derivepassphrase.git

@@ -2,53 +2,94 @@

 ## NAME

-derivepassphrase-export-vault – export a vault-native configuration to

-standard output

+derivepassphrase-export-vault – export a vault-native configuration to standard output

 ## SYNOPSIS

 ````

-derivepassphrase export vault [OPTIONS] PATH

+derivepassphrase export vault [-f FMT] [-k K] PATH

 ````

 ## DESCRIPTION

-Read the <b>vault</b>-native configuration at <i>PATH</i>, extract all

-information from it, and export the resulting configuration to standard

-output. Depending on the configuration format, this may either be a file or

-a directory.  Supports the vault "v0.2", "v0.3" and "storeroom" formats.

+Read the <i>vault</i>(1)-native configuration at <i>PATH</i>, extract all information from it, and export the resulting configuration to standard output (as if using <i>vault</i>(1)'s <b>-</b><b>-export</b> option).

+Depending on the configuration format, this may either be a file or a directory.

+Supports the <i>vault</i>(1) `v0.2`, `v0.3` and `storeroom` formats, all of which inherently use encryption and integrity protection.

-If <i>PATH</i> is explicitly given as `VAULT_PATH`, then use the

-`VAULT_PATH` environment variable to determine the correct path. (Use

-`./VAULT_PATH` or similar to indicate a file/directory actually named

-`VAULT_PATH`.)

+If <i>PATH</i> is explicitly given as `VAULT_PATH`, then use the `VAULT_PATH` environment variable to determine the correct path.

+(Use `./VAULT_PATH` or similar to indicate a file/directory actually named `VAULT_PATH`.)

 ## OPTIONS

 <b>-f</b>, <b>-</b><b>-format</b> <i>FMT</i>

-:    try the following storage formats, in order (default: `v0.3`, `v0.2`)

+:   Try the storage format <i>FMT</i>.

+    May be given multiple times; the formats will be tried in order.

+

+    By default, we first try `v0.3`, then `v0.2`, and finally `storeroom`.

 <b>-k</b>, <b>-</b><b>-key</b> <i>K</i>

-:    use <i>K</i> as the storage master key (default: check the `VAULT_KEY`,

-     `LOGNAME`, `USER` or `USERNAME` environment variables)

+:   Use <i>K</i> as the storage master key.

+

+    By default, we check the `VAULT_KEY`, `LOGNAME`, `USER` and `USERNAME` environment variables, and use the first one with a proper value (*and only the first one*).

+

+<b>-</b><b>-debug</b>

+:   Emit all diagnostic information to standard error, including progress, warning and error messages.

+

+    Cancels the effect of any previous <b>-</b><b>-quiet</b> or <b>-</b><b>-verbose</b> options.

+

+<b>-v</b>, <b>-</b><b>-verbose</b>

+:   Emit extra/progress information to standard error, on top of warning and error messages.

+

+    Cancels the effect of any previous <b>-</b><b>-debug</b> or <b>-</b><b>-quiet</b> options.

+

+<b>-q</b>, <b>-</b><b>-quiet</b>

+:   Suppress all other diagnostic output to standard error, except error messages.

+    This includes warning messages.

+

+    Cancels the effect of any previous <b>-</b><b>-debug</b> or <b>-</b><b>-verbose</b> options.

+

+<b>-</b><b>-version</b>

+:   Show the version and exit.

 <b>-h</b>, <b>-</b><b>-help</b>

-:    Show this message and exit.

+:   Show a help message and exit.

+

+## ENVIRONMENT

-## ENVIRONMENT VARIABLES

+`DERIVEPASSPHRASE_PATH`

+:   <b>derivepassphrase</b> stores its configuration files and data in this directory.

+    Defaults to `~/.derivepassphrase` on UNIX-like systems and `C:\Users\<user>\AppData\Roaming\Derivepassphrase` on Windows.

-<b>VAULT_PATH</b>

-:   A default path, relative to the home directory, where to look for the

-    configuration to load.

