# derivepassphrase(1)
## NAME
derivepassphrase – derive a strong passphrase, deterministically, from a master secret
## SYNOPSIS
````
derivepassphrase SUBCOMMAND_ARGS ...
````
## DESCRIPTION
Using a master secret, derive a passphrase for a named service, subject to constraints e.g. on passphrase length, allowed characters, etc.
The exact derivation depends on the selected derivation scheme.
Each scheme derives *strong* passphrases by design: the derived passphrases have as much entropy as permitted by the master secret and the passphrase constraints (whichever is more restrictive), and even if multiple derived passphrases are compromised, the master secret remains cryptographically difficult to discern from those compromised passphrases.
The derivations are also deterministic, given the same inputs, thus the resulting passphrases need not be stored explicitly.
The service name and constraints themselves also generally need not be kept secret, depending on the scheme.
## SUBCOMMANDS
[<b>export</b>][EXPORT_SUBCMD]
: Export a foreign configuration to standard output.
[<b>vault</b>][VAULT_SUBCMD]
: Derive a passphrase using the <i>vault</i>(1) derivation scheme.
If no subcommand is given, we default to <b>vault</b>.
## OPTIONS
<b>-</b><b>-debug</b>
: Emit all diagnostic information to standard error, including progress, warning and error messages.
Cancels the effect of any previous <b>-</b><b>-quiet</b> or <b>-</b><b>-verbose</b> options.
Also applies to subcommands.
<b>-v</b>, <b>-</b><b>-verbose</b>
: Emit extra/progress information to standard error, on top of warning and error messages.
Cancels the effect of any previous <b>-</b><b>-debug</b> or <b>-</b><b>-quiet</b> options.
Also applies to subcommands.
<b>-q</b>, <b>-</b><b>-quiet</b>
: Suppress all other diagnostic output to standard error, except error messages.
This includes warning messages.
Cancels the effect of any previous <b>-</b><b>-debug</b> or <b>-</b><b>-verbose</b> options.
Also applies to subcommands.
