SAFE-STORE(5)                   File Formats Manual                   SAFE-STORE(5)
NAME
     safe-store — Encrypted file storage for your secrets.
DESCRIPTION
     The safe-store is a directory containing encrypted files called
     secrets. There can be any number of sub-directories in the safe-store,
     in which case a secret is referred to by its path relative to the
     safe-store.

           $ find .secrets -type f
           .secrets/master
           .secrets/name
           .secrets/subdir/name
           .secrets/subdir/othername
     safe-store path
              Secrets are the concatenation of a 40-byte cream(5) header and
              arbitrary data encrypted with the XChaCha20-Poly1305 algorithm.
              The key used for encryption is derived from the parameters in
              the header and a master password. Every secret is encrypted
              with the same key, which is only safe because XChaCha20-Poly1305
              must never reuse a (key, nonce) pair: each secret has to be
              encrypted under a fresh nonce.
     master   is a special secret containing the master password. It is
              used to check the master password, and its header is the
              reference for key derivation. Its content is never checked and
              could be anything, as long as it decrypts properly.

              The master secret is used to verify that the key derived from
              your master password is correct. If it is absent, no secret can
              be decrypted: the safe(1) utility will generate a new header and
              master entry, which means that every secret created with a
              different salt will no longer decrypt properly.
              To recover from a lost master secret, you can do the following
              (assuming that random_entry is an existing secret). Copying it
              to master makes its header the key-derivation reference again,
              so the password stored afterwards with safe -a is encrypted
              under the key the remaining secrets already use:

                    cd $SAFE_DIR
                    cp random_entry master
                    echo "your master password" | safe -a master.new
                    mv master.new master
                    chmod 400 master
                    safe master

              The final safe master must print the password back; if it does
              not, random_entry was itself created against a different salt.
              Note that the echo line is recorded in your shell history unless
              history is disabled for that session.
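The following Python script is an added example and not part of safe(1) or cream(5); it audits a safe-store using only what this page states: secrets are files named by their path relative to the store, each begins with a 40-byte header, the header's key-derivation parameters must match those of master, and a missing master is fatal. It never decrypts anything and treats the header layout as opaque, reporting only at which byte offsets a secret's header differs from master's (offsets that differ for every secret are per-secret values; offsets that must agree hold the derivation parameters). The sample store it builds is constructed data, and its 16-byte-salt-plus-24-byte-nonce header split is an assumption made only to fabricate that sample.

```python
"""Audit a safe-store directory without decrypting it (added example)."""
import os
import tempfile
from pathlib import Path
from typing import Dict, List

HEADER_LEN = 40  # cream(5) header size, as stated in safe-store(5)


def list_secrets(store: str) -> List[str]:
    """Every regular file below the store, named by its path relative to
    the store root, which is how safe(1) refers to a secret."""
    root = Path(store)
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            found.append((Path(dirpath) / name).relative_to(root).as_posix())
    return sorted(found)


def split_secret(data: bytes):
    """Split a secret into (header, ciphertext). The header layout is
    opaque here; only its length comes from the manual page."""
    if len(data) < HEADER_LEN:
        raise ValueError(f"{len(data)} bytes cannot hold a {HEADER_LEN}-byte header")
    return data[:HEADER_LEN], data[HEADER_LEN:]


def header_diff_offsets(a: bytes, b: bytes) -> List[int]:
    """Byte offsets at which two headers differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def audit_store(store: str) -> dict:
    """Report truncated files, whether master exists (without it safe(1)
    generates a fresh header and orphans every existing secret), and how
    each secret's header compares to master's."""
    report: dict = {"has_master": False, "too_short": [], "secrets": {}}
    headers: Dict[str, bytes] = {}
    for name in list_secrets(store):
        try:
            header, body = split_secret((Path(store) / name).read_bytes())
        except ValueError:
            report["too_short"].append(name)
            continue
        headers[name] = header
        report["secrets"][name] = {"body_len": len(body)}
    master = headers.get("master")
    report["has_master"] = master is not None
    for name, header in headers.items():
        if master is not None and name != "master":
            report["secrets"][name]["differs_from_master_at"] = header_diff_offsets(header, master)
    return report


def build_sample_store(store: str, with_master: bool = True) -> None:
    """Write a constructed sample store. Assumption for the sample only:
    header = 16 salt bytes + 24 per-secret bytes (not the real cream(5) layout)."""
    def secret(salt: bytes, per_secret: bytes, body: bytes) -> bytes:
        header = salt + per_secret
        assert len(header) == HEADER_LEN
        return header + body

    root = Path(store)
    (root / "subdir").mkdir()
    shared_salt = b"S" * 16
    if with_master:
        (root / "master").write_bytes(secret(shared_salt, b"M" * 24, b"\x00" * 32))
    (root / "name").write_bytes(secret(shared_salt, b"N" * 24, b"\x00" * 20))
    (root / "subdir" / "name").write_bytes(secret(shared_salt, b"O" * 24, b"\x00" * 5))
    # Created against a different salt: cannot be decrypted with master's key.
    (root / "subdir" / "othername").write_bytes(secret(b"X" * 16, b"P" * 24, b"\x00" * 9))
    (root / "broken").write_bytes(b"\x00" * 10)  # truncated, no full header


def demo(with_master: bool = True) -> dict:
    """Build the constructed store in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_store(d, with_master)
        return audit_store(d)


if __name__ == "__main__":
    result = demo()
    print("master present:", result["has_master"], "truncated:", result["too_short"])
    for name, info in result["secrets"].items():
        print(name, info)
```

Run against a real store as `audit_store(os.path.expanduser("~/.secrets"))`: a secret whose header differs from master's at offsets that every other secret shares with master is one that was created against a different salt, which is exactly the class of file the recovery procedure above cannot bring back.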
AUTHORS
     Willy Goiffon <dev@z3bra.org>

POSIX.1-2017                      2020-05-28                       SAFE-STORE(5)