.Dd 2025-01-11
.Dt DERIVEPASSPHRASE 1
.Os derivepassphrase 0.4.0
.
.Sh NAME
.
.Nm derivepassphrase
.Nd derive a strong passphrase, deterministically, from a master secret
.
.Sh SYNOPSIS
.
.Bd -ragged
.Nm derivepassphrase
.Ar SUBCOMMAND_ARGS No .\|.\|.
.Ed
.
.Sh DESCRIPTION
.
Using a master secret, derive a passphrase for a named service, subject to
constraints e.g.\& on passphrase length, allowed characters, etc.
The exact derivation depends on the selected derivation scheme.
Each scheme derives
.Em strong
passphrases by design:
the derived passphrases have as much entropy as permitted by the master secret
and the passphrase constraints
.Pq whichever is more restrictive ,
and even if multiple derived passphrases are compromised, the master secret
remains cryptographically difficult to discern from those compromised
passphrases.
The derivations are also deterministic, given the same inputs, thus the
resulting passphrsases need not be stored explicitly.
The service name and constraints themselves also generally need not be kept
secret, depending on the scheme.
.
.Sh SUBCOMMANDS
.
.Bl -tag -width ".Fl p , \-phrase"
.
.It Ar export
Export a foreign configuration to standard output.
.
.It Ar vault
Derive a passphrase using the
.Xr vault 1
derivation scheme.
.
.El
.Pp
.
If no subcommand is given, we default to
