seedpass 0.1.1

A secure password generation tool based on a single master key using Argon2 and BIP-39
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171

# ๐ŸŒฑ SeedPass - Secure and Reproducible Password Generator


**SeedPass** is a command-line tool written in **Rust** that securely generates deterministic passwords using a master key. It supports **BIP-39 mnemonic phrases** as well as custom keys. The tool leverages **Argon2id** for password derivation, **HMAC-SHA3-512** for deterministic salt generation, and ensures high security with built-in entropy validation and memory-safe operations. Users can include optional context and pepper values to enhance password uniqueness and security.

## โš ๏ธ Disclaimer


**SeedPass is currently in development and provided "as is" without any guarantees.**  
Users are responsible for securely managing their master keys and generated passwords.  
Always store your master key and pepper in secure offline locations to avoid unauthorized access.  
**Use this tool at your own risk.**

## โš ๏ธ Security Recommendations <a name="recommendations"></a>


- **Master Key:** Store your master key in a secure physical medium, such as a **steel wallet**, to ensure its long-term safety.
- **Pepper:** It is recommended to store your pepper securely on a metal-engraved card or another durable offline medium. You can choose a value that you can remember, but this is not mandatory. Ensure it is sufficiently complex and not easily guessable.
- **Regeneration:** To regenerate a password, you must have your master key, pepper, and the exact service name, context value, and password length used during the original generation. Keeping these details securely stored ensures you can recover your passwords whenever needed.
- **Air Gap Environment:** Operate SeedPass on a dedicated device that is completely disconnected from any network, especially the internet. This minimizes exposure to potential cyber threats and ensures that sensitive information, such as your master key and generated passwords, remains secure.
- **Recommended Hardware:** It is recommended to use single-board computers with at least 16GB of RAM for optimal performance, such as the Raspberry Pi 5 or Orange Pi 5 Plus. These devices can be configured as secure, isolated environments for password generation tasks.
- **Secure Password Manager**: It is recommended to store generated passwords in a secure password manager like **KeePass XC**, and use SeedPass only when necessary to regenerate a lost password or to create a new one. This ensures minimal exposure of your master key and other sensitive data while maintaining ease of access to your credentials.

## ๐Ÿ’ป Usage <a name="usage"></a>


To use `SeedPass`, follow these steps:

### 1. **Install SeedPass with Cargo:**

```bash
cargo install seedpass
```

### 2. **Generate a password:**  

Run the following command to generate a password for a service using your master key:

```bash
seedpass --master-key "your BIP-39 mnemonic phrase" --service "example.com"
```

_Example with optional parameters:_

```bash
seedpass --master-key "your BIP-39 mnemonic phrase" --service "github.com" \
            --pepper "extra_security" --context "@dertin-1" --length 32
```

### 3. **Parameters available:**


| Parameter                  | Description                                                     | Default Value |
|----------------------------|-----------------------------------------------------------------|---------------|
| `--master-key`              | The master key (BIP-39 mnemonic phrase) used to derive passwords | *Required*    |
| `--service`                 | The service name for which the password is generated             | *Required*    |
| `--pepper`                  | An optional value to further enhance security                    | None          |
| `--context`                 | Additional context to ensure uniqueness (e.g. username, timestamp, counter) | None          |
| `--length`                  | Desired length of the generated password                         | 64            |
| `--allow-master-key-no-bip39`| Allows using a non-BIP-39 master key                              | false         |


### 4. **Regenerating passwords**


To regenerate the same password for a service, you must provide the exact values used during its initial generation. This includes:

- **Master Key**: Your secure BIP-39 mnemonic phrase or custom key.
- **Pepper** (if used): The exact pepper value used to enhance security.
- **Service Name**: The exact name or identifier of the service (e.g., website URL, app name).
- **Context**: (if used) The exact identifier provided (e.g., username, timestamp, or unique descriptor).
- **Password Length**: The desired length of the generated password.

