1seed
Deterministic cryptographic keys from a single seed.
What This Does
- Derives age, SSH, and signing keys from one master secret
- Encrypts and decrypts files using age
- Signs and verifies data using Ed25519
- Generates site-specific passwords
- Generates BIP39 mnemonic phrases
What This Does Not Do
- Store secrets (use files, encrypted with 1seed)
- Sync secrets (use git)
- Manage contacts (use a text file)
- Replace hardware security keys for high-value assets
- Generate TOTP codes (time-based, not derivable)
Installation
Quick Install
|
From crates.io
From Source
Requires: ssh-add (for agent integration)
Quick Start
# Option 1: Use a seed file (recommended)
# Option 2: Use a passphrase (brainwallet)
# Option 3: No file, prompt every time
# (just don't set seed-file)
# Show your age public key
# Add SSH key to agent
# Encrypt to self
|
# Decrypt
# Derive a password
Commands
Age Encryption
1seed age pub Show age public key
1seed age key Show age private key
1seed age encrypt [OPTIONS] [FILE]
-R, --recipient KEY Add recipient (repeatable)
-F, --recipients-file Add recipients from file (repeatable)
-s, --self Include self as recipient
-p, --passphrase Encrypt with passphrase
-a, --armor ASCII armor output
-o, --output FILE Output file
1seed age decrypt [OPTIONS] [FILE]
-k, --key FILE Key file (instead of derived)
-p, --passphrase Decrypt with passphrase
-o, --output FILE Output file
Default: encrypt to self, decrypt with derived key.
SSH Keys
1seed ssh pub Show SSH public key
1seed ssh key Show SSH private key
1seed ssh add [OPTIONS] Add SSH key to agent
-t, --lifetime SEC Key lifetime
-c, --confirm Require confirmation
Signing
1seed sign pub Show signing public key
1seed sign data [OPTIONS] [FILE]
-o, --output FILE Output file
--binary Binary output (default: base64)
1seed sign verify SIGNATURE [FILE]
-k, --pubkey KEY Public key (default: derived)
Derivation
1seed derive password [OPTIONS] SITE
-l, --length N Password length (default: 16)
-n, --counter N Rotation counter (default: 1)
--no-symbols Alphanumeric only
--symbols SET Symbol set (default: !@#$%^&*)
1seed derive raw [OPTIONS] PATH
-l, --length N Byte length (default: 32)
--hex Output as hex (default)
--base64 Output as base64
--binary Output as raw bytes
1seed derive mnemonic [OPTIONS]
-w, --words N Word count: 12/15/18/21/24 (default: 24)
Configuration
1seed info Show config and derived keys
1seed set KEY VALUE Set config value (realm, seed-file)
1seed get KEY Get config value
1seed realms List known realms
1seed realms add NAME Track realm
1seed realms rm NAME Untrack realm
Realms
Realms namespace all derived keys. Same seed, different realm = different keys.
# Track realms for reference
Set a default:
Password Rotation
When a password is compromised:
Same site, different counter = different password.
Backup
Your backup is the seed file (32 bytes) or passphrase.
# Backup seed file
# Or memorize a passphrase
From this, everything derives deterministically:
- Same seed + same realm = same keys (always)
- Different seeds or realms = different keys (always)
Security Notes
Seed file: 32 random bytes. Maximum entropy.
Passphrase: Processed through scrypt (N=2^20, r=8, p=1). Uses ~1GB RAM, takes ~1 second. Resists brute force, but use a strong passphrase (6+ random words).
Memory: Keys are zeroized when dropped.
Mnemonic warning: Deriving BIP39 phrases means your cryptocurrency keys share fate with your master seed. Consider using a dedicated realm and understand the risk.
Examples
Encrypt for team
# Collect public keys
# Encrypt
Sign a release
# Others verify
Multiple machines
# Machine A
# Machine B (same seed)
Environment Variables
SEED_FILE Path to seed file
SEED_REALM Default realm
Files
Configuration file location (use 1seed config path to see yours):
Linux: ~/.config/1seed/config.toml
macOS: ~/Library/Application Support/1seed/config.toml
Windows: %APPDATA%\1seed\config.toml
License
MIT