git.schokokeks.org
Repositories
Help
Report an Issue
derivepassphrase.git
Code
Commits
Branches
Tags
Suche
Strukturansicht:
f428ac1
Branches
Tags
documentation-tree
master
unstable/modularize-and-refactor-test-machinery
unstable/ssh-agent-socket-providers
wishlist
0.1.0
0.1.1
0.1.2
0.1.3
0.2.0
0.3.0
0.3.1
0.3.2
0.3.3
0.4.0
0.5.1
0.5.2
derivepassphrase.git
0.x
reference
prerequisites-ssh-key
index.html
Deployed 74b94268335a to 0.x with MkDocs 1.6.1 and mike 2.1.3
Marco Ricci
commited
f428ac1
at 2025-08-03 22:00:48
index.html
Blame
History
Raw
<!doctype html> <html lang="en" class="no-js"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width,initial-scale=1"> <meta name="description" content="An almost faithful Python reimplementation of James Coglan's vault."> <meta name="author" content="Marco Ricci"> <link rel="canonical" href="https://the13thletter.info/derivepassphrase/0.x/reference/prerequisites-ssh-key/"> <link rel="prev" href="../derivepassphrase.vault/"> <link rel="next" href="../../explanation/"> <link rel="icon" href="../../assets/images/favicon.png"> <meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.6.16"> <title>Using derivepassphrase vault with an SSH key - derivepassphrase</title> <link rel="stylesheet" href="../../assets/stylesheets/main.7e37652d.min.css"> <style>:root{--md-text-font:"Noto Sans";--md-code-font:"Noto Mono"}</style> <link rel="stylesheet" href="../../assets/_mkdocstrings.css"> <link rel="stylesheet" href="../../mkdocstrings_recommended_styles.css"> <link rel="stylesheet" href="../../wishlist_styling.css"> </head> <body dir="ltr"> <input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off"> <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off"> <label class="md-overlay" for="__drawer"></label> <div data-md-component="skip"> <a href="#prerequisites-for-using-derivepassphrase-vault-with-an-ssh-key" class="md-skip"> Skip to content </a> </div> <div data-md-component="announce"> </div> <div data-md-color-scheme="default" data-md-component="outdated" hidden> </div> <div class="md-container" data-md-component="container"> <nav class="md-tabs" aria-label="Tabs" data-md-component="tabs"> <div class="md-grid"> <ul class="md-tabs__list"> <li class="md-tabs__item"> <a href="../.." class="md-tabs__link"> Overview </a> </li> <li class="md-tabs__item"> <a href="../../tutorials/" class="md-tabs__link"> Tutorials & Examples </a> </li> <li class="md-tabs__item"> <a href="../../how-tos/" class="md-tabs__link"> How-Tos </a> </li> <li class="md-tabs__item md-tabs__item--active"> <a href="../" class="md-tabs__link"> Reference </a> </li> <li class="md-tabs__item"> <a href="../../explanation/" class="md-tabs__link"> Design & Background </a> </li> <li class="md-tabs__item"> <a href="../../changelog/" class="md-tabs__link"> Changelog </a> </li> <li class="md-tabs__item"> <a href="../../wishlist/" class="md-tabs__link"> Wishlist </a> </li> </ul> </div> </nav> <main class="md-main" data-md-component="main"> <div class="md-main__inner md-grid"> <div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" > <div class="md-sidebar__scrollwrap"> <div class="md-sidebar__inner"> <nav class="md-nav md-nav--primary md-nav--lifted" aria-label="Navigation" data-md-level="0"> <label class="md-nav__title" for="__drawer"> <a href="../.." title="derivepassphrase" class="md-nav__button md-logo" aria-label="derivepassphrase" data-md-component="logo"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg> </a> derivepassphrase </label> <div class="md-nav__source"> <a href="https://git.schokokeks.org/derivepassphrase.git" title="Go to repository" class="md-source" data-md-component="source"> <div class="md-source__icon md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 7.0.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2025 Fonticons, Inc.