SAFE(1) General Commands Manual SAFE(1)

safedigital safe for your secrets

safe [-bhr] [-p prompt] [-s safe] [[-af] secret]

safe stores secrets (files) encrypted on your disk, and lets you retrieve them, given that you have the right password.

Decrypt file secret from your safe to stdout.
Encrypt stdin to your safe as secret. Use -f to overwrite an existing secret.
Batch mode. Reads master password from stdin.
Force writing to secret if it exists. Implies -a.
Print a quick usage text.
Prompt user for password using an external program (see: SAFE_ASKPASS).
Prompt user for password using text prompt. (default: "password:")
Remember the password. The variable SAFE_SOCK must be set and point to the UNIX-domain socket bound by a running agent (see AGENT).
Set the path to your safe as safe. (default: .secrets)

When the agent is started, safe can retrieve the key from it rather than prompting you for a password. safe will try to read the key from the agent whenever the SAFE_SOCK variable is set in the environment.

When the agent is first started, you can push the key to it using the -p flag.

When you add your first secret to the safe, a master entry will be created automatically. This entry stores your master password, and is used to check that you typed the master password correctly on the next calls.

Do not delete this entry as it could lead to a corrupted safe.

Store a secret in your safe

  $ safe -a secret/file < kitten.gif

List all secrets in $SAFE_DIR (choose your weapon)

  $ tree --noreport $SAFE_DIR
  $ find $SAFE_DIR -type f
  $ ls -R $SAFE_DIR
  $ tar -C $SAFE_DIR -v -f /dev/null -c . | cut -d / -f 2-

Retrieve a secret from your safe

  $ safe secret/file > kitten.gif

Defines the location of your safe (default: .secrets)
Path to the UNIX-domain socket used to communicate with the agent.
If no TTY is available, the program specified by this variable will be used to read the master password (default: ssh-askpass)

safe-agent(1), safe-store(5)

Willy Goiffon <>

2019-02-20 POSIX.1-2017