derivepassphrase.git

1) # Some ideas for future work
2) 
3) ## Subcommands
4) 
5) (In no particular order.)
6) 
7) ### Derivation schemes
8) 
9) * `spectre` (`master-password`): derive passphrases according to the "Master Password" scheme as used by the Spectre app. ([#2])
10) 
11) ### Other functionality
12) 
13) * `explore-permitted-special-characters`: generate new configurations starting from a base configuration until one of them passes the "special characters" constraints.
14) * `rotate`: generate a new configuration suitable for passphrase rotation, compatible with the base configuration's constraints.
15) * `service-plugins`: manage plugins that automate certain tasks, as outlined in the notes of the queried service.
16) 
17)     * `load-ssh-key`: if the service uses an SSH key, autoload the key from a well-known location into the SSH agent if it isn't already loaded.
18) 
19)         `vault`-specific.
20) 
21)     * `decrypt-notes`: decrypt OpenPGP-encrypted notes with GnuPG or Sequoia `sq`.
22) 
23)         Open questions:
24) 
25)         - Use an automatic, symmetric encryption key, or rely on the standard OpenPGP key store?  (Do *not* use the derived service passphrase for this: the quality may be arbitrarily bad due to the passphrase constaints, and the service itself could compromise that passphrase.)
26) 
27)     * `generate-otp`: if the service uses two-factor authentication and the configuration contains one-time password settings, call `oathtool` to obtain one or more OTPs.
28) 
29)         May require the `decrypt-notes` plugin first.
30) 
31)     * `manage-runit-services`: if the service contains `runit` service configuration, ensure the specified `runit` services are running concurrently, and stopped after signalling.
32) 
33)         Typical use case is a service only accessible via VPN or SSH proxy, where the VPN/proxy would run as a `runit` service.
34) 
35)         Open questions:
36) 
37)         - Interface with `inotifywait` to wait for SSH control socket?
38) 
39) [#2]: https://github.com/the-13th-letter/derivepassphrase/issues/2
40) 
41) ## Documentation

42) 
43) (Categorized as per [the diataxis framework][DIATAXIS], but otherwise in no particular order.)
44) 
45) 
46) [DIATAXIS]: https://diataxis.fr
47) 

48) ### Tutorials

49) 

50) * [Setting up `derivepassphrase` from scratch for three existing accounts, with a master passphrase](tutorials/basic-setup-passphrase.md)

51) * Setting up `derivepassphrase` from scratch for three existing accounts, with a new SSH key
52) 

53) ### How-tos

54) 
55) * How to set up `derivepassphrase` with an SSH key
56) * How to choose a good service name

57) * How to edit a saved `derivepassphrase vault` configuration correctly

58) * How to deal with "supported" and "unsupported" special characters
59) * How to deal with regular passphrase rotation/rollover

60) 

61) ### Reference

62) 

63) * `derivepassphrase-vault.json`(<b>5</b>)

64) 

65) ### Explanation

66) 
67) * Security aspects and other tradeoffs when using deterministic password generators
68) * Tradeoffs between a master passphrase and a master SSH key