GitHub Repository
Configuration
GitHub Access Token: Generate a classic token with the
read:packages scope to access
dependencies hosted on GitHub Package Repository..gradle/gradle.properties
Compile
Run
Docker
Instead of running the local jlink binary, you can run a Docker image by passing thedocker flag with the image name
and tag.
Build the image:
build flag to force a
rebuild even if the image already exists:
./gradlew :sava-vanity:image) is built
automatically when it has not been built yet. Pass the build flag to force a rebuild of the local
binary image even if it already exists:
outDir is required so the generated keys are saved to disk; the host directory is created if
necessary and bind-mounted into the container with write permissions so that generated keys are
persisted on the host:
Args
- A
prefixand/orsuffixmust be provided. outDiris required so the generated keys are saved to disk.numThreadsdefaults to half of the systems CPU’s.keyFileFormatcontrols the on-disk key file format and may beproperties(default) orjson.- Each thread will check every
checkFounditerations ifnumKeyshave been found. p1337Lettersallows alphabetic characters to be replaced by visually similar numbers.1337Numbersallows numbers to be replaced by visually similar alphabetic characters.screenmay be enabled to manage the session so that it can be re-attached if a remote session is disconnected.ctrl+a -> dto detachscreen -rto re-attach
Run Control
- jvmArgs=“-server -Xms64M -Xmx128M”
- [d | docker | dockerImage]=
- [b | build]=false
- screen=0
- [nt | numThreads]=
- [nk | numKeys]=1
- [kf | keyFormat]=“base64KeyPair”
- [kff | keyFileFormat]=“properties”
- [cf | checkFound]=131072
- [ld | logDelay]=“5S”
- [o | outDir]=‘.keys’ (required)
- [sv | sigVerify]=false
Encryption
The generated secret key can be encrypted at rest by enabling theencrypt flag. The password is
never passed on the command line or as a JVM system property (both of which are visible in process
listings); it is supplied to the Java runtime only via the SAVA_VANITY_ENCRYPT_PASSWORD
environment variable.
- [e | encrypt]=false
- [pw | password] — securely prompts for the password (with confirmation) and forwards it to the
Java runtime via the environment variable. Implies
encrypt=true. - [pe | passwordEnv]=ENV_VAR_NAME — reads the password from an already-exported environment variable
for fully non-interactive runs. Implies
encrypt=true.
encrypt=true is set without password/passwordEnv, and the
SAVA_VANITY_ENCRYPT_PASSWORD environment variable is not present, the application falls back to
reading the password from the interactive Java Console.
Key Derivation (KDF)
The password is run through a key derivation function before it is used to encrypt the secret. Thekdf flag selects the function and the secret is always encrypted with AES-256/GCM. The KDF parameters can be
customized; when they are omitted, hardened defaults are used.
- [kdf]=argon2id —
argon2id(memory-hard, the default) orpbkdf2(PBKDF2WithHmacSHA512). - [kit | kdfIterations] — number of iterations. Applies to both
pbkdf2andargon2id. - [kmem | kdfMemoryKB] — Argon2id memory cost in KiB. Only valid with
kdf=argon2id. - [kpar | kdfParallelism] — Argon2id parallelism (lanes). Only valid with
kdf=argon2id.
kdfMemoryKB,
kdfParallelism and kdfIterations (to use the defaults) or provide all three.
Because Argon2id is memory-hard, each concurrent derivation allocates kdfMemoryKB of heap
(default 262144 KB / 256 MiB). When kdf=argon2id is selected, genKeys.sh automatically sizes
the JVM heap to (kdfMemoryKB × numThreads) + 128 MiB so concurrent derivations do not exhaust
the default heap. Passing your own --jvm args disables this auto-sizing.
Prefix
- [p | prefix]=""
- [pc | pCaseSensitive]=false
- [pn | p1337Numbers]=true
- [pl | p1337Letters]=true
Suffix
- [s | suffix]=""
- [sc | sCaseSensitive]=false
- [sn | s1337Numbers]=true
- [sl | s1337Letters]=true