docs-overrides | Add `mkdocstrings-python` to documentation page footer | 2024-07-21 23:52:53 |
---|---|---|
docs | Reintegrate branch 'master' into documentation-fixes | 2024-09-27 22:33:03 |
examples | Add example for "storeroom"-type data export | 2024-08-04 09:36:49 |
src | Enable cross-references on function signatures in documentation | 2024-09-29 23:17:02 |
tests | Fix bad docstring reference to Python standard library | 2024-09-28 09:10:01 |
.gitignore | Set up the "hypothesis" testing library | 2024-09-27 17:32:46 |
CHANGELOG.md | ||
Keep_a_changelog-E05735.svg | ||
LICENSE.txt | Import initial project files | 2024-05-05 11:57:20 |
README.md | Update all URLs to stable and "less legally risky" versions, if possible | 2024-09-15 00:34:08 |
SemVer-3F4551.svg | ||
mkdocs.yml | Enable cross-references on function signatures in documentation | 2024-09-29 23:17:02 |
mkdocs_offline.yml | Add alternate MkDocs configuration for building offline documentation | 2024-07-22 14:05:42 |
pyproject.toml | Switch from towncrier to scriv for changelog management | 2024-09-27 21:35:32 |
An almost faithful Python reimplementation of James Coglan's vault
, a deterministic password manager/generator.
Using a master passphrase or a master SSH key, derive a passphrase for a given named service, subject to length, character and character repetition constraints. The derivation is cryptographically strong, meaning that even if a single passphrase is compromised, guessing the master passphrase or a different service's passphrase is computationally infeasible. The derivation is also deterministic, given the same inputs, thus the resulting passphrase need not be stored explicitly. The service name and constraints themselves also need not be kept secret; the latter are usually stored in a world-readable file.
pip
(If not inside a virtual environment, use pip install --user
instead of plain pip install
.)
$ pip install derivepassphrase
To use the export
subcommand, install the export
extra:
$ pip install "derivepassphrase[export]"
derivepassphrase
is a pure Python package, and may be easily installed manually by placing the respective files and the package's dependencies into Python's import path.
derivepassphrase
requires Python 3.10 or higher as well as the typing-extensions package for its core functionality and programmatic interface, and click
8.1 or higher for its command-line interface.
Using the export vault
subcommand additionally requires the cryptography package, version 38.0 or newer.
derivepassphrase
is designed to principally support multiple passphrase derivation schemes, but currently only the "vault" scheme is implemented.
Using the passphrase This passphrase is for demonstration purposes only.
when prompted:
$ derivepassphrase vault -p --length 30 --upper 3 --lower 1 --number 2 --space 0 --symbol 0 my-email-account
Passphrase:
JKeet7GeBpxysOgdCEJo6UzmP8A0Ih
Some time later…
$ derivepassphrase vault -p --length 30 --upper 3 --lower 1 --number 2 --space 0 --symbol 0 my-email-account
Passphrase:
JKeet7GeBpxysOgdCEJo6UzmP8A0Ih
derivepassphrase
can store the length and character constraint settings in its configuration file so that you do not have to re-enter them each time.
$ derivepassphrase vault --config --length 30 --upper 3 --lower 1 --number 2 --space 0 --symbol 0 my-email-account
$ derivepassphrase vault -p my-email-account
Passphrase:
JKeet7GeBpxysOgdCEJo6UzmP8A0Ih
On UNIX-like systems with OpenSSH or PuTTY installed, you can use an Ed25519, Ed448 or RSA key from the agent instead of a master passphrase. (On Windows there are problems establishing communication channels with the agent.)
$ derivepassphrase vault -k my-email-account
Suitable SSH keys:
[1] ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQ... test key
[2] ssh-ed448 AAAACXNzaC1lZDQ0OAAAADni9nLTT1... test key
[3] ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIF4gW... test key
Your selection? (1-3, leave empty to abort): 1
oXDGCvMhLWPQyCzYtaobOq2Wh9olYj
derivepassphrase
can store the SSH key selection in its configuration file so you do not have to re-select it each time.
This choice can be made either specifically for the service (in this case, my-email-account
), or globally.
$ derivepassphrase vault --config -k # global setting
Suitable SSH keys:
[1] ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQ... test key
[2] ssh-ed448 AAAACXNzaC1lZDQ0OAAAADni9nLTT1... test key
[3] ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIF4gW... test key
Your selection? (1-3, leave empty to abort): 1
$ derivepassphrase vault my-email-account
oXDGCvMhLWPQyCzYtaobOq2Wh9olYj
derivepassphrase
is distributed under the terms of the MIT license.