{"id":17066199,"url":"https://github.com/darconeous/msecret-rust","last_synced_at":"2026-01-19T13:02:28.892Z","repository":{"id":178757115,"uuid":"655387880","full_name":"darconeous/msecret-rust","owner":"darconeous","description":"Tool for deriving various types of keys from known symmetric secrets.","archived":false,"fork":false,"pushed_at":"2023-08-02T03:42:21.000Z","size":150,"stargazers_count":2,"open_issues_count":3,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-01-14T11:33:21.077Z","etag":null,"topics":["command-line-tool","cryptography","ecc-cryptography","key-derivation","passphrase","rsa-cryptography","rust","secret-sharing"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/darconeous.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-06-18T18:34:17.000Z","updated_at":"2025-01-24T23:22:07.000Z","dependencies_parsed_at":null,"dependency_job_id":"fd3ce59b-88a1-44eb-b494-00b91516e89e","html_url":"https://github.com/darconeous/msecret-rust","commit_stats":null,"previous_names":["darconeous/msecret-rust","darconeous/msecret"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/darconeous/msecret-rust","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darconeous%2Fmsecret-rust","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darconeous%2Fmsecret-rust/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darconeous%2Fmsecret-rust/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darconeous%2Fmsecret-rust/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/darconeous","download_url":"https://codeload.github.com/darconeous/msecret-rust/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darconeous%2Fmsecret-rust/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28519254,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-17T18:55:29.170Z","status":"ssl_error","status_checked_at":"2026-01-17T18:55:03.375Z","response_time":85,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["command-line-tool","cryptography","ecc-cryptography","key-derivation","passphrase","rsa-cryptography","rust","secret-sharing"],"created_at":"2024-10-14T11:06:14.595Z","updated_at":"2026-01-17T21:59:45.532Z","avatar_url":"https://github.com/darconeous.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"MSecret — Experimental Key Derivation Utility\n=============================================\n\n[![crates.io][crate-image]][crate-link]\n[![Build Status][build-image]][build-link]\n[![Documentation][doc-image]][doc-link]\n[![dependency status][deps-image]][deps-link]\n![MSRV][msrv-image]\n\n-------\n\nThis project includes both:\n\n1.  A [specification][MSECRET] (with [test vectors][VECTORS]) for deterministically deriving\n    various types of data (bytes, integers, primes, etc.) and\n    cryptographic keys (RSA, ECC, etc.) from a symmetric master secret.\n2.  A reference implementation written in Rust, including a [helpful\n    command-line utility](#command-line-tool) and [library][doc-link].\n\n[MSECRET]: doc/MSECRET.md\n[VECTORS]: doc/TEST_VECTORS.md\n\n## ⚠️ WARNINGS ⚠️ ##\n\nUse this project at your own risk. As with anything experimental\nand cryptographic, there are some caveats to understand before using\nthis project:\n\n### ⚠️ BEHAVIOR SUBJECT TO CHANGE ⚠️ ###\n\nThe MSecret specification and the included reference implementation\nshould be considered EXPERIMENTAL AND SUBJECT TO CHANGE until the\nspecification is declared final. **Any changes to the derivation\nspecification will change the output of the resulting keys.** Also,\nany mistakes in the implementation of the specification may also lead\nto incorrect results.\n\nIf you need to ensure that any keys you derive from the included\nreference tool will always derive to the same key in later revisions,\nyou should avoid using this software until the specification and test\nvectors are finalized.