--><path fill="currentColor" d="M439.6 236.1 244 40.5c-5.4-5.5-12.8-8.5-20.4-8.5s-15 3-20.4 8.4L162.5 81l51.5 51.5c27.1-9.1 52.7 16.8 43.4 43.7l49.7 49.7c34.2-11.8 61.2 31 35.5 56.7-26.5 26.5-70.2-2.9-56-37.3L240.3 199v121.9c25.3 12.5 22.3 41.8 9.1 55-6.4 6.4-15.2 10.1-24.3 10.1s-17.8-3.6-24.3-10.1c-17.6-17.6-11.1-46.9 11.2-56v-123c-20.8-8.5-24.6-30.7-18.6-45L142.6 101 8.5 235.1C3 240.6 0 247.9 0 255.5s3 15 8.5 20.4l195.6 195.7c5.4 5.4 12.7 8.4 20.4 8.4s15-3 20.4-8.4l194.7-194.7c5.4-5.4 8.4-12.8 8.4-20.4s-3-15-8.4-20.4"/></svg> </div> <div class="md-source__repository"> the-13th-letter/derivepassphrase </div> </a> </div> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../.." class="md-nav__link"> <span class="md-ellipsis"> Overview </span> </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_2" > <div class="md-nav__link md-nav__container"> <a href="../../tutorials/" class="md-nav__link "> <span class="md-ellipsis"> Tutorials & Examples </span> </a> <label class="md-nav__link " for="__nav_2" id="__nav_2_label" tabindex="0"> <span class="md-nav__icon md-icon"></span> </label> </div> <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="false"> <label class="md-nav__title" for="__nav_2"> <span class="md-nav__icon md-icon"></span> Tutorials & Examples </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../tutorials/basic-setup-passphrase/" class="md-nav__link"> <span class="md-ellipsis"> Setting up derivepassphrase vault for three accounts, with a master passphrase </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3" > <div class="md-nav__link md-nav__container"> <a href="../../how-tos/" class="md-nav__link "> <span class="md-ellipsis"> How-Tos </span> </a> <label class="md-nav__link " for="__nav_3" id="__nav_3_label" tabindex="0"> <span class="md-nav__icon md-icon"></span> </label> </div> <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="false"> <label class="md-nav__title" for="__nav_3"> <span class="md-nav__icon md-icon"></span> How-Tos </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../how-tos/ssh-key/" class="md-nav__link"> <span class="md-ellipsis"> How to set up derivepassphrase vault with an SSH key </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" checked> <div class="md-nav__link md-nav__container"> <a href="../" class="md-nav__link "> <span class="md-ellipsis"> Reference </span> </a> <label class="md-nav__link " for="__nav_4" id="__nav_4_label" tabindex=""> <span class="md-nav__icon md-icon"></span> </label> </div> <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="true"> <label class="md-nav__title" for="__nav_4"> <span class="md-nav__icon md-icon"></span> Reference </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_2" > <label class="md-nav__link" for="__nav_4_2" id="__nav_4_2_label" tabindex=""> <span class="md-ellipsis"> Man pages </span> <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_2_label" aria-expanded="false"> <label class="md-nav__title" for="__nav_4_2"> <span class="md-nav__icon md-icon"></span> Man pages </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../derivepassphrase.1/" class="md-nav__link"> <span class="md-ellipsis"> derivepassphrase(1) </span> </a> </li> <li class="md-nav__item"> <a href="../derivepassphrase-vault.1/" class="md-nav__link"> <span class="md-ellipsis"> derivepassphrase-vault(1) </span> </a> </li> <li class="md-nav__item"> <a href="../derivepassphrase-export.1/" class="md-nav__link"> <span class="md-ellipsis"> derivepassphrase-export(1) </span> </a> </li> <li class="md-nav__item"> <a href="../derivepassphrase-export-vault.1/" class="md-nav__link"> <span class="md-ellipsis"> derivepassphrase-export-vault(1) </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_3" > <label class="md-nav__link" for="__nav_4_3" id="__nav_4_3_label" tabindex=""> <span class="md-ellipsis"> API docs: Module derivepassphrase </span> <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_3_label" aria-expanded="false"> <label class="md-nav__title" for="__nav_4_3"> <span class="md-nav__icon md-icon"></span> API docs: Module derivepassphrase </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../derivepassphrase.cli/" class="md-nav__link"> <span class="md-ellipsis"> Submodule cli </span> </a> </li> <li class="md-nav__item"> <a href="../derivepassphrase.exporter/" class="md-nav__link"> <span