+`VAULT_PATH`

+:   A default path, relative to the home directory, where to look for the configuration to load.

-<b>VAULT\_KEY</b>

-:   A password with which the vault configuration is encrypted.  The

-    password is interpreted as a UTF-8 byte string.

+`VAULT_KEY`

+:   A password with which the vault configuration is encrypted.

+    The password is interpreted as a UTF-8 byte string.

-<b>LOGNAME</b>, <b>USER</b>, <b>USERNAME</b>

+`LOGNAME`, `USER`, `USERNAME`

 :   Fallback values for `VAULT_KEY`.

+## COMPATIBILITY

+

+### With other software

+

+<b>derivepassphrase export vault</b> fully supports reading the configuration formats used by <i>vault</i>(1) v0.3 and lower (formats `v0.2` and `v0.3`), as well as the `storeroom` format used in development builds after <i>vault</i>(1) v0.3 (`storeroom` version 1).

+

+There is no corresponding "import" subcommand, nor is there support for writing configuration files or directories in any of the aforementioned formats.

+

 ## SEE ALSO

-[derivepassphrase(1)](derivepassphrase.1.md),

-[vault(1)](https://www.npmjs.com/package/vault)

+[<i>derivepassphrase</i>(1)](derivepassphrase.1.md),

+[<i>vault</i>(1)](https://www.npmjs.com/package/vault).

+

+## AUTHOR

+

+[Marco Ricci](https://the13thletter.info) (`software` at `the13thletter` dot `info`)

+

+## BUGS

+

+  * There is no support for writing <i>vault</i>(1) configuration files or directories in any of the aforementioned formats.

+

+    WONTFIX: two-way interoperability of configuration file disk formats is currently out of scope.

+    Use the standard `--import` and `--export` options of both <i>vault</i>(1) and <b>derivepassphrase vault</b>.

@@ -2,37 +2,76 @@

 ## NAME

-derivepassphrase-export – export a foreign configuration to standard

-output

+derivepassphrase-export – export a foreign configuration to standard output

 ## SYNOPSIS

 ````

-derivepassphrase export [SUBCOMMAND_ARGS]...

+derivepassphrase export SUBCOMMAND_ARGS ...

 ````

 ## DESCRIPTION

-Read a foreign system configuration, extract all information from

-it, and export the resulting configuration to standard output.

-

-The only available subcommand is <b>vault</b>, which implements the

-vault-native configuration scheme.  If no subcommand is given, we

-default to <b>vault</b>.

+Read a foreign system configuration, extract all information from it, and export the resulting configuration to standard output.

 ## SUBCOMMANDS

 [<b>vault</b>][VAULT_SUBCMD]

-:    Export a vault-native configuration to standard output.

+:    Export a <i>vault</i>(1)-native configuration to standard output.

+

+If no subcommand is given, we default to <b>vault</b>.

+

+## OPTIONS

+

+<b>-</b><b>-debug</b>

+:   Emit all diagnostic information to standard error, including progress, warning and error messages.

+

+    Cancels the effect of any previous <b>-</b><b>-quiet</b> or <b>-</b><b>-verbose</b> options.

+    Also applies to subcommands.

+

+<b>-v</b>, <b>-</b><b>-verbose</b>

+:   Emit extra/progress information to standard error, on top of warning and error messages.

+

+    Cancels the effect of any previous <b>-</b><b>-debug</b> or <b>-</b><b>-quiet</b> options.

+    Also applies to subcommands.

+

+<b>-q</b>, <b>-</b><b>-quiet</b>

+:   Suppress all other diagnostic output to standard error, except error messages.

+    This includes warning messages.

+

+    Cancels the effect of any previous <b>-</b><b>-debug</b> or <b>-</b><b>-verbose</b> options.

+    Also applies to subcommands.

-## DEPRECATION NOTICE

+<b>-</b><b>-version</b>

+:   Show the version and exit.