\n\n### ⚠️ NOT AUDITED ⚠️ ###\n\nNeither the reference source code nor the test vectors have been\naudited for correctness.\n\n### ⚠️ SIDE-CHANNEL ATTACKS ⚠️ ###\n\nThe reference source code has not been hardened against side-channel\nattacks.\n\n## How it works ##\n\nIn MSecret, secrets are defined to be 256-bits long. The\n[MSecret specification][MSECRET] defines methods for how various\ntypes of cryptographic keys (RSA, EC, etc) and other values (integers,\npseudo-random byte strings, etc.) can be deterministically derived\nfrom a 256-bit secret.\n\nIn addition to deriving cryptographic keys and other values, also\ndefined is a way to derive other 256-bit secrets from a \"label\". These\nderivations may be chained together to form a \"keypath\", allowing for\na hierarchical structure of derived keys. This allows for complex\nforms of domain separation.\n\n### Defined Pseudo-random Derivations ###\n\n1.  Other 256-bit symmetric secrets, via a label/keypath\n2.  Byte strings of arbitrary length\n3.  Integers with a maximum value\n4.  Prime numbers of a given bit length\n5.  RSA public/private keys of a given bit length\n6.  ECC public/private keys for arbitrary curves, including Ed25519\n    and X25519\n7.  Various styles of passwords\n8.  Bitcoin addresses and associated private keys\n\n### Secret Management ###\n\nSecrets can be generated randomly or derived from a passphrase using\n[argon2id][]. Secrets can also be split up into an arbitrary number of\n\"shares\", from which a subset can be used to recover the secret\n(m-of-n secret sharing).\n\n[argon2id]: https://en.wikipedia.org/wiki/Argon2\n\n### Keypaths ###\n\nKeypaths are strings of labels separated by slashes (\"`/`\"), making\nthem appear like the path in a file system: i.e.\n\"`/A/1/CA/com.example/2023-06-23`\". The key derivations are performed\nhierarchically, so that the secret at the path \"`/A/1`\" could be\nexported and later used to derive the secret at\n\"`CA/com.example/2023-06-23`\".\n\nChains of the same label are supported via a special notation. The\nfollowing keypaths are all equivalent:\n\n*   `/x/x/x/x`\n*   `/x@4`\n*   `/x/x@3`\n*   `/x@2/x@2`\n\n## Command-Line Tool ##\n\nTo install the command-line tool `msecretctl`, first make sure that your\nrust development environment is installed and up-to-date. To install\nfrom scratch, read the instructions [here](https://www.rust-lang.org/tools/install).\nTo update an existing installation, use rustup:\n\n```shell\n$ rustup update\n```\n\nThen you can grab the latest version of `msecretctl`:\n\n```shell\n$ cargo install msecret\n```\n\nYou should now be able to use the `msecretctl` tool.\n\n### Usage Example ###\n\nThe included reference implementation includes a command-line utility\ncalled `msecretctl` which can be used to derive various secrets. It has\nan interactive mode which can be entered by simply running it.\n\nHere is an example of using the tool to generate a new root secret and\nsplit it into 5 shares (where any three could reconstruct it):\n\n```\n$ cargo build --release\n$ target/release/msecretctl\n\n\u003e secret generate\nCreated XvvjqeUihQncbhsVQBtToB\n\n/\u003e secret share 3 5\nARhqDQyLeN1K92xHxYkWhVHbGRsjLdduhPDPT6L2FsroNfT\nErtgQEvsXKA9TgYRnjqE2s4NFhwbPd4e5YVwDU3X6cCDoZ9\nNvBfSVbkqmN37jxa8689S8htmPXnxaqvdH13FkaDLaAdWb3\nSf1GNofy4vvij3Z4uziDuxuc54ZSGiwY9MQ9fJQcWdkLSEi\naL1RKsJPN9ZsSPhifiJGz5PSB35HRTy7kNitYYHw8LAEUHA\n```\n\nWe then go on to derive two private keys for X.509 certificates:\n\n```\n/\u003e cd /A/1/CA/com.example/2023-06-23\n\n/A/1/CA/com.example/2023-06-23\u003e ecc private prime256v1\n-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIP9sNI1FKOOT0Pm56bpbXAP/aQiCu+nlXus1OcZYlt4xoAoGCCqGSM49\nAwEHoUQDQgAE1YGpnNePZH5u6apTZpUP7/9W1xaJ8x5JNxqPxyh8gf6B2xStFB7q\nUIVkSB54IZGHuuQKkYwfCjT69zDGVRwt7A==\n-----END EC PRIVATE KEY-----\n\n/A/1/CA/com.example/2023-06-23\u003e cd ../../net.example.com/2023-06-23\n\n/A/1/CA/net.example/2022-00-21\u003e