back up a secret key securely to the cloud

Latest on Hackage:0.20180326

This package is not currently in any snapshots. If you're interested in using it, we recommend adding it to Stackage Nightly. Doing so will make builds more reliable, and allow to host generated Haddocks.

AGPL-3.0-only licensed by Joey Hess
Maintained by Joey Hess

Keysafe backs up a secret key to several cloud servers, split up so that no one server can access the whole secret by itself.

A password is used to encrypt the data, and it is made expensive to decrypt, so password cracking is infeasibly expensive.


keysafe (0.20180326) unstable; urgency=medium

* Updated to argon2-1.3.

-- Joey Hess <> Mon, 26 Mar 2018 08:12:00 -0400

keysafe (0.20170811) unstable; urgency=medium

* Updated to http-client 0.5.3, servant 0.11, and stackage lts-9.0.

-- Joey Hess <> Fri, 11 Aug 2017 18:57:15 -0400

keysafe (0.20170303) unstable; urgency=medium

* Updated to use raaz-0.1.1.

-- Joey Hess <> Fri, 03 Mar 2017 16:15:47 -0400

keysafe (0.20170122) unstable; urgency=medium

* Adjust cabal bounds to allow building with ghc 8.0.
However, the stack.yaml is still using an old LTS version
to avoid polynomial's failure to build with ghc 8.0
* Clarify that dollars in cost estimates are USD.
* Keysafe has a new website,

-- Joey Hess <> Sun, 22 Jan 2017 09:44:17 -0400

keysafe (0.20161107) unstable; urgency=medium

* The third keysafe server is now available, provided by Purism.
* Purism's keysafe server has been vetted to Recommended level!
* Change default for --port to 4242.
* Fix --check-server to not fail when the server has not had anything
stored on it yet.
* --upload-queued: Exit nonzero if unable to upload all queued objects.
* --autostart: If unable to upload all queued objects initially,
delay between 1 and 2 hours and try again.
* Better suggestion when user is having difficulty thinking of a strong
enough password.
* Defer requesting secret key from gpg until just before backup, so the
user knows why gpg is asking for this secret key to be backed up.

-- Joey Hess <> Mon, 07 Nov 2016 15:05:29 -0400

keysafe (0.20161022) unstable; urgency=medium

* Add keywords to desktop file.
Thanks, Sean Whitton
* Fix use of .IP macro in manpage.
Thanks, Sean Whitton
* Fix some mispellings.
Thanks, Sean Whitton
* Makefile: Propagate LDFLAGS, CFLAGS, and CPPFLAGS through ghc.
* Makefile: Allow setting BUILDER=./Setup to build w/o cabal or stack.
* Makefile: Allow setting BUILDEROPTIONS=-j1 to avoid concurrent
build, which should make build reproducible.

-- Joey Hess <> Sat, 22 Oct 2016 19:01:24 -0400

keysafe (0.20161007) unstable; urgency=medium

* Check if --store-local directory is writable.
* Removed dependency on crypto-random.
* Added a LSB init script, for non-systemd systems.
(It currently uses Debian's start-stop-daemon, so would need porting
for other distributions.)
* /etc/default/keysafe is read by both the systemd service file and the
init script, and contains configuration for the keysafe server.

-- Joey Hess <> Thu, 20 Oct 2016 14:44:07 -0400

keysafe (0.20161006) unstable; urgency=medium

* New --add-storage-directory and --add-server options, which can be used
to make keysafe backup/restore using additional locations.
* Removed --store-local option; use --add-storage-directory instead.
* Fix bugs with entry of gpg keyid in the keysafe.log.
* Fix bug in --autostart that caused the full gpg keyid to be
used to generate object names, which made restores would only work
when --gpgkeyid was specifid.
* Remove embedded copy of argon2 binding, depend on fixed version of package.

