Skip to content

derivepassphrase(1)

NAME

derivepassphrase – derive a strong passphrase, deterministically, from a master secret

SYNOPSIS

derivepassphrase [SUBCOMMAND_ARGS]...

DESCRIPTION

Using a master secret, derive a passphrase for a named service, subject to constraints e.g. on passphrase length, allowed characters, etc. The exact derivation depends on the selected derivation scheme. For each scheme, it is computationally infeasible to discern the master secret from the derived passphrase. The derivations are also deterministic, given the same inputs, thus the resulting passphrases need not be stored explicitly. The service name and constraints themselves also generally need not be kept secret, depending on the scheme.

The currently implemented subcommands are vault (for the scheme used by vault) and export (for exporting foreign configuration data). See the respective --help output for instructions. If no subcommand is given, we default to vault.

SUBCOMMANDS

export
Export a foreign configuration to standard output.
vault
Derive a passphrase using the vault(1) derivation scheme.

DEPRECATION NOTICE

Defaulting to vault is deprecated. Starting in v1.0, the subcommand must be specified explicitly.

CONFIGURATION

Configuration is stored in a directory according to the $DERIVEPASSPHRASE_PATH variable, which defaults to ~/.derivepassphrase on UNIX-like systems and C:\Users\<user>\AppData\Roaming\Derivepassphrase on Windows.

SEE ALSO

derivepassphrase-export(1), derivepassphrase-vault(1)