Deployed 4d028b5c74e3 to 0.x with MkDocs 1.6.1 and mike 2.1.4
Marco Ricci
committed
1bff169
at 2026-04-04 13:59:04
<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="An almost faithful Python reimplementation of James Coglan's vault.">
<meta name="author" content="Marco Ricci">
<link rel="canonical" href="https://the13thletter.info/derivepassphrase/0.x/tutorials/basic-setup-ssh-key/">
<link rel="prev" href="../basic-setup-passphrase/">
<link rel="next" href="../../how-tos/">
<link rel="icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.7.6">
<title>Using a master SSH key with derivepassphrase vault on existing accounts - derivepassphrase</title>
<link rel="stylesheet" href="../../assets/stylesheets/main.484c7ddc.min.css">
<style>:root{--md-text-font:"Noto Sans";--md-code-font:"Noto Mono"}</style>
<link rel="stylesheet" href="../../assets/_mkdocstrings.css">
<link rel="stylesheet" href="../../mkdocstrings_recommended_styles.css">
<link rel="stylesheet" href="../../wishlist_styling.css">
</head>
<body dir="ltr">
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<a href="https://git.schokokeks.org/derivepassphrase.git/raw/master/docs/tutorials/basic-setup-ssh-key.md" title="View source of this page" class="md-content__button md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M17 18c.56 0 1 .44 1 1s-.44 1-1 1-1-.44-1-1 .44-1 1-1m0-3c-2.73 0-5.06 1.66-6 4 .94 2.34 3.27 4 6 4s5.06-1.66 6-4c-.94-2.34-3.27-4-6-4m0 6.5a2.5 2.5 0 0 1-2.5-2.5 2.5 2.5 0 0 1 2.5-2.5 2.5 2.5 0 0 1 2.5 2.5 2.5 2.5 0 0 1-2.5 2.5M9.27 20H6V4h7v5h5v4.07c.7.08 1.36.25 2 .49V8l-6-6H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h4.5a8.2 8.2 0 0 1-1.23-2"/></svg>
</a>
<h1 id="using-a-master-ssh-key-with-derivepassphrase-vault-on-existing-accounts">Using a master SSH key with <code>derivepassphrase vault</code> on existing accounts<a class="headerlink" href="#using-a-master-ssh-key-with-derivepassphrase-vault-on-existing-accounts" title="Permanent link">¶</a></h1>
<div class="admonition abstract">
<p class="admonition-title">See also</p>
<p>→ <a href="../basic-setup-passphrase/">Tutorial: Setting up <code>derivepassphrase vault</code> for three accounts, with a master passphrase</a></p>
<p>→ Tradeoffs between a master passphrase and a master SSH key (TODO)</p>
</div>
<h2 id="the-scenario">The scenario<a class="headerlink" href="#the-scenario" title="Permanent link">¶</a></h2>
<p>This tutorial builds upon the previous <a href="../basic-setup-passphrase/">tutorial for setting up <code>derivepassphrase vault</code> for three accounts, with a master passphrase</a>. We have a working <code>derivepassphrase</code> installation, and a <code>derivepassphrase vault</code> configuration for three services <code>email</code>, <code>bank</code> and <code>work</code>, using a master passphrase.</p>
<h2 id="installing-derivepassphrase-with-ssh-key-support">Installing <code>derivepassphrase</code> with SSH key support<a class="headerlink" href="#installing-derivepassphrase-with-ssh-key-support" title="Permanent link">¶</a></h2>
<details class="note">
<summary>Note: Shell Notation</summary>
<p><code>derivepassphrase</code> is a command-line application: it runs in the system shell, such as <code>/bin/sh</code> on UNIX and PowerShell on Windows.</p>
<p>In the following shell session transcripts, <code>$</code> and ‘>’ denote the <b>prompt</b> from the system shell for user input. Type in <em>the remainder</em> of the line, but not the prompt itself.
Other lines are <em>output lines</em>, which should appear in your shell.</p>
<p>For Windows-specific commands, we use the <code>PS></code> prompt; otherwise, we use UNIX-style <code>$</code> and <code>></code> prompts.</p>
</details>
<p><a href="../basic-setup-passphrase/#installing-derivepassphrase">You have already installed <code>derivepassphrase</code>.</a> Once again, check that the installation was successful.</p>
<div class="highlight"><pre><span></span><code><span class="gp">$ </span>derivepassphrase<span class="w"> </span>vault<span class="w"> </span>--version
<span class="go">derivepassphrase 0.5</span>
<span class="go">Using cryptography 44.0.0</span>
<span class="go">Using click 8.1.8</span>
<span class="go">Supported features: master SSH key.</span>
</code></pre></div>
<p>(…or similar output.) Furthermore, verify that “master SSH key” is among the listed supported features.<sup id="fnref:no-support"><a class="footnote-ref" href="#fn:no-support">1</a></sup> Without support for SSH keys, this tutorial cannot be completed.</p>
<h2 id="setting-up-an-ssh-agent-and-ssh-key-generator">Setting up an SSH agent and SSH key generator<a class="headerlink" href="#setting-up-an-ssh-agent-and-ssh-key-generator" title="Permanent link">¶</a></h2>
<p><code>derivepassphrase</code> cannot generate SSH keys or do SSH key operations itself; instead, it relies on widespread and well-tested third-party software such as OpenSSH or PuTTY for this purpose.
We need to install such software as well.</p>
<div class="admonition info">
<p class="admonition-title">Setup steps</p>
<div class="tabbed-set tabbed-alternate" data-tabs="1:2"><input checked="checked" id="__tabbed_1_1" name="__tabbed_1" type="radio" /><input id="__tabbed_1_2" name="__tabbed_1" type="radio" /><div class="tabbed-labels"><label for="__tabbed_1_1">UNIX (and Cygwin/MSYS, WSL, and Git for Windows)</label><label for="__tabbed_1_2">Windows</label></div>
<div class="tabbed-content">
<div class="tabbed-block">
<p>You likely already have OpenSSH installed, or can easily install it via your package manager or via <a href="https://www.openssh.org/">the official OpenSSH distribution</a>. We only need access to the <code>ssh-agent</code>, <code>ssh-add</code> and <code>ssh-keygen</code> client tools; in particular, we do not need the OpenSSH server.</p>
<div class="highlight"><span class="filename">Getting the version number of the installed OpenSSH client tools</span><pre><span></span><code><span class="gp">$ </span>ssh<span class="w"> </span>-V
<span class="go">OpenSSH_10.2p1, OpenSSL 3.5.4 30 Sep 2025</span>
</code></pre></div>
<p>Start an SSH agent if none is running yet. (Some desktop environments automatically launch an agent on startup.)
We can check this via <code>ssh-add -l</code>.</p>
<div class="tabbed-set tabbed-alternate" data-tabs="2:3"><input checked="checked" id="__tabbed_2_1" name="__tabbed_2" type="radio" /><input id="__tabbed_2_2" name="__tabbed_2" type="radio" /><input id="__tabbed_2_3" name="__tabbed_2" type="radio" /><div class="tabbed-labels"><label for="__tabbed_2_1">"Could not open a connection…"</label><label for="__tabbed_2_2">"The agent has no identities."</label><label for="__tabbed_2_3">random gibberish</label></div>
<div class="tabbed-content">
<div class="tabbed-block">
<div class="highlight"><pre><span></span><code><span class="gp">$ </span>ssh-add<span class="w"> </span>-l
<span class="go">Could not open a connection to your authentication agent.</span>
</code></pre></div>
<p>The agent is not running. So start an agent manually:</p>
<div class="highlight"><pre><span></span><code><span class="gp">$ </span><span class="nb">eval</span><span class="w"> </span><span class="s2">"</span><span class="k">$(</span>ssh-agent<span class="w"> </span>-s<span class="k">)</span><span class="s2">"</span>
</code></pre></div>
<p>and arrange for it to be shut down upon exiting this shell session:</p>
<div class="highlight"><pre><span></span><code><span class="gp">$ </span><span class="nb">trap</span><span class="w"> </span><span class="s2">"kill </span><span class="nv">$SSH_AGENT_PID</span><span class="s2">"</span><span class="w"> </span><span class="m">0</span>
</code></pre></div>
</div>
<div class="tabbed-block">
<div class="highlight"><pre><span></span><code><span class="gp">$ </span>ssh-add<span class="w"> </span>-l
<span class="go">The agent has no identities.</span>
</code></pre></div>
<p>The agent is already running.</p>
</div>
<div class="tabbed-block">
<div class="highlight"><pre><span></span><code><span class="gp">$ </span>ssh-add<span class="w"> </span>-l
<span class="go">256 SHA256:0h+WAokssfhzfzVyuMLJlIcWyCtk5WiXI8BHyhXYxC0 (ED25519)</span>
<span class="go">3072 SHA256:1OHE0HrVlaSzJn2aQXQIKRu0tfO1CEMefy95K2Bt0xA (RSA)</span>
</code></pre></div>
<p>(… or similar output, perhaps with text.)</p>
<p>The agent is running, and already contains some keys.</p>
</div>
</div>
</div>
</div>
<div class="tabbed-block">
<div style="float: right;">
<p><figure markdown> <img alt="A CRT monitor wearing a spy hat." loading="lazy" src="../pageant.svg" width="96" /> <figcaption> <a href="https://www.chiark.greenend.org.uk/~sgtatham/quasiblog/putty-icons/">The <code>pageant</code> icon</a> </figcaption> </figure></p>
</div>
<p>Install PuTTY e.g. from <a href="https://putty.software/">the official PuTTY distribution</a> website, or from the Microsoft Store (if supported). We only need access to the <code>pageant</code> and <code>puttygen</code> tools.</p>
<p>Start <code>pageant</code> if it isn’t running yet. An icon of a CRT computer monitor wearing a black hat should appear in the task bar.</p>
</div>
</div>
</div>
</div>
<h2 id="generating-a-master-ssh-key-and-loading-it-into-the-agent">Generating a master SSH key, and loading it into the agent<a class="headerlink" href="#generating-a-master-ssh-key-and-loading-it-into-the-agent" title="Permanent link">¶</a></h2>
<div class="admonition abstract">
<p class="admonition-title">Further reading</p>
<p>→ <a href="../../reference/prerequisites-ssh-key/#ssh-key">Prerequisites for the SSH key, for use with <code>derivepassphrase vault</code></a></p>
</div>
<details class="warning">
<summary>Operational risk: reusing "login" SSH keys for passphrase derivation</summary>
<p>SSH keys are typically used as access tokens for logging in on a remote system. You are <strong>strongly discouraged</strong> from reusing such an existing “login” key for passphrase derivation. A master SSH key is a <strong>long-lived secret</strong>, and should <strong>never need to be rotated<sup id="fnref:key-rotation-def"><a class="footnote-ref" href="#fn:key-rotation-def">2</a></sup>, unless compromised or lost</strong>.
Rotating a master SSH key means <strong>forcibly changing all passphrases that are derived from this key</strong>. By contrast, a login SSH key is an access token, and may be rotated for other policy-related reasons (e.g. algorithm or key size upgrades, key consolidation, …).</p>
<p>Beyond key rotation, reusing an existing login key also means that, when compromised, <strong>all your logins <em>and</em> all your passphrases will be affected</strong>.</p>
</details>
<p>We generate a new Ed25519-type key for use with <code>derivepassphrase</code>.</p>
<div class="admonition info">
<p class="admonition-title">Generating a key (operating system-specific)</p>
<div class="tabbed-set tabbed-alternate" data-tabs="3:2"><input checked="checked" id="__tabbed_3_1" name="__tabbed_3" type="radio" /><input id="__tabbed_3_2" name="__tabbed_3" type="radio" /><div class="tabbed-labels"><label for="__tabbed_3_1">UNIX (and Cygwin/MSYS, WSL, and Git for Windows)</label><label for="__tabbed_3_2">Windows</label></div>
<div class="tabbed-content">
<div class="tabbed-block">
<p>We store the key as <code>my-vault-ed25519-key</code> in <code>~/.ssh</code>, using the comment “vault key”.</p>
<div class="highlight"><pre><span></span><code><span class="gp">$ </span>ssh-keygen<span class="w"> </span>-t<span class="w"> </span>ed25519<span class="w"> </span>-f<span class="w"> </span>~/.ssh/my-vault-ed25519-key<span class="w"> </span>-C<span class="w"> </span><span class="s2">"vault key"</span>
<span class="go">Generating public/private ed25519 key pair.</span>
<span class="go">Enter passphrase for ".../.ssh/my-vault-ed25519-key" (empty for no passphrase): </span>
<span class="go">Enter same passphrase again: </span>
<span class="go">Your identification has been saved in .../.ssh/my-vault-ed25519-key</span>
<span class="go">Your public key has been saved in .../.ssh/my-vault-ed25519-key.pub</span>
<span class="go">The key fingerprint is:</span>
<span class="go">SHA256:0h+WAokssfhzfzVyuMLJlIcWyCtk5WiXI8BHyhXYxC0 vault key</span>
<span class="go">The key's randomart image is:</span>
<span class="go">+--[ED25519 256]--+</span>
<span class="go">|o B=+ |</span>
<span class="go">|.=oE = . |</span>
<span class="go">|.oX @ + |</span>
<span class="go">| = + o * . . |</span>
<span class="go">| + o * S B |</span>
<span class="go">| + * + O o |</span>
<span class="go">| * o . |</span>
<span class="go">| o |</span>
<span class="go">| |</span>
<span class="go">+----[SHA256]-----+</span>
</code></pre></div>
</div>
<div class="tabbed-block">
<p>Start <code>puttygen</code>. Under “Parameters”, as “Type of key to generate”, select <strong>EdDSA</strong>, and as “Curve to use for generating this key”, select <strong>Ed25519 (255 bits)</strong>. Then, under “Actions”, select “Generate”, and follow the on-screen instructions.</p>
<p><figure markdown> <img alt="puttygen's key generation parameters" loading="lazy" src="../puttygen-key-parameters.png" /> </figure></p>
<p>Set the comment to “vault key”, and set a strong key passphrase (<em>recommended</em>). Finally, select “Save private key”, and store the key as <code>my-vault-ed25519-key.ppk</code> in <code>My Documents</code>. We can now close <code>puttygen</code>.</p>
<p><figure markdown> <img alt="puttygen after key generation" loading="lazy" src="../puttygen-key-generation.png" /> </figure></p>
</div>
</div>
</div>
</div>
<section id="sample-key">
<div class="admonition note">
<p class="admonition-title">Note: reproducibility</p>
<p><strong>SSH key generation is non-reproducible</strong>: your key will naturally differ from ours, as will the key fingerprint, the randomart image (if any), and – in general, for sufficiently loose constraints – the passphrases derived from this master SSH key.
This is <em>intentional</em> – you wouldn’t want others to be able to access all of your passphrases just because they installed the same software as you and have access to, or can guess, your configuration.</p>
<p>This also means that you will get <strong>different derived passphrases from us</strong> unless you use <a href="../../test_key_ed25519">exactly the same master SSH key as we are using (OpenSSH format, no key passphrase)</a> <a href="../../test_key_ed25519.ppk">(PuTTY format, no key passphrase)</a>.<sup id="fnref:test-key-comment"><a class="footnote-ref" href="#fn:test-key-comment">3</a></sup></p>
</div>
</section>
<p>We then need to load the key into the agent, so that <code>derivepassphrase</code> can interact with it. The key will persist as long as the agent is running, and will need to be re-added the next time the agent is started.</p>
<div class="admonition info">
<p class="admonition-title">Loading the key into the agent (operating system-specific)</p>
<div class="tabbed-set tabbed-alternate" data-tabs="4:2"><input checked="checked" id="__tabbed_4_1" name="__tabbed_4" type="radio" /><input id="__tabbed_4_2" name="__tabbed_4" type="radio" /><div class="tabbed-labels"><label for="__tabbed_4_1">UNIX (and Cygwin/MSYS, WSL, and Git for Windows)</label><label for="__tabbed_4_2">Windows</label></div>
<div class="tabbed-content">
<div class="tabbed-block">
<p>We instruct the agent to pop up a confirmation prompt each time the key is used, as a safety precaution.</p>
<div class="highlight"><pre><span></span><code><span class="gp">$ </span>ssh-add<span class="w"> </span>-c<span class="w"> </span>~/.ssh/my-vault-ed25519-key
<span class="go">Enter passphrase for .../.ssh/my-vault-ed25519-key (will confirm each use):</span>
<span class="go">Identity added: .../.ssh/my-vault-ed25519-key (vault key)</span>
<span class="go">The user must confirm each use of the key</span>
</code></pre></div>
<p>Now each call to <code>derivepassphrase vault</code> using this SSH
key (only when deriving a passphrase) will elicit a confirmation prompt from the agent. Conversely, any confirmation prompt for this key <em>at other times</em> originates from a <em>different</em> program, and is therefore suspicious and should not be granted. (See operational risks above.)</p> </div> <div class="tabbed-block"> <p>Open <code>pageant</code>’s context menu (via right-click), then select “Add key (encrypted)”. In the file chooser dialog that opens, select <code>my-vault-ed25519-key.ppk</code> in <code>My Documents</code>. The key should now be loaded.</p> <p><figure markdown> <img alt="pageant context menu" loading="lazy" src="../pageant-context-menu.png" /> </figure></p> <p>To verify this, select “View keys” from <code>pageant</code>’s context menu to bring up the list of keys <code>pageant</code> is currently holding in memory. The Ed25519 key we just created should be listed there, along with the “vault key” comment.</p> <p>Upon first use of the key, <code>pageant</code> will issue a passphrase prompt for the key passphrase. The key will be unlocked, and thus usable without prompts, until it is re-encrypted in the “View keys” menu. Re-encrypt/lock the key whenever you are done using it with <code>derivepassphrase</code> to minimize the time window during which the key is accessible to other programs. 
(See operational risks above.)</p> </div> </div> </div> </div> <h2 id="reconfiguring-the-accounts">Reconfiguring the accounts<a class="headerlink" href="#reconfiguring-the-accounts" title="Permanent link">¶</a></h2> <details class="note"> <summary>Reminder: interactive input</summary> <p>In code listings, sections enclosed in <code>[[...]]</code> signify input to the program, for you to type or paste in.</p> <p>Also, it is normal for passphrase prompts to not “echo” the text you type in.</p> </details> <p>In the previous tutorial that set up the three accounts, <a href="../basic-setup-passphrase/#summary">we stored the settings for each account to <code>derivepassphrase vault</code>’s configuration</a>, meaning that we only have to enter the master passphrase to access the account passphrases.</p> <div class="highlight"><pre><span></span><code><span class="gp">$ </span>derivepassphrase<span class="w"> </span>vault<span class="w"> </span>--export<span class="w"> </span>-<span class="w"> </span><span class="c1"># to confirm the configuration</span> <span class="go">{"services": {"email": {"length": 12, "repeat": 3, "lower": 1, "upper": 1, "number": 1, "space": 0}, "bank": {"length": 5, "lower": 0, "upper": 0, "number": 5, "space": 0, "dash": 0, "symbol": 0}, "work-2024Q4": {"length": 8, "upper": 1, "number": 1, "space": 0, "dash": 1, "symbol": 0}}}</span> </code></pre></div> <div class="highlight"><pre><span></span><code><span class="gp">$ </span>derivepassphrase<span class="w"> </span>vault<span class="w"> </span>-p<span class="w"> </span>email <span class="go">Passphrase: [[I am an insecure master passphrase, but easy to type.]]</span> <span class="go">kEFwoD=C?@+7</span> <span class="gp">$ </span>derivepassphrase<span class="w"> </span>vault<span class="w"> </span>-p<span class="w"> </span>bank <span class="go">Passphrase: [[I am an insecure master passphrase, but easy to type.]]</span> <span class="go">98517</span> <span class="gp">$ </span>derivepassphrase<span 
class="w"> </span>vault<span class="w"> </span>-p<span class="w"> </span>work-2024Q4 <span class="go">Passphrase: [[I am an insecure master passphrase, but easy to type.]]</span> <span class="go">-P268G0A</span> </code></pre></div> <p>We first reconfigure the <code>email</code> account to use the master SSH key. <code>derivepassphrase</code> presents us with a key selector for all SSH keys suitable for passphrase derivation, including the one we generated earlier.</p> <div class="admonition quote"> <div class="tabbed-set tabbed-alternate" data-tabs="5:2"><input checked="checked" id="__tabbed_5_1" name="__tabbed_5" type="radio" /><input id="__tabbed_5_2" name="__tabbed_5" type="radio" /><div class="tabbed-labels"><label for="__tabbed_5_1">Only one suitable key</label><label for="__tabbed_5_2">Multiple suitable keys</label></div> <div class="tabbed-content"> <div class="tabbed-block"> <p>We confirm the selection.</p> <div class="highlight"><pre><span></span><code><span class="gp">$ </span>derivepassphrase<span class="w"> </span>vault<span class="w"> </span>--config<span class="w"> </span>-k<span class="w"> </span>email <span class="go">Suitable SSH keys:</span> <span class="go">[1] ssh-ed25519 ...gm1gJIXw//Mkhv5MEwidwcakUGCekJD/vCEml2 vault key</span> <span class="go">Use this key? [[yes]]</span> </code></pre></div> </div> <div class="tabbed-block"> <p>We choose the correct key.</p> <div class="highlight"><pre><span></span><code><span class="gp">$ </span>derivepassphrase<span class="w"> </span>vault<span class="w"> </span>--config<span class="w"> </span>-k<span class="w"> </span>email <span class="go">Suitable SSH keys:</span> <span class="go">[1] ssh-ed25519 ...gm1gJIXw//Mkhv5MEwidwcakUGCekJD/vCEml2 vault key</span> <span class="go">[2] ssh-rsa ...YAWfeXycsvJZ2uaYRjMdZeJGNAnHLUGLkBscw5aI8= some other key</span> <span class="go">Your selection? 
(1-2, leave empty to abort): [[1]]</span> </code></pre></div> </div> </div> </div> </div> <p>We confirm that the reconfiguration has worked: the configuration for the <code>email</code> service now references the key we selected earlier.</p> <div class="highlight"><pre><span></span><code><span class="gp">$ </span>derivepassphrase<span class="w"> </span>vault<span class="w"> </span>--export<span class="w"> </span>- <span class="go">{"services": {"email": {"key": "AAAAC3NzaC1lZDI1NTE5AAAAIIF4gWgm1gJIXw//Mkhv5MEwidwcakUGCekJD/vCEml2", "length": 12, "repeat": 3, "lower": 1, "upper": 1, "number": 1, "space": 0}, "bank": {"length": 5, "lower": 0, "upper": 0, "number": 5, "space": 0, "dash": 0, "symbol": 0}, "work-2024Q4": {"length": 8, "upper": 1, "number": 1, "space": 0, "dash": 1, "symbol": 0}}}</span> </code></pre></div> <p>We further confirm that the derived passphrase adheres to the rules laid out for the <code>email</code> service. Since we configured the service correctly, <code>derivepassphrase</code> knows to automatically use our previously selected SSH key.</p> <div class="highlight"><pre><span></span><code><span class="gp">$ </span>derivepassphrase<span class="w"> </span>vault<span class="w"> </span>email <span class="go">BNbSA\E]#s8H</span> </code></pre></div> <div class="admonition note"> <p class="admonition-title">Reminder: reproducibility</p> <p>Unless you are using our SSH test key, <strong>your SSH key will differ from ours, as will the derived passphrases</strong>.</p> </div> <p>We can now log in to our email account with the old passphrase (<code>derivepassphrase vault -p email</code>) and change it to the new one (<code>derivepassphrase vault email</code>).</p> <h2 id="using-the-master-ssh-key-by-default">Using the master SSH key by default<a class="headerlink" href="#using-the-master-ssh-key-by-default" title="Permanent link">¶</a></h2> <p>To get the other two services to use the master SSH key as well, we <em>could</em> reconfigure them 
manually, as we did with the <code>email</code> service. However, that is unnecessarily repetitive. Instead, we will set up <code>derivepassphrase</code> to use this master SSH key by default.</p> <div class="admonition quote"> <div class="tabbed-set tabbed-alternate" data-tabs="6:2"><input checked="checked" id="__tabbed_6_1" name="__tabbed_6" type="radio" /><input id="__tabbed_6_2" name="__tabbed_6" type="radio" /><div class="tabbed-labels"><label for="__tabbed_6_1">Only one suitable key</label><label for="__tabbed_6_2">Multiple suitable keys</label></div> <div class="tabbed-content"> <div class="tabbed-block"> <div class="highlight"><pre><span></span><code><span class="gp">$ </span>derivepassphrase<span class="w"> </span>vault<span class="w"> </span>--config<span class="w"> </span>-k <span class="go">Suitable SSH keys:</span> <span class="go">[1] ssh-ed25519 ...gm1gJIXw//Mkhv5MEwidwcakUGCekJD/vCEml2 vault key</span> <span class="go">Use this key? [[yes]]</span> </code></pre></div> </div> <div class="tabbed-block"> <div class="highlight"><pre><span></span><code><span class="gp">$ </span>derivepassphrase<span class="w"> </span>vault<span class="w"> </span>--config<span class="w"> </span>-k <span class="go">Suitable SSH keys:</span> <span class="go">[1] ssh-ed25519 ...gm1gJIXw//Mkhv5MEwidwcakUGCekJD/vCEml2 vault key</span> <span class="go">[2] ssh-rsa ...YAWfeXycsvJZ2uaYRjMdZeJGNAnHLUGLkBscw5aI8= some other key</span> <span class="go">Your selection? 
(1-2, leave empty to abort): [[1]]</span> </code></pre></div> </div> </div> </div> </div> <p>The selected key will then appear in the <code>global</code> section of the configuration.</p> <div class="highlight"><pre><span></span><code><span class="gp">$ </span>derivepassphrase<span class="w"> </span>vault<span class="w"> </span>--export<span class="w"> </span>- <span class="go">{"global": {"key": "AAAAC3NzaC1lZDI1NTE5AAAAIIF4gWgm1gJIXw//Mkhv5MEwidwcakUGCekJD/vCEml2"}, "services": {"email": {"key": "AAAAC3NzaC1lZDI1NTE5AAAAIIF4gWgm1gJIXw//Mkhv5MEwidwcakUGCekJD/vCEml2", "length": 12, "repeat": 3, "lower": 1, "upper": 1, "number": 1, "space": 0}, "bank": {"length": 5, "lower": 0, "upper": 0, "number": 5, "space": 0, "dash": 0, "symbol": 0}, "work-2024Q4": {"length": 8, "upper": 1, "number": 1, "space": 0, "dash": 1, "symbol": 0}}}</span> </code></pre></div> <p>The <code>email</code> account still has an explicitly configured SSH key, which overrides the global default setting; it just so happens that in this case both keys are the same. 
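</p> <p>As an added illustration (not part of the original tutorial or of <code>derivepassphrase</code> itself), the following script resolves which key each service in the export above ends up using, flags the redundant <code>email</code> override, and decodes the key blob to confirm it is a well-formed Ed25519 public key. The function names and report labels are made up for this example.</p>

```python
import base64
import json
import struct

# Export printed on this page right after the global key was set (re-wrapped).
EXPORT = """
{"global": {"key": "AAAAC3NzaC1lZDI1NTE5AAAAIIF4gWgm1gJIXw//Mkhv5MEwidwcakUGCekJD/vCEml2"},
 "services": {
  "email": {"key": "AAAAC3NzaC1lZDI1NTE5AAAAIIF4gWgm1gJIXw//Mkhv5MEwidwcakUGCekJD/vCEml2",
            "length": 12, "repeat": 3, "lower": 1, "upper": 1, "number": 1, "space": 0},
  "bank": {"length": 5, "lower": 0, "upper": 0, "number": 5, "space": 0, "dash": 0, "symbol": 0},
  "work-2024Q4": {"length": 8, "upper": 1, "number": 1, "space": 0, "dash": 1, "symbol": 0}}}
"""


def read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string")
    return blob[offset + 4:end], end


def key_algorithm(key_b64):
    """Return the algorithm name stored at the start of a public key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    name, offset = read_string(blob, 0)
    if name == b"ssh-ed25519":
        public, offset = read_string(blob, offset)
        if len(public) != 32 or offset != len(blob):
            raise ValueError("malformed ssh-ed25519 key blob")
    return name.decode("ascii")


def audit(config):
    """Map each service to (where its key comes from, key algorithm)."""
    global_key = config.get("global", {}).get("key")
    report = {}
    for service, settings in config.get("services", {}).items():
        key = settings.get("key", global_key)  # a service key wins over global
        if key is None:
            report[service] = ("no key configured", None)
            continue
        if "key" not in settings:
            source = "global default"
        elif key == global_key:
            source = "redundant override"
        else:
            source = "service override"
        report[service] = (source, key_algorithm(key))
    return report


if __name__ == "__main__":
    for service, (source, algorithm) in audit(json.loads(EXPORT)).items():
        print(f"{service}: {source} ({algorithm})")
```

<p>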
We can therefore remove the useless key override from the <code>email</code> account.</p> <div class="highlight"><pre><span></span><code><span class="gp">$ </span>derivepassphrase<span class="w"> </span>vault<span class="w"> </span>--config<span class="w"> </span>--unset<span class="o">=</span>key<span class="w"> </span>email <span class="gp">$ </span>derivepassphrase<span class="w"> </span>vault<span class="w"> </span>--export<span class="w"> </span>- <span class="go">{"global": {"key": "AAAAC3NzaC1lZDI1NTE5AAAAIIF4gWgm1gJIXw//Mkhv5MEwidwcakUGCekJD/vCEml2"}, "services": {"email": {"length": 12, "repeat": 3, "lower": 1, "upper": 1, "number": 1, "space": 0}, "bank": {"length": 5, "lower": 0, "upper": 0, "number": 5, "space": 0, "dash": 0, "symbol": 0}, "work-2024Q4": {"length": 8, "upper": 1, "number": 1, "space": 0, "dash": 1, "symbol": 0}}}</span> </code></pre></div> <p>The generated passphrase is still the same.</p> <div class="highlight"><pre><span></span><code><span class="gp">$ </span>derivepassphrase<span class="w"> </span>vault<span class="w"> </span>email <span class="go">BNbSA\E]#s8H</span> </code></pre></div> <p>Finally, the generated passphrases for the <code>bank</code> and <code>work-2024Q4</code> accounts are affected by the global SSH key as well, as intended.</p> <div class="highlight"><pre><span></span><code><span class="gp">$ </span>derivepassphrase<span class="w"> </span>vault<span class="w"> </span>bank <span class="go">06041</span> <span class="gp">$ </span>derivepassphrase<span class="w"> </span>vault<span class="w"> </span>work-2024Q4 <span class="go">PE1qg_M7</span> </code></pre></div> <p>However, <a href="../basic-setup-passphrase/#the-scenario">the new passphrase for the <code>work</code> account does not yet adhere to the company’s passphrase policy</a> because <a href="../basic-setup-passphrase/#special-character">we are using the “wrong” special characters</a>. 
We therefore change the passphrase generation parameters such that only dashes and no underscores are emitted.</p> <div class="highlight"><pre><span></span><code><span class="gp">$ </span>derivepassphrase<span class="w"> </span>vault<span class="w"> </span>--config<span class="w"> </span>--lower<span class="o">=</span><span class="m">1</span><span class="w"> </span>work-2024Q4 <span class="gp">$ </span>derivepassphrase<span class="w"> </span>vault<span class="w"> </span>work-2024Q4 <span class="go">pEY-qg7n</span> </code></pre></div> <p>We can then log into our bank and work accounts using the old passphrases (with <code>-p</code>) and change them to the new ones (without <code>-p</code>).</p> <h2 id="summary">Summary<a class="headerlink" href="#summary" title="Permanent link">¶</a></h2> <p>We have reconfigured <code>derivepassphrase</code> (with the <code>vault</code> passphrase derivation scheme) for use with a master SSH key, and modified three existing accounts to use that key. Our configuration should look like this:</p> <div class="highlight"><pre><span></span><code><span class="gp">$ </span>derivepassphrase<span class="w"> </span>vault<span class="w"> </span>--export<span class="w"> </span>- <span class="go">{"global": {"key": "AAAAC3NzaC1lZDI1NTE5AAAAIIF4gWgm1gJIXw//Mkhv5MEwidwcakUGCekJD/vCEml2"}, "services": {"bank": {"dash": 0, "length": 5, "lower": 0, "number": 5, "space": 0, "symbol": 0, "upper": 0}, "email": {"length": 12, "lower": 1, "number": 1, "repeat": 3, "space": 0, "upper": 1}, "work-2024Q4": {"dash": 1, "length": 8, "lower": 1, "number": 1, "space": 0, "symbol": 0, "upper": 1}}}</span> </code></pre></div> <p>We should also get the following output when asking for those passphrases again:</p> <div class="highlight"><pre><span></span><code><span class="gp">$ </span>derivepassphrase<span class="w"> </span>vault<span class="w"> </span>email <span class="go">BNbSA\E]#s8H</span> <span class="gp">$ </span>derivepassphrase<span class="w"> 
</span>vault<span class="w"> </span>bank <span class="go">06041</span> <span class="gp">$ </span>derivepassphrase<span class="w"> </span>vault<span class="w"> </span>work-2024Q4 <span class="go">pEY-qg7n</span> </code></pre></div> <p>This completes the tutorial.</p> <aside> <details class="abstract"> <summary>Image credits</summary> <ul> <li>The <code>pageant</code> logo is part of the PuTTY software package, generated from source files contained within. <a href="https://git.tartarus.org/?p=simon/putty.git;a=blob;f=LICENCE;h=091556577ce55d3502f121460668c5495de91baa;hb=refs/tags/0.83" title="License for the PuTTY software suite (and icons)">License</a></li> </ul> </details> </aside> <div class="footnote"> <hr /> <ol> <li id="fn:no-support"> <p>If “master SSH key” is not listed as a supported feature, then this <code>derivepassphrase</code> installation cannot use master SSH keys. Sorry. This likely means that we cannot talk to the SSH agent because it uses a communication channel that we cannot or don’t know how to access. <a class="footnote-backref" href="#fnref:no-support" title="Jump back to footnote 1 in the text">↩</a></p> </li> <li id="fn:key-rotation-def"> <p><dfn>key rotation</dfn>: the exchange of a cryptographic key for a newer one, for the same purpose/access/capabilities as the old one, as a matter of policy, to artificially limit the scope of the old key. Usually done on a schedule. Typical policy reasons include protection against loss of access to the key material, and upgrades to different algorithms or key sizes (where possible). <a class="footnote-backref" href="#fnref:key-rotation-def" title="Jump back to footnote 2 in the text">↩</a></p> </li> <li id="fn:test-key-comment"> <p>Technically, we are lying about the key comment you will be seeing when using our test key. 
<a class="footnote-backref" href="#fnref:test-key-comment" title="Jump back to footnote 3 in the text">↩</a></p> </li> </ol> </div> </article> </div> </div> </main> <footer class="md-footer"> <div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> <div class="md-copyright"> <div class="md-copyright__highlight"> Copyright © 2026 Marco Ricci (the-13th-letter) </div> Made with <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener"> Material for MkDocs </a> and <a href="https://mkdocstrings.github.io/python/" target="_blank" rel="noopener"> mkdocstrings-python </a> </div> </div> </div> </footer> </div> <div class="md-dialog" data-md-component="dialog"> <div class="md-dialog__inner md-typeset"></div> </div> </body> </html>