derivepassphrase.git

1) .Dd 2025-01-07

2) .Dt DERIVEPASSPHRASE-VAULT 1
3) .Os derivepassphrase 0.4.0
4) .
5) .Sh NAME
6) .
7) .Nm derivepassphrase-vault
8) .Nd derive a passphrase using the vault derivation scheme
9) .
10) .Sh SYNOPSIS
11) .
12) .Bd -ragged
13) .Nm derivepassphrase vault
14) .Op Fl \-phrase | Fl \-key
15) .Op Fl \-length Ar n
16) .Op Fl \-repeat Ar n
17) .Op Fl \-lower Ar n
18) .Op Fl \-upper Ar n
19) .Op Fl \-number Ar n
20) .Op Fl \-space Ar n
21) .Op Fl \-dash Ar n
22) .Op Fl \-symbol Ar n
23) .Ar SERVICE
24) .
25) .Nm derivepassphrase vault
26) .Brq Fl \-phrase | \-key | No .\|.\|. | Fl \-symbol Ar n
27) .No .\|.\|.
28) .Fl \-config
29) .Op Fl \-unset Ar setting No .\|.\|.
30) .Op Fl \-overwrite\-existing | Fl \-merge\-existing
31) .Op Ar SERVICE
32) .
33) .Nm derivepassphrase vault
34) .Bro
35) .Fl \-notes
36) .Ar SERVICE
37) |
38) .Fl \-delete
39) .Ar SERVICE
40) |
41) .Fl \-delete\-globals
42) |
43) .Fl \-clear
44) .Brc
45) .
46) .Nm derivepassphrase vault
47) .Op Fl \-export\-as Brq Li json | sh
48) .Brq Fl \-import Ar PATH | Fl \-export Ar PATH
49) .Ed
50) .
51) .Sh DESCRIPTION
52) .

53) Using a master passphrase, derive a passphrase for

54) .Ar SERVICE ,
55) subject to length, character and character repetition constraints, in a
56) manner compatible with James Coglan's
57) .Xr vault 1 .
58) .Pp
59) .

60) The derivation is
61) .Em strong :
62) derived passphrases have as much entropy as permitted by the master
63) passphrase and the passphrase constraints (whichever is more restrictive),
64) and even if multiple derived passphrases are compromised, the master
65) passphrase remains cryptographically difficult to discern from theses
66) compromised passphrases.
67) The derivation is also
68) .Em deterministic ,
69) given the same inputs, thus the resulting passphrase need not be stored
70) explicitly.

71) .Pp
72) .
73) The service name and constraints themselves also need not be kept secret;

74) the latter are usually stored in a world-readable file to ease repeated
75) entry of passphrase constraints.
76) .Pp
77) .
78) In lieu of a master passphrase, a master
79) .Tn SSH
80) key can also be used if there is a reachable, running
81) .Tn SSH
82) agent currently holding this key and if the key type is supported.
83) (See
84) .Sx "SSH KEY SUITABILITY"
85) and
86) .Sx BUGS
87) below.)
88) This too is compatible with
89) .Xr vault 1 .

