrase is ineffective because a key is also set.
docs/reference/derivepassphrase-vault.1     815) The configuration (global or key-specific) contains both a stored master
docs/reference/derivepassphrase-vault.1     816) passphrase and an SSH key.
docs/reference/derivepassphrase-vault.1     817) The master passphrase will not take effect.
docs/reference/derivepassphrase-vault.1     818) .
docs/reference/derivepassphrase-vault.1     819) .It A subcommand will be required in v1.0.
docs/reference/derivepassphrase-vault.1     820) .Bo
docs/reference/derivepassphrase-vault.1     821) Since v0.2.0, until v1.0.
docs/reference/derivepassphrase-vault.1     822) .Bc
docs/reference/derivepassphrase-vault.1     823) This command now requires a subcommand.
docs/reference/derivepassphrase-vault.1     824) For compatibility, it currently defaults to
docs/reference/derivepassphrase-vault.1     825) .Dq vault .
docs/reference/derivepassphrase-vault.1     826) .
docs/reference/derivepassphrase-vault.1     827) .It Using deprecated v0.1-style config file %s, instead of v0.2-style %s.
docs/reference/derivepassphrase-vault.1     828) .Bo
docs/reference/derivepassphrase-vault.1     829) Since v0.2.0, until v1.0.
docs/reference/derivepassphrase-vault.1     830) .Bc
docs/reference/derivepassphrase-vault.1     831) A configuration file has been renamed.
docs/reference/derivepassphrase-vault.1     832) .Nm derivepassphrase vault
docs/reference/derivepassphrase-vault.1     833) will attempt to rename the file itself
docs/reference/derivepassphrase-vault.1     834) .Pq Qq Li Successfully migrated to %s. ,
docs/reference/derivepassphrase-vault.1     835) or complain if it cannot rename it
docs/reference/derivepassphrase-vault.1     836) .Pq Qq Li Failed to migrate to %s: %s .
docs/reference/derivepassphrase-vault.1     837) .
docs/reference/derivepassphrase-vault.1     838) .El