SAFE(1) General Commands Manual SAFE(1)

safe - digital safe for your secrets

safe [-hr] [-p prompt] [-s safe] [-a] secret

safe stores secrets (files) encrypted on your disk, and lets you retrieve them, given that you have the right password.

Decrypt file secret from your safe to stdout.
Print a quick usage text.
Remember the password. The variable SAFE_SOCK must be set and point to the UNIX-domain socket bound by a running agent (see AGENT).
Prompt user for password using text prompt. (default: "password:")
Set the path to your safe as safe. (default: .secrets)
Encrypt stdin to your safe as secret.
Prompt user for password using an external program (see: SAFE_ASKPASS).

When the agent is started, safe can retrieve the key from it rather than prompting you for a password. safe will try to read the key from the agent whenever the SAFE_SOCK variable is set in the environment.

When the agent is first started, you can push the key to it using the -p flag.
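
A pre-flight check for the agent socket described above, as an added example that is not part of safe itself: it rejects a SAFE_SOCK that is not a UNIX-domain socket owned by you, or that is reachable by group or other. The function names check_safe_sock and private_mode are hypothetical.

```shell
#!/bin/sh
# Added example, not shipped with safe. Function names are hypothetical.
# The agent holds the key, so anyone who can reach its socket can ask for it.

# private_mode PATH: succeed only if PATH grants nothing to group or other.
private_mode() {
    # Characters 5-10 of `ls -ld` output are the group and other permission bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# check_safe_sock: validate $SAFE_SOCK before letting safe talk to the agent.
# Returns 0 if usable, 1 unset, 2 not a socket, 3 not ours, 4 too permissive.
check_safe_sock() {
    sock=${SAFE_SOCK:-}
    if [ -z "$sock" ]; then
        echo "SAFE_SOCK is not set; safe will prompt for the password" >&2
        return 1
    fi
    if [ ! -S "$sock" ]; then
        echo "$sock is not a UNIX-domain socket" >&2
        return 2
    fi
    # -O (owned by the effective user) is not in POSIX test, but bash,
    # dash and ksh all provide it.
    if [ ! -O "$sock" ]; then
        echo "$sock is owned by another user" >&2
        return 3
    fi
    # Some systems ignore the mode of the socket file itself, so the
    # directory that contains it has to be private as well.
    if ! private_mode "$sock" || ! private_mode "$(dirname -- "$sock")"; then
        echo "$sock or its directory is accessible to group/other" >&2
        return 4
    fi
    return 0
}

# Usage: check_safe_sock && safe secret/file > kitten.gif
```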

When you add your first secret to the safe, a master entry will be created automatically. This entry stores your master password, and is used to check that you typed the master password correctly on the next calls.

Do not delete this entry as it could lead to a corrupted safe.

Store a secret in your safe

  $ safe -a secret/file < kitten.gif

List all secrets in $SAFE_DIR (choose your weapon)

  $ tree --noreport $SAFE_DIR
  $ find $SAFE_DIR -type f
  $ ls -R $SAFE_DIR
  $ tar -C $SAFE_DIR -v -f /dev/null -c . | cut -d / -f 2-

Retrieve a secret from your safe

  $ safe secret/file > kitten.gif

SAFE_DIR  Defines the location of your safe (default: .secrets)
SAFE_SOCK  Path to the UNIX-domain socket used to communicate with the agent.
SAFE_ASKPASS  If no TTY is available, the program specified by this variable will be used to read the master password (default: thingaskpass)

safe-agent(1), safe-store(5)

Willy Goiffon

2019-02-20 POSIX.1-2017