class="md-ellipsis"> Subpackage exporter </span> </a> </li> <li class="md-nav__item"> <a href="../derivepassphrase.sequin/" class="md-nav__link"> <span class="md-ellipsis"> Submodule sequin </span> </a> </li> <li class="md-nav__item"> <a href="../derivepassphrase.ssh_agent/" class="md-nav__link"> <span class="md-ellipsis"> Submodule ssh_agent </span> </a> </li> <li class="md-nav__item"> <a href="../derivepassphrase._types/" class="md-nav__link"> <span class="md-ellipsis"> Submodule _types </span> </a> </li> <li class="md-nav__item"> <a href="../derivepassphrase.vault/" class="md-nav__link"> <span class="md-ellipsis"> Submodule vault </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_4" checked> <label class="md-nav__link" for="__nav_4_4" id="__nav_4_4_label" tabindex=""> <span class="md-ellipsis"> Technical prerequisites </span> <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_4_label" aria-expanded="true"> <label class="md-nav__title" for="__nav_4_4"> <span class="md-nav__icon md-icon"></span> Technical prerequisites </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item md-nav__item--active"> <input class="md-nav__toggle md-toggle" type="checkbox" id="__toc"> <label class="md-nav__link md-nav__link--active" for="__toc"> <span class="md-ellipsis"> Using derivepassphrase vault with an SSH key </span> <span class="md-nav__icon md-icon"></span> </label> <a href="./" class="md-nav__link md-nav__link--active"> <span class="md-ellipsis"> Using derivepassphrase vault with an SSH key </span> </a> <nav class="md-nav md-nav--secondary" aria-label="Table of contents"> <label class="md-nav__title" for="__toc"> <span class="md-nav__icon md-icon"></span> Table of contents </label> <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix> <li class="md-nav__item"> <a href="#ssh-agent" class="md-nav__link"> <span class="md-ellipsis"> A running SSH agent </span> </a> </li> <li class="md-nav__item"> <a href="#python-support" class="md-nav__link"> <span class="md-ellipsis"> A Python installation that can talk to the SSH agent </span> </a> </li> <li class="md-nav__item"> <a href="#ssh-key" class="md-nav__link"> <span class="md-ellipsis"> A supported SSH key </span> </a> </li> </ul> </nav> </li> </ul> </nav> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_5" > <div class="md-nav__link md-nav__container"> <a href="../../explanation/" class="md-nav__link "> <span class="md-ellipsis"> Design & Background </span> </a> <label class="md-nav__link " for="__nav_5" id="__nav_5_label" tabindex="0"> <span class="md-nav__icon md-icon"></span> </label> </div> <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false"> <label class="md-nav__title" for="__nav_5"> <span class="md-nav__icon md-icon"></span> Design & Background </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../explanation/faq-altered-versions/" class="md-nav__link"> <span class="md-ellipsis"> "altered versions" license requirement </span> </a> </li> <li class="md-nav__item"> <a href="../../explanation/faq-vault-interchangable-passphrases/" class="md-nav__link"> <span class="md-ellipsis"> "interchangable passphrases" in vault </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_6" > <label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0"> <span class="md-ellipsis"> Changelog </span> <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false"> <label class="md-nav__title" for="__nav_6"> <span class="md-nav__icon md-icon"></span> Changelog </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../changelog/" class="md-nav__link"> <span class="md-ellipsis"> Changelog </span> </a> </li> <li class="md-nav__item"> <a href="../../upgrade-notes/" class="md-nav__link"> <span class="md-ellipsis"> Upgrade notes </span> </a> </li> <li class="md-nav__item"> <a href="../../pycompatibility/" class="md-nav__link"> <span class="md-ellipsis"> Python compatibility </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_7" > <div class="md-nav__link md-nav__container"> <a href="../../wishlist/" class="md-nav__link "> <span class="md-ellipsis"> Wishlist </span> </a> </div> <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_7_label" aria-expanded="false"> <label class="md-nav__title" for="__nav_7"> <span class="md-nav__icon md-icon"></span> Wishlist </label> <ul class="md-nav__list" data-md-scrollfix> </ul> </nav> </li> </ul> </nav> </div> </div> </div> <div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" > <div class="md-sidebar__scrollwrap"> <div class="md-sidebar__inner"> <nav class="md-nav md-nav--secondary" aria-label="Table of contents"> <label class="md-nav__title" for="__toc"> <span class="md-nav__icon md-icon"></span> Table of contents </label> <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix> <li class="md-nav__item"> <a href="#ssh-agent" class="md-nav__link"> <span class="md-ellipsis"> A running SSH agent </span> </a> </li> <li class="md-nav__item"> <a href="#python-support" class="md-nav__link"> <span class="md-ellipsis"> A Python installation that can talk to the SSH agent </span> </a> </li> <li class="md-nav__item"> <a href="#ssh-key" class="md-nav__link"> <span class="md-ellipsis"> A supported SSH key </span> </a> </li> </ul> </nav> </div> </div> </div> <div class="md-content" data-md-component="content"> <article class="md-content__inner md-typeset"> <a href="https://git.schokokeks.org/derivepassphrase.git/raw/master/docs/reference/prerequisites-ssh-key.md" title="View source of this page" class="md-content__button md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M17 18c.56 0 1 .44 1 1s-.44 1-1 1-1-.44-1-1 .44-1 1-1m0-3c-2.73 0-5.06 1.66-6 4 .94 2.34 3.27 4 6 4s5.06-1.66 6-4c-.94-2.34-3.27-4-6-4m0 6.5a2.5 2.5 0 0 1-2.5-2.5 2.5 2.5 0 0 1 2.5-2.5 2.5 2.5 0 0 1 2.5 2.5 2.5 2.5 0 0 1-2.5 2.5M9.27 20H6V4h7v5h5v4.07c.7.08 1.36.25 2 .49V8l-6-6H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h4.5a8.2 8.2 0 0 1-1.23-2"/></svg> </a> <h1 id="prerequisites-for-using-derivepassphrase-vault-with-an-ssh-key">Prerequisites for using <code>derivepassphrase vault</code> with an SSH key<a class="headerlink" href="#prerequisites-for-using-derivepassphrase-vault-with-an-ssh-key" title="Permanent link">¶</a></h1> <p>Using <code>derivepassphrase vault</code> with an SSH key requires:</p> <ol> <li><a href="#ssh-agent">a running SSH agent</a>,</li> <li><a href="#python-support">a Python installation that can talk to the SSH agent</a>, and</li> <li><a href="#ssh-key">a supported SSH key.</a></li> </ol> <h3 id="ssh-agent">A running SSH agent<a class="headerlink" href="#ssh-agent" title="Permanent link">¶</a></h3> <p>SSH agents are usually packaged as part of SSH client distributions. <code>ssh-agent</code> from <a href="https://www.openssh.com/">OpenSSH</a> and Pageant from <a href="https://www.chiark.greenend.org.uk/~sgtatham/putty/">PuTTY</a> are known to work. <code>gpg-agent</code> (v2) from <a href="https://gnupg.org/">GnuPG</a> is also known to work, but comes with caveats; see notes below.</p> <p>If in doubt, we recommend OpenSSH because it is the <i>de-facto</i> canonical SSH agent implementation.</p> <div class="admonition note"> <p class="admonition-title">Agent-specific features</p> <ul> <li>OpenSSH’s <code>ssh-agent</code> supports limiting the time the agent holds the key in memory (“key lifetime”). We recommend its usage.</li> <li><code>ssh-agent</code> and GnuPG’s <code>gpg-agent</code> support requiring confirmation upon each use for a specific key. We recommend its usage as well.</li> </ul> </div> <section id="agent-specific-notes"> <div class="admonition note"> <p class="admonition-title">Other agent-specific notes</p> <div class="tabbed-set tabbed-alternate" data-tabs="1:1"><input checked="checked" id="__tabbed_1_1" name="__tabbed_1" type="radio" /><div class="tabbed-labels"><label for="__tabbed_1_1">GnuPG/<code>gpg-agent</code></label></div> <div class="tabbed-content"> <div class="tabbed-block"> <ul> <li> <p><code>gpg-agent</code> v2.0 and later uses a <em>persistent</em> database of known keys, SSH or otherwise. “Adding” a key to the agent actually means <em>importing</em> it, and requires choosing an “import passphrase” to protect the key on disk, in the persistent database. <code>gpg-agent</code> will cache the import passphrase in memory, and if that cache entry expires, then the <em>import passphrase</em> must be provided to unlock the key.