Deployed ee6f43b6be48 to 0.x with MkDocs 1.6.1 and mike 2.1.3
Marco Ricci committed 38270c4 at 2025-06-24 22:13:29
index.html
<!doctype html> <html lang="en" class="no-js"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width,initial-scale=1"> <meta name="description" content="An almost faithful Python reimplementation of James Coglan's vault."> <meta name="author" content="Marco Ricci"> <link rel="canonical" href="https://the13thletter.info/derivepassphrase/0.x/reference/derivepassphrase.exporter/"> <link rel="prev" href="../derivepassphrase.cli/"> <link rel="next" href="../derivepassphrase.sequin/"> <link rel="icon" href="../../assets/images/favicon.png"> <meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.6.14"> <title>Subpackage exporter - derivepassphrase</title> <link rel="stylesheet" href="../../assets/stylesheets/main.342714a4.min.css"> <style>:root{--md-text-font:"Noto Sans";--md-code-font:"Noto Mono"}</style> <link rel="stylesheet" href="../../assets/_mkdocstrings.css"> <link rel="stylesheet" href="../../mkdocstrings_recommended_styles.css"> <link rel="stylesheet" href="../../wishlist_styling.css"> </head> <body dir="ltr"> <input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off"> <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off"> <label class="md-overlay" for="__drawer"></label> <div data-md-component="skip"> <a href="#derivepassphrase.exporter" class="md-skip"> Skip to content </a> </div> <div data-md-component="announce"> </div> <div data-md-color-scheme="default" data-md-component="outdated" hidden> </div> <div class="md-container" data-md-component="container"> <nav class="md-tabs" aria-label="Tabs" data-md-component="tabs"> <div class="md-grid"> <ul class="md-tabs__list"> <li class="md-tabs__item"> <a href="../.." 
class="md-tabs__link"> Overview </a> </li> <li class="md-tabs__item"> <a href="../../tutorials/" class="md-tabs__link"> Tutorials & Examples </a> </li> <li class="md-tabs__item"> <a href="../../how-tos/" class="md-tabs__link"> How-Tos </a> </li> <li class="md-tabs__item md-tabs__item--active"> <a href="../" class="md-tabs__link"> Reference </a> </li> <li class="md-tabs__item"> <a href="../../explanation/" class="md-tabs__link"> Design & Background </a> </li> <li class="md-tabs__item"> <a href="../../changelog/" class="md-tabs__link"> Changelog </a> </li> <li class="md-tabs__item"> <a href="../../wishlist/" class="md-tabs__link"> Wishlist </a> </li> </ul> </div> </nav> <main class="md-main" data-md-component="main"> <div class="md-main__inner md-grid"> <div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" > <div class="md-sidebar__scrollwrap"> <div class="md-sidebar__inner"> <nav class="md-nav md-nav--primary md-nav--lifted" aria-label="Navigation" data-md-level="0"> <label class="md-nav__title" for="__drawer"> <a href="../.." title="derivepassphrase" class="md-nav__button md-logo" aria-label="derivepassphrase" data-md-component="logo"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg> </a> derivepassphrase </label> <div class="md-nav__source"> <a href="https://git.schokokeks.org/derivepassphrase.git" title="Go to repository" class="md-source" data-md-component="source"> <div class="md-source__icon md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! 
Font Awesome Free 6.7.2 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81"/></svg> </div> <div class="md-source__repository"> the-13th-letter/derivepassphrase </div> </a> </div> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../.." class="md-nav__link"> <span class="md-ellipsis"> Overview </span> </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_2" > <div class="md-nav__link md-nav__container"> <a href="../../tutorials/" class="md-nav__link "> <span class="md-ellipsis"> Tutorials & Examples </span> </a> <label class="md-nav__link " for="__nav_2" id="__nav_2_label" tabindex="0"> <span class="md-nav__icon md-icon"></span> </label> </div> <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="false"> <label class="md-nav__title" for="__nav_2"> <span class="md-nav__icon md-icon"></span> Tutorials & Examples </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../tutorials/basic-setup-passphrase/" class="md-nav__link"> <span class="md-ellipsis"> Setting up derivepassphrase vault for three accounts, with a master passphrase </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3" > <div class="md-nav__link 
md-nav__container"> <a href="../../how-tos/" class="md-nav__link "> <span class="md-ellipsis"> How-Tos </span> </a> <label class="md-nav__link " for="__nav_3" id="__nav_3_label" tabindex="0"> <span class="md-nav__icon md-icon"></span> </label> </div> <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="false"> <label class="md-nav__title" for="__nav_3"> <span class="md-nav__icon md-icon"></span> How-Tos </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../how-tos/ssh-key/" class="md-nav__link"> <span class="md-ellipsis"> How to set up derivepassphrase vault with an SSH key </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" checked> <div class="md-nav__link md-nav__container"> <a href="../" class="md-nav__link "> <span class="md-ellipsis"> Reference </span> </a> <label class="md-nav__link " for="__nav_4" id="__nav_4_label" tabindex=""> <span class="md-nav__icon md-icon"></span> </label> </div> <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="true"> <label class="md-nav__title" for="__nav_4"> <span class="md-nav__icon md-icon"></span> Reference </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_2" > <label class="md-nav__link" for="__nav_4_2" id="__nav_4_2_label" tabindex=""> <span class="md-ellipsis"> Man pages </span> <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_2_label" aria-expanded="false"> <label class="md-nav__title" for="__nav_4_2"> <span class="md-nav__icon md-icon"></span> Man pages </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../derivepassphrase.1/" 
class="md-nav__link"> <span class="md-ellipsis"> derivepassphrase(1) </span> </a> </li> <li class="md-nav__item"> <a href="../derivepassphrase-vault.1/" class="md-nav__link"> <span class="md-ellipsis"> derivepassphrase-vault(1) </span> </a> </li> <li class="md-nav__item"> <a href="../derivepassphrase-export.1/" class="md-nav__link"> <span class="md-ellipsis"> derivepassphrase-export(1) </span> </a> </li> <li class="md-nav__item"> <a href="../derivepassphrase-export-vault.1/" class="md-nav__link"> <span class="md-ellipsis"> derivepassphrase-export-vault(1) </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_3" checked> <label class="md-nav__link" for="__nav_4_3" id="__nav_4_3_label" tabindex=""> <span class="md-ellipsis"> API docs: Module derivepassphrase </span> <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_3_label" aria-expanded="true"> <label class="md-nav__title" for="__nav_4_3"> <span class="md-nav__icon md-icon"></span> API docs: Module derivepassphrase </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../derivepassphrase.cli/" class="md-nav__link"> <span class="md-ellipsis"> Submodule cli </span> </a> </li> <li class="md-nav__item md-nav__item--active"> <input class="md-nav__toggle md-toggle" type="checkbox" id="__toc"> <label class="md-nav__link md-nav__link--active" for="__toc"> <span class="md-ellipsis"> Subpackage exporter </span> <span class="md-nav__icon md-icon"></span> </label> <a href="./" class="md-nav__link md-nav__link--active"> <span class="md-ellipsis"> Subpackage exporter </span> </a> <nav class="md-nav md-nav--secondary" aria-label="Table of contents"> <label class="md-nav__title" for="__toc"> <span class="md-nav__icon md-icon"></span> Table of contents </label> <ul class="md-nav__list" 
data-md-component="toc" data-md-scrollfix> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.NotAVaultConfigError" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-class"></code> NotAVaultConfigError </span> </a> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.ExportVaultConfigDataFunction" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-class"></code> ExportVaultConfigDataFunction </span> </a> <nav class="md-nav" aria-label=" ExportVaultConfigDataFunction"> <ul class="md-nav__list"> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.ExportVaultConfigDataFunction.__call__" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-method"></code> __call__ </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.get_vault_key" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-function"></code> get_vault_key </span> </a> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.get_vault_path" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-function"></code> get_vault_path </span> </a> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.find_vault_config_data_handlers" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-function"></code> find_vault_config_data_handlers </span> </a> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.export_vault_config_data" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-function"></code> export_vault_config_data </span> </a> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.storeroom" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol 
doc-symbol-toc doc-symbol-module"></code> storeroom </span> </a> <nav class="md-nav" aria-label=" storeroom"> <ul class="md-nav__list"> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.storeroom.export_storeroom_data" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-function"></code> export_storeroom_data </span> </a> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.storeroom._derive_master_keys_keys" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-function"></code> _derive_master_keys_keys </span> </a> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.storeroom._decrypt_master_keys_data" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-function"></code> _decrypt_master_keys_data </span> </a> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.storeroom._decrypt_session_keys" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-function"></code> _decrypt_session_keys </span> </a> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.storeroom._decrypt_contents" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-function"></code> _decrypt_contents </span> </a> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.storeroom._decrypt_bucket_item" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-function"></code> _decrypt_bucket_item </span> </a> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.storeroom._decrypt_bucket_file" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-function"></code> _decrypt_bucket_file </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a 
href="#derivepassphrase.exporter.vault_native" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-module"></code> vault_native </span> </a> <nav class="md-nav" aria-label=" vault_native"> <ul class="md-nav__list"> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-class"></code> VaultNativeConfigParser </span> </a> <nav class="md-nav" aria-label=" VaultNativeConfigParser"> <ul class="md-nav__list"> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser.__call__" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-method"></code> __call__ </span> </a> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._pbkdf2" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-method"></code> _pbkdf2 </span> </a> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._parse_contents" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-method"></code> _parse_contents </span> </a> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._derive_keys" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-method"></code> _derive_keys </span> </a> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._generate_keys" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-method"></code> _generate_keys </span> </a> </li> <li class="md-nav__item"> <a 
href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._check_signature" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-method"></code> _check_signature </span> </a> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._hmac_input" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-method"></code> _hmac_input </span> </a> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._decrypt_payload" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-method"></code> _decrypt_payload </span> </a> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._make_decryptor" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-method"></code> _make_decryptor </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.vault_native.VaultNativeV03ConfigParser" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-class"></code> VaultNativeV03ConfigParser </span> </a> <nav class="md-nav" aria-label=" VaultNativeV03ConfigParser"> <ul class="md-nav__list"> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.vault_native.VaultNativeV03ConfigParser.KEY_SIZE" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-attribute"></code> KEY_SIZE </span> </a> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.vault_native.VaultNativeV03ConfigParser._generate_keys" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-method"></code> _generate_keys </span> </a> </li> <li class="md-nav__item"> <a 
href="#derivepassphrase.exporter.vault_native.VaultNativeV03ConfigParser._hmac_input" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-method"></code> _hmac_input </span> </a> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.vault_native.VaultNativeV03ConfigParser._make_decryptor" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-method"></code> _make_decryptor </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.vault_native.VaultNativeV02ConfigParser" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-class"></code> VaultNativeV02ConfigParser </span> </a> <nav class="md-nav" aria-label=" VaultNativeV02ConfigParser"> <ul class="md-nav__list"> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.vault_native.VaultNativeV02ConfigParser._parse_contents" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-method"></code> _parse_contents </span> </a> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.vault_native.VaultNativeV02ConfigParser._generate_keys" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-method"></code> _generate_keys </span> </a> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.vault_native.VaultNativeV02ConfigParser._hmac_input" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-method"></code> _hmac_input </span> </a> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.vault_native.VaultNativeV02ConfigParser._evp_bytestokey_md5_one_iteration_no_salt" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-method"></code> _evp_bytestokey_md5_one_iteration_no_salt </span> </a> </li> <li 
class="md-nav__item"> <a href="#derivepassphrase.exporter.vault_native.VaultNativeV02ConfigParser._make_decryptor" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-method"></code> _make_decryptor </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="#derivepassphrase.exporter.vault_native.export_vault_native_data" class="md-nav__link"> <span class="md-ellipsis"> <code class="doc-symbol doc-symbol-toc doc-symbol-function"></code> export_vault_native_data </span> </a> </li> </ul> </nav> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="../derivepassphrase.sequin/" class="md-nav__link"> <span class="md-ellipsis"> Submodule sequin </span> </a> </li> <li class="md-nav__item"> <a href="../derivepassphrase.ssh_agent/" class="md-nav__link"> <span class="md-ellipsis"> Submodule ssh_agent </span> </a> </li> <li class="md-nav__item"> <a href="../derivepassphrase._types/" class="md-nav__link"> <span class="md-ellipsis"> Submodule _types </span> </a> </li> <li class="md-nav__item"> <a href="../derivepassphrase.vault/" class="md-nav__link"> <span class="md-ellipsis"> Submodule vault </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_4" > <label class="md-nav__link" for="__nav_4_4" id="__nav_4_4_label" tabindex=""> <span class="md-ellipsis"> Technical prerequisites </span> <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_4_label" aria-expanded="false"> <label class="md-nav__title" for="__nav_4_4"> <span class="md-nav__icon md-icon"></span> Technical prerequisites </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../prerequisites-ssh-key/" class="md-nav__link"> <span class="md-ellipsis"> Using derivepassphrase vault with an SSH key </span> </a> </li> </ul> </nav> </li> </ul> 
</nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_5" > <div class="md-nav__link md-nav__container"> <a href="../../explanation/" class="md-nav__link "> <span class="md-ellipsis"> Design & Background </span> </a> <label class="md-nav__link " for="__nav_5" id="__nav_5_label" tabindex="0"> <span class="md-nav__icon md-icon"></span> </label> </div> <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false"> <label class="md-nav__title" for="__nav_5"> <span class="md-nav__icon md-icon"></span> Design & Background </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../explanation/faq-altered-versions/" class="md-nav__link"> <span class="md-ellipsis"> "altered versions" license requirement </span> </a> </li> <li class="md-nav__item"> <a href="../../explanation/faq-vault-interchangable-passphrases/" class="md-nav__link"> <span class="md-ellipsis"> "interchangable passphrases" in vault </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_6" > <label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0"> <span class="md-ellipsis"> Changelog </span> <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false"> <label class="md-nav__title" for="__nav_6"> <span class="md-nav__icon md-icon"></span> Changelog </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../changelog/" class="md-nav__link"> <span class="md-ellipsis"> Changelog </span> </a> </li> <li class="md-nav__item"> <a href="../../upgrade-notes/" class="md-nav__link"> <span class="md-ellipsis"> Upgrade notes </span> </a> </li> <li class="md-nav__item"> <a href="../../pycompatibility/" class="md-nav__link"> <span class="md-ellipsis"> Python 
compatibility </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_7" > <div class="md-nav__link md-nav__container"> <a href="../../wishlist/" class="md-nav__link "> <span class="md-ellipsis"> Wishlist </span> </a> </div> <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_7_label" aria-expanded="false"> <label class="md-nav__title" for="__nav_7"> <span class="md-nav__icon md-icon"></span> Wishlist </label> <ul class="md-nav__list" data-md-scrollfix> </ul> </nav> </li> </ul> </nav> </div> </div> </div>
<div class="md-content" data-md-component="content"> <article class="md-content__inner md-typeset"> <a href="https://git.schokokeks.org/derivepassphrase.git/raw/master/docs/reference/derivepassphrase.exporter.md" title="View source of this page" class="md-content__button md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M17 18c.56 0 1 .44 1 1s-.44 1-1 1-1-.44-1-1 .44-1 1-1m0-3c-2.73 0-5.06 1.66-6 4 .94 2.34 3.27 4 6 4s5.06-1.66 6-4c-.94-2.34-3.27-4-6-4m0 6.5a2.5 2.5 0 0 1-2.5-2.5 2.5 2.5 0 0 1 2.5-2.5 2.5
2.5 0 0 1 2.5 2.5 2.5 2.5 0 0 1-2.5 2.5M9.27 20H6V4h7v5h5v4.07c.7.08 1.36.25 2 .49V8l-6-6H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h4.5a8.2 8.2 0 0 1-1.23-2"/></svg> </a> <div class="doc doc-object doc-module"> <h1 id="derivepassphrase.exporter" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-module"></code> <span class="doc doc-object-name doc-module-name">derivepassphrase.exporter</span> <a href="#derivepassphrase.exporter" class="headerlink" title="Permanent link">¶</a></h1> <div class="doc doc-contents first"> <p>Foreign configuration exporter for derivepassphrase.</p> <div class="doc doc-children"> <div class="doc doc-object doc-class"> <h2 id="derivepassphrase.exporter.NotAVaultConfigError" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-class"></code> <span class="doc doc-object-name doc-class-name">NotAVaultConfigError</span> <a href="#derivepassphrase.exporter.NotAVaultConfigError" class="headerlink" title="Permanent link">¶</a></h2> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">NotAVaultConfigError</span><span class="p">(</span> <span class="n">path</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a></span> <span class="o">|</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#bytes">bytes</a></span> <span class="o">|</span> <span class="n"><a class="autorefs autorefs-external" title="os.PathLike" href="https://docs.python.org/3/library/os.html#os.PathLike">PathLike</a></span><span class="p">,</span> <span class="nb">format</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a></span> <span class="o">|</span> <span class="kc">None</span> <span class="o">=</span> <span class="kc">None</span> <span class="p">)</span> 
</code></pre></div> <div class="doc doc-contents "> <p class="doc doc-class-bases"> Bases: <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/exceptions.html#ValueError">ValueError</a></code></p> <p>The <code>path</code> does not hold a <code>format</code>-type vault configuration.</p> <div class="doc doc-children"> </div> </div> </div> <div class="doc doc-object doc-class"> <h2 id="derivepassphrase.exporter.ExportVaultConfigDataFunction" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-class"></code> <span class="doc doc-object-name doc-class-name">ExportVaultConfigDataFunction</span> <a href="#derivepassphrase.exporter.ExportVaultConfigDataFunction" class="headerlink" title="Permanent link">¶</a></h2> <div class="doc doc-contents "> <p class="doc doc-class-bases"> Bases: <code><a class="autorefs autorefs-external" title="typing.Protocol" href="https://docs.python.org/3/library/typing.html#typing.Protocol">Protocol</a></code></p> <p>Typing protocol for vault config data export handlers.</p> <div class="doc doc-children"> <div class="doc doc-object doc-function"> <h3 id="derivepassphrase.exporter.ExportVaultConfigDataFunction.__call__" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-method"></code> <span class="doc doc-object-name doc-function-name">__call__</span> <a href="#derivepassphrase.exporter.ExportVaultConfigDataFunction.__call__" class="headerlink" title="Permanent link">¶</a></h3> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">__call__</span><span class="p">(</span> <span class="n">path</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a></span> <span class="o">|</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#bytes">bytes</a></span> <span class="o">|</span> <span 
class="n"><a class="autorefs autorefs-external" title="os.PathLike" href="https://docs.python.org/3/library/os.html#os.PathLike">PathLike</a></span> <span class="o">|</span> <span class="kc">None</span> <span class="o">=</span> <span class="kc">None</span><span class="p">,</span> <span class="n">key</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a></span> <span class="o">|</span> <span class="n"><a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></span> <span class="o">|</span> <span class="kc">None</span> <span class="o">=</span> <span class="kc">None</span><span class="p">,</span> <span class="o">*</span><span class="p">,</span> <span class="nb">format</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a></span> <span class="p">)</span> <span class="o">-></span> <span class="n"><a class="autorefs autorefs-external" title="typing.Any" href="https://docs.python.org/3/library/typing.html#typing.Any">Any</a></span> </code></pre></div> <div class="doc doc-contents "> <p>Export the full vault-native configuration stored in <code>path</code>.</p> <p><span class="doc-section-title">Parameters:</span></p> <table> <thead> <tr> <th>Name</th> <th>Type</th> <th>Description</th> <th>Default</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code>path</code> </td> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a> | <a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#bytes">bytes</a> | <a class="autorefs autorefs-external" title="os.PathLike" href="https://docs.python.org/3/library/os.html#os.PathLike">PathLike</a> | None</code> </td> <td> <div 
class="doc-md-description"> <p>The path to the vault configuration file or directory. If not given, then query <a class="autorefs autorefs-internal" title=" get_vault_path" href="#derivepassphrase.exporter.get_vault_path"><code>get_vault_path</code></a> for the correct value.</p> </div> </td> <td> <code>None</code> </td> </tr> <tr class="doc-section-item"> <td> <code>key</code> </td> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a> | <a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a> | None</code> </td> <td> <div class="doc-md-description"> <p>Encryption key/password for the configuration file or directory, usually the username, or passed via the <code>VAULT_KEY</code> environment variable. If not given, then query <a class="autorefs autorefs-internal" title=" get_vault_key" href="#derivepassphrase.exporter.get_vault_key"><code>get_vault_key</code></a> for the value.</p> </div> </td> <td> <code>None</code> </td> </tr> <tr class="doc-section-item"> <td> <code>format</code> </td> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a></code> </td> <td> <div class="doc-md-description"> <p>The format to attempt parsing as. 
Must be <code>v0.2</code>, <code>v0.3</code> or <code>storeroom</code>.</p> </div> </td> <td> <em>required</em> </td> </tr> </tbody> </table> <p><span class="doc-section-title">Returns:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" title="typing.Any" href="https://docs.python.org/3/library/typing.html#typing.Any">Any</a></code> </td> <td> <div class="doc-md-description"> <p>The vault configuration, as recorded in the configuration file.</p> <p>This may or may not be a valid configuration according to <code>vault</code> or <code>derivepassphrase</code>.</p> </div> </td> </tr> </tbody> </table> <p><span class="doc-section-title">Raises:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/exceptions.html#IsADirectoryError">IsADirectoryError</a></code> </td> <td> <div class="doc-md-description"> <p>The requested format requires a configuration file, but <code>path</code> points to a directory instead.</p> </div> </td> </tr> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/exceptions.html#NotADirectoryError">NotADirectoryError</a></code> </td> <td> <div class="doc-md-description"> <p>The requested format requires a configuration directory, but <code>path</code> points to something else instead.</p> </div> </td> </tr> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/exceptions.html#OSError">OSError</a></code> </td> <td> <div class="doc-md-description"> <p>There was an OS error while accessing the configuration file/directory.</p> </div> </td> </tr> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" 
href="https://docs.python.org/3/library/exceptions.html#RuntimeError">RuntimeError</a></code> </td> <td> <div class="doc-md-description"> <p>Something went wrong during data collection, e.g. we encountered unsupported or corrupted data in the configuration file/directory.</p> </div> </td> </tr> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" title="json.JSONDecodeError" href="https://docs.python.org/3/library/json.html#json.JSONDecodeError">JSONDecodeError</a></code> </td> <td> <div class="doc-md-description"> <p>An internal JSON data structure failed to parse from disk. The configuration file/directory is probably corrupted.</p> </div> </td> </tr> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-internal" title=" NotAVaultConfigError (derivepassphrase.exporter.NotAVaultConfigError)" href="#derivepassphrase.exporter.NotAVaultConfigError">NotAVaultConfigError</a></code> </td> <td> <div class="doc-md-description"> <p>The file/directory contents are not in the claimed configuration format.</p> </div> </td> </tr> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/exceptions.html#ValueError">ValueError</a></code> </td> <td> <div class="doc-md-description"> <p>The requested format is invalid.</p> </div> </td> </tr> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/exceptions.html#ModuleNotFoundError">ModuleNotFoundError</a></code> </td> <td> <div class="doc-md-description"> <p>The requested format requires support code, which failed to load because of missing Python libraries.</p> </div> </td> </tr> </tbody> </table> </div> </div> </div> </div> </div> <div class="doc doc-object doc-function"> <h2 id="derivepassphrase.exporter.get_vault_key" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-function"></code> <span class="doc doc-object-name 
doc-function-name">get_vault_key</span> <a href="#derivepassphrase.exporter.get_vault_key" class="headerlink" title="Permanent link">¶</a></h2> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">get_vault_key</span><span class="p">()</span> <span class="o">-></span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#bytes">bytes</a></span> </code></pre></div> <div class="doc doc-contents "> <p>Automatically determine the vault(1) master key/password.</p> <p>Query the <code>VAULT_KEY</code>, <code>LOGNAME</code>, <code>USER</code> and <code>USERNAME</code> environment variables, in that order. This is the same algorithm that vault uses.</p> <p><span class="doc-section-title">Returns:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#bytes">bytes</a></code> </td> <td> <div class="doc-md-description"> <p>The master key/password. This is generally used as input to a key-derivation function to determine the <em>actual</em> encryption and signing keys for the vault configuration.</p> </div> </td> </tr> </tbody> </table> <p><span class="doc-section-title">Raises:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/exceptions.html#KeyError">KeyError</a></code> </td> <td> <div class="doc-md-description"> <p>We cannot find any of the named environment variables. 
Please set <code>VAULT_KEY</code> manually to the desired value.</p> </div> </td> </tr> </tbody> </table> </div> </div> <div class="doc doc-object doc-function"> <h2 id="derivepassphrase.exporter.get_vault_path" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-function"></code> <span class="doc doc-object-name doc-function-name">get_vault_path</span> <a href="#derivepassphrase.exporter.get_vault_path" class="headerlink" title="Permanent link">¶</a></h2> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">get_vault_path</span><span class="p">()</span> <span class="o">-></span> <span class="n"><a class="autorefs autorefs-external" title="pathlib.Path" href="https://docs.python.org/3/library/pathlib.html#pathlib.Path">Path</a></span> </code></pre></div> <div class="doc doc-contents "> <p>Automatically determine the vault(1) configuration path.</p> <p>Query the <code>VAULT_PATH</code> environment variable, or default to <code>~/.vault</code>. This is the same algorithm that vault uses. If not absolute, then <code>VAULT_PATH</code> is relative to the home directory.</p> <p><span class="doc-section-title">Returns:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" title="pathlib.Path" href="https://docs.python.org/3/library/pathlib.html#pathlib.Path">Path</a></code> </td> <td> <div class="doc-md-description"> <p>The vault configuration path. 
Depending on the vault version, this may be a file or a directory.</p> </div> </td> </tr> </tbody> </table> <p><span class="doc-section-title">Raises:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/exceptions.html#RuntimeError">RuntimeError</a></code> </td> <td> <div class="doc-md-description"> <p>We cannot determine the home directory. Please set <code>HOME</code> manually to the correct value.</p> </div> </td> </tr> </tbody> </table> </div> </div> <div class="doc doc-object doc-function"> <h2 id="derivepassphrase.exporter.find_vault_config_data_handlers" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-function"></code> <span class="doc doc-object-name doc-function-name">find_vault_config_data_handlers</span> <a href="#derivepassphrase.exporter.find_vault_config_data_handlers" class="headerlink" title="Permanent link">¶</a></h2> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">find_vault_config_data_handlers</span><span class="p">()</span> <span class="o">-></span> <span class="kc">None</span> </code></pre></div> <div class="doc doc-contents "> <p>Find all export handlers for vault config data.</p> <p>(This function is idempotent.)</p> <p><span class="doc-section-title">Raises:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/exceptions.html#ModuleNotFoundError">ModuleNotFoundError</a></code> </td> <td> <div class="doc-md-description"> <p>A required module was not found.</p> </div> </td> </tr> </tbody> </table> </div> </div> <div class="doc doc-object doc-function"> <h2 id="derivepassphrase.exporter.export_vault_config_data" class="doc doc-heading"> <code class="doc-symbol 
doc-symbol-heading doc-symbol-function"></code> <span class="doc doc-object-name doc-function-name">export_vault_config_data</span> <a href="#derivepassphrase.exporter.export_vault_config_data" class="headerlink" title="Permanent link">¶</a></h2> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">export_vault_config_data</span><span class="p">(</span> <span class="n">path</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a></span> <span class="o">|</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#bytes">bytes</a></span> <span class="o">|</span> <span class="n"><a class="autorefs autorefs-external" title="os.PathLike" href="https://docs.python.org/3/library/os.html#os.PathLike">PathLike</a></span> <span class="o">|</span> <span class="kc">None</span> <span class="o">=</span> <span class="kc">None</span><span class="p">,</span> <span class="n">key</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a></span> <span class="o">|</span> <span class="n"><a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></span> <span class="o">|</span> <span class="kc">None</span> <span class="o">=</span> <span class="kc">None</span><span class="p">,</span> <span class="o">*</span><span class="p">,</span> <span class="nb">format</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a></span> <span class="p">)</span> <span class="o">-></span> <span class="n"><a class="autorefs autorefs-external" title="typing.Any" href="https://docs.python.org/3/library/typing.html#typing.Any">Any</a></span> 
</code></pre></div> <div class="doc doc-contents "> <p>Export the full vault-native configuration stored in <code>path</code>.</p> <p>See <a class="autorefs autorefs-internal" title=" ExportVaultConfigDataFunction" href="#derivepassphrase.exporter.ExportVaultConfigDataFunction"><code>ExportVaultConfigDataFunction</code></a> for an explanation of the call signature, and the exceptions to expect.</p> </div> </div> </div> </div> </div> <div class="doc doc-object doc-module"> <h2 id="derivepassphrase.exporter.storeroom" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-module"></code> <span class="doc doc-object-name doc-module-name">derivepassphrase.exporter.storeroom</span> <a href="#derivepassphrase.exporter.storeroom" class="headerlink" title="Permanent link">¶</a></h2> <div class="doc doc-contents first"> <p>Exporter for the vault “storeroom” configuration format.</p> <p>The “storeroom” format is the experimental format used in alpha and beta versions of vault beyond v0.3.0. The configuration is stored as a separate directory, which acts like a hash table (i.e. has named slots) and provides an impure quasi-filesystem interface. Each hash table entry is separately encrypted and authenticated. James Coglan designed this format to avoid concurrent write issues when updating or synchronizing the vault configuration with e.g. a cloud service.</p> <p>The public interface is the <a class="autorefs autorefs-internal" title=" export_storeroom_data" href="#derivepassphrase.exporter.storeroom.export_storeroom_data"><code>export_storeroom_data</code></a> function. 
Multiple <em>non-public</em> functions are additionally documented here for didactical and educational reasons, but they are not part of the module API, are subject to change without notice (including removal), and should <em>not</em> be used or relied on.</p> <div class="doc doc-children"> <div class="doc doc-object doc-function"> <h3 id="derivepassphrase.exporter.storeroom.export_storeroom_data" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-function"></code> <span class="doc doc-object-name doc-function-name">export_storeroom_data</span> <a href="#derivepassphrase.exporter.storeroom.export_storeroom_data" class="headerlink" title="Permanent link">¶</a></h3> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">export_storeroom_data</span><span class="p">(</span> <span class="n">path</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a></span> <span class="o">|</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#bytes">bytes</a></span> <span class="o">|</span> <span class="n"><a class="autorefs autorefs-external" title="os.PathLike" href="https://docs.python.org/3/library/os.html#os.PathLike">PathLike</a></span> <span class="o">|</span> <span class="kc">None</span> <span class="o">=</span> <span class="kc">None</span><span class="p">,</span> <span class="n">key</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a></span> <span class="o">|</span> <span class="n"><a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></span> <span class="o">|</span> <span class="kc">None</span> <span class="o">=</span> <span class="kc">None</span><span 
class="p">,</span> <span class="o">*</span><span class="p">,</span> <span class="nb">format</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a></span> <span class="o">=</span> <span class="s2">"storeroom"</span> <span class="p">)</span> <span class="o">-></span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#dict">dict</a></span><span class="p">[</span><span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a></span><span class="p">,</span> <span class="n"><a class="autorefs autorefs-external" title="typing.Any" href="https://docs.python.org/3/library/typing.html#typing.Any">Any</a></span><span class="p">]</span> </code></pre></div> <div class="doc doc-contents "> <p>Export the full configuration stored in the storeroom.</p> <p>See <a class="autorefs autorefs-internal" title=" ExportVaultConfigDataFunction" href="#derivepassphrase.exporter.ExportVaultConfigDataFunction"><code>exporter.ExportVaultConfigDataFunction</code></a> for an explanation of the call signature, and the exceptions to expect.</p> <p><span class="doc-section-title">Other Parameters:</span></p> <table> <thead> <tr> <th>Name</th> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td><code>format</code></td> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a></code> </td> <td> <div class="doc-md-description"> <p>The only supported format is <code>storeroom</code>.</p> </div> </td> </tr> </tbody> </table> </div> </div> <div class="doc doc-object doc-function"> <h3 id="derivepassphrase.exporter.storeroom._derive_master_keys_keys" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-function"></code> <span class="doc doc-object-name 
doc-function-name">_derive_master_keys_keys</span> <a href="#derivepassphrase.exporter.storeroom._derive_master_keys_keys" class="headerlink" title="Permanent link">¶</a></h3> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">_derive_master_keys_keys</span><span class="p">(</span> <span class="n">password</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a></span> <span class="o">|</span> <span class="n"><a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></span><span class="p">,</span> <span class="n">iterations</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/functions.html#int">int</a></span> <span class="p">)</span> <span class="o">-></span> <span class="n"><a class="autorefs autorefs-internal" title=" StoreroomKeyPair (derivepassphrase._types.StoreroomKeyPair)" href="../derivepassphrase._types/#derivepassphrase._types.StoreroomKeyPair">StoreroomKeyPair</a></span> </code></pre></div> <div class="doc doc-contents "> <p>Derive encryption and signing keys for the master keys data.</p> <p>The master password is run through a key derivation function to obtain a 64-byte string, which is then split to yield two 32-byte keys. 
The key derivation function is PBKDF2, using HMAC-SHA1 and salted with the storeroom master keys UUID.</p> <p><span class="doc-section-title">Parameters:</span></p> <table> <thead> <tr> <th>Name</th> <th>Type</th> <th>Description</th> <th>Default</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code>password</code> </td> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a> | <a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></code> </td> <td> <div class="doc-md-description"> <p>A master password for the storeroom instance. Usually read from the <code>VAULT_KEY</code> environment variable, otherwise defaults to the username.</p> </div> </td> <td> <em>required</em> </td> </tr> <tr class="doc-section-item"> <td> <code>iterations</code> </td> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/functions.html#int">int</a></code> </td> <td> <div class="doc-md-description"> <p>A count of rounds for the underlying key derivation function. 
Usually stored as a setting next to the encrypted master keys data.</p> </div> </td> <td> <em>required</em> </td> </tr> </tbody> </table> <p><span class="doc-section-title">Returns:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-internal" title=" StoreroomKeyPair (derivepassphrase._types.StoreroomKeyPair)" href="../derivepassphrase._types/#derivepassphrase._types.StoreroomKeyPair">StoreroomKeyPair</a></code> </td> <td> <div class="doc-md-description"> <p>A 2-tuple of keys, the encryption key and the signing key, to decrypt and verify the master keys data with.</p> </div> </td> </tr> </tbody> </table> <details class="warning" open> <summary>Warning</summary> <p>Non-public function, provided for didactical and educational purposes only. Subject to change without notice, including removal.</p> </details> </div> </div> <div class="doc doc-object doc-function"> <h3 id="derivepassphrase.exporter.storeroom._decrypt_master_keys_data" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-function"></code> <span class="doc doc-object-name doc-function-name">_decrypt_master_keys_data</span> <a href="#derivepassphrase.exporter.storeroom._decrypt_master_keys_data" class="headerlink" title="Permanent link">¶</a></h3> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">_decrypt_master_keys_data</span><span class="p">(</span> <span class="n">data</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></span><span class="p">,</span> <span class="n">keys</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-internal" title=" StoreroomKeyPair (derivepassphrase._types.StoreroomKeyPair)" 
href="../derivepassphrase._types/#derivepassphrase._types.StoreroomKeyPair">StoreroomKeyPair</a></span> <span class="p">)</span> <span class="o">-></span> <span class="n"><a class="autorefs autorefs-internal" title=" StoreroomMasterKeys (derivepassphrase._types.StoreroomMasterKeys)" href="../derivepassphrase._types/#derivepassphrase._types.StoreroomMasterKeys">StoreroomMasterKeys</a></span> </code></pre></div> <div class="doc doc-contents "> <p>Decrypt the master keys data.</p> <p>The master keys data contains:</p> <ul> <li>a 16-byte IV,</li> <li>a 96-byte AES256-CBC-encrypted payload, plus 16 further bytes of PKCS7 padding, and</li> <li>a 32-byte MAC of the preceding 128 bytes.</li> </ul> <p>The decrypted payload itself consists of three 32-byte keys: the hashing, encryption and signing keys, in that order.</p> <p>The encrypted payload is encrypted with the encryption key, and the MAC is created based on the signing key. As per standard cryptographic procedure, the MAC can be verified before attempting to decrypt the payload.</p> <p>Because the payload size is both fixed and a multiple of the cipher blocksize, in this case, the PKCS7 padding always is <code>b'\x10' * 16</code>.</p> <p><span class="doc-section-title">Parameters:</span></p> <table> <thead> <tr> <th>Name</th> <th>Type</th> <th>Description</th> <th>Default</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code>data</code> </td> <td> <code><a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></code> </td> <td> <div class="doc-md-description"> <p>The encrypted master keys data.</p> </div> </td> <td> <em>required</em> </td> </tr> <tr class="doc-section-item"> <td> <code>keys</code> </td> <td> <code><a class="autorefs autorefs-internal" title=" StoreroomKeyPair (derivepassphrase._types.StoreroomKeyPair)" 
href="../derivepassphrase._types/#derivepassphrase._types.StoreroomKeyPair">StoreroomKeyPair</a></code> </td> <td> <div class="doc-md-description"> <p>The encryption and signing keys for the master keys data. These should have previously been derived via the <a class="autorefs autorefs-internal" title=" _derive_master_keys_keys" href="#derivepassphrase.exporter.storeroom._derive_master_keys_keys"><code>_derive_master_keys_keys</code></a> function.</p> </div> </td> <td> <em>required</em> </td> </tr> </tbody> </table> <p><span class="doc-section-title">Returns:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-internal" title=" StoreroomMasterKeys (derivepassphrase._types.StoreroomMasterKeys)" href="../derivepassphrase._types/#derivepassphrase._types.StoreroomMasterKeys">StoreroomMasterKeys</a></code> </td> <td> <div class="doc-md-description"> <p>The master encryption, signing and hashing keys.</p> </div> </td> </tr> </tbody> </table> <p><span class="doc-section-title">Raises:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" title="cryptography.exceptions.InvalidSignature" href="https://cryptography.readthedocs.io/en/latest/exceptions/#cryptography.exceptions.InvalidSignature">InvalidSignature</a></code> </td> <td> <div class="doc-md-description"> <p>The data does not contain a valid signature under the given key.</p> </div> </td> </tr> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/exceptions.html#ValueError">ValueError</a></code> </td> <td> <div class="doc-md-description"> <p>The format is invalid, in a non-cryptographic way. 
(For example, it contains an unsupported version marker, or unexpected extra contents, or invalid padding.)</p> </div> </td> </tr> </tbody> </table> <details class="warning" open> <summary>Warning</summary> <p>Non-public function, provided for didactical and educational purposes only. Subject to change without notice, including removal.</p> </details> </div> </div> <div class="doc doc-object doc-function"> <h3 id="derivepassphrase.exporter.storeroom._decrypt_session_keys" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-function"></code> <span class="doc doc-object-name doc-function-name">_decrypt_session_keys</span> <a href="#derivepassphrase.exporter.storeroom._decrypt_session_keys" class="headerlink" title="Permanent link">¶</a></h3> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">_decrypt_session_keys</span><span class="p">(</span> <span class="n">data</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></span><span class="p">,</span> <span class="n">master_keys</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-internal" title=" StoreroomMasterKeys (derivepassphrase._types.StoreroomMasterKeys)" href="../derivepassphrase._types/#derivepassphrase._types.StoreroomMasterKeys">StoreroomMasterKeys</a></span> <span class="p">)</span> <span class="o">-></span> <span class="n"><a class="autorefs autorefs-internal" title=" StoreroomKeyPair (derivepassphrase._types.StoreroomKeyPair)" href="../derivepassphrase._types/#derivepassphrase._types.StoreroomKeyPair">StoreroomKeyPair</a></span> </code></pre></div> <div class="doc doc-contents "> <p>Decrypt the bucket item’s session keys.</p> <p>The bucket item’s session keys are single-use keys for encrypting and signing a single item in the storage bucket. 
The encrypted session key data consists of:</p> <ul> <li>a 16-byte IV,</li> <li>a 64-byte AES256-CBC-encrypted payload, plus 16 further bytes of PKCS7 padding, and</li> <li>a 32-byte MAC of the preceding 96 bytes.</li> </ul> <p>The encrypted payload is encrypted with the master encryption key, and the MAC is created with the master signing key. As per standard cryptographic procedure, the MAC can be verified before attempting to decrypt the payload.</p> <p>Because the payload size is both fixed and a multiple of the cipher block size, in this case the PKCS7 padding is always <code>b'\x10' * 16</code>.</p> <p><span class="doc-section-title">Parameters:</span></p> <table> <thead> <tr> <th>Name</th> <th>Type</th> <th>Description</th> <th>Default</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code>data</code> </td> <td> <code><a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></code> </td> <td> <div class="doc-md-description"> <p>The encrypted bucket item session key data.</p> </div> </td> <td> <em>required</em> </td> </tr> <tr class="doc-section-item"> <td> <code>master_keys</code> </td> <td> <code><a class="autorefs autorefs-internal" title=" StoreroomMasterKeys (derivepassphrase._types.StoreroomMasterKeys)" href="../derivepassphrase._types/#derivepassphrase._types.StoreroomMasterKeys">StoreroomMasterKeys</a></code> </td> <td> <div class="doc-md-description"> <p>The master keys. 
Presumably these have previously been obtained via the <a class="autorefs autorefs-internal" title=" _decrypt_master_keys_data" href="#derivepassphrase.exporter.storeroom._decrypt_master_keys_data"><code>_decrypt_master_keys_data</code></a> function.</p> </div> </td> <td> <em>required</em> </td> </tr> </tbody> </table> <p><span class="doc-section-title">Returns:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-internal" title=" StoreroomKeyPair (derivepassphrase._types.StoreroomKeyPair)" href="../derivepassphrase._types/#derivepassphrase._types.StoreroomKeyPair">StoreroomKeyPair</a></code> </td> <td> <div class="doc-md-description"> <p>The bucket item’s encryption and signing keys.</p> </div> </td> </tr> </tbody> </table> <p><span class="doc-section-title">Raises:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" title="cryptography.exceptions.InvalidSignature" href="https://cryptography.readthedocs.io/en/latest/exceptions/#cryptography.exceptions.InvalidSignature">InvalidSignature</a></code> </td> <td> <div class="doc-md-description"> <p>The data does not contain a valid signature under the given key.</p> </div> </td> </tr> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/exceptions.html#ValueError">ValueError</a></code> </td> <td> <div class="doc-md-description"> <p>The format is invalid, in a non-cryptographic way. (For example, it contains an unsupported version marker, or unexpected extra contents, or invalid padding.)</p> </div> </td> </tr> </tbody> </table> <details class="warning" open> <summary>Warning</summary> <p>Non-public function, provided for didactical and educational purposes only. 
Subject to change without notice, including removal.</p> </details> </div> </div> <div class="doc doc-object doc-function"> <h3 id="derivepassphrase.exporter.storeroom._decrypt_contents" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-function"></code> <span class="doc doc-object-name doc-function-name">_decrypt_contents</span> <a href="#derivepassphrase.exporter.storeroom._decrypt_contents" class="headerlink" title="Permanent link">¶</a></h3> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">_decrypt_contents</span><span class="p">(</span> <span class="n">data</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></span><span class="p">,</span> <span class="n">session_keys</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-internal" title=" StoreroomKeyPair (derivepassphrase._types.StoreroomKeyPair)" href="../derivepassphrase._types/#derivepassphrase._types.StoreroomKeyPair">StoreroomKeyPair</a></span> <span class="p">)</span> <span class="o">-></span> <span class="n"><a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></span> </code></pre></div> <div class="doc doc-contents "> <p>Decrypt the bucket item’s contents.</p> <p>The data consists of:</p> <ul> <li>a 16-byte IV,</li> <li>a variable-sized AES256-CBC-encrypted payload (using PKCS7 padding on the inside), and</li> <li>a 32-byte MAC of the preceding bytes.</li> </ul> <p>The encrypted payload is encrypted with the bucket item’s session encryption key, and the MAC is created with the bucket item’s session signing key. 
As per standard cryptographic procedure, the MAC can be verified before attempting to decrypt the payload.</p> <p><span class="doc-section-title">Parameters:</span></p> <table> <thead> <tr> <th>Name</th> <th>Type</th> <th>Description</th> <th>Default</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code>data</code> </td> <td> <code><a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></code> </td> <td> <div class="doc-md-description"> <p>The encrypted bucket item payload data.</p> </div> </td> <td> <em>required</em> </td> </tr> <tr class="doc-section-item"> <td> <code>session_keys</code> </td> <td> <code><a class="autorefs autorefs-internal" title=" StoreroomKeyPair (derivepassphrase._types.StoreroomKeyPair)" href="../derivepassphrase._types/#derivepassphrase._types.StoreroomKeyPair">StoreroomKeyPair</a></code> </td> <td> <div class="doc-md-description"> <p>The bucket item’s session keys. 
Presumably these have previously been obtained via the <a class="autorefs autorefs-internal" title=" _decrypt_session_keys" href="#derivepassphrase.exporter.storeroom._decrypt_session_keys"><code>_decrypt_session_keys</code></a> function.</p> </div> </td> <td> <em>required</em> </td> </tr> </tbody> </table> <p><span class="doc-section-title">Returns:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></code> </td> <td> <div class="doc-md-description"> <p>The bucket item’s payload.</p> </div> </td> </tr> </tbody> </table> <p><span class="doc-section-title">Raises:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" title="cryptography.exceptions.InvalidSignature" href="https://cryptography.readthedocs.io/en/latest/exceptions/#cryptography.exceptions.InvalidSignature">InvalidSignature</a></code> </td> <td> <div class="doc-md-description"> <p>The data does not contain a valid signature under the given key.</p> </div> </td> </tr> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/exceptions.html#ValueError">ValueError</a></code> </td> <td> <div class="doc-md-description"> <p>The format is invalid, in a non-cryptographic way. (For example, it contains an unsupported version marker, or unexpected extra contents, or invalid padding.)</p> </div> </td> </tr> </tbody> </table> <details class="warning" open> <summary>Warning</summary> <p>Non-public function, provided for didactical and educational purposes only. 
Subject to change without notice, including removal.</p> </details> </div> </div> <div class="doc doc-object doc-function"> <h3 id="derivepassphrase.exporter.storeroom._decrypt_bucket_item" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-function"></code> <span class="doc doc-object-name doc-function-name">_decrypt_bucket_item</span> <a href="#derivepassphrase.exporter.storeroom._decrypt_bucket_item" class="headerlink" title="Permanent link">¶</a></h3> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">_decrypt_bucket_item</span><span class="p">(</span> <span class="n">bucket_item</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></span><span class="p">,</span> <span class="n">master_keys</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-internal" title=" StoreroomMasterKeys (derivepassphrase._types.StoreroomMasterKeys)" href="../derivepassphrase._types/#derivepassphrase._types.StoreroomMasterKeys">StoreroomMasterKeys</a></span> <span class="p">)</span> <span class="o">-></span> <span class="n"><a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></span> </code></pre></div> <div class="doc doc-contents "> <p>Decrypt a bucket item.</p> <p><span class="doc-section-title">Parameters:</span></p> <table> <thead> <tr> <th>Name</th> <th>Type</th> <th>Description</th> <th>Default</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code>bucket_item</code> </td> <td> <code><a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></code> </td> <td> <div 
class="doc-md-description"> <p>The encrypted bucket item.</p> </div> </td> <td> <em>required</em> </td> </tr> <tr class="doc-section-item"> <td> <code>master_keys</code> </td> <td> <code><a class="autorefs autorefs-internal" title=" StoreroomMasterKeys (derivepassphrase._types.StoreroomMasterKeys)" href="../derivepassphrase._types/#derivepassphrase._types.StoreroomMasterKeys">StoreroomMasterKeys</a></code> </td> <td> <div class="doc-md-description"> <p>The master keys. Presumably these have previously been obtained via the <a class="autorefs autorefs-internal" title=" _decrypt_master_keys_data" href="#derivepassphrase.exporter.storeroom._decrypt_master_keys_data"><code>_decrypt_master_keys_data</code></a> function.</p> </div> </td> <td> <em>required</em> </td> </tr> </tbody> </table> <p><span class="doc-section-title">Returns:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></code> </td> <td> <div class="doc-md-description"> <p>The decrypted bucket item.</p> </div> </td> </tr> </tbody> </table> <p><span class="doc-section-title">Raises:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" title="cryptography.exceptions.InvalidSignature" href="https://cryptography.readthedocs.io/en/latest/exceptions/#cryptography.exceptions.InvalidSignature">InvalidSignature</a></code> </td> <td> <div class="doc-md-description"> <p>The data does not contain a valid signature under the given key.</p> </div> </td> </tr> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/exceptions.html#ValueError">ValueError</a></code> </td> <td> <div 
class="doc-md-description"> <p>The format is invalid, in a non-cryptographic way. (For example, it contains an unsupported version marker, or unexpected extra contents, or invalid padding.)</p> </div> </td> </tr> </tbody> </table> <details class="warning" open> <summary>Warning</summary> <p>Non-public function, provided for didactical and educational purposes only. Subject to change without notice, including removal.</p> </details> </div> </div> <div class="doc doc-object doc-function"> <h3 id="derivepassphrase.exporter.storeroom._decrypt_bucket_file" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-function"></code> <span class="doc doc-object-name doc-function-name">_decrypt_bucket_file</span> <a href="#derivepassphrase.exporter.storeroom._decrypt_bucket_file" class="headerlink" title="Permanent link">¶</a></h3> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">_decrypt_bucket_file</span><span class="p">(</span> <span class="n">filename</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a></span> <span class="o">|</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#bytes">bytes</a></span> <span class="o">|</span> <span class="n"><a class="autorefs autorefs-external" title="os.PathLike" href="https://docs.python.org/3/library/os.html#os.PathLike">PathLike</a></span><span class="p">,</span> <span class="n">master_keys</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-internal" title=" StoreroomMasterKeys (derivepassphrase._types.StoreroomMasterKeys)" href="../derivepassphrase._types/#derivepassphrase._types.StoreroomMasterKeys">StoreroomMasterKeys</a></span><span class="p">,</span> <span class="o">*</span><span class="p">,</span> <span class="n">root_dir</span><span class="p">:</span> <span class="n"><a class="autorefs 
autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a></span> <span class="o">|</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#bytes">bytes</a></span> <span class="o">|</span> <span class="n"><a class="autorefs autorefs-external" title="os.PathLike" href="https://docs.python.org/3/library/os.html#os.PathLike">PathLike</a></span> <span class="o">=</span> <span class="s2">"."</span> <span class="p">)</span> <span class="o">-></span> <span class="n"><a class="autorefs autorefs-external" title="collections.abc.Iterator" href="https://docs.python.org/3/library/collections.abc.html#collections.abc.Iterator">Iterator</a></span><span class="p">[</span><span class="n"><a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></span><span class="p">]</span> </code></pre></div> <div class="doc doc-contents "> <p>Decrypt a complete bucket.</p> <p><span class="doc-section-title">Parameters:</span></p> <table> <thead> <tr> <th>Name</th> <th>Type</th> <th>Description</th> <th>Default</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code>filename</code> </td> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a> | <a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#bytes">bytes</a> | <a class="autorefs autorefs-external" title="os.PathLike" href="https://docs.python.org/3/library/os.html#os.PathLike">PathLike</a></code> </td> <td> <div class="doc-md-description"> <p>The bucket file’s filename.</p> </div> </td> <td> <em>required</em> </td> </tr> <tr class="doc-section-item"> <td> <code>master_keys</code> </td> <td> <code><a class="autorefs autorefs-internal" title=" StoreroomMasterKeys (derivepassphrase._types.StoreroomMasterKeys)" 
href="../derivepassphrase._types/#derivepassphrase._types.StoreroomMasterKeys">StoreroomMasterKeys</a></code> </td> <td> <div class="doc-md-description"> <p>The master keys. Presumably these have previously been obtained via the <a class="autorefs autorefs-internal" title=" _decrypt_master_keys_data" href="#derivepassphrase.exporter.storeroom._decrypt_master_keys_data"><code>_decrypt_master_keys_data</code></a> function.</p> </div> </td> <td> <em>required</em> </td> </tr> <tr class="doc-section-item"> <td> <code>root_dir</code> </td> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a> | <a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#bytes">bytes</a> | <a class="autorefs autorefs-external" title="os.PathLike" href="https://docs.python.org/3/library/os.html#os.PathLike">PathLike</a></code> </td> <td> <div class="doc-md-description"> <p>The root directory of the data store. The filename is interpreted relative to this directory.</p> </div> </td> <td> <code>'.'</code> </td> </tr> </tbody> </table> <p><span class="doc-section-title">Yields:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></code> </td> <td> <div class="doc-md-description"> <p>A decrypted bucket item.</p> </div> </td> </tr> </tbody> </table> <p><span class="doc-section-title">Raises:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" title="cryptography.exceptions.InvalidSignature" href="https://cryptography.readthedocs.io/en/latest/exceptions/#cryptography.exceptions.InvalidSignature">InvalidSignature</a></code> </td> <td> 
<div class="doc-md-description"> <p>The data does not contain a valid signature under the given key.</p> </div> </td> </tr> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/exceptions.html#ValueError">ValueError</a></code> </td> <td> <div class="doc-md-description"> <p>The format is invalid, in a non-cryptographic way. (For example, it contains an unsupported version marker, or unexpected extra contents, or invalid padding.)</p> </div> </td> </tr> </tbody> </table> <details class="warning" open> <summary>Warning</summary> <p>Non-public function, provided for didactical and educational purposes only. Subject to change without notice, including removal.</p> </details> </div> </div> </div> </div> </div> <div class="doc doc-object doc-module"> <h2 id="derivepassphrase.exporter.vault_native" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-module"></code> <span class="doc doc-object-name doc-module-name">derivepassphrase.exporter.vault_native</span> <a href="#derivepassphrase.exporter.vault_native" class="headerlink" title="Permanent link">¶</a></h2> <div class="doc doc-contents first"> <p>Exporter for the vault native configuration format (v0.2 or v0.3).</p> <p>The vault native formats are the configuration formats used by vault v0.2 and v0.3. The configuration is stored as a single file, which is encrypted and authenticated. v0.2 and v0.3 differ in some details concerning key derivation and the expected format of internal structures, so they are <em>not</em> compatible. 
v0.2 additionally contains cryptographic weaknesses (API misuse of a key derivation function, and a low-entropy method of generating initialization vectors for CBC block encryption mode) and should thus be avoided if possible.</p> <p>The public interface is the <a class="autorefs autorefs-internal" title=" export_vault_native_data" href="#derivepassphrase.exporter.vault_native.export_vault_native_data"><code>export_vault_native_data</code></a> function. Multiple <em>non-public</em> classes are additionally documented here for didactical and educational reasons, but they are not part of the module API, are subject to change without notice (including removal), and should <em>not</em> be used or relied on.</p> <div class="doc doc-children"> <div class="doc doc-object doc-class"> <h3 id="derivepassphrase.exporter.vault_native.VaultNativeConfigParser" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-class"></code> <span class="doc doc-object-name doc-class-name">VaultNativeConfigParser</span> <a href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser" class="headerlink" title="Permanent link">¶</a></h3> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">VaultNativeConfigParser</span><span class="p">(</span> <span class="n">contents</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></span><span class="p">,</span> <span class="n">password</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a></span> <span class="o">|</span> <span class="n"><a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></span> <span 
class="p">)</span> </code></pre></div> <div class="doc doc-contents "> <p class="doc doc-class-bases"> Bases: <code><a class="autorefs autorefs-external" title="abc.ABC" href="https://docs.python.org/3/library/abc.html#abc.ABC">ABC</a></code></p> <p>A base parser for vault’s native configuration format.</p> <p>Certain details are specific to the respective vault versions, and are abstracted out. This class by itself is not instantiable because of this.</p> <p><span class="doc-section-title">Parameters:</span></p> <table> <thead> <tr> <th>Name</th> <th>Type</th> <th>Description</th> <th>Default</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code>contents</code> </td> <td> <code><a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></code> </td> <td> <div class="doc-md-description"> <p>The binary contents of the encrypted configuration file.</p> <p>Note: On disk, these are usually stored in base64-encoded form, not in the “raw” form as needed here.</p> </div> </td> <td> <em>required</em> </td> </tr> <tr class="doc-section-item"> <td> <code>password</code> </td> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a> | <a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></code> </td> <td> <div class="doc-md-description"> <p>The vault master key/master passphrase the file is encrypted with. Must be non-empty. 
See <a class="autorefs autorefs-internal" title=" get_vault_key" href="#derivepassphrase.exporter.get_vault_key"><code>exporter.get_vault_key</code></a> for details.</p> <p>If this is a text string, then the UTF-8 encoding of the string is used as the binary password.</p> </div> </td> <td> <em>required</em> </td> </tr> </tbody> </table> <p><span class="doc-section-title">Raises:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/exceptions.html#ValueError">ValueError</a></code> </td> <td> <div class="doc-md-description"> <p>The password must not be empty.</p> </div> </td> </tr> </tbody> </table> <details class="warning" open> <summary>Warning</summary> <p>Non-public class, provided for didactical and educational purposes only. Subject to change without notice, including removal.</p> </details> <div class="doc doc-children"> <div class="doc doc-object doc-function"> <h4 id="derivepassphrase.exporter.vault_native.VaultNativeConfigParser.__call__" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-method"></code> <span class="doc doc-object-name doc-function-name">__call__</span> <a href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser.__call__" class="headerlink" title="Permanent link">¶</a></h4> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">__call__</span><span class="p">()</span> <span class="o">-></span> <span class="n"><a class="autorefs autorefs-external" title="typing.Any" href="https://docs.python.org/3/library/typing.html#typing.Any">Any</a></span> </code></pre></div> <div class="doc doc-contents "> <p>Return the decrypted and parsed vault configuration.</p> <p><span class="doc-section-title">Raises:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> 
<code><a class="autorefs autorefs-external" title="cryptography.exceptions.InvalidSignature" href="https://cryptography.readthedocs.io/en/latest/exceptions/#cryptography.exceptions.InvalidSignature">InvalidSignature</a></code> </td> <td> <div class="doc-md-description"> <p>The encrypted configuration does not contain a valid signature.</p> </div> </td> </tr> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/exceptions.html#ValueError">ValueError</a></code> </td> <td> <div class="doc-md-description"> <p>The format is invalid, in a non-cryptographic way. (For example, it contains an unsupported version marker, or unexpected extra contents, or invalid padding.)</p> </div> </td> </tr> </tbody> </table> </div> </div> <div class="doc doc-object doc-function"> <h4 id="derivepassphrase.exporter.vault_native.VaultNativeConfigParser._pbkdf2" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-method"></code> <span class="doc doc-object-name doc-function-name">_pbkdf2</span> <span class="doc doc-labels"> <small class="doc doc-label doc-label-staticmethod"><code>staticmethod</code></small> </span> <a href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._pbkdf2" class="headerlink" title="Permanent link">¶</a></h4> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">_pbkdf2</span><span class="p">(</span> <span class="n">password</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a></span> <span class="o">|</span> <span class="n"><a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></span><span class="p">,</span> <span class="n">key_size</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" 
href="https://docs.python.org/3/library/functions.html#int">int</a></span><span class="p">,</span> <span class="n">iterations</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/functions.html#int">int</a></span> <span class="p">)</span> <span class="o">-></span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#bytes">bytes</a></span> </code></pre></div> <div class="doc doc-contents "> <p>Generate a key from a password.</p> <p>Uses PBKDF2 with HMAC-SHA1, with <a class="autorefs autorefs-internal" title=" UUID class-attribute instance-attribute " href="../derivepassphrase.vault/#derivepassphrase.vault.Vault.UUID">vault.Vault.UUID</a> as a fixed salt value.</p> <p><span class="doc-section-title">Parameters:</span></p> <table> <thead> <tr> <th>Name</th> <th>Type</th> <th>Description</th> <th>Default</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code>password</code> </td> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a> | <a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></code> </td> <td> <div class="doc-md-description"> <p>The password from which to derive the key.</p> </div> </td> <td> <em>required</em> </td> </tr> <tr class="doc-section-item"> <td> <code>key_size</code> </td> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/functions.html#int">int</a></code> </td> <td> <div class="doc-md-description"> <p>The size of the output string. 
The effective key size (in bytes) is thus half of this output string size.</p> </div> </td> <td> <em>required</em> </td> </tr> <tr class="doc-section-item"> <td> <code>iterations</code> </td> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/functions.html#int">int</a></code> </td> <td> <div class="doc-md-description"> <p>The PBKDF2 iteration count.</p> </div> </td> <td> <em>required</em> </td> </tr> </tbody> </table> <p><span class="doc-section-title">Returns:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#bytes">bytes</a></code> </td> <td> <div class="doc-md-description"> <p>The PBKDF2-derived key, encoded as a lowercase ASCII hexadecimal string.</p> </div> </td> </tr> </tbody> </table> <details class="danger" open> <summary>Insecure use of cryptography</summary> <p>This function is insecure because it uses a fixed salt value, which is not secure against rainbow tables. It is further difficult to use because the effective key size is only half as large as the “size” parameter (output string size). 
Finally, though the use of SHA-1 in HMAC per se is not known to be insecure, SHA-1 is known not to be collision-resistant.</p> </details> </div> </div> <div class="doc doc-object doc-function"> <h4 id="derivepassphrase.exporter.vault_native.VaultNativeConfigParser._parse_contents" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-method"></code> <span class="doc doc-object-name doc-function-name">_parse_contents</span> <a href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._parse_contents" class="headerlink" title="Permanent link">¶</a></h4> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">_parse_contents</span><span class="p">()</span> <span class="o">-></span> <span class="kc">None</span> </code></pre></div> <div class="doc doc-contents "> <p>Parse the contents into IV, payload and MAC.</p> <p>This operates on, and sets, multiple internal attributes of the parser.</p> <p><span class="doc-section-title">Raises:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/exceptions.html#ValueError">ValueError</a></code> </td> <td> <div class="doc-md-description"> <p>The configuration file contents are clearly truncated.</p> </div> </td> </tr> </tbody> </table> </div> </div> <div class="doc doc-object doc-function"> <h4 id="derivepassphrase.exporter.vault_native.VaultNativeConfigParser._derive_keys" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-method"></code> <span class="doc doc-object-name doc-function-name">_derive_keys</span> <a href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._derive_keys" class="headerlink" title="Permanent link">¶</a></h4> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">_derive_keys</span><span class="p">()</span> <span 
class="o">-></span> <span class="kc">None</span> </code></pre></div> <div class="doc doc-contents "> <p>Derive the signing and encryption keys.</p> <p>This is a bookkeeping method. The actual work is done in <a class="autorefs autorefs-internal" title=" _generate_keys abstractmethod " href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._generate_keys"><code>_generate_keys</code></a>.</p> </div> </div> <div class="doc doc-object doc-function"> <h4 id="derivepassphrase.exporter.vault_native.VaultNativeConfigParser._generate_keys" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-method"></code> <span class="doc doc-object-name doc-function-name">_generate_keys</span> <span class="doc doc-labels"> <small class="doc doc-label doc-label-abstractmethod"><code>abstractmethod</code></small> </span> <a href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._generate_keys" class="headerlink" title="Permanent link">¶</a></h4> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">_generate_keys</span><span class="p">()</span> <span class="o">-></span> <span class="kc">None</span> </code></pre></div> <div class="doc doc-contents "> <p>Derive the signing and encryption keys, and set the key sizes.</p> <p>Subclasses must override this, as the derivation system is version-specific. 
The default implementation raises an error.</p> <p><span class="doc-section-title">Raises:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/exceptions.html#AssertionError">AssertionError</a></code> </td> <td> <div class="doc-md-description"> <p>There is no default implementation.</p> </div> </td> </tr> </tbody> </table> </div> </div> <div class="doc doc-object doc-function"> <h4 id="derivepassphrase.exporter.vault_native.VaultNativeConfigParser._check_signature" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-method"></code> <span class="doc doc-object-name doc-function-name">_check_signature</span> <a href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._check_signature" class="headerlink" title="Permanent link">¶</a></h4> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">_check_signature</span><span class="p">()</span> <span class="o">-></span> <span class="kc">None</span> </code></pre></div> <div class="doc doc-contents "> <p>Check for a valid MAC on the encrypted vault configuration.</p> <p>The MAC uses HMAC-SHA1, and thus is 32 bytes long, before encoding.</p> <p><span class="doc-section-title">Raises:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/exceptions.html#ValueError">ValueError</a></code> </td> <td> <div class="doc-md-description"> <p>The MAC is invalid.</p> </div> </td> </tr> </tbody> </table> </div> </div> <div class="doc doc-object doc-function"> <h4 id="derivepassphrase.exporter.vault_native.VaultNativeConfigParser._hmac_input" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-method"></code> <span class="doc doc-object-name 
doc-function-name">_hmac_input</span> <span class="doc doc-labels"> <small class="doc doc-label doc-label-abstractmethod"><code>abstractmethod</code></small> </span> <a href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._hmac_input" class="headerlink" title="Permanent link">¶</a></h4> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">_hmac_input</span><span class="p">()</span> <span class="o">-></span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#bytes">bytes</a></span> </code></pre></div> <div class="doc doc-contents "> <p>Return the input the MAC is supposed to verify.</p> <p>Subclasses must override this, as the MAC-attested data is version-specific. The default implementation raises an error.</p> <p><span class="doc-section-title">Raises:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/exceptions.html#AssertionError">AssertionError</a></code> </td> <td> <div class="doc-md-description"> <p>There is no default implementation.</p> </div> </td> </tr> </tbody> </table> </div> </div> <div class="doc doc-object doc-function"> <h4 id="derivepassphrase.exporter.vault_native.VaultNativeConfigParser._decrypt_payload" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-method"></code> <span class="doc doc-object-name doc-function-name">_decrypt_payload</span> <a href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._decrypt_payload" class="headerlink" title="Permanent link">¶</a></h4> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">_decrypt_payload</span><span class="p">()</span> <span class="o">-></span> <span class="n"><a class="autorefs autorefs-external" title="typing.Any" 
href="https://docs.python.org/3/library/typing.html#typing.Any">Any</a></span> </code></pre></div> <div class="doc doc-contents "> <p>Return the decrypted vault configuration.</p> <p>Requires <a class="autorefs autorefs-internal" title=" _parse_contents" href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._parse_contents"><code>_parse_contents</code></a> and <a class="autorefs autorefs-internal" title=" _derive_keys" href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._derive_keys"><code>_derive_keys</code></a> to have run, and relies on <a class="autorefs autorefs-internal" title=" _check_signature" href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._check_signature"><code>_check_signature</code></a> for tampering detection.</p> </div> </div> <div class="doc doc-object doc-function"> <h4 id="derivepassphrase.exporter.vault_native.VaultNativeConfigParser._make_decryptor" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-method"></code> <span class="doc doc-object-name doc-function-name">_make_decryptor</span> <span class="doc doc-labels"> <small class="doc doc-label doc-label-abstractmethod"><code>abstractmethod</code></small> </span> <a href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._make_decryptor" class="headerlink" title="Permanent link">¶</a></h4> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">_make_decryptor</span><span class="p">()</span> <span class="o">-></span> <span class="n"><a class="autorefs autorefs-external" title="cryptography.hazmat.primitives.ciphers.CipherContext" href="https://cryptography.readthedocs.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.CipherContext">CipherContext</a></span> </code></pre></div> <div class="doc doc-contents "> <p>Return the cipher context object used for decryption.</p> <p>Subclasses must override this, as the cipher setup is 
version-specific. The default implementation raises an error.</p> <p><span class="doc-section-title">Raises:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/exceptions.html#AssertionError">AssertionError</a></code> </td> <td> <div class="doc-md-description"> <p>There is no default implementation.</p> </div> </td> </tr> </tbody> </table> </div> </div> </div> </div> </div> <div class="doc doc-object doc-class"> <h3 id="derivepassphrase.exporter.vault_native.VaultNativeV03ConfigParser" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-class"></code> <span class="doc doc-object-name doc-class-name">VaultNativeV03ConfigParser</span> <a href="#derivepassphrase.exporter.vault_native.VaultNativeV03ConfigParser" class="headerlink" title="Permanent link">¶</a></h3> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">VaultNativeV03ConfigParser</span><span class="p">(</span><span class="o">*</span><span class="n">args</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" title="typing.Any" href="https://docs.python.org/3/library/typing.html#typing.Any">Any</a></span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" title="typing.Any" href="https://docs.python.org/3/library/typing.html#typing.Any">Any</a></span><span class="p">)</span> </code></pre></div> <div class="doc doc-contents "> <p class="doc doc-class-bases"> Bases: <code><a class="autorefs autorefs-internal" title=" VaultNativeConfigParser (derivepassphrase.exporter.vault_native.VaultNativeConfigParser)" href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser">VaultNativeConfigParser</a></code></p> <p>A parser for vault’s native configuration format 
(v0.3).</p> <p>This is the modern, pre-storeroom configuration format.</p> <details class="warning" open> <summary>Warning</summary> <p>Non-public class, provided for didactical and educational purposes only. Subject to change without notice, including removal.</p> </details> <div class="doc doc-children"> <div class="doc doc-object doc-attribute"> <h4 id="derivepassphrase.exporter.vault_native.VaultNativeV03ConfigParser.KEY_SIZE" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-attribute"></code> <span class="doc doc-object-name doc-attribute-name">KEY_SIZE</span> <span class="doc doc-labels"> <small class="doc doc-label doc-label-class-attribute"><code>class-attribute</code></small> <small class="doc doc-label doc-label-instance-attribute"><code>instance-attribute</code></small> </span> <a href="#derivepassphrase.exporter.vault_native.VaultNativeV03ConfigParser.KEY_SIZE" class="headerlink" title="Permanent link">¶</a></h4> <div class="doc-signature highlight"><pre><span></span><code><span class="n">KEY_SIZE</span> <span class="o">=</span> <span class="mi">32</span> </code></pre></div> <div class="doc doc-contents "> <p>Key size for both the encryption and the signing key, including the encoding as a hexadecimal string. 
(The effective cryptographic strength is half of this value.)</p> </div> </div> <div class="doc doc-object doc-function"> <h4 id="derivepassphrase.exporter.vault_native.VaultNativeV03ConfigParser._generate_keys" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-method"></code> <span class="doc doc-object-name doc-function-name">_generate_keys</span> <a href="#derivepassphrase.exporter.vault_native.VaultNativeV03ConfigParser._generate_keys" class="headerlink" title="Permanent link">¶</a></h4> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">_generate_keys</span><span class="p">()</span> <span class="o">-></span> <span class="kc">None</span> </code></pre></div> <div class="doc doc-contents "> <p>Derive the signing and encryption keys, and set the key sizes.</p> <p>Version 0.3 vault configurations use a constant key size; see <a class="autorefs autorefs-internal" title=" KEY_SIZE class-attribute instance-attribute " href="#derivepassphrase.exporter.vault_native.VaultNativeV03ConfigParser.KEY_SIZE"><code>KEY_SIZE</code></a>. The encryption and signing keys differ in how many rounds of PBKDF2 they use (100 and 200, respectively).</p> <details class="danger" open> <summary>Insecure use of cryptography</summary> <p>This function makes use of the insecure function <a class="autorefs autorefs-internal" title=" _pbkdf2 staticmethod " href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._pbkdf2"><code>VaultNativeConfigParser._pbkdf2</code></a>, without any attempts at mitigating its insecurity. It further uses <code>_pbkdf2</code> with the low iteration count of 100 and 200 rounds, which is <em>drastically</em> insufficient to defend against password guessing attacks using GPUs or ASICs. We provide this function for the purpose of interoperability with existing vault installations. 
Do not rely on this system to keep your vault configuration secure against access by even moderately determined attackers!</p> </details> </div> </div> <div class="doc doc-object doc-function"> <h4 id="derivepassphrase.exporter.vault_native.VaultNativeV03ConfigParser._hmac_input" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-method"></code> <span class="doc doc-object-name doc-function-name">_hmac_input</span> <a href="#derivepassphrase.exporter.vault_native.VaultNativeV03ConfigParser._hmac_input" class="headerlink" title="Permanent link">¶</a></h4> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">_hmac_input</span><span class="p">()</span> <span class="o">-></span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#bytes">bytes</a></span> </code></pre></div> <div class="doc doc-contents "> <p>Return the input the MAC is supposed to verify.</p> <p>This includes hexadecimal encoding of the message payload.</p> </div> </div> <div class="doc doc-object doc-function"> <h4 id="derivepassphrase.exporter.vault_native.VaultNativeV03ConfigParser._make_decryptor" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-method"></code> <span class="doc doc-object-name doc-function-name">_make_decryptor</span> <a href="#derivepassphrase.exporter.vault_native.VaultNativeV03ConfigParser._make_decryptor" class="headerlink" title="Permanent link">¶</a></h4> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">_make_decryptor</span><span class="p">()</span> <span class="o">-></span> <span class="n"><a class="autorefs autorefs-external" title="cryptography.hazmat.primitives.ciphers.CipherContext" href="https://cryptography.readthedocs.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.CipherContext">CipherContext</a></span> </code></pre></div> <div class="doc doc-contents "> 
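<p>The “previously derived encryption key” consumed by this cipher context comes from the v0.3 derivation documented above for <code>_pbkdf2</code> and <code>_generate_keys</code>. The following is an added example, not derivepassphrase's own code, that reproduces the documented shape of those keys with the standard library and contrasts it with a salted derivation. Assumptions: the helper names are hypothetical, <code>FIXED_SALT</code> is a constructed stand-in for <code>vault.Vault.UUID</code>, and <code>key_size // 2</code> raw bytes are derived before hex encoding.</p>

```python
import hashlib
import math
import os

# Constructed stand-in for vault.Vault.UUID; the real value is not on this page.
FIXED_SALT = b"00000000-0000-0000-0000-000000000000"
KEY_SIZE = 32             # documented: length of the hex string, not of the raw key
ENCRYPTION_ROUNDS = 100   # documented v0.3 iteration counts
SIGNING_ROUNDS = 200
HEX_DIGITS = frozenset(b"0123456789abcdef")


def pbkdf2_hex(password, key_size, iterations, salt=FIXED_SALT):
    """PBKDF2-HMAC-SHA1, returned as key_size lowercase ASCII hex characters.

    Assumption: key_size // 2 raw bytes are derived and then hex-encoded,
    which matches the documented "effective key size is half" behaviour.
    """
    if isinstance(password, str):
        password = password.encode("utf-8")
    raw = hashlib.pbkdf2_hmac(
        "sha1", bytes(password), salt, iterations, key_size // 2
    )
    return raw.hex().encode("ascii")


def v03_keys(password):
    """Return (encryption_key, signing_key) as described for v0.3."""
    return (
        pbkdf2_hex(password, KEY_SIZE, ENCRYPTION_ROUNDS),
        pbkdf2_hex(password, KEY_SIZE, SIGNING_ROUNDS),
    )


def max_entropy_bits(key):
    """Upper bound on key entropy, given the alphabet its bytes come from.

    A 32-byte AES-256 key made only of hex digits carries 4 bits per byte,
    so at most 128 bits instead of 256.
    """
    alphabet = 16 if set(key).issubset(HEX_DIGITS) else 256
    return int(len(key) * math.log2(alphabet))


def salted_key(password, salt=None, iterations=600_000):
    """Contrast case: random per-file salt, raw key bytes, larger work factor.

    The iteration count is an illustrative assumption. A key derived this way
    cannot decrypt existing vault files; it only shows what the danger notes
    on this page say is missing.
    """
    if isinstance(password, str):
        password = password.encode("utf-8")
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", bytes(password), salt, iterations, 32)
    return key, salt


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    enc, sig = v03_keys(pw)
    print("v0.3 encryption key:", enc.decode())
    print("entropy bound:", max_entropy_bits(enc), "bits")
    # Fixed salt: every installation derives the same key from this password,
    # so one precomputed table serves against all vault files.
    print("identical on every installation:", v03_keys(pw) == (enc, sig))
    key, salt = salted_key(pw)
    print("salted key entropy bound:", max_entropy_bits(key), "bits")
    print("second salted derivation differs:", salted_key(pw)[0] != key)
```
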
<p>Return the cipher context object used for decryption.</p> <p>This is a standard AES256-CBC cipher context using the previously derived encryption key and the IV declared in the (MAC-verified) message payload.</p> </div> </div> </div> </div> </div> <div class="doc doc-object doc-class"> <h3 id="derivepassphrase.exporter.vault_native.VaultNativeV02ConfigParser" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-class"></code> <span class="doc doc-object-name doc-class-name">VaultNativeV02ConfigParser</span> <a href="#derivepassphrase.exporter.vault_native.VaultNativeV02ConfigParser" class="headerlink" title="Permanent link">¶</a></h3> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">VaultNativeV02ConfigParser</span><span class="p">(</span><span class="o">*</span><span class="n">args</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" title="typing.Any" href="https://docs.python.org/3/library/typing.html#typing.Any">Any</a></span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" title="typing.Any" href="https://docs.python.org/3/library/typing.html#typing.Any">Any</a></span><span class="p">)</span> </code></pre></div> <div class="doc doc-contents "> <p class="doc doc-class-bases"> Bases: <code><a class="autorefs autorefs-internal" title=" VaultNativeConfigParser (derivepassphrase.exporter.vault_native.VaultNativeConfigParser)" href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser">VaultNativeConfigParser</a></code></p> <p>A parser for vault’s native configuration format (v0.2).</p> <p>This is the classic configuration format. Compared to v0.3, it contains an (accidental) API misuse for the generation of the master keys, a low-entropy method of generating initialization vectors for the AES-CBC encryption step, and extra layers of base64 encoding. 
Because of these significantly weakened confidentiality guarantees, v0.2 configurations should be upgraded to at least v0.3 as soon as possible.</p> <details class="warning" open> <summary>Warning</summary> <p>Non-public class, provided for didactical and educational purposes only. Subject to change without notice, including removal.</p> </details> <div class="doc doc-children"> <div class="doc doc-object doc-function"> <h4 id="derivepassphrase.exporter.vault_native.VaultNativeV02ConfigParser._parse_contents" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-method"></code> <span class="doc doc-object-name doc-function-name">_parse_contents</span> <a href="#derivepassphrase.exporter.vault_native.VaultNativeV02ConfigParser._parse_contents" class="headerlink" title="Permanent link">¶</a></h4> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">_parse_contents</span><span class="p">()</span> <span class="o">-></span> <span class="kc">None</span> </code></pre></div> <div class="doc doc-contents "> <p>Parse the contents into IV, payload and MAC.</p> <p>Like the base class implementation, this operates on, and sets, multiple internal attributes of the parser. 
In version 0.2 vault configurations, the payload is encoded in base64 and the message tag (MAC) is encoded in hexadecimal, so unlike the base class implementation, we additionally decode the payload and the MAC.</p> <p><span class="doc-section-title">Raises:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/exceptions.html#ValueError">ValueError</a></code> </td> <td> <div class="doc-md-description"> <p>The configuration file contents are clearly truncated, or the payload or the message tag cannot be decoded properly.</p> </div> </td> </tr> </tbody> </table> </div> </div> <div class="doc doc-object doc-function"> <h4 id="derivepassphrase.exporter.vault_native.VaultNativeV02ConfigParser._generate_keys" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-method"></code> <span class="doc doc-object-name doc-function-name">_generate_keys</span> <a href="#derivepassphrase.exporter.vault_native.VaultNativeV02ConfigParser._generate_keys" class="headerlink" title="Permanent link">¶</a></h4> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">_generate_keys</span><span class="p">()</span> <span class="o">-></span> <span class="kc">None</span> </code></pre></div> <div class="doc doc-contents "> <p>Derive the signing and encryption keys, and set the key sizes.</p> <p>Version 0.2 vault configurations use 8-byte encryption keys and 16-byte signing keys, including the hexadecimal encoding. They both use 16 rounds of PBKDF2. 
This is due to an oversight in vault, where the author mistakenly supplied the intended iteration count as the key size, and the key size as the iteration count.</p> <details class="danger" open> <summary>Insecure use of cryptography</summary> <p>This function makes use of the insecure function <a class="autorefs autorefs-internal" title=" _pbkdf2 staticmethod " href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._pbkdf2"><code>VaultNativeConfigParser._pbkdf2</code></a>, without any attempts at mitigating its insecurity. It further uses <code>_pbkdf2</code> with the low iteration count of 16 rounds, which is <em>drastically</em> insufficient to defend against password guessing attacks using GPUs or ASICs, and generates the encryption key as a truncation of the signing key. We provide this function for the purpose of interoperability with existing vault installations. Do not rely on this system to keep your vault configuration secure against access by even moderately determined attackers!</p> </details> </div> </div> <div class="doc doc-object doc-function"> <h4 id="derivepassphrase.exporter.vault_native.VaultNativeV02ConfigParser._hmac_input" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-method"></code> <span class="doc doc-object-name doc-function-name">_hmac_input</span> <a href="#derivepassphrase.exporter.vault_native.VaultNativeV02ConfigParser._hmac_input" class="headerlink" title="Permanent link">¶</a></h4> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">_hmac_input</span><span class="p">()</span> <span class="o">-></span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#bytes">bytes</a></span> </code></pre></div> <div class="doc doc-contents "> <p>Return the input the MAC is supposed to verify.</p> <p>This includes hexadecimal encoding of the message payload.</p> </div> </div> <div class="doc doc-object doc-function"> <h4 
id="derivepassphrase.exporter.vault_native.VaultNativeV02ConfigParser._evp_bytestokey_md5_one_iteration_no_salt" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-method"></code> <span class="doc doc-object-name doc-function-name">_evp_bytestokey_md5_one_iteration_no_salt</span> <span class="doc doc-labels"> <small class="doc doc-label doc-label-staticmethod"><code>staticmethod</code></small> </span> <a href="#derivepassphrase.exporter.vault_native.VaultNativeV02ConfigParser._evp_bytestokey_md5_one_iteration_no_salt" class="headerlink" title="Permanent link">¶</a></h4> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">_evp_bytestokey_md5_one_iteration_no_salt</span><span class="p">(</span> <span class="n">data</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#bytes">bytes</a></span><span class="p">,</span> <span class="n">key_size</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/functions.html#int">int</a></span><span class="p">,</span> <span class="n">iv_size</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/functions.html#int">int</a></span> <span class="p">)</span> <span class="o">-></span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#tuple">tuple</a></span><span class="p">[</span><span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#bytes">bytes</a></span><span class="p">,</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#bytes">bytes</a></span><span class="p">]</span> </code></pre></div> <div class="doc doc-contents "> <p>Reimplement OpenSSL’s <code>EVP_BytesToKey</code> with fixed 
parameters.</p> <p><code>EVP_BytesToKey</code> in general is a key derivation function, i.e., a function that derives key material from an input byte string. <code>EVP_BytesToKey</code> conceptually splits the derived key material into an encryption key and an initialization vector (IV).</p> <details class="note" open> <summary>Algorithm description</summary> <p><code>EVP_BytesToKey</code> takes an input byte string, two output sizes (encryption key size and IV size), a message digest function, a salt value and an iteration count. The derived key material is calculated in blocks, each of which is the output of (iterated application of) the message digest function. The input to the message digest function is the concatenation of the previous block (if any) with the input byte string and the salt value (if any):</p> <div class="highlight"><pre><span></span><code><span class="n">data</span> <span class="o">=</span> <span class="n">block_input</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">''</span><span class="o">.</span><span class="n">join</span><span class="p">([</span><span class="n">previous_block</span><span class="p">,</span> <span class="n">input_string</span><span class="p">,</span> <span class="n">salt</span><span class="p">])</span>
<span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">iteration_count</span><span class="p">):</span>
    <span class="n">data</span> <span class="o">=</span> <span class="n">message_digest</span><span class="p">(</span><span class="n">data</span><span class="p">)</span>
<span class="n">block</span> <span class="o">=</span> <span class="n">data</span>
</code></pre></div> <p>We use as many blocks as are necessary to cover the total output byte string size.
The first few bytes (dictated by the encryption key size) form the encryption key, the other bytes (dictated by the IV size) form the IV.</p> </details> <p>We implement exactly the subset of <code>EVP_BytesToKey</code> that the Node.js <code>crypto</code> library (v21 series and older) uses in its implementation of <code>crypto.createCipher("aes256", password)</code>. Specifically, the message digest function is fixed to MD5, the salt is always empty, and the iteration count is fixed at one.</p> <p><span class="doc-section-title">Returns:</span></p> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#tuple">tuple</a>[<a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#bytes">bytes</a>, <a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#bytes">bytes</a>]</code> </td> <td> <div class="doc-md-description"> <p>A 2-tuple containing the derived encryption key and the derived initialization vector.</p> </div> </td> </tr> </tbody> </table> <details class="danger" open> <summary>Insecure use of cryptography</summary> <p>This function reimplements the OpenSSL function <code>EVP_BytesToKey</code>, which generates cryptographically weak keys, without any attempts at mitigating its insecurity. We provide this function for the purpose of interoperability with existing vault installations. 
Do not rely on this system to keep your vault configuration secure against access by even moderately determined attackers!</p> </details> </div> </div> <div class="doc doc-object doc-function"> <h4 id="derivepassphrase.exporter.vault_native.VaultNativeV02ConfigParser._make_decryptor" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-method"></code> <span class="doc doc-object-name doc-function-name">_make_decryptor</span> <a href="#derivepassphrase.exporter.vault_native.VaultNativeV02ConfigParser._make_decryptor" class="headerlink" title="Permanent link">¶</a></h4> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">_make_decryptor</span><span class="p">()</span> <span class="o">-></span> <span class="n"><a class="autorefs autorefs-external" title="cryptography.hazmat.primitives.ciphers.CipherContext" href="https://cryptography.readthedocs.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.CipherContext">CipherContext</a></span> </code></pre></div> <div class="doc doc-contents "> <p>Return the cipher context object used for decryption.</p> <p>This is a standard AES256-CBC cipher context. The encryption key and the IV are derived via the OpenSSL <code>EVP_BytesToKey</code> function (using MD5, no salt, and one iteration). This is what the Node.js <code>crypto</code> library (v21 series and older) used in its implementation of <code>crypto.createCipher("aes256", password)</code>.</p> <details class="danger" open> <summary>Insecure use of cryptography</summary> <p>This function makes use of (an implementation of) the OpenSSL function <code>EVP_BytesToKey</code>, which generates cryptographically weak keys, without any attempts at mitigating its insecurity. We provide this function for the purpose of interoperability with existing vault installations. 
Do not rely on this system to keep your vault configuration secure against access by even moderately determined attackers!</p> </details> </div> </div> </div> </div> </div> <div class="doc doc-object doc-function"> <h3 id="derivepassphrase.exporter.vault_native.export_vault_native_data" class="doc doc-heading"> <code class="doc-symbol doc-symbol-heading doc-symbol-function"></code> <span class="doc doc-object-name doc-function-name">export_vault_native_data</span> <a href="#derivepassphrase.exporter.vault_native.export_vault_native_data" class="headerlink" title="Permanent link">¶</a></h3> <div class="doc-signature highlight"><pre><span></span><code><span class="nf">export_vault_native_data</span><span class="p">(</span> <span class="n">path</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a></span> <span class="o">|</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#bytes">bytes</a></span> <span class="o">|</span> <span class="n"><a class="autorefs autorefs-external" title="os.PathLike" href="https://docs.python.org/3/library/os.html#os.PathLike">PathLike</a></span> <span class="o">|</span> <span class="kc">None</span> <span class="o">=</span> <span class="kc">None</span><span class="p">,</span> <span class="n">key</span><span class="p">:</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a></span> <span class="o">|</span> <span class="n"><a class="autorefs autorefs-external" title="typing_extensions.Buffer" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer">Buffer</a></span> <span class="o">|</span> <span class="kc">None</span> <span class="o">=</span> <span class="kc">None</span><span class="p">,</span> <span class="o">*</span><span class="p">,</span> <span class="nb">format</span><span 
class="p">:</span> <span class="n"><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a></span> <span class="p">)</span> <span class="o">-></span> <span class="n"><a class="autorefs autorefs-external" title="typing.Any" href="https://docs.python.org/3/library/typing.html#typing.Any">Any</a></span> </code></pre></div> <div class="doc doc-contents "> <p>Export the full configuration stored in vault native format.</p> <p>See <a class="autorefs autorefs-internal" title=" ExportVaultConfigDataFunction" href="#derivepassphrase.exporter.ExportVaultConfigDataFunction"><code>exporter.ExportVaultConfigDataFunction</code></a> for an explanation of the call signature, and the exceptions to expect.</p> <p><span class="doc-section-title">Other Parameters:</span></p> <table> <thead> <tr> <th>Name</th> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr class="doc-section-item"> <td><code>format</code></td> <td> <code><a class="autorefs autorefs-external" href="https://docs.python.org/3/library/stdtypes.html#str">str</a></code> </td> <td> <div class="doc-md-description"> <p>The only supported formats are <code>v0.2</code> and <code>v0.3</code>.</p> </div> </td> </tr> </tbody> </table> </div> </div> </div> </div> </div> </article> </div> </div> </main> <footer class="md-footer">
<div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> <div class="md-copyright"> <div class="md-copyright__highlight"> Copyright © 2025 Marco Ricci (the-13th-letter) </div> Made with <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener"> Material for MkDocs </a> and <a href="https://mkdocstrings.github.io/python/" target="_blank" rel="noopener"> mkdocstrings-python </a> </div> </div> </div> </footer> </div> <div class="md-dialog" data-md-component="dialog"> <div class="md-dialog__inner md-typeset"></div> </div> </body> </html>