ecc private prime256v1\n-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIBDh1+5kobZT/IuuLx3KyLsaFqSF7WDVAC91/Ih9LzpeoAoGCCqGSM49\nAwEHoUQDQgAEU3lNhlWMkmVN6MEbWFIbCRH9uE4I5bxt+WSHn/vUpk9weJ/LJ4vt\nq9Wc+L1K/7QKbkJ2T0S+0PsNfQWWN2aDog==\n-----END EC PRIVATE KEY-----\n\n/A/1/CA/net.example/2022-00-21\u003e exit\n\n$\n```\n\nIf we need to recover these private keys later, we can use\nany three of the above shares to recover the key:\n\n```\n$ target/release/msecretctl\n\n\u003e secret recover\nEnter Share: Sf1GNofy4vvij3Z4uziDuxuc54ZSGiwY9MQ9fJQcWdkLSEi\nEnter Share: ARhqDQyLeN1K92xHxYkWhVHbGRsjLdduhPDPT6L2FsroNfT\nEnter Share: NvBfSVbkqmN37jxa8689S8htmPXnxaqvdH13FkaDLaAdWb3\nEnter Share:\nImported XvvjqeUihQncbhsVQBtToB\n\n/\u003e cd /A/1/CA/com.example/2023-06-23\n\n/A/1/CA/com.example/2023-06-23\u003e ecc private prime256v1\n-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIP9sNI1FKOOT0Pm56bpbXAP/aQiCu+nlXus1OcZYlt4xoAoGCCqGSM49\nAwEHoUQDQgAE1YGpnNePZH5u6apTZpUP7/9W1xaJ8x5JNxqPxyh8gf6B2xStFB7q\nUIVkSB54IZGHuuQKkYwfCjT69zDGVRwt7A==\n-----END EC PRIVATE KEY-----\n\n/A/1/CA/com.example/2023-06-23\u003e\n```\n\nYou could also export/share just the key at `/A/1`...\n\n```\n/A/1/CA/com.example/2023-06-23\u003e cd /A/1\n\n/A/1\u003e secret id\nEhK8TqdqrJ6xBaxEYx2mmb\n\n/A/1\u003e secret share 2 3 -f words\nlight-conan-flame--valid-input-poncho--bronze-falcon-jacob--piano-frame-popular--ticket-sharp-smoke--burger-status-father--cobra-ship-marion--water-shake-alien--except-private-fax\nsaint-queen-video--elite-martin-amber--canal-ferrari-jamaica--escape-soprano-dinner--honey-food-infant--paper-george-jumbo--cotton-vision-madonna--radio-rodent-episode--rainbow-citizen-ego\nsonata-tropic-mask--voice-edgar-cool--cotton-reptile-alien--meaning-carol-common--dynasty-joker-bamboo--poker-educate-random--lion-nova-demand--smile-escort-kilo--basket-ocean-fax\n\n/A/1\u003e q\n\n$\n```\n\n...and then derive the ECC keys from that:\n\n```\n$ target/release/msecretctl\n\n\u003e secret recover\nEnter Share: sonata-tropic-mask--voice-edgar-cool--cotton-reptile-alien--meaning-carol-common--dynasty-joker-bamboo--poker-educate-random--lion-nova-demand--smile-escort-kilo--basket-ocean-fax\nEnter Share: light-conan-flame--valid-input-poncho--bronze-falcon-jacob--piano-frame-popular--ticket-sharp-smoke--burger-status-father--cobra-ship-marion--water-shake-alien--except-private-fax\nEnter Share:\nImported EhK8TqdqrJ6xBaxEYx2mmb\n\n/\u003e cd CA/com.example/2023-06-23\n\n/CA/com.example/2023-06-23\u003e ecc private prime256v1\n-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIP9sNI1FKOOT0Pm56bpbXAP/aQiCu+nlXus1OcZYlt4xoAoGCCqGSM49\nAwEHoUQDQgAE1YGpnNePZH5u6apTZpUP7/9W1xaJ8x5JNxqPxyh8gf6B2xStFB7q\nUIVkSB54IZGHuuQKkYwfCjT69zDGVRwt7A==\n-----END EC PRIVATE KEY-----\n\n/CA/com.example/2023-06-23\u003e\n```\n\n## Future Work\n\n* Finalize specification\n* Smart card support with permissions\n* Keypath maps\n* Additional asymmetric key formats\n\n# License\n\nApache 2.0; see [`LICENSE`](LICENSE) for details.\n\n[//]: # (badges)\n\n[crate-image]: https://buildstats.info/crate/msecret\n[crate-link]: https://crates.io/crates/msecret\n[doc-image]: https://docs.rs/msecret/badge.svg\n[doc-link]: https://docs.rs/msecret\n[build-image]: https://github.com/darconeous/msecret-rust/workflows/CI/badge.svg\n[build-link]: https://github.com/darconeous/msecret-rust/actions?query=workflow%3ACI+branch%3Amain\n[msrv-image]: https://img.shields.io/badge/rustc-1.70+-blue.svg\n[deps-image]: https://deps.rs/crate/msecret/0.1.2/status.svg\n[deps-link]: https://deps.rs/crate/msecret/\n\n[//]: # (links)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdarconeous%2Fmsecret-rust","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdarconeous%2Fmsecret-rust","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdarconeous%2Fmsecret-rust/lists"}