Skip to content

feature: password-agent: password derivation for trezor devices#506

Open
f321x wants to merge 4 commits into
romanz:masterfrom
f321x:password-agent
Open

feature: password-agent: password derivation for trezor devices#506
f321x wants to merge 4 commits into
romanz:masterfrom
f321x:password-agent

Conversation

@f321x
Copy link
Copy Markdown

@f321x f321x commented Nov 23, 2025
edited
Loading

Implements a new feature, password-agent, which allows to derive passwords and mnemonic passphrases from the hardware wallet.
This can be useful to obtain high entropy passwords for things like file encryption.
The user provides a context string, e.g. gmail, confirms a signature on the hardware wallet and (with default args) receives a mnemonic passphrase.

Examples:

Default usage:
$ trezor-password gmail
> carton-unviable-backless-polo-steam-unwound-rocking-banister-polygon-ivy

Base 58 encoding with -b58 or --base58:
$ trezor-password gmail -b58
> 5B8qjnGqseE4KTb7CHCiRJ!

Raw hex output with --raw or -r:
$ trezor-password gmail --raw
> 21ced2f820074f2d557ab4aeea1a7b5d

Providing a custom wordlist with -w or --wordlist:
$ trezor-password gmail -w wordlist-german.txt
> Einweisens-Westinsel-Flugdatenprozessors-Fliegervereine-Säumer-zeitinvariantes-Softwaretitels

Currently it is only exposed for Trezor devices. I was testing with a Ledger Nano S as well, however it refused to sign my message, may investigate Ledger again if this gets merged.

@f321x
Copy link
Copy Markdown
Author

f321x commented Nov 23, 2025

Rebased from 9c72dd9 to 0745a22.
Should fix the pycodestyle CI issues.

@f321x
Copy link
Copy Markdown
Author

f321x commented Nov 23, 2025

Rebased from 0745a22 to d903eab.
Forgot to commit the changes to test_password.py. Now pycodestyle should be happy :)

@f321x
Copy link
Copy Markdown
Author

f321x commented Nov 23, 2025
edited
Loading

Rebased from d903eab to 65fc9bb.
Now i ran the CI in my fork, should definitely pass.

@romanz
Copy link
Copy Markdown
Owner

romanz commented Mar 1, 2026

Why not to use passage for generating and encrypting the passwords?
It works with age whose decryption can be offloaded to Trezor:
https://github.com/romanz/trezor-agent/blob/master/doc/README-age.md

@f321x
Copy link
Copy Markdown
Author

f321x commented Mar 1, 2026
edited
Loading

The difference to a password manager is that this is kind of stateless.
The only input required to derive a password is the context string, which can follow a certain scheme like using the url or name of some service the password is intended for. This eliminates the need to back up any additional files like the database of the password manager, and comes with different trade-offs than a password manager.

f321x added 4 commits March 1, 2026 17:34
@f321x
git: add .idea to .gitignore
0a0c2b5 
Adds the .idea dir created by jetbrains ide to the .gitignore.
@f321x
implement password-agent
2345fa5 
Implements a new libagent functionality, password, to deterministically
derive passwords from a hardware device.
@f321x
unittest util.Base58
ab7b11d
@f321x
unittest: tests for password-agent
92e19b0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@f321x @romanz