summaryrefslogtreecommitdiffstats
path: root/README.md
blob: 5b3cabf93b83e56d86e8d701fd824826c3bb952d (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
# qpass

`qpass` is a small Go password generator with a conservative cryptographic
randomness model.

By default it uses Go's `crypto/rand` OS CSPRNG. It can also run in hybrid mode,
where local OS randomness is mixed with bytes from an external quantum,
hardware, or certified randomness source. The external source is additive: it
never replaces the OS CSPRNG as the safety baseline.

## Usage

```bash
go run ./cmd/qpass
go run ./cmd/qpass -stats
go run ./cmd/qpass -length 32 -count 5
go run ./cmd/qpass -length 32 -symbols=false
```

Hybrid entropy mode:

```bash
go run ./cmd/qpass -rng hybrid -entropy-file random-bytes.bin
go run ./cmd/qpass -rng hybrid -entropy-device /dev/qrandom
qrng-tool --raw | go run ./cmd/qpass -rng hybrid -entropy-stdin
```

Legacy compatibility:

```bash
go run ./cmd/qpass -length 32 -quantum-file random-bytes.bin
qrng-tool --raw | go run ./cmd/qpass -length 32 -quantum-file -
```

`-quantum-file` is kept as an alias for older usage. New scripts should prefer
`-rng hybrid` with `-entropy-file`, `-entropy-device`, or `-entropy-stdin`.

Entropy checks:

```bash
go run ./cmd/qpass entropy status
go run ./cmd/qpass entropy test -entropy-file random-bytes.bin
go run ./cmd/qpass entropy test -entropy-device /dev/qrandom -require-external
```

## Notes

- `-rng os` uses only Go's `crypto/rand.Reader`.
- `-rng hybrid` mixes `crypto/rand.Reader` with the configured external source
  using SHA-512 domain-separated blocks.
- Without `-require-external`, hybrid mode degrades to OS CSPRNG if the external
  source runs out or fails, and prints a warning on stderr.
- With `-require-external`, generation fails when the external source cannot
  provide enough bytes.
- `-replace-global-rand` installs the selected engine as `crypto/rand.Reader`
  for this process. It is an advanced integration option; normal password
  generation passes the reader explicitly.
- Entanglement-based randomness certification needs physical hardware and a
  Bell-test/randomness-amplification protocol.
- A normal laptop cannot reproduce that guarantee in software.
- For everyday password generation, OS CSPRNG via `crypto/rand` is the
  practical baseline.
- `qpass` prints only passwords by default. Use `-stats` when you want the
  alphabet size and estimated entropy on stderr.

## Development

```bash
make fmt
make test
make build
```