> ### โš ๏ธ Important

> These values are **as crucial as your master key and pepper.**  
> Without them, **you will not be able to regenerate the same password.**  
> ๐Ÿ’พ Please store records of the **service name**, **context**, and **password length** in a **safe and retrievable location**.

_Example of regenerating the same password:_

```bash
seedpass --master-key "your BIP-39 mnemonic phrase" --service "example.com" --context "user123"
seedpass --master-key "your BIP-39 mnemonic phrase" --service "example.com" --context "user123"
```
The output will be the same password in both cases, ensuring you can reliably retrieve your credentials whenever needed.

#### Updating passwords for a service:


If a service requires you to change your password, you can keep the same master key, pepper, and service name while updating the `--context` parameter. This allows you to generate a new password while preserving a consistent structure.

_Example of updating passwords for a service:_

```bash
seedpass --master-key "your BIP-39 mnemonic phrase" --service "example.com" --context "user123-1"
seedpass --master-key "your BIP-39 mnemonic phrase" --service "example.com" --context "user123-2"
```

**In this case:**

- The context is updated with an incremental value (user123-1, user123-2), allowing the generation of a new password without losing track of previous ones.

**Recommendations:**

- Choose a consistent context format to track password changes effectively (e.g., username-1, username-2, or service-date).
- Store older context values securely for reference in case a rollback is needed.

## ๐Ÿ” Security Features <a name="security"></a>


SeedPass is designed with security in mind, offering the following features:

- **Argon2 Key Derivation:** Uses Argon2id with configurable parameters for memory-hard password derivation.
- **BIP-39 Mnemonic Support:** Allows the use of a secure mnemonic phrase as the master key.
- **Pepper and Context:** Optional pepper and context values to increase password uniqueness.
- **Minimum Entropy Checks:** Ensures strong entropy requirements for master keys and passwords.
- **Zeroization:** Sensitive data is securely erased from memory after use.

## ๐Ÿณ Docker Support <a name="docker"></a>


You can also run SeedPass inside a Docker container:

1. **Build the Docker image for ARM64 architecture (e.g., Raspberry Pi, Orange Pi):**
```bash
docker buildx build --platform linux/arm64 -t seedpass-arm64-musl --load .

```

2. **Run SeedPass inside the container:**
```bash
docker run --rm --platform=linux/arm64 seedpass-arm64-musl /usr/local/bin/seedpass --help

```

## ๐Ÿš€ Roadmap <a name="roadmap"></a>


Check out the [milestones](https://github.com/dertin/seedpass/milestones) for upcoming features and releases.

- [ ] Enhance README and documentation (include additional usage examples, best security practices, and troubleshooting).
- [ ] Provide configuration options for Argon2 parameters (memory cost, iterations, parallelism).
- [ ] Ensure compatibility and performance optimizations for ARMv8-A architecture on devices such as Raspberry Pi and Orange Pi.
- [ ] Release the first stable version with full ARMv8-A support.
- [ ] Implement continuous integration and testing pipelines (CI/CD) for cross-platform validation.

## โ“ Troubleshooting <a name="troubleshooting"></a>


If you encounter any issues or have questions, please open an issue on the GitHub repository.

## ๐Ÿ’ซ Contributions <a name="contributions"></a>


Contributions make the open-source community thrive. Your contributions to `SeedPass` are **greatly appreciated**!

To contribute:

1. Fork the repository.
2. Create a feature branch (`git checkout -b feature/amazing-feature`).
3. Commit your changes (`git commit -m 'Add some feature'`).
4. Push to the branch (`git push origin feature/amazing-feature`).
5. Open a pull request.

For issues or suggestions, please open an issue with appropriate labels.

**Don't forget to star the project!**

## ๐Ÿงช Testing <a name="testing"></a>


Run tests to ensure everything is working correctly:

```bash
cargo test
```

## ๐Ÿ“š License


SeedPass is licensed under the MIT or Apache-2.0 License. You are free to use, modify, and distribute it under the terms of these licenses.

## ๐Ÿ“ˆ Contact


For questions or support, please open an issue on the GitHub repository.

---

Thank you for using **SeedPass** and ensuring your online security!