NAME

safe-store — Encrypted file storage for your secrets.

DESCRIPTION

The safe-store is a directory containing encrypted files called secrets. There can be any number of sub-directories in the safe-store, in which case the secret shall be refered to by its path relative to the safe-store.

  $ find .secrets -type f
  .secrets/master
  .secrets/name
  .secrets/subdir/name
  .secrets/subdir/othername

FILES

.secrets

Default safe-store path

.secrets/cipher

A arbitrary secret named "cipher"

.secrets/master

A special secret used as a reference for derivating a key from the master password

secrets are the concatenation of a 40 bytes cream(5) header and arbitrary data encrypted using the XChaCha20-Poly1305 algorithm.

The key used for encryption is derived from the parameters in the header and a master password. Every secret is encrypted with the same key.

master is a special secret containing the master password. It is used to check the master password, and as a reference for key derivation. Its content is however never checked for, and could be anything, as long as it can be decrypted properly.

SECURITY CONSIDERATIONS

The master secret is used to verify that the key derivated from your master password is correct. If it is not absent, no secret can be decrypted, and the safe(1) utility will generate a new header and master entry. It means that all secrets created with a different salt will not be decrypted properly.

To recover from a lost master secret, you can do the following (assuming that random_entry is an existing secret):

  cd $SAFE_DIR
  cp random_entry master
  echo "your master password" | safe -a master.new
  mv master.new master
  chmod 400 master
  safe master

SEE ALSO

safe(1), safe-agent(1), cream(5)

AUTHORS

Willy Goiffon <dev@z3bra.org>