Marco Ricci Fix more minor CLI messages or translators comments c4811b7 @ 2025-02-11 21:03:34
docs-overrides Add `mkdocstrings-python` to documentation page footer 2024-07-21 23:52:53
docs Document the addition of quality control tools in the changelog 2025-02-10 00:15:57
examples Add example for "storeroom"-type data export 2024-08-04 09:36:49
other-stubs Fix usage of `mypy --python-version=3.9` and friends 2025-01-16 01:28:57
po Automatically check and build the translations on master via hatch-gettext 2025-02-11 16:30:37
scripts Automatically check and build the translations on master via hatch-gettext 2025-02-11 16:30:37
share Automatically check and build the translations on master via hatch-gettext 2025-02-11 16:30:37
src Fix more minor CLI messages or translators comments 2025-02-11 21:03:34
tests Fix faulty notes usage test 2025-02-11 18:18:41
.gitignore Set up the "hypothesis" testing library 2024-09-27 17:32:46
CHANGELOG.md Retire the use of symlinks for the README and the changelog 2024-11-27 18:21:17
LICENSE.txt Update copyright notices to 2025, and license to zlib/libpng 2025-01-07 15:01:51
README.md Incorporate revised wording from the manpage into the README 2025-01-07 23:36:49
mkdocs.yml Move CLI messages module into a new `_internals` subpackage 2025-01-29 20:34:40
mkdocs_devsetup.yml Split off cli_helpers and cli_machinery internal modules 2025-01-29 22:23:26
mkdocs_offline.yml Add tests API documentation to "dev setup" MkDocs build 2025-01-23 11:58:44
pyproject.toml Automatically check and build the translations on master via hatch-gettext 2025-02-11 16:30:37
README.md

derivepassphrase


An almost faithful Python reimplementation of James Coglan's vault, a deterministic password manager/generator.

Using a master passphrase or a master SSH key, derive a passphrase for a given named service, subject to length, character and character repetition constraints.

The derivation is strong: derived passphrases have as much entropy as permitted by the master passphrase and the passphrase constraints (whichever is more restrictive), and even if multiple derived passphrases are compromised, the master passphrase remains cryptographically difficult to discern from these compromised passphrases. The derivation is also deterministic: the same inputs always yield the same passphrase, so the resulting passphrase need not be stored explicitly.

The service name and constraints themselves also need not be kept secret; the latter are usually stored in a world-readable file to ease repeated entry of passphrase constraints.


Installation

With pip

(If not inside a virtual environment, use pip install --user instead of plain pip install.)

$ pip install derivepassphrase

To use the export subcommand, install the export extra:

$ pip install "derivepassphrase[export]"

Manually

derivepassphrase is a pure Python package, and may be easily installed manually by placing the respective files and the package's dependencies into Python's import path. derivepassphrase requires Python 3.9 or higher as well as the typing-extensions package for its core functionality and programmatic interface, and click 8.1 or higher for its command-line interface. On Python 3.9 and 3.10 only, derivepassphrase additionally requires the tomli package. Using the export vault subcommand additionally requires the cryptography package, version 38.0 or newer.

derivepassphrase works just fine on PyPy.

Quick Usage

derivepassphrase is designed to support multiple passphrase derivation schemes in principle, but currently only the "vault" scheme is implemented.

Using the passphrase "This passphrase is for demonstration purposes only." when prompted:

$ derivepassphrase vault -p --length 30 --upper 3 --lower 1 --number 2 --space 0 --symbol 0 my-email-account
Passphrase: 
JKeet7GeBpxysOgdCEJo6UzmP8A0Ih

Some time later…

$ derivepassphrase vault -p --length 30 --upper 3 --lower 1 --number 2 --space 0 --symbol 0 my-email-account
Passphrase: 
JKeet7GeBpxysOgdCEJo6UzmP8A0Ih
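A stand-alone sketch of the idea behind the session above, added here as an example and not derivepassphrase's or vault's code. It uses a constructed scheme (PBKDF2-HMAC-SHA256 plus divmod selection, with a made-up salt prefix, iteration count and three character classes), so its output will not match the passphrases shown.

```python
import hashlib
import string

# Constructed character classes for this sketch; space and symbol characters
# are simply absent, which mirrors "--space 0 --symbol 0" in the session above.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "number": string.digits,
}


def derive(master: bytes, service: str, length: int, minimums: dict) -> str:
    """Deterministically derive a passphrase meeting per-class minimum counts."""
    if sum(minimums.values()) > length:
        raise ValueError("minimum counts exceed requested length")
    # The service name acts as a non-secret salt. The prefix and the iteration
    # count are arbitrary choices made for this sketch.
    salt = b"sketch-v1:" + service.encode("utf-8")
    # Two bytes per character leave surplus bits, keeping divmod bias negligible.
    raw = hashlib.pbkdf2_hmac("sha256", master, salt, 100_000, dklen=2 * length + 16)
    pool = int.from_bytes(raw, "big")

    def pick(n: int) -> int:
        nonlocal pool
        pool, r = divmod(pool, n)
        return r

    # One slot per required character, then fill up with the union alphabet.
    slots = [CLASSES[name] for name, count in minimums.items() for _ in range(count)]
    everything = "".join(CLASSES.values())
    slots += [everything] * (length - len(slots))
    chars = [alphabet[pick(len(alphabet))] for alphabet in slots]
    # Fisher-Yates shuffle driven by the same pool, so the required characters
    # do not always sit at the front of the result.
    for i in range(len(chars) - 1, 0, -1):
        j = pick(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


# Constructed inputs mirroring the flags used in the session above.
DEMO_MASTER = b"This passphrase is for demonstration purposes only."
DEMO_RULES = {"upper": 3, "lower": 1, "number": 2}

if __name__ == "__main__":
    print(derive(DEMO_MASTER, "my-email-account", 30, DEMO_RULES))
```

Nothing but the master passphrase is secret here: the service name and the rules can be written down, and re-running with the same inputs reproduces the same passphrase.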

Storing settings

derivepassphrase can store the length and character constraint settings in its configuration file so that you do not have to re-enter them each time.

$ derivepassphrase vault --config --length 30 --upper 3 --lower 1 --number 2 --space 0 --symbol 0 my-email-account
$ derivepassphrase vault -p my-email-account
Passphrase: 
JKeet7GeBpxysOgdCEJo6UzmP8A0Ih

SSH agent support

On UNIX-like systems with OpenSSH or PuTTY installed, you can use an Ed25519, Ed448 or RSA key from the agent instead of a master passphrase. (On Windows there are problems establishing communication channels with the agent.)

$ derivepassphrase vault -k my-email-account
Suitable SSH keys:
[1] ssh-rsa ...feXycsvJZ2uaYRjMdZeJGNAnHLUGLkBscw5aI8=  test key without passphrase
[2] ssh-ed448 ...BQ72ZgtPMckdzabiz7JbM/b0JzcRzGLMsbwA=  test key without passphrase
[3] ssh-ed25519 ...gJIXw//Mkhv5MEwidwcakUGCekJD/vCEml2  test key without passphrase
Your selection? (1-3, leave empty to abort): 1
oXDGCvMhLWPQyCzYtaobOq2Wh9olYj

derivepassphrase can store the SSH key selection in its configuration file so you do not have to re-select it each time. This choice can be made either specifically for the service (in this case, my-email-account), or globally.

$ derivepassphrase vault --config -k  # global setting
Suitable SSH keys:
[1] ssh-rsa ...feXycsvJZ2uaYRjMdZeJGNAnHLUGLkBscw5aI8=  test key without passphrase
[2] ssh-ed448 ...BQ72ZgtPMckdzabiz7JbM/b0JzcRzGLMsbwA=  test key without passphrase
[3] ssh-ed25519 ...gJIXw//Mkhv5MEwidwcakUGCekJD/vCEml2  test key without passphrase
Your selection? (1-3, leave empty to abort): 1
$ derivepassphrase vault my-email-account
oXDGCvMhLWPQyCzYtaobOq2Wh9olYj

License

derivepassphrase is distributed under the terms of the zlib/libpng license.