</p> </li> <li> <p>The GnuPG distribution does not contain tools to generate native SSH keys or interactively add keys to a running <code>gpg-agent</code>, because its purpose is to expose keys in a different format (OpenPGP) to other (agent-compatible) SSH clients. A third-party tool (such as a full SSH client distribution) is necessary to load/import native SSH keys into <code>gpg-agent</code>.</p> </li> <li> <p>As a design consequence of the persistent database, <code>gpg-agent</code> always lists all known SSH keys as available in the agent. It is impossible to remove an SSH key from <code>gpg-agent</code> using standard SSH agent operations.</p> </li> <li> <p><code>gpg-agent</code> does not advertise its communication socket by default, contrary to other SSH agents, so it must be manually advertised:</p> <div class="highlight"><pre><span></span><code><span class="gp">$ </span><span class="nv">SSH_AUTH_SOCK</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span>gpgconf<span class="w"> </span>--list-dirs<span class="w"> </span>agent-ssh-socket<span class="k">)</span><span class="s2">"</span> <span class="gp">$ </span><span class="nb">export</span><span class="w"> </span>SSH_AUTH_SOCK </code></pre></div> </li> </ul> </div> </div> </div> </div> </section> <h3 id="python-support">A Python installation that can talk to the SSH agent<a class="headerlink" href="#python-support" title="Permanent link">¶</a></h3> <div class="admonition bug"> <p class="admonition-title">Windows is currently <em>not</em> supported</p> <p><i>→ Bug entry:</i> <a href="../../wishlist/windows-ssh-agent-support/">Support PuTTY/Pageant (and maybe OpenSSH/<code>ssh-agent</code>) on Windows</a></p> <p>The two major SSH agents on Windows (PuTTY/Pageant and OpenSSH) use <i>Windows named pipes</i> for communication, and Python on Windows does not inherently support named pipes. Since no comprehensive third-party Python modules to interface with named pipes appear to exist, teaching <code>derivepassphrase</code> to use Windows named pipes will require us developers to write a custom low-level C module specific to this application—an unrealistic task if we lack both technical know-how for the named pipe API as well as Windows hardware to test any potential implementation on.</p> </div> <p>On non-Windows operating systems, the SSH agent is expected to advertise its communication socket via the <code>SSH_AUTH_SOCK</code> environment variable, which is common procedure. Therefore, <a class="autorefs autorefs-external" href="https://docs.python.org/3/library/socket.html#socket.AF_UNIX">your Python installation must support UNIX domain sockets</a>.</p> <p><code>derivepassphrase vault --version</code> will report on supported and on unavailable features, including “master SSH key”:</p> <div class="tabbed-set tabbed-alternate" data-tabs="2:2"><input checked="checked" id="__tabbed_2_1" name="__tabbed_2" type="radio" /><input id="__tabbed_2_2" name="__tabbed_2" type="radio" /><div class="tabbed-labels"><label for="__tabbed_2_1">supported</label><label for="__tabbed_2_2">unavailable</label></div> <div class="tabbed-content"> <div class="tabbed-block"> <div class="highlight"><pre><span></span><code><span class="gp">$ </span>derivepassphrase<span class="w"> </span>vault<span class="w"> </span>--version <span class="go">derivepassphrase 0.5</span> <span class="go">Using cryptography 44.0.0</span> <span class="go">Using click 8.1.8</span> <span class="go">Supported features: master SSH key.</span> </code></pre></div> </div> <div class="tabbed-block"> <div class="highlight"><pre><span></span><code><span class="gp">$ </span>derivepassphrase<span class="w"> </span>vault<span class="w"> </span>--version <span class="go">derivepassphrase 0.5</span> <span class="go">Using cryptography 44.0.0</span> <span class="go">Using click 8.1.8</span> <span class="go">Unavailable features: master SSH key.