-Defaulting to <b>vault</b> is deprecated.  Starting in v1.0, the

-subcommand must be specified explicitly.

+<b>-h</b>, <b>-</b><b>-help</b>

+:   Show a help message and exit.

+

+## ENVIRONMENT

+

+`DERIVEPASSPHRASE_PATH`

+:   <b>derivepassphrase</b> stores its configuration files and data in this directory.

+    Defaults to `~/.derivepassphrase` on UNIX-like systems and `C:\Users\<user>\AppData\Roaming\Derivepassphrase` on Windows.

+

+## COMPATIBILITY

+

+### With other software

+

+See the respective subcommand's manpage for compatibility information.

+

+### Forward and backward compatibility

+

+  * [Since v0.2.0.] In v1.0, <b>derivepassphrase export</b> will require an explicit subcommand name.

+    Defaults to the subcommand <b>vault</b>.

 ## SEE ALSO

-[derivepassphrase(1)](derivepassphrase.1.md),

-[derivepassphrase-export-vault(1)]

+[<i>derivepassphrase</i>(1)](derivepassphrase.1.md),

+[<i>derivepassphrase-export-vault</i>(1)][VAULT_SUBCMD].

+

+## AUTHOR

+

+[Marco Ricci](https://the13thletter.info) (`software` at `the13thletter` dot `info`)

 [VAULT_SUBCMD]: derivepassphrase-export-vault.1.md

@@ -158,6 +158,22 @@ The compatibility and extension options modify the behavior to enable additional

 ### Other Options

+<b>-</b><b>-debug</b>

+:   Emit all diagnostic information to standard error, including progress, warning and error messages.

+

+    Cancels the effect of any previous <b>-</b><b>-quiet</b> or <b>-</b><b>-verbose</b> options.

+

+<b>-v</b>, <b>-</b><b>-verbose</b>

+:   Emit extra/progress information to standard error, on top of warning and error messages.

+

+    Cancels the effect of any previous <b>-</b><b>-debug</b> or <b>-</b><b>-quiet</b> options.

+

+<b>-q</b>, <b>-</b><b>-quiet</b>

+:   Suppress all other diagnostic output to standard error, except error messages.

+    This includes warning messages.

+

+    Cancels the effect of any previous <b>-</b><b>-debug</b> or <b>-</b><b>-verbose</b> options.

+

 <b>-</b><b>-version</b>

 :   Show the version and exit.

@@ -427,9 +443,6 @@ Exceptions:

 ### Forward and backward compatibility

-  * [Since v0.2.0.]

-    In v1.0, the commands <b>derivepassphrase</b> and <b>derivepassphrase export</b> will require an explicit subcommand name.

-    Both default to the subcommand <b>vault</b>.

   * [Since v0.2.0.]

     In v1.0, the configuration data file for the <b>vault</b> subcommand will be named `vault.json`, instead of `config.json`.

   * [Since v0.2.0, to be removed in v1.0.]

@@ -448,6 +461,7 @@ Exceptions:

 ## BUGS

-  * The defaults are dictated by <i>vault</i>(1), necessitating the ["Compatibility and extension options"](#compatibility-and-extension-options). (WONTFIX.)

+  * The defaults are dictated by <i>vault</i>(1), necessitating the ["Compatibility and extension options"](#compatibility-and-extension-options).

+    (WONTFIX.)

   * The Windows version does not support SSH keys because Python on Windows does not support the predominant type of inter-process communication used by SSH agents on Windows.

@@ -2,31 +2,21 @@

 ## NAME

-derivepassphrase – derive a strong passphrase, deterministically, from

-a master secret

+derivepassphrase – derive a strong passphrase, deterministically, from a master secret

 ## SYNOPSIS

 ````

-derivepassphrase [SUBCOMMAND_ARGS]...

+derivepassphrase SUBCOMMAND_ARGS ...

 ````

 ## DESCRIPTION

-Using a master secret, derive a passphrase for a named service,

-subject to constraints e.g. on passphrase length, allowed

-characters, etc.  The exact derivation depends on the selected

-derivation scheme.  For each scheme, it is computationally

-infeasible to discern the master secret from the derived passphrase.

