derivepassphrase.git

@@ -55,8 +55,4 @@

 ### Explanation

 * Security aspects and other tradeoffs when using deterministic password generators

-* Should I use one master SSH key/master passphrase, or many? (→ [TODO][HOW_TO_SSH_KEY])

 * Why is `vault`'s `--repeat` option named this way if it counts occurrences, not repetitions?

-

-[BASIC_SETUP_PASSPHRASE]: tutorials/basic-setup-passphrase.md

-[HOW_TO_SSH_KEY]: how-tos/ssh-key.md

@@ -8,7 +8,9 @@ title: Explanation overview

   in practice?][FAQ_INTERCHANGABLE_PASSPHRASES]

 * [Tradeoffs between a master passphrase and a master SSH

   key][TRADEOFFS_PASSPHRASE_SSH_KEY]

+* [Should I use one master SSH key/master passphrase, or many?][MANY_MASTER_SECRETS]

 [FAQ_ALTERED_VERSIONS]: faq-altered-versions.md

 [FAQ_INTERCHANGABLE_PASSPHRASES]: faq-vault-interchangable-passphrases.md

 [TRADEOFFS_PASSPHRASE_SSH_KEY]: tradeoffs-passphrase-ssh-key.md

+[MANY_MASTER_SECRETS]: many-master-secrets.md

@@ -0,0 +1,22 @@

+# Should I use one master SSH key/master passphrase, or many?

+

+Generally, using multiple master SSH keys or master passphrases partitions the `derivepassphrase` configuration into sets such that the compromise of one master SSH key/master passphrase compromises all passphrases within that set of configurations.

+

+However, using multiple master SSH keys or master passphrases also means that multiple SSH keys or passphrases must be managed.

+

+## Multiple master SSH keys

+

+Managing multiple master SSH keys is conceptually no different than managing a single key.

+

+`derivepassphrase vault` can record which master SSH key to use for each configuration.

+

+## Multiple master passphrases

+

+Managing multiple master passphrases is somewhat more difficult.

+The user must choose multiple high-quality master passphrases.

+If passphrases are memorized (as is recommended), then this puts a much higher cognitive load on the user than keeping multiple master SSH keys.

+

+Furthermore, `derivepassphrase vault` cannot record which master passphrase to use for each configuration, beyond storing the respective master passphrase itself (which is a **grave security risk**).

+The user must thus find a different (usually out-of-band) way to associate each configuration with its matching master passphrase.

+

+Due to these logistical difficulties, from a purely operational standpoint, using multiple master passphrases **is not recommended**.

@@ -301,7 +301,7 @@ Next, configure `derivepassphrase vault` to use the loaded SSH key.

 !!! abstract "Further reading"

-    → Should I use one master SSH key/master passphrase, or many? (TODO)

+    → [Should I use one master SSH key/master passphrase, or many?][MANY_MASTER_SECRETS]

 <aside markdown>

@@ -320,3 +320,4 @@ Next, configure `derivepassphrase vault` to use the loaded SSH key.

 [PREREQ]: ../reference/prerequisites-ssh-key.md

 [PREREQ_AGENT_SPECIFIC_NOTES]: ../reference/prerequisites-ssh-key.md#agent-specific-notes

 [TRADEOFFS_PASSPHRASE_SSH_KEY]: ../explanation/tradeoffs-passphrase-ssh-key.md

+[MANY_MASTER_SECRETS]: ../explanation/many-master-secrets.md

@@ -123,6 +123,7 @@ nav:

     - '"altered versions" license requirement': explanation/faq-altered-versions.md

     - '"interchangable passphrases" in vault': explanation/faq-vault-interchangable-passphrases.md

     - tradeoffs between passphrase & SSH key: explanation/tradeoffs-passphrase-ssh-key.md

+    - explanation/many-master-secrets.md

   - Changelog:

     - Changelog: changelog.md

     - Upgrade notes: upgrade-notes.md

@@ -74,6 +74,7 @@ nav:

     - '"altered versions" license requirement': explanation/faq-altered-versions.md

     - '"interchangable passphrases" in vault': explanation/faq-vault-interchangable-passphrases.md

     - tradeoffs between passphrase & SSH key: explanation/tradeoffs-passphrase-ssh-key.md

+    - explanation/many-master-secrets.md

   - Changelog:

     - Changelog: changelog.md

     - Upgrade notes: upgrade-notes.md