One Seed to Rule Them All

SeedPass deterministically derives every key and password from a single 12‑word phrase.

alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima
πŸ”‘ Passwords
πŸ“± 2FA Codes
πŸ–§ SSH Keys
πŸ”’ PGP Key
🌱 Seed Phrase
⚑ Nostr Keys
πŸ”‘ Key/Value
πŸ‘₯ Managed Account
Get Started

Architecture Overview

Restore
Backup Pipeline
Local Storage
Same seed β‡’ re-derive any artifact on demand
Local Backup File
Nostr Snapshot
Portable Backup
Vault Restore
(Vault / BackupManager)
Timestamped Backups
(BackupManager)
Portable Backup
(portable_backup.py)
.json.enc
Nostr Snapshot
(nostr.client)
gzip chunks
Vault
(password_manager.Vault)
β€’ encrypted index
β€’ config
Parent Seed
(BIP-39 Mnemonic)
Seed Bytes
(BIP-39 β†’ 512-bit)
BIP-85 Derivation
(local_bip85.BIP85)
Password Entropy
(password_generation)
TOTP Secret
(utils.key_derivation.derive_totp_secret)
SSH Key Entropy
(password_generation.derive_ssh_key)
PGP Key Entropy
(entry_management.add_pgp_key)
Child Mnemonic
(BIP-85 derive_mnemonic)
Nostr Key Entropy
(nostr.KeyManager)
Key/Value Data
(entry_management.add_key_value)
Managed Account Seed
(entry_management.add_managed_account)
Passwords
2FA Codes
SSH Key Pair
PGP Key
Seed Phrase
Nostr Keys
(npub / nsec)
Key/Value
Managed Account

Features

  • Deterministic password generation using BIP-85
  • Encrypted local storage for seeds and sensitive data
  • Nostr relay integration with parameterised replaceable events for chunked snapshots and deltas
  • Seed/Fingerprint switching for managing multiple profiles
  • Checksum verification to ensure script integrity
  • Interactive TUI for managing entries and settings
  • Issue or import TOTP secrets for 2FA
  • Store arbitrary secrets as key/value pairs
  • Export your 2FA codes to an encrypted file
  • Optional external backup location
  • Auto-lock after inactivity
  • Derive nested managed account seeds
  • Secret Mode copies passwords to your clipboard
  • Group entries using tags for easy cross-type search

How SeedPass Works

SeedPass uses Bitcoin's BIP-85 standard for deterministic password generation. This means your passwords are not stored but can be regenerated using your master seed and specific indices.

BIP-85 Derivation Tree

The BIP-85 standard allows you to derive multiple child seeds from a single master seed. Each child seed can then be used to generate secure passwords. Here's a simplified illustration:

Master_Seed
β”œβ”€β”€ Child_Seed_0
β”‚   └── Password_A
β”œβ”€β”€ Child_Seed_1
β”‚   └── Password_B
β”œβ”€β”€ Child_Seed_2
β”‚   └── Password_C
└── ...

Seed/Fingerprint Switching

SeedPass allows you to manage multiple seed profiles (fingerprints). You can switch between different seeds to compartmentalize your passwords.

Nostr Relay Integration

SeedPass publishes your encrypted vault to Nostr in 50 KB chunks using parameterised replaceable events. A manifest describes each snapshot while deltas record updates. When too many deltas accumulate, a new snapshot is rotated in automatically.

Checksum Verification

Built-in checksum verification ensures your SeedPass installation hasn't been tampered with.

Interactive TUI

Navigate through menus to manage entries and settings. Example:

Select an option:
1. Add Entry
2. Retrieve Entry
3. Search Entries
4. List Entries
5. Modify an Existing Entry
6. 2FA Codes
7. Settings

Enter your choice (1-7) or press Enter to exit:

Secret Mode

When Secret Mode is enabled, retrieved passwords are copied directly to your clipboard instead of displayed. The clipboard clears automatically after a delay you set.

Disclaimer

⚠️ Disclaimer: This software was not developed by an experienced security expert and should be used with caution. There may be bugs and missing features. Additionally, the security of the program's memory management and logs has not been evaluated and may leak sensitive information.

Loss or exposure of the parent seed places all derived passwords, accounts, and other artifacts at risk.

Snapshot chunks are limited to 50 KB and rotated when deltas accumulate.