90) .
91) .Sh OPTIONS
92) .
93) .Ss Passphrase generation
94) .
95) The passphrase generation options can be divided into
96) .Dq passphrase source
97) options
98) .Fl ( \-phrase , \-key )
99) and
100) .Dq passphrase constraint
101) options (all others).
102) The passphrase source options are mutually exclusive \(em you may only
103) specify one of them \(em while the passphrase constraint options may be
104) combined in any way.
105) The
106) .Ar SERVICE
107) is mandatory (see synopsis\~#1), unless the
108) .Fl \-config
109) option is specified (see synopsis\~#2).
110) All character constraints refer to ASCII printable characters only (space
111) .Pq Li U+0020
112) to tilde
113) .Pq Li U+007E ,
114) excluding the grave accent
115) .Pq Li U+0060 ) .
116) .
117) .Bl -tag -width ".Fl p , \-phrase"
118) .
119) .It Fl p , \-phrase
120) Prompt for a passphrase.
121) .Pp
122) .
123) See also
124) .Sx Configuration
125) for how this interacts with a stored passphrase or
126) .Tn SSH
127) key.
128) .
129) .It Fl k , \-key
130) Select an SSH key.
131) .Pp
132) .
133) An SSH agent such as OpenSSH's
134) .Xr ssh-agent 1
135) or PuTTY's
136) .Xr pageant 1
137) must be running and accessible, and have the desired key loaded.
138) The SSH key must also be
139) .Em suitable
140) for this purpose; see
141) .Sx SSH key suitability
142) for details.
143) .Pp
144) .
145) See also
146) .Sx Configuration
147) for how this interacts with a stored passphrase or
148) .Tn SSH
149) key.
150) .
151) .It Fl l Ar n , Fl \-length Ar n
152) Force the passphrase to have the length
153) .Ar n .
154) Defaults to the length
155) .Sy 20
156) if not specified, or if explicitly specified as
157) .Li 0 .
158) .
159) .It Fl r Ar n , Fl \-repeat Ar n
160) Permit only runs of up to
161) .Ar n
162) consecutive occurrences of the same character.
163) Alternatively, forbid immediate additional repetitions of length
164) .Ar n
165) (or more) for any character in the derived passphrase.
166) Setting
167) .Ar n No = Li 0
168) disables repetition constraints, which is the default.
169) .
170) .It Fl \-lower Ar n
171) Include at least
172) .Ar n
173) lowercase characters in the derived passphrase.
174) Setting
175) .Ar n No = Li 0
176) forbids these characters entirely.
177) The default is to not constain the occurrences in any manner.
178) .
179) .It Fl \-upper Ar n
180) Include at least
181) .Ar n
182) uppercase characters in the derived passphrase.
183) Setting
184) .Ar n No = Li 0
185) forbids these characters entirely.
186) The default is to not constain the occurrences in any manner.
187) .
188) .It Fl \-number Ar n
189) Include at least
190) .Ar n
191) digits in the derived passphrase.
192) Setting
193) .Ar n No = Li 0
194) forbids these characters entirely.
195) The default is to not constain the occurrences in any manner.
196) .
197) .It Fl \-space Ar n
198) Include at least
199) .Ar n
200) spaces in the derived passphrase.
201) Setting
202) .Ar n No = Li 0
203) forbids these characters entirely.
204) The default is to not constain the occurrences in any manner.
205) .
206) .It Fl \-dash Ar n
207) Include at least
208) .Ar n
209) .Dq dashes
210) .Li ( \-
211) or
212) .Li _ )
213) in the derived passphrase.
214) Setting
215) .Ar n No = Li 0
216) forbids these characters entirely.
217) The default is to not constain the occurrences in any manner.
218) .
219) .It Fl \-symbol Ar n
220) Include at least
221) .Ar n
222) symbols (any of
223) .Li !\[dq]#$%&\[aq]()*+,./:;<=>?@[\e]\(ha{|}\(ti\-_ )
224) in the derived passphrase.
225) Setting
226) .Ar n No = Li 0
227) forbids these characters entirely, and effectively also implies
228) .Fl \-dash Li 0 .
229) The default is to not constain the occurrences in any manner.
230) .
231) .El
232) .
233) .Ss Configuration
234) .
235) The configuration options directly modify the stored settings: default
236) settings, known services, and service-specific settings.
237) They are mutually exclusive; you may only specify one of them.
238) The
239) .Ar SERVICE
240) is mandatory for
241) .Fl \-notes
242) and
243) .Fl \-delete ,
244) optional for
245) .Fl \-config ,
246) and forbidden for
247) .Fl \-delete\-globals
248) and
249) .Fl \-clear
250) (see synopsis\~#2 and synopsis\~#3).
251) .
252) .Bl -tag -width ".Fl p , \-phrase"
253) .
254) .It Fl n , \-notes
255) Spawn an editor to edit notes for
256) .Ar SERVICE .
257) Use the
258) .Ev VISUAL
259) or
260) .Ev EDITOR
261) environment variables to configure the spawned editor.
262) .
263) .It Fl c , \-config
264) Save the given settings for
265) .Ar SERVICE
266) (if given), or save the given settings as global default settings.