</span> </code></pre></div> </div> </div> </div> <h3 id="ssh-key">A supported SSH key<a class="headerlink" href="#ssh-key" title="Permanent link">¶</a></h3> <p>For an SSH key to be usable by <code>derivepassphrase</code>, the SSH agent must always generate the same signature for the same input, i.e. the signature must be deterministic for this key type. Commonly used SSH key types include <a href="https://en.wikipedia.org/wiki/RSA_(cryptosystem)">RSA</a>, <a href="https://en.wikipedia.org/wiki/Digital_Signature_Algorithm">DSA</a>, <a href="https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm">ECDSA</a>, <a href="https://en.wikipedia.org/wiki/EdDSA#Ed25519">Ed25519</a> and <a href="https://en.wikipedia.org/wiki/EdDSA#Ed448">Ed448</a>.</p> <ul> <li> <p>RSA, Ed25519 and Ed448 signatures are deterministic by definition. Thus RSA, Ed25519 and Ed448 keys are supported under any SSH agent that implements them.</p> </li> <li> <p>DSA and ECDSA signatures require choosing a value specific to each signature (a “cryptographic nonce”), which must be unpredictable. Typical DSA/ECDSA implementations therefore generate a suitably large random number as the nonce. This makes signatures non-deterministic, and thus unsuitable for <code>derivepassphrase</code>.</p> <details class="info"> <summary>Exception: PuTTY/Pageant and RFC 6979</summary> <p><a href="https://www.rfc-editor.org/rfc/rfc6979">RFC 6979</a> specifies a method to <em>calculate</em> the nonce from the DSA/ECDSA key and the message to be signed. DSA/ECDSA signatures from SSH agents implementing RFC 6979 are therefore deterministic, and thus <em>also</em> suitable for <code>derivepassphrase</code>. Pageant 0.81 implements RFC 6979.</p> <div class="admonition warning"> <p class="admonition-title">Warning: Pageant < 0.81</p> <p>Pageant 0.80 and earlier uses a different, homegrown method to calculate the nonce deterministically. Those versions are <em>also</em> prinicipally suitable for use with <code>derivepassphrase</code>, but <strong>they generate different signatures – and different derived passphrases – than Pageant 0.81 and later</strong>.</p> </div> </details> </li> </ul> <details class="info"> <summary>What SSH key type do I have?</summary> <p>If, according to your SSH agent, your key’s type…</p> <ul> <li>…ends with <code>-cert-v01@openssh.com</code>, then, for the purposes of this list, ignore the <code>-cert-v01@openssh.com</code> suffix.</li> <li>…is <code>dsa</code> or <code>ssh-dss</code>, or is <code>dsa</code> followed by a number, then your key type is <strong>DSA</strong>.</li> <li>…is <code>rsa</code> or <code>ssh-rsa</code>, or is <code>rsa</code> followed by a number, then your key type is <strong>RSA</strong>.</li> <li>…is <code>ecdsa</code> followed by a number, or is <code>ecdsa-sha2-nistp</code> followed by a number, then your key type is <strong>ECDSA</strong>.</li> <li>…is <code>ssh-ed25519</code>, then your key type is <strong>Ed25519</strong>.</li> <li>…is <code>ssh-ed448</code>, then your key type is <strong>Ed448</strong>.</li> </ul> </details> <p>If you do not yet have a (supported) SSH key, we recommend Ed25519 for maximum speed and reasonable availability, otherwise RSA for maximum availability. We do not in general recommend Ed448 because it is not widely implemented.</p> <details class="example"> <summary>Generating new SSH keys for <code>derivepassphrase</code></summary> <div class="tabbed-set tabbed-alternate" data-tabs="3:3"><input checked="checked" id="__tabbed_3_1" name="__tabbed_3" type="radio" /><input id="__tabbed_3_2" name="__tabbed_3" type="radio" /><input id="__tabbed_3_3" name="__tabbed_3" type="radio" /><div class="tabbed-labels"><label for="__tabbed_3_1">OpenSSH</label><label for="__tabbed_3_2">PuTTY</label><label for="__tabbed_3_3">GnuPG</label></div> <div class="tabbed-content"> <div class="tabbed-block"> <p>The resulting key will be stored in <code>~/.ssh/my-vault-ed25519-key</code>, using “vault key” as a comment. Replace <code>-t ed25519</code> with <code>-t rsa</code> if generating an RSA key, and adapt the filename accordingly.