derivepassphrase.git

1) # derivepassphrase
2) 
3) [![PyPI - Version](https://img.shields.io/pypi/v/derivepassphrase.svg)](https://pypi.org/project/derivepassphrase)
4) [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/derivepassphrase.svg)](https://pypi.org/project/derivepassphrase)
5) 

6) An almost faithful Python reimplementation of [James Coglan's `vault`][VAULT], a deterministic password manager/generator.
7) 
8) Using a master passphrase or a master SSH key, derive a passphrase for a given named service, subject to length, character and character repetition constraints.

9) 
10) The derivation is *strong*: derived passphrases have as much entropy as permitted by the master passphrase and the passphrase constraints (whichever is more restrictive), and even if multiple derived passphrases are compromised, the master passphrase remains cryptographically difficult to discern from these compromised passphrases.
11) The derivation is also *deterministic*, given the same inputs, thus the resulting passphrase need not be stored explicitly.
12) 
13) The service name and constraints themselves also need not be kept secret; the latter are usually stored in a world-readable file to ease repeated entry of passphrase constraints.

14) 

15) [VAULT]: https://www.npmjs.com/package/vault

16) 

17) -----

18) 
19) ## Installation
20) 

21) ### With `pip`
22) 

23) (If not inside a [virtual environment][VENV], use `pip install --user` instead of plain `pip install`.)
24) 

25) ```` shell-session

26) $ pip install derivepassphrase

27) ````

28) 

29) To use the `export` subcommand, install the `export` extra:
30) 
31) ```` shell-session
32) $ pip install "derivepassphrase[export]"
33) ````
34) 
35) [VENV]: https://docs.python.org/3/library/venv.html
36) 

37) ### Manually
38) 

39) `derivepassphrase` is a pure Python package, and may be easily installed manually by placing the respective files and the package's dependencies into Python's import path.

40) `derivepassphrase` requires Python 3.9 or higher as well as the [typing-extensions package][TYPING_EXTENSIONS] for its core functionality and programmatic interface, and [`click`][CLICK] 8.1 or higher for its command-line interface.

41) On Python 3.9 and 3.10 only, `derivepassphrase` additionally requires the [tomli package][TOMLI].

42) Using the `export vault` subcommand additionally requires the [cryptography package][CRYPTOGRAPHY], version 38.0 or newer.

43) 

44) `derivepassphrase` works just fine on PyPy.
45) 

46) [TYPING_EXTENSIONS]: https://pypi.org/project/typing-extensions/

47) [CLICK]: https://pypi.org/project/click/

48) [TOMLI]: https://pypi.org/project/tomli/

49) [CRYPTOGRAPHY]: https://pypi.org/project/cryptography/

50) 
51) ## Quick Usage
52) 

53) `derivepassphrase` is designed to principally support multiple passphrase derivation schemes, but currently only the "[vault][VAULT]" scheme is implemented.
54) 
55) Using the passphrase `This passphrase is for demonstration purposes only.` when prompted:
56) 

57) ```` shell-session

58) $ derivepassphrase vault -p --length 30 --upper 3 --lower 1 --number 2 --space 0 --symbol 0 my-email-account

59) Passphrase: 

60) JKeet7GeBpxysOgdCEJo6UzmP8A0Ih

61) ````

62) 
63) Some time later…
64) 

65) ```` shell-session

66) $ derivepassphrase vault -p --length 30 --upper 3 --lower 1 --number 2 --space 0 --symbol 0 my-email-account

67) Passphrase: 

68) JKeet7GeBpxysOgdCEJo6UzmP8A0Ih

69) ````

70) 

71) ### Storing settings
72) 
73) `derivepassphrase` can store the length and character constraint settings in its configuration file so that you do not have to re-enter them each time.
74) 
75) ```` shell-session
76) $ derivepassphrase vault --config --length 30 --upper 3 --lower 1 --number 2 --space 0 --symbol 0 my-email-account
77) $ derivepassphrase vault -p my-email-account
78) Passphrase: 
79) JKeet7GeBpxysOgdCEJo6UzmP8A0Ih
80) ````
81) 
82) ### SSH agent support
83) 
84) On UNIX-like systems with OpenSSH or PuTTY installed, you can use an Ed25519, Ed448 or RSA key from the agent instead of a master passphrase.
85) ([On Windows there are problems establishing communication channels with the agent.][#13])
86) 
87) ```` shell-session
88) $ derivepassphrase vault -k my-email-account
89) Suitable SSH keys:

90) [1] ssh-rsa ...feXycsvJZ2uaYRjMdZeJGNAnHLUGLkBscw5aI8=  test key without passphrase
91) [2] ssh-ed448 ...BQ72ZgtPMckdzabiz7JbM/b0JzcRzGLMsbwA=  test key without passphrase
92) [3] ssh-ed25519 ...gJIXw//Mkhv5MEwidwcakUGCekJD/vCEml2  test key without passphrase

93) Your selection? (1-3, leave empty to abort): 1
94) oXDGCvMhLWPQyCzYtaobOq2Wh9olYj
95) ````
96) 
97) `derivepassphrase` can store the SSH key selection in its configuration file so you do not have to re-select it each time.
98) This choice can be made either specifically for the service (in this case, `my-email-account`), or globally.
99) 
100) ```` shell-session
101) $ derivepassphrase vault --config -k  # global setting
102) Suitable SSH keys:

103) [1] ssh-rsa ...feXycsvJZ2uaYRjMdZeJGNAnHLUGLkBscw5aI8=  test key without passphrase
104) [2] ssh-ed448 ...BQ72ZgtPMckdzabiz7JbM/b0JzcRzGLMsbwA=  test key without passphrase
105) [3] ssh-ed25519 ...gJIXw//Mkhv5MEwidwcakUGCekJD/vCEml2  test key without passphrase

106) Your selection? (1-3, leave empty to abort): 1
107) $ derivepassphrase vault my-email-account
108) oXDGCvMhLWPQyCzYtaobOq2Wh9olYj
109) ````
110) 
111) [#13]: https://github.com/the-13th-letter/derivepassphrase/issues/13 "Issue 13: Support PuTTY/Pageant (and maybe OpenSSH/ssh-agent) on Windows"

112) 

113) ## License
114)