-The derivations are also deterministic, given the same inputs, thus

-the resulting passphrases need not be stored explicitly.  The

-service name and constraints themselves also generally need not be

-kept secret, depending on the scheme.

-

-The currently implemented subcommands are <b>vault</b> (for the scheme

-used by vault) and <b>export</b> (for exporting foreign configuration

-data).  See the respective `--help` output for instructions.  If no

-subcommand is given, we default to <b>vault</b>.

+Using a master secret, derive a passphrase for a named service, subject to constraints e.g. on passphrase length, allowed characters, etc.

+The exact derivation depends on the selected derivation scheme.

+Each scheme derives *strong* passphrases by design: the derived passphrases have as much entropy as permitted by the master secret and the passphrase constraints (whichever is more restrictive), and even if multiple derived passphrases are compromised, the master secret remains cryptographically difficult to discern from those compromised passphrases.

+The derivations are also deterministic, given the same inputs, thus the resulting passphrases need not be stored explicitly.

+The service name and constraints themselves also generally need not be kept secret, depending on the scheme.

 ## SUBCOMMANDS

@@ -34,24 +24,65 @@ subcommand is given, we default to <b>vault</b>.

 :   Export a foreign configuration to standard output.

 [<b>vault</b>][VAULT_SUBCMD]

-:   Derive a passphrase using the vault(1) derivation scheme.

+:   Derive a passphrase using the <i>vault</i>(1) derivation scheme.

-## DEPRECATION NOTICE

+If no subcommand is given, we default to <b>vault</b>.

-Defaulting to <b>vault</b> is deprecated.  Starting in v1.0, the

-subcommand must be specified explicitly.

+## OPTIONS

-## CONFIGURATION

+<b>-</b><b>-debug</b>

+:   Emit all diagnostic information to standard error, including progress, warning and error messages.

-Configuration is stored in a directory according to the

-`$DERIVEPASSPHRASE_PATH` variable, which defaults to

-`~/.derivepassphrase` on UNIX-like systems and

-`C:\Users\<user>\AppData\Roaming\Derivepassphrase` on Windows.

+    Cancels the effect of any previous <b>-</b><b>-quiet</b> or <b>-</b><b>-verbose</b> options.

+    Also applies to subcommands.

+

+<b>-v</b>, <b>-</b><b>-verbose</b>

+:   Emit extra/progress information to standard error, on top of warning and error messages.

+

+    Cancels the effect of any previous <b>-</b><b>-debug</b> or <b>-</b><b>-quiet</b> options.

+    Also applies to subcommands.

+

+<b>-q</b>, <b>-</b><b>-quiet</b>

+:   Suppress all other diagnostic output to standard error, except error messages.

+    This includes warning messages.

+

+    Cancels the effect of any previous <b>-</b><b>-debug</b> or <b>-</b><b>-verbose</b> options.

+    Also applies to subcommands.

+

+<b>-</b><b>-version</b>

+:   Show the version and exit.

+

+<b>-h</b>, <b>-</b><b>-help</b>

+:   Show a help message and exit.

+

+## ENVIRONMENT

+

+`DERIVEPASSPHRASE_PATH`

+:   <b>derivepassphrase</b> stores its configuration files and data in this directory.

+    Defaults to `~/.derivepassphrase` on UNIX-like systems and `C:\Users\<user>\AppData\Roaming\Derivepassphrase` on Windows.

+

+## COMPATIBILITY

+

+### With other software

+

+Some derivation schemes are based on other software.

+See their respective manpages for compatibility information.

+

+Affected derivation schemes: <b>vault</b>.

+

+### Forward and backward compatibility

+

+  * [Since v0.2.0.] In v1.0, <b>derivepassphrase</b> will require an explicit subcommand name.

+    Defaults to the subcommand <b>vault</b>.

