Keysafe securely backs up a gpg secret key or other short secret to the cloud.

This is not intended for storing Debian Developer keys that yield root on ten million systems. It's about making it possible for users to use gpg who currently don't, and who would find it too hard to use paperkey to back up and restore their key as they reinstall their laptop.

Not yet ready for production use! Needs security review! May run over your dog! Not suitable for bitcoin keys!


See screenshots. (Keysafe can also run in text mode in a terminal.)

How it works, basically

The secret key is encrypted using a password and split into three shards, each of which is uploaded to a server run by a different entity. Any two of the shards are sufficient to recover the original key, so any one server can go down and you can still recover the key.
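
The 2-of-3 split described above can be illustrated with Shamir secret sharing over GF(2^8), applied to the already-encrypted key. This is an added example, not keysafe's own code: the page does not say which sharing scheme keysafe uses, and the function names and the sample blob are constructed for illustration.

```python
import secrets

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a):
    """Inverse as a^254, since a^255 == 1 for every nonzero a."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def split_2_of_3(blob):
    """For each byte s pick a random slope c; shard x stores f(x) = s + c*x."""
    slopes = secrets.token_bytes(len(blob))
    return {x: bytes(s ^ gf_mul(c, x) for s, c in zip(blob, slopes))
            for x in (1, 2, 3)}

def recover(shards):
    """Interpolate f(0) from exactly two shards, given as {x: bytes}."""
    if len(shards) != 2:
        raise ValueError("need exactly two distinct shards")
    (x1, y1), (x2, y2) = shards.items()
    if len(y1) != len(y2):
        raise ValueError("shard lengths differ")
    inv = gf_inv(x1 ^ x2)
    w1, w2 = gf_mul(x2, inv), gf_mul(x1, inv)  # Lagrange weights at x = 0
    return bytes(gf_mul(a, w1) ^ gf_mul(b, w2) for a, b in zip(y1, y2))

def candidates_from_one_shard(x, y):
    """Secret bytes consistent with a single shard byte y held at position x."""
    return {y ^ gf_mul(c, x) for c in range(256)}

if __name__ == "__main__":
    blob = b"constructed stand-in for the password-encrypted key"
    shards = split_2_of_3(blob)
    del shards[2]                      # one server is down
    assert recover(shards) == blob     # the other two still suffice
    print(len(candidates_from_one_shard(1, shards[1][0])), "candidates per byte from one shard")
```

In this scheme a single shard leaves all 256 values possible for every byte, so one server on its own learns nothing about the encrypted key.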

Keysafe checks your password strength (using the excellent but not perfect zxcvbn library), and shows an estimate of the cost to crack your password, before backing up the key.

(Above is for the password "makesad spindle stick")

Keysafe is designed so that it should take millions of dollars of computer time to crack any fairly good password. (This is accomplished using Argon2.) With a truly good password, such as four random words, the cracking cost should be many trillions of dollars.

The password is the most important line of defense, but keysafe's design also makes it hard for an attacker to even find your encrypted secret key.

For a more in-depth explanation, and some analysis of different attack vectors (and how keysafe thwarts them), see details. Also, there's a FAQ.


version 0.20161107

keysafe 0.20161107 released with these changes

  • The third keysafe server is now available, provided by Purism.
  • Purism's keysafe server has been vetted to Recommended level!
  • Change default for --port to 4242.
  • Fix --check-server to not fail when the server has not had anything stored on it yet.
  • --upload-queued: Exit nonzero if unable to upload all queued objects.
  • --autostart: If unable to upload all queued objects initially, delay between 1 and 2 hours and try again.
  • Better suggestion when user is having difficulty thinking of a strong enough password.
  • Defer requesting secret key from gpg until just before backup, so the user knows why gpg is asking for this secret key to be backed up.

version 0.20161022

keysafe 0.20161022 released with these changes

  • Add keywords to desktop file. Thanks, Sean Whitton
  • Fix use of .IP macro in manpage. Thanks, Sean Whitton
  • Fix some misspellings. Thanks, Sean Whitton
  • Makefile: Propagate LDFLAGS, CFLAGS, and CPPFLAGS through ghc.
  • Makefile: Allow setting BUILDER=./Setup to build w/o cabal or stack.
  • Makefile: Allow setting BUILDEROPTIONS=-j1 to avoid concurrent build, which should make build reproducible.

version 0.20161007

keysafe 0.20161007 released with these changes

  • Check if --store-local directory is writable.
  • Removed dependency on crypto-random.
  • Added a LSB init script, for non-systemd systems. (It currently uses Debian's start-stop-daemon, so would need porting for other distributions.)
  • /etc/default/keysafe is read by both the systemd service file and the init script, and contains configuration for the keysafe server.

Git repository

git clone git://

All tags and commits in this repository are gpg signed, and you should verify the signature before using it.


You should first install Haskell's stack tool, the readline and argon2 libraries, and zenity. For example, on a Debian system:

sudo apt-get install haskell-stack libreadline-dev libargon2-0-dev zenity

Then to build and install keysafe:

stack install keysafe

Note that there is a manpage, but stack doesn't install it yet.

Reporting bugs



See servers for information on the keysafe servers.


Keysafe is licensed under the terms of the AGPL 3+


Thanks to Anthony Towns for his help with keysafe's design.