# safe

Store your secrets in an encrypted safe, protected by a password.

## usage

```sh
safe [-ad] [secret..]

# list all your deepest secrets
safe

# add a secret to your safe
echo 'This is secret!' | safe -a secret

# start a safe agent
safe -d

# retrieve a secret from your safe
safe secret
```

## goals

+ Only require a master password to unlock
+ Provide a way to open/lock the safe (agent?)
+ Store any kind of file
+ Do not expose file hierarchy if locked

## design

Your safe is stored on disk as a directory tree, with the following structure:

```
.safe
.safe/.index
.safe/2a809d0bfb9e39c5abf2b8b5baee231043085d3172aaa0040317cffc02736d5e
.safe/ad2063741cce2d9f2862b07152b06528d175e9e658ade8f2daa416834c9c089a
```

where each hash represents a "secret". They're stored as hashes to hide any kind of meta information about your secrets. These files are stored encrypted, using your master password.

The .index file stores the actual names of your entries, so the hash of each entry can be calculated in memory. This file is also stored encrypted.

You can then retrieve secrets by requesting them and typing your master password to decrypt them.

To make it more usable, the safe is accessible through an agent (let's call it Edgard), which acts as a gatekeeper. When you want to retrieve a secret, you ask Edgard for it, and he will decrypt it for you on stdout.

When you first call Edgard, he will ask you for your master password, so he can decrypt the secrets for you.

The password is stored hashed in memory, so nobody can "retrieve" your master password. As this hash is kept in memory to decrypt the files, giving your password to Edgard means that an intruder who gets at that memory could extract the hash, and thus decrypt your secrets. If you're concerned about this, then don't call Edgard.
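The following Python is an added example that models the design above in memory; it is not the project's code, and it makes choices the README leaves open. It derives a key from the master password with PBKDF2-HMAC-SHA256, keeps an encrypted `.index`, stores one encrypted blob per entry under a hash of its name, and has an `Agent` (Edgard) that holds only the derived key while unlocked. Because the Python standard library has no AEAD, the cipher here is a stream cipher built from HMAC-SHA256 in counter mode with a separate HMAC tag (encrypt-then-MAC); a real tool would use AES-GCM or ChaCha20-Poly1305. Keying the file-name hash with the safe key goes beyond the README's plain "hashes", and the class names, constants and the sample password are this example's own.

```python
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 200_000  # assumption: the README names no KDF or iteration count
NONCE_LEN = 16
TAG_LEN = 32


def derive_key(password: str, salt: bytes) -> bytes:
    """The 'hash' of the master password that the agent keeps in memory while unlocked."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, dklen=32)


def _subkey(key: bytes, purpose: bytes) -> bytes:
    """Independent keys for encryption, authentication and file naming, all from the master key."""
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode; stands in for an AEAD to stay within the standard library.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, with a fresh random nonce per call."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting, so a wrong key or a tampered file fails instead of yielding garbage."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed (wrong master password or corrupted file)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


def file_name(key: bytes, name: str) -> str:
    """Hashed file name as in the README, keyed so a listing of .safe confirms no guessed names."""
    return hmac.new(_subkey(key, b"name"), name.encode(), hashlib.sha256).hexdigest()


class Safe:
    """Stands in for the .safe directory: salt, the encrypted .index and one encrypted blob per entry."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.files: dict[str, bytes] = {}  # hashed file name -> encrypted secret
        self.index = seal(derive_key(password, self.salt), b"")  # empty, encrypted name list


class Agent:
    """Edgard: holds only the derived key while unlocked, never the master password itself."""

    def __init__(self):
        self.safe = None
        self.key = None  # None while locked

    def unlock(self, safe: Safe, password: str) -> None:
        key = derive_key(password, safe.salt)
        unseal(key, safe.index)  # a wrong password is rejected here, at unlock time
        self.safe, self.key = safe, key

    def lock(self) -> None:
        self.key = None

    def list(self) -> list[str]:
        """Plain `safe`: decrypt the index and return the entry names."""
        if self.key is None:
            raise PermissionError("safe is locked")
        return [n for n in unseal(self.key, self.safe.index).decode().split("\n") if n]

    def add(self, name: str, secret: bytes) -> None:
        """`safe -a name`: store the blob under its hashed name and re-encrypt the index."""
        names = self.list()
        if not name or "\n" in name:
            raise ValueError("invalid entry name")
        self.safe.files[file_name(self.key, name)] = seal(self.key, secret)
        if name not in names:
            names.append(name)
        self.safe.index = seal(self.key, "\n".join(names).encode())

    def get(self, name: str) -> bytes:
        """`safe name`: decrypt one secret; names absent from the index are refused."""
        if name not in self.list():
            raise KeyError(name)
        return unseal(self.key, self.safe.files[file_name(self.key, name)])


if __name__ == "__main__":
    safe = Safe("hunter2")  # constructed sample master password
    edgard = Agent()
    edgard.unlock(safe, "hunter2")
    edgard.add("secret", b"This is secret!")
    print("\n".join(".safe/" + f for f in safe.files))  # same shape as the tree above
    print(edgard.get("secret").decode())
```

Two points the design leaves implicit are made concrete here: a wrong master password is detected when the index fails authentication at unlock time rather than producing garbage on stdout, and because the file-name hash is keyed with the safe key, a listing of `.safe` while locked lets nobody confirm a guessed entry name, which is what "do not expose file hierarchy if locked" requires. Nothing in the model persists the password; once `lock()` drops the derived key, the agent can decrypt nothing until the next `unlock()`.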
## license

This software is licensed under the ISC license, see the LICENSE file provided.