safe

Password protected secret keeper
git clone git://git.z3bra.org/safe.git
Log | Files | Refs | README | LICENSE

README (1868B)


      1 # safe
      2 
      3 Store your secrets in an encrypted safe, protected by a password.
      4 
      5 ## usage
      6 
      7 	safe [-ad] [secret..]
      8 
      9 	# list all your deepest secrets
     10 	safe
     11 
     12 	# add a secret to your safe
     13 	echo 'This is secret!' | safe -a secret
     14 
     15 	# start a safe agent
     16 	safe -d
     17 
     18 	# retrieve a secret from your safe
     19 	safe secret
     20 
     21 ## goals
     22 
     23 + Only require a master password to unlock
     24 + Provide a way to open/lock the safe (agent?)
     25 + Store any kind of file
     26 + Do not expose file hierarchy if locked
     27 
     28 ## design
     29 
     30 Your safe is stored on disk as a directory tree, with the following structure:
     31 
     32 	.safe
     33 	.safe/.index
     34 	.safe/2a809d0bfb9e39c5abf2b8b5baee231043085d3172aaa0040317cffc02736d5e
     35 	.safe/ad2063741cce2d9f2862b07152b06528d175e9e658ade8f2daa416834c9c089a
     36 
     37 Where each hash represent a "secret". They're stored as hashes to hide
     38 any kind of meta information about your secret.
     39 These files are stored encrypted, using your master password.
     40 
     41 The .index file stores the actual names of your entries, so we can
     42 calculate the hash in-memory.
     43 This file is also stored encrypted.
     44 
     45 You can then retrieve secrets by requesting them, and typing your master
     46 password to decrypt them.
     47 
     48 To make it more usable, the safe is accessible through an agent (let's
     49 call it Edgard), which acts as a gatekeeper.
     50 When you want to retrieve a secret, you ask Edgard for it, and he will
     51 decrypt it for you on stdout.
     52 
     53 When you first call Edgard, he will ask you for your master password,
     54 so he can decrypt the secrets for you.
     55 
     56 The password is stored hashed in memory, so nobody can "retrieve" your
     57 master password. As this hash is kept in memory to decrypt the file,
     58 giving your password to Edgard means that an intruder could extract
     59 this hash, and thus decrypt your secrets.
     60 If you're concerned about this, then don't call Edgard.
     61 
     62 ## license
     63 This software is licensed under the ISC license, see the LICENSE file provided.