 ## SEE ALSO

-[derivepassphrase-export(1)][EXPORT_SUBCMD],

-[derivepassphrase-vault(1)][VAULT_SUBCMD]

+[<i>derivepassphrase-export</i>(1)][EXPORT_SUBCMD],

+[<i>derivepassphrase-vault</i>(1)][VAULT_SUBCMD].

+

+## AUTHOR

+

+[Marco Ricci](https://the13thletter.info) (`software` at `the13thletter` dot `info`)

 [EXPORT_SUBCMD]: derivepassphrase-export.1.md

-[VAULT_SUBCMD]: derivepassphrase-export.1.md

+[VAULT_SUBCMD]: derivepassphrase-vault.1.md

@@ -0,0 +1,221 @@

+.Dd 2025-01-11

+.Dt DERIVEPASSPHRASE-EXPORT-VAULT 1

+.Os derivepassphrase 0.4.0

+.

+.Sh NAME

+.

+.Nm derivepassphrase-export-vault

+.Nd export a vault-native configuration to standard output

+.

+.Sh SYNOPSIS

+.

+.Bd -ragged

+.Nm derivepassphrase export vault

+.Op Fl f Ar FMT

+.Op Fl k Ar K

+.Ar PATH

+.Ed

+.

+.Sh DESCRIPTION

+.

+Read the

+.Xr vault 1 Ns -native

+configuration at

+.Ar PATH ,

+extract all information from it, and export the resulting configuration to

+standard output (as if using

+.Xr vault 1 Ns 's

+.Fl \-export

+option).

+Depending on the configuration format, this may either be a file or a

+directory.

+Supports the

+.Xr vault 1

+.Li v0.2 ,

+.Li v0.3

+and

+.Li storeroom

+formats, all of which inherently use encryption and integrity protection.

+.Pp

+.

+If

+.Ar PATH

+is explicitly listed as

+.Li VAULT_PATH ,

+then use the

+.Ev VAULT_PATH

+environment variable to determine the correct path.

+.Po

+Use

+.Pa ./VAULT_PATH

+or similar to indicate a file/directory actually named

+.Pa VAULT_PATH .

+.Pc

+.

+.Sh OPTIONS

+.

+.Bl -tag -width ".Fl p , \-phrase"

+.

+.It Fl f , \-format Ar FMT

+Try the storage format

+.Ar FMT .

+May be given multiple times; the formats will be tried in order.

+.Pp

+.

+By default, we first try

+.Li v0.3 ,

+then

+.Li v0.2 ,

+and finally

+.Li storeroom .

+.

+.It Fl k , \-key Ar K

+Use

+.Ar K

+as the storage master key.

+.Pp

+.

+By default, we check the

+.Ev VAULT_KEY ,

+.Ev LOGNAME ,

+.Ev USER

+and

+.Ev USERNAME

+environment variables, and use the first one with a proper value

+.Pq Em and only the first one .

+.

+.It Fl \-debug

+Emit all diagnostic information to standard error, including progress,

+warning and error messages.

+.Pp

+.

+Cancels the effect of any previous

+.Fl \-quiet

+or

+.Fl \-verbose

+options.

+Also applies to subcommands.

+.

+.It Fl v , \-verbose

+Emit extra/progress information to standard error, on top of warning and

+error messages.

+.Pp

+.

+Cancels the effect of any previous

+.Fl \-debug

+or

+.Fl \-quiet

+options.

+Also applies to subcommands.

+.

+.It Fl q , \-quiet

+Suppress all other diagnostic output to standard error, except error

+messages.

+.Pp

+.

+Cancels the effect of any previous

+.Fl \-debug

+or

+.Fl \-verbose

+options.

+Also applies to subcommands.

+.

+.It Fl \-version

+Show the version and exit.

+.

+.It Fl h , \-help

+Show a help message and exit.

+.

+.El

+.

+.Sh ENVIRONMENT

+.

