Notes to self

Keeping secrets on Linux with Password Safe

How do you keep your secrets safe on Linux? Should you just go with an online service? What if you prefer an offline option with the possibility of online backups? GNOME’s Password Safe lets you neatly organize your secrets offline with a simple Keepass file to backup.

If you are like me, you can get a bit disorganized at times. But keeping passwords and SSH keys safe and backed up is something I had to standardized on. I also did not see a reason to manage them separately in many different applications. I don’t automatically trust online services with something that important neither.

I am on Fedora and a while back I discovered and started to use GNOME’s Password Safe. Password Safe is a small and neat application for your secret management on Linux.

You can install it with DNF on Fedora 32:

$ sudo dnf install gnome-passwordsafe

It’s also available on Flathub.

KeePass is an open-source encrypted password database format based on XML and you can think of Password Safe as a KeePass Linux client as it uses KeePass v.4 format to encrypt your secrets. As a GNOME app it also perfectly integrates with your GNOME shell desktop.

Let’s look at how this small GNOME app looks like and what features it has.

Password Safe requires to set up a passphrase that you will use to unlock the KeePass file:

password_safe

It will let you organize various secrets into folders:

password_safe

You can view and create new secrets inside them. A typical secret will be a password, which Password Safe can generate for you:

password_safe

You can however also directly save key-value pairs and files (handy for SSH keys):

password_safe

You can attach a specific icon and color to neatly organize all your secrets. Password Safe will also automatically lock itself with inactivity so your secrets stay safe.

I like two things about Password Safe:

  • The fact that it’s an easy to use offline application specifically designed for GNOME (so it’s a beautiful app to look at).
  • And the fact it’s simply built around using KeePass format for encryption so there is no vendor lockin and the file itself can be easily backed up with your other files online in the cloud.

Give Password Safe a go and let me know what you think!

Work with me

I have some availability for contract work. I can be your fractional CTO, a Ruby on Rails engineer, or consultant. Write me at strzibny@strzibny.name.

RSS