SAFE-STORE(5) File Formats Manual SAFE-STORE(5)

safe-store - Encrypted file storage for your secrets.

The safe-store is a directory containing encrypted files called secrets. It may contain any number of sub-directories, in which case a secret is referred to by its path relative to the safe-store root (for example subdir/name below).

  $ find .secrets -type f
  .secrets/master
  .secrets/name
  .secrets/subdir/name
  .secrets/subdir/othername

.secrets
Default safe-store path
.secrets/cipher
An arbitrary secret named "cipher"
.secrets/master
A special secret used as the reference for deriving a key from the master password

A secret is the concatenation of a 40-byte cream(5) header and arbitrary data encrypted using the algorithm.

The encryption key is derived from the parameters stored in that header and from a master password. Every secret in the store is encrypted with the same key.

master is a special secret which, by convention, contains the master password. It serves two purposes: checking that the master password is correct, and acting as the reference for key derivation. Its plaintext content is never actually inspected and could be anything, as long as it decrypts properly.

Because the master secret is what verifies that the key derived from your master password is correct, no secret can be decrypted while it is absent. In that case the safe(1) utility generates a new header and a new master entry, with a fresh salt, and every secret created under the previous salt can no longer be decrypted properly.

To recover from a lost master secret, you can do the following (assuming random_entry is an existing secret). Note that the echo line leaves the master password in your shell's history; clear it afterwards, or feed safe(1) from a file that you remove once done.

  cd "$SAFE_DIR"
  cp random_entry master                              # reuse an existing header so the original salt is kept
  echo "your master password" | safe -a master.new    # encrypt the password with the key derived from that header
  mv master.new master
  chmod 400 master                                    # secrets must not be readable by anyone else
  safe master                                         # decrypt it to verify the new master entry
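The following Python script is added here as an example; it is not part of safe(1) or cream(5). It walks a safe-store and checks what this page states about the layout: secrets are named by their path relative to the store root, every secret begins with a 40-byte cream(5) header (so a shorter file is malformed), the recovery procedure above sets mode 400 (so anything readable by group or others is flagged), and a missing master entry means nothing can be decrypted, in which case it also suggests a well-formed entry to use as random_entry. It does not parse the header, whose layout is documented in cream(5), not here. The sample store it builds for its demo() is constructed from random bytes and contains no real secrets; the SAFE_DIR/.secrets fallback order in the main block is this script's choice.

```python
"""Lint the layout of a safe(1) store. Added example, not part of safe(1) or
cream(5): only the file layout described in safe-store(5) is checked, the
cream(5) header itself is not parsed."""
import os
import shutil
import stat
import sys
import tempfile

HEADER_LEN = 40    # size of the cream(5) header at the start of every secret
MASTER = "master"  # special secret used to check the master password


def list_secrets(store):
    """Return all secret names as paths relative to the store root, sorted."""
    names = []
    for root, _dirs, files in os.walk(store):
        for name in files:
            names.append(os.path.relpath(os.path.join(root, name), store))
    return sorted(names)


def check_store(store):
    """Return a list of (secret, problem) pairs; an empty list means the store looks sane."""
    problems = []
    secrets = list_secrets(store)
    for name in secrets:
        st = os.lstat(os.path.join(store, name))
        if not stat.S_ISREG(st.st_mode):
            problems.append((name, "not a regular file"))
            continue
        if st.st_size < HEADER_LEN:
            problems.append((name, "only %d bytes, shorter than the %d-byte header"
                             % (st.st_size, HEADER_LEN)))
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append((name, "mode %04o is accessible to group/others"
                             % stat.S_IMODE(st.st_mode)))
    if MASTER not in secrets:
        problems.append((MASTER, "missing: nothing can be decrypted until it is recreated"))
    return problems


def pick_reference(store):
    """Suggest an existing, unflagged secret to copy over a lost "master"
    (the random_entry of the recovery procedure); None if nothing qualifies."""
    flagged = {name for name, _ in check_store(store)}
    for name in list_secrets(store):
        if name != MASTER and name not in flagged:
            return name
    return None


def build_demo_store(store, with_master=True):
    """Populate store with a constructed sample layout (random bytes, not real
    secrets): well-formed entries, one truncated entry and one world-readable one."""
    os.makedirs(os.path.join(store, "subdir"))

    def put(name, size, mode=0o400):
        path = os.path.join(store, name)
        with open(path, "wb") as fh:
            fh.write(os.urandom(size))  # stand-in for header + ciphertext
        os.chmod(path, mode)

    if with_master:
        put(MASTER, HEADER_LEN + 32)
    put("name", HEADER_LEN + 16)
    put("subdir/name", HEADER_LEN + 64)
    put("subdir/othername", HEADER_LEN)        # header only: still well-formed
    put("truncated", 12)                       # too short to hold a header
    put("leaky", HEADER_LEN + 8, mode=0o644)   # readable by everyone


def demo():
    """Run the checks against the constructed store, with and without "master"."""
    out = {}
    for with_master in (True, False):
        store = tempfile.mkdtemp(prefix="safe-store-demo-")
        try:
            build_demo_store(store, with_master)
            out["with_master" if with_master else "without_master"] = {
                "names": list_secrets(store),
                "problems": check_store(store),
                "reference": pick_reference(store),
            }
        finally:
            shutil.rmtree(store)
    return out


if __name__ == "__main__":
    # Assumed fallback order: argument, then $SAFE_DIR, then the default .secrets path.
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("SAFE_DIR", ".secrets")
    if not os.path.isdir(target):
        sys.exit("%s: not a directory" % target)
    for secret, problem in check_store(target):
        print("%s: %s" % (secret, problem))
```

Run it as `python3 safe-store-lint.py "$SAFE_DIR"`; a silent run means every secret is long enough to carry its header, none is readable by other users, and master is present. A "master ... missing" line is the situation the recovery procedure above addresses, and pick_reference() names a candidate for the cp step.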

safe(1), safe-agent(1), cream(5)

Willy Goiffon <dev@z3bra.org>

2020-05-28 POSIX.1-2017