267) .Pp
268) .
269) See the
270) .Sx Passphrase generation
271) and
272) .Sx Compatibility and extension options
273) sections for other options compatible with
274) .Fl \-config .
275) .Pp
276) .
277) .Bf -symbolic
278) Do not use the
279) .Fl \-phrase
280) and
281) .Fl \-config
282) options together!
283) The configuration file is assumed to not contain sensitive contents, and is
284) not encrypted.
285) .Ef
286) .
287) .It Fl x , \-delete
288) Delete all stored settings for
289) .Ar SERVICE .
290) .
291) .It Fl \-delete\-globals
292) Delete all stored global default settings.
293) .
294) .It Fl X , \-clear
295) Delete all stored settings.
296) .
297) .El
298) .
299) .Ss Storage management
300) .
301) The storage management options deal with importing and exporting the stored
302) settings.
303) They are mutually exclusive; you may only specify one of them.
304) Using
305) .Li \-
306) as
307) .Ar PATH
308) for standard input/standard output is supported.
309) .
310) .Bl -tag -width ".Fl p , \-phrase"
311) .
312) .It Fl e Ar PATH , Fl \-export Ar PATH
313) Export all saved settings into file
314) .Ar PATH .
315) .
316) .It Fl i Ar PATH , Fl \-import Ar PATH
317) Import saved settings from file
318) .Ar PATH .
319) .
320) .El
321) .
322) .Ss Compatibility and extension options
323) .
324) By default,
325) .Nm derivepassphrase vault
326) behaves in a manner compatible with
327) .Xr vault 1 .
328) The compatibility and extension options modify the behavior to enable
329) additional functionality, or specifically to force compatibility.
330) .Pp
331) .
332) .Xr vault 1
333) supports none of these options, and behaves as if the option had not been
334) given or had been left in its default state.
335) .
336) .Bl -tag -width ".Fl p , \-phrase"
337) .
338) .It Fl \-overwrite\-existing No "" / "" Fl \-merge\-existing
339) When importing a configuration via
340) .Fl \-import ,
341) or configuring the settings via
342) .Fl \-config ,
343) overwrite or merge
344) .Em ( default )
345) the existing configuration.
346) .Pp
347) .
348) If overwriting the configuration, then the whole configuration
349) .Pq for Fl \-import
350) or the respective section
351) .Pq service-specific or global, for Fl \-config ,
352) will be written from scratch.
353) If merging, then each section
354) .Pq service-specific or global, for Fl \-import
355) or each singular setting
356) .Pq for Fl \-config
357) will be overwritten, but other unaffected settings/sections will not.
358) .Pp
359) .
360) .Xr ( vault 1
361) behaves as if
362) .Fl \-merge\-existing
363) were always given.)
364) .
365) .It Fl \-unset Ar setting
366) When configuring via
367) .Fl \-config ,
368) also unset the specified
369) .Ar setting ,
370) where
371) .Ar setting
372) is one of the passphrase generation settings
373) .Pq Li phrase , key , lower , No .\|.\|. .
374) May be specified multiple times.
375) Must not overlap with any of the settings being set afterwards.
376) .Pp
377) .
378) .Xr ( vault 1
379) does not support this option.)
380) .
381) .It Fl \-export\-as Brq Li json | sh
382) When exporting the configuration via
383) .Fl \-export ,
384) export as
385) .Tn JSON
386) (default) or as a shell script in
387) .Xr sh 1
388) format.
389) .Pp
390) .
391) The
392) .Tn JSON
393) format is compatible with
394) .Xr vault 1 .
395) For the shell script format, see the
396) .Sx SHELL SCRIPT EXPORT FORMAT
397) section for details.
398) .Pp
399) .
400) .Xr ( vault 1
401) behaves as if
402) .Fl \-export\-as Li json
403) were always given.)
404) .
405) .El
406) .
407) .Ss Other options
408) .
409) .Bl -tag -width ".Fl p , \-phrase"
410) .
411) .It Fl \-version
412) Show the version and exit.
413) .
414) .It Fl h , \-help
415) Show a help message and exit.
416) .
417) .El
418) .
419) .Sh SHELL SCRIPT EXPORT FORMAT
420) .
421) If the shell script export format is selected, the configuration will be
422) exported as a
423) .Tn POSIX
424) .Xr sh 1
425) script, containing calls to
426) .Nm derivepassphrase vault
427) to reconstruct the current configuration from scratch.
428) The script assumes a conforming
429) .Xr sh 1 ,
430) with support for
431) .Dq here
432) documents.
433) .Pp
434) .
435) .Bf -symbolic
436) Do not run these emitted shell scripts directly without double-checking
437) their output first!
438) .Ef
439) .
440) .Sh SSH KEY SUITABILITY
441) .
442) An
443) .Tn SSH
444) key is
445) .Sy suitable
446) for use with
447) .Nm derivepassphrase vault
448) if the
449) .Tn SSH
450) agent guarantees that signatures produced with this key will be
451) .Em deterministic ,
452) given the same message to be signed.