+.Bl -tag -width ".Fl p , \-phrase"

+.

+.It Ev DERIVEPASSPHRASE_PATH

+.Nm derivepassphrase

+stores its configuration files and data in this directory.

+Defaults to

+.Pa \(ti/.derivepassphrase

+on UNIX-like systems and

+.Pa C:\[rs]Users\[rs]<user>\[rs]AppData\[rs]Roaming\[rs]Derivepassphrase

+on Windows.

+.

+.It Ev VAULT_PATH

+A default path, relative to the home directory, where to look for the

+configuration to load.

+.

+.It Ev VAULT_KEY

+A password with which the vault configuration is encrypted.

+The password is interpreted as a UTF-8 byte string.

+.

+.It Ev LOGNAME , USER , USERNAME

+Fallback values for

+.Ev VAULT_KEY .

+.

+.El

+.

+.Sh COMPATIBILITY

+.

+.Ss With other software

+.

+.Nm derivepassphrase export vault

+fully supports reading the configuration formats used by

+.Xr vault 1

+v0.3 and lower

+.Pq formats Li v0.2 No and Li v0.3 ,

+as well as the

+.Li storeroom

+format used in development builds after

+.Xr vault 1

+v0.3

+.Pq Li storeroom No version 1 .

+.Pp

+.

+There is no corresponding

+.Dq import

+subcommand, nor is there support for writing configuration files or

+directories in any of the aforementioned formats.

+.

+.Sh SEE ALSO

+.

+.Xr derivepassphrase 1 .

+.Rs

+.%A "James Coglan"

+.%T "vault(1)"

+.%U https://www.npmjs.com/package/vault

+.Re

+.Pp

+.

+Further online documentation for

+.Xr derivepassphrase 1

+.Pq tutorials, how-tos, reference and design documentation

+is available at

+.Lk https://the13thletter.info/derivepassphrase/ .

+.

+.Sh AUTHOR

+.

+.Lk mailto:software@the13thletter.info "Marco Ricci"

+.

+.Sh BUGS

+.

+.Bl -bullet

+.It

+There is no support for writing

+.Xr vault 1

+configuration files or directories in any of the aforementioned formats.

+.Pp

+WONTFIX: two-way interoperability of configuration file disk formats is

+currently out of scope.

+Use the standard

+.Fl \-import

+and

+.Fl \-export

+options of both

+.Xr vault 1

+and

+.Nm derivepassphrase vault

+.Ns .

+.

+.El

+.

@@ -0,0 +1,136 @@

+.Dd 2025-01-11

+.Dt DERIVEPASSPHRASE-EXPORT 1

+.Os derivepassphrase 0.4.0

+.

+.Sh NAME

+.

+.Nm derivepassphrase-export

+.Nd export a foreign configuration to standard output

+.

+.Sh SYNOPSIS

+.

+.Bd -ragged

+.Nm derivepassphrase export

+.Ar SUBCOMMAND_ARGS No .\|.\|.

+.Ed

+.

+.Sh DESCRIPTION

+.

+Read a foreign system configuration, extract all information from it,

+and export the resulting configuration to standard output.

+.

+.Sh SUBCOMMANDS

+.

+.Bl -tag -width ".Fl p , \-phrase"

+.

+.It Ar vault

+Export a

+.Xr vault 1

+.Ns -native

+configuration to standard output.

+.

+.El

+.Pp

+.

+If no subcommand is given, we default to

+.Ar vault .

+.

+.Sh OPTIONS

+.

+.Bl -tag -width ".Fl p , \-phrase"

+.

+.It Fl \-debug

+Emit all diagnostic information to standard error, including progress,

+warning and error messages.

+.Pp

+.

+Cancels the effect of any previous

+.Fl \-quiet

+or

+.Fl \-verbose

+options.

+Also applies to subcommands.

+.

+.It Fl v , \-verbose

+Emit extra/progress information to standard error, on top of warning and

+error messages.

+.Pp

+.

