Crypto                           Qatsi                   29 October 2025


   Back in September I needed a console tool that would take one of my
   high-entropy master passwords (the ones I keep in my head) plus some
   context, and deterministically generate a password from that.  Same
   inputs, same output, every time.  The use case: I have several
   critical things that need strong passwords (disk encryption, PGP
   keys, SSH keys, cryptocurrency wallet passphrases, Proxmox backups),
   but using the same (master!) password for all of them would be
   dangerous.  If one context gets compromised, everything else
   potentially goes down with it.  So I needed a way to derive different
   passwords from the same master without storing anything.

   I did some research and built Qatsi (from Koyaanisqatsi, obviously).
   All other implementations I found during my research (like LessPass,
   which uses PBKDF2) proudly marketed themselves as stateless password
   managers whilst conveniently ignoring a rather important detail:
   deterministic generators are dangerous for everyday online use.  Most
   didn't use memory-hard KDFs, and nobody wanted to admit the inherent
   limitation: if someone gets your master password, you're done.
   Context layers have much less entropy, so compromising the master
   means compromising everything.

   I use Qatsi exclusively on my air-gapped Gentoo machine for offline
   stuff.  Even if someone knew my PGP or Proxmox backup passwords,
   they'd still need to get their hands on the actual keys or encrypted
   backups first.  Not exactly trivial.  Qatsi lets me keep a few
   passwords in my head instead of dozens, generate the rest when
   needed, and maintains proper isolation.  One leaked key doesn't
   compromise the others.

   What matters most to me: if I lost my KeePassXC database or it got
   corrupted (backups notwithstanding), I could still recover passwords
   for my most critical contexts.  No storage required.  That's why I
   bothered building this.  The technical report is available on arXiv,
   and the Rust source code is on GitHub at the link below.


                           coignard.org/qatsi





              Copyright (c) 2025 contact@renecoignard.com

                       Powered by Weblog v1.19.0