453) This is a property specific to the key
454) .Em type ,
455) and sometimes the agent used:
456) .
457) .Bl -bullet
458) .
459) .It
460) .Tn RSA ,
461) Ed25519 and Ed448 keys are always suitable.
462) .Tn OpenSSH Ns No 's
463) .Xr ssh-agent 1
464) supports only these keys as suitable keys.
465) .
466) .It
467) .Tn DSA
468) and
469) .Tn ECDSA
470) keys are suitable if the
471) .Tn SSH
472) agent supports deterministic
473) .Tn DSA
474) signatures, e.g. by implementing
475) .Tn RFC 6979 .
476) .Tn PuTTY Ns No 's
477) .Xr pageant 1
478) supports this, in addition to the always-suitable keys mentioned above.
479) .
480) .El
481) .
482) .Sh ENVIRONMENT
483) .
484) .Bl -tag -width ".Fl p , \-phrase"
485) .
486) .It Ev VISUAL , EDITOR
487) .Nm derivepassphrase vault
488) uses this editor to edit service notes when called with
489) .Fl \-notes .
490) .Ev VISUAL
491) has higher precedence than
492) .Ev EDITOR .
493) .
494) .It Ev DERIVEPASSPHRASE_PATH
495) .Nm derivepassphrase
496) stores its configuration files and data in this directory.
497) Defaults to
498) .Pa \(ti/.derivepassphrase .
499) .
500) .El
501) .
502) .Sh FILES
503) .
504) .Bl -tag -width ".Fl p , \-phrase"
505) .
506) .It Ev $DERIVEPASSPHRASE_PATH Ns Pa /vault.json
507) The stored configuration for
508) .Nm derivepassphrase vault :
509) the default passphrase generation settings, the known service names, and the
510) service-specific settings.
511) This file is
512) .Em not
513) intended for the user to edit.
514) .
515) .El
516) .
517) .Sh SECURITY
518) .
519) .Bl -bullet
520) .
521) .It
522) There is
523) .Sy no way
524) to retrieve the generated passphrases if the master passphrase, the SSH key,
525) or the exact passphrase settings are lost, short of trying out all possible
526) combinations.
527) You are
528) .Sy strongly
529) advised to keep independent backups of the settings and the
530) .Tn SSH
531) key, if any.
532) .
533) .It
534) The configuration is
535) .Sy not
536) encrypted, and you are
537) .Sy strongly
538) discouraged from using a stored passphrase.
539) .
540) .It
541) You are
542) .Sy strongly
543) advised to avoid the
544) .Pq shell script
545) configuration export format if possible, and use the JSON format instead.
546) If you
547) .Em must
548) use the shell script format, then
549) .Sy always
550) validate the export before attempting to interpret or run it.
551) .
552) .El
553) .
554) .Sh EXAMPLES
555) .
556) .Dl $ derivepassphrase vault \-\-phrase email
557) .Pp
558) Prompt for a master passphrase, then generate a standard passphrase
559) .Pq length 20, no character or repetition constraints
560) for the
561) .Dq email
562) service.
563) .Pp
564) .
565) .Dl $ derivepassphrase vault \-\-key \-\-upper 9 \-\-lower 9 example.com
566) .Pp
567) .
568) Select an
569) .Tn SSH
570) key from the available suitable
571) .Tn SSH
572) keys in the running
573) .Tn SSH
574) agent, then generate a passphrase for the
575) .Li example.com
576) service using the previously selected
577) .Tn SSH
578) key.
579) The passphrase will have (standard) length 20, and at least nine characters
580) will be uppercase characters and at least another nine characters will be
581) lowercase characters.
582) .Pp
583) .
584) .Dl $ derivepassphrase vault \-\-key \-\-upper 9 \-\-lower 9 \-\-number 9 example.com
585) .Pp
586) .
587) Attempt to generate a passphrase as in the previous example.
588) .Em This
589) example will error out, because the passphrase constraints require at least
590) 27 characters and the standard passphrase length 20 cannot accomodate this.
591) .Pp
592) .
593) .Dl $ derivepassphrase vault \-\-key \-\-upper 9 \-\-lower 9 \-\-space 2 \-\-config
594) .Pp
595) .
596) After selecting an
597) .Tn SSH
598) key, configure the default settings to use exactly nine uppercase characters,
599) nine lowercase characters, and two spaces for each generated passphrase.
600) (The specific service settings, or the command-line invocation, can still
601) override these settings.)
602) .Pp
603) .
604) .Dl $ derivepassphrase vault example.com
605) .Pp
606) .
607) Because of the previous setting, the generated passphrase for the
608) .Li example.com
609) service will behave as if
610) .Fl \-key \-upper Li 9 Fl \-lower Li 9 Fl \-space Li 2
611) had been specified during invocation (with the
612) .Tn SSH
613) key already having been selected).
614) In particular, it is neither necessary to specify
615) .Fl \-phrase No or Fl \-key
616) nor is it necessary to actually select an
617) .Tn SSH
618) key or to type in a master passphrase.
619) .
620) .Sh DIAGNOSTICS
621) .
622) .Ex -std "derivepassphrase vault"

