Some ideas for future work¶
Subcommands¶
(In no particular order.)
Derivation schemes¶
spectre
(master-password
): derive passphrases according to the “Master Password” scheme as used by the Spectre app. (#2)
Other functionality¶
explore-permitted-special-characters
: generate new configurations starting from a base configuration until one of them passes the “special characters” constraints.rotate
: generate a new configuration suitable for passphrase rotation, compatible with the base configuration’s constraints.-
service-plugins
: manage plugins that automate certain tasks, as outlined in the notes of the queried service.-
load-ssh-key
: if the service uses an SSH key, autoload the key from a well-known location into the SSH agent if it isn’t already loaded.vault
-specific. -
decrypt-notes
: decrypt OpenPGP-encrypted notes with GnuPG or Sequoiasq
.Open questions:
- Use an automatic, symmetric encryption key, or rely on the standard OpenPGP key store? (Do not use the derived service passphrase for this: the quality may be arbitrarily bad due to the passphrase constaints, and the service itself could compromise that passphrase.)
-
generate-otp
: if the service uses two-factor authentication and the configuration contains one-time password settings, calloathtool
to obtain one or more OTPs.May require the
decrypt-notes
plugin first. -
manage-runit-services
: if the service containsrunit
service configuration, ensure the specifiedrunit
services are running concurrently, and stopped after signalling.Typical use case is a service only accessible via VPN or SSH proxy, where the VPN/proxy would run as a
runit
service.Open questions:
- Interface with
inotifywait
to wait for SSH control socket?
- Interface with
-
Documentation¶
(Categorized as per the diataxis framework, but otherwise in no particular order.)
Tutorials¶
- Setting up
derivepassphrase vault
from scratch for three existing accounts, with a master passphrase
How-tos¶
- How to set up
derivepassphrase vault
with an SSH key - How to choose a good service name
- How to edit a saved
derivepassphrase vault
configuration correctly - How to deal with “supported” and “unsupported” special characters
- How to deal with regular passphrase rotation/rollover
Reference¶
derivepassphrase-vault.json
(5)
Explanation¶
- Security aspects and other tradeoffs when using deterministic password generators
- Tradeoffs between a master passphrase and a master SSH key
- Why is
vault
’s--repeat
option named this way if it counts occurrences, not repetitions?