Regenerable ed25519 keys for OpenSSH and OpenPGP.
Passphrase Identity allows you to deterministically generate ed25519 key pairs (signing keys) for OpenSSH and OpenPGP from a set of parameters. This allows you to (re)generate your key pair on a computer which, for example, lacks persistent storage - it derives an "identity" from a passphrase.
You must be able to remember three things to (re)generate your key pair;
- A user defined "username", which can be any string.
- A Passphrase-identity defined "profile" name. There's currently only two profiles available:
2015v1, and2017, both of which usescrypt()+salsa20/8+sha256as KDF. - Your personally selected passphrase.
Usage: ./passphrase-identity [ options ] [ output directory ]
Help Options:
-h, --help Display this message (default behavior)
Key Options:
-u, --user <username> Specify which username to use [as salt]
-p, --profile <profile> Specify which profile to use
Available Profiles:
2015v1
2017
Output Format Options:
-s, --openssh Output OpenSSH public and private key
The keys are written to id_ed25519{,.pub}
-g, --gpg Output OpenPGP public and private key
The keys are written to {public,private}.asc
-
We start by creating a key pair for OpenSSH using
[email protected]as username.$ ./passphrase-identity --openssh --user [email protected] Passphrase: foobar Generating key pair using the '2015v1' profile ... This may take a little while ... Successfully generated key pair ... Saving OpenSSH secret key to id_ed25519 ... Saving OpenSSH public key to id_ed25519.pub ... $ cat id_ed25519 -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW QyNTUxOQAAACArYR91DYHLCeYb+Ls3wyYsSJrADs7topOSlioZ6GNX2AAAAJj36teu9+rX rgAAAAtzc2gtZWQyNTUxOQAAACArYR91DYHLCeYb+Ls3wyYsSJrADs7topOSlioZ6GNX2A AAAEAv/A/ak2U1vqbQR7sDFmJFp1eC7kv0HdZYm4Dt50n33ythH3UNgcsJ5hv4uzfDJixI msAOzu2ik5KWKhnoY1fYAAAAEWFoZkB0ZW5lby4weDkwLmRrAQIDBA== -----END OPENSSH PRIVATE KEY----- $ cat id_ed25519.pub ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICthH3UNgcsJ5hv4uzfDJixImsAOzu2ik5KWKhnoY1fY [email protected] $ openssl sha256 id_ed25519.pub SHA256(id_ed25519.pub)= a394eb08102eefb020d3274285671d113604690bedb551c5dfbf27c0d6844482 -
Wipe the key pair.
$ shred -u id_ed25519 $ shred -u id_ed25519.pub -
Create the key again using the same parameters and passphrase.
$ ./passphrase-identity --openssh --user [email protected] Passphrase: foobar Generating key pair using the '2015v1' profile ... This may take a little while ... Successfully generated key pair ... Saving OpenSSH secret key to id_ed25519 ... Saving OpenSSH public key to id_ed25519.pub ... $ openssl sha256 id_ed25519.pub SHA256(id_ed25519.pub)= a394eb08102eefb020d3274285671d113604690bedb551c5dfbf27c0d6844482
# if you want to use a proxy for git via https:
# git config --global http.proxy 'socks5://127.0.0.1:9150'
git clone https://github.com/ahf/passphrase-identity
apt-get install autoconf libtool pkg-config libsodium-dev -y
cd passphrase-identity/
./autogen.sh
./configure
make
# Binary will be named ./src/passphrase-identity- Code clean-up. This is a prototype written during two evenings of a weekend.
- Consider the new Tor ed25519 ID keys?
- Add proper tests. Use Travis CI to build on both OS X and Linux.
- Add fancy graphics after key generation, like the OpenSSH client, such that the user can quickly identify if something is wrong.
- Add cracklib support and remember to make it possible to disable it as well.
See the LICENSE file.