623) .Pp
624) .
625) .Ss Fatal error messages on standard error
626) .
627) .Pq Li %s Ns No " indicates a variable part of the message."
628) .
629) .Bl -diag
630) .
631) .It %s is mutually exclusive with %s.
632) The two indicated options must not be used at the same time.
633) .
634) .It %s requires a SERVICE or \-\-config.
635) Using the indicated passphrase generation option requires the
636) .Ar SERVICE
637) argument or the
638) .Fl \-config
639) option.
640) .
641) .It %s requires a SERVICE.
642) Using the indicated option requires the
643) .Ar SERVICE
644) argument.
645) .
646) .It %s does not take a SERVICE argument.
647) The indicated option must not be specified together with the
648) .Ar SERVICE
649) argument.
650) .
651) .It Cannot load vault settings: %s.
652) There was a fatal problem loading the stored vault configuration data.
653) Further details are contained in the variable part of the message.
654) .
655) .It Cannot store vault settings: %s.
656) There was a fatal problem saving the vault configuration data.
657) Further details are contained in the variable part of the message.
658) .
659) .It Cannot import vault settings: %s.
660) There was a fatal problem loading the imported vault configuration data.
661) Further details are contained in the variable part of the message.
662) .
663) .It Cannot export vault settings: %s.
664) There was a fatal problem saving the exported vault configuration data.
665) Further details are contained in the variable part of the message.
666) .
667) .It Cannot load user config: %s.
668) There was a fatal problem loading the central user configuration file.
669) Further details are contained in the variable part of the message.
670) .
671) .It The user configuration file is invalid.
672) (Exactly what it says.)
673) .
674) .It No usable SSH keys were found
675) The running SSH agent does not contain any suitable SSH keys.
676) .
677) .It No valid SSH key selected
678) We requested that an SSH key be selected, but we got an invalid selection.
679) .
680) .It The requested SSH key is not loaded into the agent.
681) The running SSH agent does not contain the necessary SSH key.
682) .
683) .It Cannot find any running SSH agent because SSH_AUTH_SOCK is not set.
684) We require a running SSH agent, but cannot locate its communication channel,
685) which is normally indicated by the
686) .Ev SSH_AUTH_SOCK
687) environment variable.
688) .
689) .It Cannot connect to an SSH agent because this Python version does not support UNIX domain sockets.
690) This Python installation does not support the communication mechanism
691) necessary to talk to SSH agents.
692) .
693) .It Cannot connect to the SSH agent: %s.
694) We cannot connect to the SSH agent indicated by the
695) .Ev SSH_AUTH_SOCK
696) environment variable.
697) Further details are contained in the variable part of the message.
698) .