+Cancels the effect of any previous

+.Fl \-debug

+or

+.Fl \-quiet

+options.

+Also applies to subcommands.

+.

+.It Fl q , \-quiet

+Suppress all other diagnostic output to standard error, except error

+messages.

+.Pp

+.

+Cancels the effect of any previous

+.Fl \-debug

+or

+.Fl \-verbose

+options.

+Also applies to subcommands.

+.

+.It Fl \-version

+Show the version and exit.

+.

+.It Fl h , \-help

+Show a help message and exit.

+.

+.El

+.

+.Sh ENVIRONMENT

+.

+.Bl -tag -width ".Fl p , \-phrase"

+.

+.It Ev DERIVEPASSPHRASE_PATH

+.Nm derivepassphrase

+stores its configuration files and data in this directory.

+Defaults to

+.Pa \(ti/.derivepassphrase

+on UNIX-like systems and

+.Pa C:\[rs]Users\[rs]<user>\[rs]AppData\[rs]Roaming\[rs]Derivepassphrase

+on Windows.

+.

+.El

+.

+.Sh COMPATIBILITY

+.

+.Ss With other software

+.

+See the respective subcommand's manpage for compatibility information.

+.

+.Ss Forward and backward compatibility

+.

+.Bl -bullet

+.

+.It

+.Bo Since v0.2.0 . Bc

+In v1.0,

+.Nm derivepassphrase export

+will require an explicit subcommand name.

+Defaults to the subcommand

+.Ic vault .

+.

+.El

+.

+.Sh SEE ALSO

+.

+.Xr derivepassphrase 1 ,

+.Xr derivepassphrase-export-vault 1 .

+.Pp

+.

+Further online documentation for

+.Xr derivepassphrase 1

+.Pq tutorials, how-tos, reference and design documentation

+is available at

+.Lk https://the13thletter.info/derivepassphrase/ .

+.

+.Sh AUTHOR

+.

+.Lk mailto:software@the13thletter.info "Marco Ricci"

+.

@@ -1,4 +1,4 @@

-.Dd 2025-01-07

+.Dd 2025-01-11

 .Dt DERIVEPASSPHRASE-VAULT 1

 .Os derivepassphrase 0.4.0

 .

@@ -408,6 +408,42 @@ were always given.)

 .

 .Bl -tag -width ".Fl p , \-phrase"

 .

+.It Fl \-debug

+Emit all diagnostic information to standard error, including progress,

+warning and error messages.

+.Pp

+.

+Cancels the effect of any previous

+.Fl \-quiet

+or

+.Fl \-verbose

+options.

+Also applies to subcommands.

+.

+.It Fl v , \-verbose

+Emit extra/progress information to standard error, on top of warning and

+error messages.

+.Pp

+.

+Cancels the effect of any previous

+.Fl \-debug

+or

+.Fl \-quiet

+options.

+Also applies to subcommands.

+.

+.It Fl q , \-quiet

+Suppress all other diagnostic output to standard error, except error

+messages.

+.Pp

+.

+Cancels the effect of any previous

+.Fl \-debug

+or

+.Fl \-verbose

+options.

+Also applies to subcommands.

+.

 .It Fl \-version

 Show the version and exit.

 .

@@ -887,16 +923,6 @@ can read both these formats and export the contents.)

 .

 .It

 .Bo Since v0.2.0 . Bc

-In v1.0, the commands

-.Nm derivepassphrase

-and

-.Nm derivepassphrase export

-will require an explicit subcommand name.

-Both default to the subcommand

-.Ic vault .

-.

-.It

-.Bo Since v0.2.0 . Bc

 In v1.0, the configuration data file for the

 .Ic vault

 subcommand will be named

@@ -0,0 +1,157 @@

+.Dd 2025-01-11

+.Dt DERIVEPASSPHRASE 1

+.Os derivepassphrase 0.4.0

+.

+.Sh NAME

+.

+.Nm derivepassphrase

+.Nd derive a strong passphrase, deterministically, from a master secret

+.