</p> <div class="highlight"><pre><span></span><code><span class="gp">$ </span>ssh-keygen<span class="w"> </span>-t<span class="w"> </span>ed25519<span class="w"> </span>-f<span class="w"> </span>~/.ssh/my-vault-ed25519-key<span class="w"> </span>-C<span class="w"> </span><span class="s2">"vault key"</span> <span class="go">Generating public/private ed25519 key pair.</span> <span class="go">Enter passphrase for ".../.ssh/my-vault-ed25519-key" (empty for no passphrase): </span> <span class="go">Enter same passphrase again:</span> <span class="go">Your identification has been saved in .../.ssh/my-vault-ed25519-key</span> <span class="go">Your public key has been saved in .../.ssh/my-vault-ed25519-key.pub</span> <span class="go">The key fingerprint is:</span> <span class="go">SHA256:0h+WAokssfhzfzVyuMLJlIcWyCtk5WiXI8BHyhXYxC0 vault key</span> <span class="go">The key's randomart image is:</span> <span class="go">+--[ED25519 256]--+</span> <span class="go">|o B=+ |</span> <span class="go">|.=oE = . |</span> <span class="go">|.oX @ + |</span> <span class="go">| = + o * . . |</span> <span class="go">| + o * S B |</span> <span class="go">| + * + O o |</span> <span class="go">| * o . |</span> <span class="go">| o |</span> <span class="go">| |</span> <span class="go">+----[SHA256]-----+</span> </code></pre></div> <p>(The key fingerprint and the randomart image will naturally differ, as they are key-specific.)</p> </div> <div class="tabbed-block"> <p>The resulting key will be stored in <code>~/.ssh/my-vault-ed25519-key.ppk</code>, using “vault key” as a comment. Replace <code>-t ed25519</code> with <code>-t rsa</code> if generating an RSA key, and adapt the filename accordingly.</p> <div class="highlight"><pre><span></span><code><span class="gp">$ </span>puttygen<span class="w"> </span>-t<span class="w"> </span>ed25519<span class="w"> </span>-o<span class="w"> </span>~/.ssh/my-vault-ed25519-key.ppk<span class="w"> </span>-C<span class="w"> </span><span class="s2">"vault key"</span> <span class="go">Enter passphrase to save key: </span> <span class="go">Re-enter passphrase to verify: </span> </code></pre></div> </div> <div class="tabbed-block"> <p>Not supported natively. An alternative SSH client distribution such as OpenSSH or PuTTY is necessary.</p> <p>Alternatively, GnuPG supports reusing keys in its native OpenPGP format for SSH as long as the underlying key type is compatible.</p> </div> </div> </div> </details> <hr /> <div class="admonition abstract"> <p class="admonition-title">Further reading</p> <p>→ <a href="../../how-tos/ssh-key/">How to set up <code>derivepassphrase vault</code> with an SSH key</a></p> </div> </article> </div> </div> </main> <footer class="md-footer"> <nav class="md-footer__inner md-grid" aria-label="Footer" > <a href="../derivepassphrase.vault/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Submodule vault"> <div class="md-footer__button md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg> </div> <div class="md-footer__title"> <span class="md-footer__direction"> Previous </span> <div class="md-ellipsis"> Submodule vault </div> </div> </a> <a href="../../explanation/" class="md-footer__link md-footer__link--next" aria-label="Next: Explanation overview"> <div class="md-footer__title"> <span class="md-footer__direction"> Next </span> <div class="md-ellipsis"> Explanation overview </div> </div> <div class="md-footer__button md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11z"/></svg> </div> </a> </nav> <div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> <div class="md-copyright"> <div class="md-copyright__highlight"> Copyright © 2025 Marco Ricci (the-13th-letter) </div> Made with <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener"> Material for MkDocs </a> and <a href="https://mkdocstrings.github.io/python/" target="_blank" rel="noopener"> mkdocstrings-python </a> </div> </div> </div> </footer> </div> <div class="md-dialog" data-md-component="dialog"> <div class="md-dialog__inner md-typeset"></div> </div> </body> </html>