699) .It The SSH agent failed to or refused to supply a list of loaded keys.
700) The SSH agent \(em while responsive in principle \(em did not fulfill the
701) request.
702) .
703) .It "The SSH agent failed to or refused to" "issue a signature with the selected key," "necessary for deriving a service passphrase."
704) The SSH agent \(em while responsive in principle \(em failed to cooperate with
705) deriving a service passphrase from the selected master
706) .Tn SSH
707) key.
708) .
709) .It The SSH agent contains no keys suitable for derivepassphrase.
710) .
711) None of the keys loaded into the
712) .Tn SSH
713) agent (if any) are suitable for use with
714) .Nm derivepassphrase vault .
715) See the
716) .Sx "SSH KEY SUITABILITY"
717) section for the requirements the
718) .Tn SSH
719) key and the
720) .Tn SSH
721) agent must fulfill to be suitable.

722) .
723) .It Error communicating with the SSH agent
724) There was a system error communicating with the SSH agent.
725) .

726) .It Cannot understand the SSH agent's response because it violates the communication protocol.
727) .
728) (Exactly what it says.)
729) .

730) .It Not saving any new notes: the user aborted the request.
731) (Exactly what it says.)
732) .
733) .It Cannot update %s settings without actual settings.
734) Using
735) .Fl \-config
736) requires at least one of the
737) .Fl \-phrase , \-key , \-length , No etc.\&
738) options.
739) .
740) .It Attempted to unset and set %s at the same time.
741) While handling
742) .Fl \-config ,
743) the same configuration setting was passed as an option and as an argument to
744) .Fl \-unset .
745) .
746) .It Generating a passphrase requires a SERVICE.
747) (Exactly what it says.)
748) .
749) .It No passphrase or key was given in the configuration.
750) .Nm derivepassphrase vault
751) does not know whether to use a master SSH key or a master passphrase.
752) .
753) .It No passphrase was given: the user aborted the request.
754) (Exactly what it says.)
755) .
756) .It No SSH key was selected: the user aborted the request.
757) (Exactly what it says.)
758) .
759) .El
760) .Pp
761) .
762) .Ss Non-fatal warning and info messages on standard error
763) .
764) .Pq Li %s Ns No " indicates a variable part of the message."
765) .
766) .Bl -diag
767) .
768) .It The %s passphrase is not %s-normalized.
769) The indicated passphrase \(em as a Unicode string \(em is not properly
770) normalized according to the preferred Unicode normalization form
771) .Pq as specified in the central configuration file .
772) It is therefore possible that the passphrase \(em as a byte string \(em is
773) not the same byte string as you expect it to be
774) .Pq even though it Em looks No correct ,
775) and that the derived passphrases thus do not match their expected values
776) either.
777) Please double-check.
778) .
779) .It An empty SERVICE is not supported by vault(1).
780) .Xr vault 1
781) does not support the empty string as a value for
782) .Ar SERVICE ;
783) it will treat the
784) .Ar SERVICE
785) as missing.
786) For compatibility,
787) .Nm derivepassphrase vault
788) will do the same.
789) In particular, if the empty service is imported in a configuration via
790) .Fl \-import ,
791) then this service cannot be accessed via the
792) .Nm derivepassphrase vault
793) command-line.
794) .
795) .It Replacing invalid value %s for key %s with %s.
796) When importing a configuration, the indicated invalid value has been
797) replaced with the indicated replacement value.
798) .Pq The Do interpretation Dc of the configuration doesn't change .
799) .
800) .It Removing ineffective setting %s = %s.
801) When importing a configuration, the indicated ineffective setting has been
802) removed.
803) .Pq The Do interpretation Dc of the configuration doesn't change .
804) .

805) .It "The service name %s" "contains an ASCII control character," "which is not supported" "by our shell completion code."
806) Because of limitations in the shell completion code, this specific service name
807) will not be available as a suggestion in tab completion.
808) .Po
809) This
810) .Em only
811) affects tab completion, not other functionality.
812) .Pc
813) .

814) .It Setting a %s passphrase is ineffective because a key is also set.
815) The configuration (global or key-specific) contains both a stored master
816) passphrase and an SSH key.
817) The master passphrase will not take effect.
818) .
819) .It A subcommand will be required in v1.0.
820) .Bo
821) Since v0.2.0, until v1.0.
822) .Bc
823) This command now requires a subcommand.
824) For compatibility, it currently defaults to
825) .Dq vault .
826) .
827) .It Using deprecated v0.1-style config file %s, instead of v0.2-style %s.
828) .Bo
829) Since v0.2.0, until v1.0.
830) .Bc
831) A configuration file has been renamed.
832) .Nm derivepassphrase vault
833) will attempt to rename the file itself
834) .Pq Qq Li Successfully migrated to %s. ,
835) or complain if it cannot rename it
836) .Pq Qq Li Failed to migrate to %s: %s .
837) .
838) .El