Safe - A Vault CLI that makes reading from and writing to the Vault easy


Safe is a Vault Command Line Interface that makes reading from and writing to the Vault easier to do.


How to get this tool

To use this tool, please use a method listed below.

On Linux (Debian), run the following command:

git clone


Download directly from the following link:


How to execute

If you run Homebrew on macOS, be aware that the Formula for safe in Homebrew core is outdated, incorrect, and unmaintained. We maintain our own tap, which you are encouraged to use instead:


brew tap starkandwayne/cf

brew install starkandwayne/cf/safe



safe operates by way of sub-commands. To generate a new 2048-bit SSH keypair, and store it in secret/ssh:


safe ssh 2048 secret/ssh

To set non-sensitive keys, you can just specify them inline:


safe set secret/ssh username=system

If you use a password manager (good for you!) and don't want to have to paste passwords twice, use the paste subcommand:


safe paste secret/1pass/managed

Commands can be chained by separating them with the argument terminator, --, so to both create a new SSH keypair and set the username:

safe ssh 2048 secret/ssh -- set secret/ssh username=system


Auto-generated passwords are easy too:

safe gen secret/account passphrase


Sometimes, you just want to import passwords from another source (like your own password manager), without the hassle of writing files to disk or the risk of leaking credentials via the process table or your shell history file. For that, safe provides a double-confirmation interactive mode:

safe set secret/ssl/ca passphrase
passphrase [hidden]:
passphrase [confirm]:

What you type will not be echoed back to the screen, and the confirmation prompt is there to make sure your fingers didn't betray you.
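
A way to check for the shell-history leak described above, as an added example that is not part of the original article or of the safe project: the function scans history lines for safe set calls that passed a sensitive-looking key inline as key=value rather than through the hidden prompt. The function name, the key-name pattern and the sample history are assumptions constructed for illustration, and the parser assumes plain history lines that start with safe and carry no global options before the sub-command.

```shell
#!/bin/sh
# Added example: find `safe set` history entries that put a secret on the
# command line (key=value) instead of using the hidden prompt (bare key).

# Key names treated as sensitive (assumption for this example).
SENSITIVE='pass|secret|token|private'

# Constructed sample history; the values are made up.
SAMPLE_HISTORY='safe ssh 2048 secret/ssh -- set secret/ssh username=system
safe set secret/ssl/ca passphrase
safe set secret/account password=hunter2
safe gen secret/account passphrase
safe set secret/x a=b -- set secret/x api_token=abc123'

# Reads history lines on stdin and prints "LINE: path key" per finding.
# The value is never printed, so the report does not repeat the leak.
audit_safe_history() {
  awk -v pat="$SENSITIVE" '
    $1 == "safe" {
      line = $0
      sub(/^[ \t]+/, "", line)
      # Chained sub-commands are separated by the " -- " terminator.
      n = split(line, cmds, / -- /)
      for (i = 1; i <= n; i++) {
        m = split(cmds[i], w, /[ \t]+/)
        # Only the first command in a chain carries the leading "safe".
        s = (w[1] == "safe") ? 2 : 1
        if (w[s] != "set") continue
        path = w[s + 1]
        for (j = s + 2; j <= m; j++) {
          eq = index(w[j], "=")
          if (eq == 0) continue      # bare key: value came from the prompt
          key = substr(w[j], 1, eq - 1)
          if (tolower(key) ~ pat) print NR ": " path " " key
        }
      }
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_HISTORY" | audit_safe_history
```

To audit a real history file, feed it on stdin, for example audit_safe_history < ~/.bash_history; any path it reports holds a value that should be rotated and re-entered through the prompt or safe paste.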


All operations (except for delete) are additive, so the following:

safe set secret/x a=b c=d

 # is equivalent to this:

safe set secret/x a=b -- set secret/x c=d

Need to take an existing password, and generate a crypt-sha512 hash, or base64 encode it? safe fmt will do this, and store the results in a new key for you, making it easy to generate a password, and then format that password as needed.

safe gen secret/account password

safe fmt base64 secret/account password base64_pass

safe fmt crypt-sha512 secret/account password crypt_pass

safe get secret/account


References: starkandwayne/safe





This article was contributed by Racquel Bailey from Jamaica. Racquel is a member of the Caribbean CSPA.