+.Sh SYNOPSIS

+.

+.Bd -ragged

+.Nm derivepassphrase

+.Ar SUBCOMMAND_ARGS No .\|.\|.

+.Ed

+.

+.Sh DESCRIPTION

+.

+Using a master secret, derive a passphrase for a named service, subject to

+constraints e.g.\& on passphrase length, allowed characters, etc.

+The exact derivation depends on the selected derivation scheme.

+Each scheme derives

+.Em strong

+passphrases by design:

+the derived passphrases have as much entropy as permitted by the master secret

+and the passphrase constraints

+.Pq whichever is more restrictive ,

+and even if multiple derived passphrases are compromised, the master secret

+remains cryptographically difficult to discern from those compromised

+passphrases.

+The derivations are also deterministic, given the same inputs, thus the

+resulting passphrsases need not be stored explicitly.

+The service name and constraints themselves also generally need not be kept

+secret, depending on the scheme.

+.

+.Sh SUBCOMMANDS

+.

+.Bl -tag -width ".Fl p , \-phrase"

+.

+.It Ar export

+Export a foreign configuration to standard output.

+.

+.It Ar vault

+Derive a passphrase using the

+.Xr vault 1

+derivation scheme.

+.

+.El

+.Pp

+.

+If no subcommand is given, we default to

+.Ar vault .

+.

+.Sh OPTIONS

+.

+.Bl -tag -width ".Fl p , \-phrase"

+.

+.It Fl \-debug

+Emit all diagnostic information to standard error, including progress,

+warning and error messages.

+.Pp

+.

+Cancels the effect of any previous

+.Fl \-quiet

+or

+.Fl \-verbose

+options.

+Also applies to subcommands.

+.

+.It Fl v , \-verbose

+Emit extra/progress information to standard error, on top of warning and

+error messages.

+.Pp

+.

+Cancels the effect of any previous

+.Fl \-debug

+or

+.Fl \-quiet

+options.

+Also applies to subcommands.

+.

+.It Fl q , \-quiet

+Suppress all other diagnostic output to standard error, except error

+messages.

+.Pp

+.

+Cancels the effect of any previous

+.Fl \-debug

+or

+.Fl \-verbose

+options.

+Also applies to subcommands.

+.

+.It Fl \-version

+Show the version and exit.

+.

+.It Fl h , \-help

+Show a help message and exit.

+.

+.El

+.

+.Sh ENVIRONMENT

+.

+.Bl -tag -width ".Fl p , \-phrase"

+.

+.It Ev DERIVEPASSPHRASE_PATH

+.Nm derivepassphrase

+stores its configuration files and data in this directory.

+Defaults to

+.Pa \(ti/.derivepassphrase

+on UNIX-like systems and

+.Pa C:\[rs]Users\[rs]<user>\[rs]AppData\[rs]Roaming\[rs]Derivepassphrase

+on Windows.

+.

+.El

+.

+.Sh COMPATIBILITY

+.

+.Ss With other software

+.

+Some derivation schemes are based on other software.

+See their respective manpages for compatibility information.

+.Pp

+.

+Affected derivation schemes:

+.Ar vault .

+.

+.Ss Forward and backward compatibility

+.

+.Bl -bullet

+.

+.It

+.Bo Since v0.2.0 . Bc

+In v1.0,

+.Nm derivepassphrase

+will require an explicit subcommand name.

+Defaults to the subcommand

+.Ic vault .

+.

+.El

+.

+.Sh SEE ALSO

+.

+.Xr derivepassphrase-export 1 ,

+.Xr derivepassphrase-vault 1 .

+.Pp

+.

+Further online documentation for

+.Xr derivepassphrase 1

+.Pq tutorials, how-tos, reference and design documentation

+is available at

+.Lk https://the13thletter.info/derivepassphrase/ .

+.

+.Sh AUTHOR

+.

+.Lk mailto:software@the13thletter.info "Marco Ricci"

+.