derivepassphrase

An almost faithful Python reimplementation of James Coglan's vault, a deterministic password manager/generator.

Using a master passphrase or a master SSH key, derive a passphrase for a given named service, subject to length, character and character repetition constraints.

The derivation is strong: derived passphrases have as much entropy as permitted by the master passphrase and the passphrase constraints (whichever is more restrictive), and even if multiple derived passphrases are compromised, the master passphrase remains cryptographically difficult to discern from these compromised passphrases. The derivation is also deterministic: the same inputs always yield the same passphrase, so the resulting passphrase need not be stored explicitly.

The service name and constraints themselves also need not be kept secret; the latter are usually stored in a world-readable file to ease repeated entry of passphrase constraints.

(derivepassphrase currently is a vault reimplementation, but also plans to support other passphrase derivation schemes in the future.)
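The properties described above (deterministic output from master passphrase plus service name, with length and per-class minimum constraints) can be seen in the following added example. It is not code from derivepassphrase or vault, does not implement the vault algorithm, and its output will not match derivepassphrase; the function names, the PBKDF2-HMAC-SHA256 construction and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import string

# Character classes; letters and digits only, like the page's --space 0 --symbol 0 example.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "number": string.digits,
}

def _stream(master: str, service: str):
    """Endless deterministic byte stream keyed by master passphrase and service name."""
    # The service name is the (non-secret) salt; the iteration count is an assumption.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), service.encode(), 200_000)
    counter = 0
    while True:
        yield from hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1

def _pick(stream, n: int) -> int:
    """Unbiased index in range(n), n <= 256, by rejection sampling on single bytes."""
    limit = 256 - 256 % n
    for byte in stream:
        if byte < limit:
            return byte % n

def derive(master, service, length, upper=0, lower=0, number=0):
    """Derive a passphrase with at least the given count of each character class."""
    minimums = {"upper": upper, "lower": lower, "number": number}
    if not 1 <= length <= 256 or sum(minimums.values()) > length:
        raise ValueError("constraints cannot be satisfied at this length")
    stream = _stream(master, service)
    # One slot per output character: required classes first, then the full alphabet.
    slots = [CLASSES[name] for name, count in minimums.items() for _ in range(count)]
    slots += ["".join(CLASSES.values())] * (length - len(slots))
    # Fisher-Yates shuffle driven by the stream, so required slots land anywhere.
    for i in range(len(slots) - 1, 0, -1):
        j = _pick(stream, i + 1)
        slots[i], slots[j] = slots[j], slots[i]
    return "".join(slot[_pick(stream, len(slot))] for slot in slots)
```

Because every byte consumed comes from the keyed stream, nothing but the master passphrase has to stay secret, and rejection sampling keeps each character choice uniform over its class.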


Installation

derivepassphrase is a pure Python package, and may be easily installed with any pip-compatible Python package manager such as pip, pipx, or uv. (pip is distributed with Python 3 by default.)

derivepassphrase requires Python 3.9 or higher as well as the typing-extensions package for its core functionality and programmatic interface, and click 8.1 or higher for its command-line interface. Some old Python versions also require backports for the Python standard library: the tomli package for Python 3.9 and 3.10, and the exceptiongroup backport for Python 3.9, 3.10 and 3.11. The installer should take care of installing these dependencies automatically for you. Using the export vault subcommand additionally requires the cryptography package, version 38.0 or newer. This must be separately requested at installation, via the export extra.

  • pipx

    Use pipx install derivepassphrase in general, or pipx install "derivepassphrase[export]" with the export extra.

  • uv

    Use uv tool install derivepassphrase in general, or uv tool install "derivepassphrase[export]" with the export extra.

  • pip

    First, manually create a virtual environment and activate it. Then use pip install derivepassphrase in general, or pip install "derivepassphrase[export]" with the export extra.

derivepassphrase runs just fine on PyPy. derivepassphrase probably also runs just fine on GraalPy, but this is untested. (Feedback wanted!)

Quick Usage

derivepassphrase is designed to support multiple passphrase derivation schemes in principle, but currently only the "vault" scheme is implemented.

Using the passphrase "This passphrase is for demonstration purposes only." when prompted:

$ derivepassphrase vault -p --length 30 --upper 3 --lower 1 --number 2 --space 0 --symbol 0 my-email-account
Passphrase: 
JKeet7GeBpxysOgdCEJo6UzmP8A0Ih

Some time later…

$ derivepassphrase vault -p --length 30 --upper 3 --lower 1 --number 2 --space 0 --symbol 0 my-email-account
Passphrase: 
JKeet7GeBpxysOgdCEJo6UzmP8A0Ih

Storing settings

derivepassphrase can store the length and character constraint settings in its configuration file so that you do not have to re-enter them each time.

$ derivepassphrase vault --config --length 30 --upper 3 --lower 1 --number 2 --space 0 --symbol 0 my-email-account
$ derivepassphrase vault -p my-email-account
Passphrase: 
JKeet7GeBpxysOgdCEJo6UzmP8A0Ih

SSH agent support

On systems with OpenSSH or PuTTY installed, you can use an Ed25519, Ed448 or RSA key from the agent instead of a master passphrase. (Though see agent-specific notes for commentary.)

$ derivepassphrase vault -k my-email-account
Suitable SSH keys:
[1] ssh-rsa ...feXycsvJZ2uaYRjMdZeJGNAnHLUGLkBscw5aI8=  test key without passphrase
[2] ssh-ed448 ...BQ72ZgtPMckdzabiz7JbM/b0JzcRzGLMsbwA=  test key without passphrase
[3] ssh-ed25519 ...gJIXw//Mkhv5MEwidwcakUGCekJD/vCEml2  test key without passphrase
Your selection? (1-3, leave empty to abort): 1
oXDGCvMhLWPQyCzYtaobOq2Wh9olYj

derivepassphrase can store the SSH key selection in its configuration file so you do not have to re-select it each time. This choice can be made either specifically for the service (in this case, my-email-account), or globally.

$ derivepassphrase vault --config -k  # global setting
Suitable SSH keys:
[1] ssh-rsa ...feXycsvJZ2uaYRjMdZeJGNAnHLUGLkBscw5aI8=  test key without passphrase
[2] ssh-ed448 ...BQ72ZgtPMckdzabiz7JbM/b0JzcRzGLMsbwA=  test key without passphrase
[3] ssh-ed25519 ...gJIXw//Mkhv5MEwidwcakUGCekJD/vCEml2  test key without passphrase
Your selection? (1-3, leave empty to abort): 1
$ derivepassphrase vault my-email-account
oXDGCvMhLWPQyCzYtaobOq2Wh9olYj

License

derivepassphrase is distributed under the terms of the zlib/libpng license.

Download files

Source Distribution

derivepassphrase-0.6.tar.gz (633.3 kB)

Uploaded Source

Built Distribution

derivepassphrase-0.6-py3-none-any.whl (156.3 kB)

Uploaded Python 3

File details

Details for the file derivepassphrase-0.6.tar.gz.

File metadata

  • Download URL: derivepassphrase-0.6.tar.gz
  • Upload date:
  • Size: 633.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: Hatch/1.16.5 cpython/3.13.5 HTTPX/0.28.1

File hashes

Hashes for derivepassphrase-0.6.tar.gz
Algorithm Hash digest
SHA256 ae185a413e818288eec5ce9936ec3f90731c927b222e9b13acf5d4da33318e8e
MD5 08627d3192bf88b9c34688f8d3e28e1c
BLAKE2b-256 c99bc7f8ba8e2db8b242f2101806a3b913029a6be6bf0d01c7f549f4122a385d

File details

Details for the file derivepassphrase-0.6-py3-none-any.whl.

File metadata

  • Download URL: derivepassphrase-0.6-py3-none-any.whl
  • Upload date:
  • Size: 156.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: Hatch/1.16.5 cpython/3.13.5 HTTPX/0.28.1

File hashes

Hashes for derivepassphrase-0.6-py3-none-any.whl
Algorithm Hash digest
SHA256 669c386a70836c01a2dfd6a501f3d028f654120f07047955d350325513c48582
MD5 0129944a61f6bb350d10f14f4b11728e
BLAKE2b-256 70a269bbfeda61571c3a8faf21b3bab98207784f63de3707c87514a1302ae815
