This comprehensive explanation has been generated from 118 GitHub source documents. All source documents are searchable here.
Last updated: October 7, 2025
Note: In rare cases it may contain LLM hallucinations.
For authoritative documentation, please consult the official GLEIF vLEI trainings and the ToIP Glossary.
A passcode is secret data, typically a string of characters, used to confirm a user's identity and control access to protected resources. The word is a synonym for password; Apple, for example, uses it for the device-unlock secret. In KERI implementations the passcode is the credential that encrypts, and is required to open, the keystore holding the controller's cryptographic material: private keys, salts and the AIDs they control.
In KERI systems the passcode is the foundation of keystore encryption. A KERI data store created with a passcode is created locked: everything in it is encrypted by default, so nothing has to be switched on to get protection. This "secure by default" design keeps key material confidential even if an attacker obtains a copy of the storage medium; what the attacker then holds is ciphertext whose confidentiality rests entirely on the passcode.
The passcode is combined with a random cryptographic salt and run through a key-stretching function (Argon2id via libsodium's crypto_pwhash API) to derive the encryption keys. Stretching turns a passcode that may be far weaker than a raw key into keys of full strength, and the salt ensures that the same passcode yields different keys in different stores, so an attacker cannot precompute guesses once and reuse them against every keystore.
In the KERIA/Signify agent architecture the passcode stays on the client. The KERIA agent never has access to the passcode or to the decryption keys derived from it; this is the "signing at the edge" model, in which private keys remain exclusively under client control and the agent only relays what the client has already signed.
Passcodes in KERI implementations should follow these practices:
Never use user-chosen passwords: human-selected passwords lack the entropy needed to resist offline guessing against a copied keystore. Always generate passcodes with a cryptographically random function such as kli passcode generate or randomPasscode() in SignifyTS.
Passcode storage: never store passcodes in plaintext configuration files, environment variables or source code. In production systems, keep them in a secret-management solution.
Key derivation: KERI implementations derive keystore keys with libsodium's crypto_pwhash (Argon2id), a memory-hard function that makes GPU and ASIC guessing expensive.
Demo passcodes: the fixed value 0123456789abcdefghijk that appears in demo scripts is public. Treat any keystore created with it as already compromised and never reuse it outside a demo.
Temporary storage: in the KERIA/Signify architecture the passcode may be held in memory for the duration of an active session, but it should be cleared as soon as it is no longer needed.
The passcode is the weakest link in KERI's otherwise cryptographically robust security model: every secret in the keystore is only as confidential as the passcode that encrypts it, and a secret chosen to be memorable is a secret that can be guessed. For this reason KERI implementations emphasize high-entropy, randomly generated passcodes over user-chosen passwords.