-- Joey Hess <> Wed, 05 Oct 2016 20:54:51 -0400

keysafe (0.20160927) unstable; urgency=medium

* Makefile: Avoid rebuilding on make install, so that sudo make install works.
* Added --chaff-max-delay option for slower chaffing.
* Fix embedded copy of Argon2 to not use Word64, fixing build on 32 bit
* Randomize the server list.
* Don't upload more than neededshares-1 shares to Alternate servers
without asking the user if they want to do this potentially dangerous
* Added a second keysafe server to the server list. It's provided
by Marek Isalski at Faelix. Currently located in UK, but planned move
to CH. Currently at Alternate level until verification is complete.
* Server: --motd can be used to provide a Message Of The Day.
* Added --check-servers mode, which is useful both at the command line
to see what servers keysafe knows about, and as a cron job.
* Server: Round number of objects down to the nearest thousand, to avoid
leaking too much data about when objects are uploaded to servers.
* Filter out escape sequences and any other unusual characters when
writing all messages to the console.

-- Joey Hess <> Tue, 27 Sep 2016 20:25:35 -0400

keysafe (0.20160922) unstable; urgency=medium

* Keysafe now knows about 3 servers, although only 1 is currently in
operation. It will queue uploads to the other 2 servers until
they are added in a later keysafe release.
* Added --autostart mode, and make both keysafe --backup and
the Makefile install a FDO desktop autostart file to use it.
* In --autostart mode, retry any queued uploads.
* In --autostart mode, check for gpg keys that have not been
backed up, and offer to back them up. Only ask once per key.
* Changed format of ~/.keysafe/backup.log
* Server: Reduce number of buckets in rate limiter, avoiding ones with very low
proof of work.
* Server: Make rate limiter adapt to ongoing load more quickly -- every 15
minutes instead of every 60.
* Server: Added --backup-server and --restore-server to aid in backing
up keysafe servers with minimal information leakage.

-- Joey Hess <> Thu, 22 Sep 2016 15:10:56 -0400

keysafe (0.20160914) unstable; urgency=medium

* Fix bug that prevented keysafe --server from running when there was no
controlling terminal and zenity was not installed.
* Added --name and --othername options.
* Added proof of work to client/server protocol.
* Server-side rate limiting and DOS protection.
* server: Added --months-to-fill-half-disk option, defaulting to 12.
* Several new dependencies.
* Another fix to gpg secret key list parser.
* Warn when uploads fail and are put in the upload queue.
* Warn when --uploadqueued fails to upload to servers.
* Fix --uploadqueued bug that prevented deletion of local queued file.
* Added --chaff mode which uploads random junk to servers.
This is useful both to test the server throttling of uploads,
and to make it harder for servers to know if an object actually
contains secret key information.
* Store information about backed up keys in ~/.keysafe/backup.log
This can be deleted by the user at any time, but it's useful
in case a server is known to be compromised, or a problem is found
with keysafe's implementation that makes a backup insecure.

-- Joey Hess <> Wed, 14 Sep 2016 17:08:55 -0400

keysafe (0.20160831) unstable; urgency=medium

* Server implementation is ready for initial deployment.
* Keysafe as a client is not yet ready for production use.
* Removed embedded copy of secret-sharing library, since finite-field
only supports prime fields. This caused shares to be twice the size of
the input value.
* Reduced chunk size to 32kb due to share size doubling.
* Fix gpg secret key list parser to support gpg 2.
* Tuned argon2 hash parameters on better hardware than my fanless laptop.
* Improve time estimates, taking into account the number of cores.
* Added basic test suite.
* Added options: --store-directory --test --port --address
* Added a Makefile
* Added a systemd service file.
* Added a desktop file.

-- Joey Hess <> Wed, 31 Aug 2016 15:43:30 -0400

keysafe (0.20160819) unstable; urgency=medium

* First release of keysafe. This is not yet ready for production use.
* Network support is not yet implemented, but --store-local works for
testing with local data storage.
* Data backed up with keysafe version 0.* will not be able to be restored
by any later version! Once the data format stabalizes, keysafe version
1 data will be supported by every later version.
* Argon2 hashes are not yet tuned for modern hardware, but only for my
laptop. So, cracking cost estimates may be low. To help with this
tuning, run `keysafe --bechmark` and send the output to me.

-- Joey Hess <> Fri, 19 Aug 2016 19:41:06 -0400
comments powered byDisqus