Index / Unix

secret

secret(1) is a small shell script tool that I wrote to help me keep track of passwords and other bits of important data. Stuff you can't keep in your head, but may have to reference often and can't store unprotected.

I guess you could call secret a "password manager", but you can use it to store whatever you want. Text or binary, small files or huge files, secret doesn't care. It is very handy for passwords, and I do suggest using a unique, randomly generated password of 16 or more characters for every online service.

secret uses GnuPG for the encryption, which has the added bonus that you can now use the same key pair to secure your email messages as well. The OpenPGP standard is well documented and has been proven reliable over a long time. GnuPG also uses file compression by default.

secret stores every snippet that it encrypts as a separate file in a regular directory. This limits the damage from data corruption (a damaged file costs you one snippet, not the whole store) and also makes it easy to back up the data with ordinary tools. Hopefully all these design decisions will also ensure that the system is future-proof.
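To make that layout concrete, here is an added example written for this page. It is not the secret(1) script itself (that is in the tarball below); it is a small POSIX shell sketch of the same design: one gpg-encrypted file per snippet in a store directory, encrypted to your own OpenPGP key. The variable names SECRET_DIR and SECRET_RECIPIENT, the .gpg suffix and the subcommand names are assumptions, not secret's real interface. It also shows two checks any wrapper of this kind should have: entry names are validated before they become paths, so `../` or a leading `-` can neither escape the store nor be read by gpg as an option, and ciphertext is written to a temporary file and renamed into place so a crash cannot leave a half-written entry.

```shell
#!/bin/sh
# Added example for this page, not the secret(1) script. Names, flags and
# layout below are assumptions: $SECRET_DIR/<name>.gpg, encrypted to the
# OpenPGP key given in $SECRET_RECIPIENT (a key id or e-mail address).
SECRET_DIR="${SECRET_DIR:-$HOME/.secret}"
SECRET_RECIPIENT="${SECRET_RECIPIENT:-}"
GPG="${GPG:-gpg}"

# Map an entry name to its file. Only [A-Za-z0-9._-] is allowed, with no
# leading '.' or '-', so a name can neither leave the store directory nor be
# parsed by gpg as an option. Prints the path, or returns 1 on a bad name.
secret_path() {
    case "$1" in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s/%s.gpg\n' "$SECRET_DIR" "$1"
}

# Create the store with owner-only permissions. The files are ciphertext,
# but the entry names are not, so do not show them to other users.
secret_init() {
    mkdir -p "$SECRET_DIR" && chmod 700 "$SECRET_DIR"
}

# put <name>: encrypt stdin to $SECRET_RECIPIENT and install the result
# atomically (temp file, then rename). Runs in a subshell so the umask
# change stays local.
secret_put() (
    path=$(secret_path "$1") || { echo "secret: bad name: $1" >&2; exit 1; }
    [ -n "$SECRET_RECIPIENT" ] || { echo "secret: SECRET_RECIPIENT is not set" >&2; exit 1; }
    secret_init || exit 1
    umask 077
    tmp="$path.tmp.$$"
    if "$GPG" --batch --quiet --yes --encrypt --recipient "$SECRET_RECIPIENT" --output "$tmp"; then
        mv -f "$tmp" "$path"
    else
        rm -f "$tmp"
        exit 1
    fi
)

# get <name>: decrypt one entry to stdout. gpg-agent asks for the key
# passphrase the first time and caches it for a while.
secret_get() {
    path=$(secret_path "$1") || { echo "secret: bad name: $1" >&2; return 1; }
    [ -f "$path" ] || { echo "secret: no entry named $1" >&2; return 1; }
    "$GPG" --batch --quiet --decrypt "$path"
}

# list: entry names, taken from the filenames.
secret_list() {
    [ -d "$SECRET_DIR" ] || return 0
    for f in "$SECRET_DIR"/*.gpg; do
        [ -e "$f" ] || continue
        f=${f##*/}
        printf '%s\n' "${f%.gpg}"
    done
}

# find <pattern>: case-insensitive search over entry names.
secret_find() {
    secret_list | grep -i -- "$1"
}

case "${1:-}" in
    put)  shift; secret_put "$@" ;;
    get)  shift; secret_get "$@" ;;
    list) secret_list ;;
    find) shift; secret_find "$@" ;;
    '')   ;;   # no arguments: only define the functions (e.g. when sourced)
    *)    echo "usage: $0 put|get|list|find ..." >&2; exit 2 ;;
esac
```

Usage is along the lines of `SECRET_RECIPIENT=you@example.org ./secret.sh put mail < plaintext` and `./secret.sh get mail`. Two caveats the design carries with it: the entry names are unencrypted metadata, so anyone who can read the directory learns what accounts you have, and a backup of the directory is only useful together with a backup of the secret key that can decrypt it.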

Download

This software is distributed under the MIT license, so you are free to use it, redistribute it and modify it to your own needs.

Download secret-0.3.tar.gz (SHA256), or you can have a look at the man page first.

Some background

I wrote the first version of secret in 2009. I wanted something to help me store all the passwords I couldn't keep in my head.

I looked at several ready-made password managers, but none of them seemed portable enough (I was using both Mac OS X and Linux at the time). Also, I was wary of the security of their password stores and of whether I would still be able to access the data in years to come.

As it would happen, I had recently begun using GnuPG and this got me thinking. Would it not be most convenient to use my GnuPG key pair to handle the encryption? This way I would only have to remember one master passphrase.

After perusing the man pages and some initial testing it became clear that this was a very viable solution. Keeping the data as regular files in the filesystem makes everything easy to understand (and backup) and as every piece of data is its own file there is also some protection against corruption.

But retyping those long gpg(1) commands quickly became tiring. Some automation was required, and also some way to find the correct file quickly. Thus secret was born.

It was a very crude program at the time, but it served me well.

I did have ideas on how to make it easier to use, but I didn't implement them until my wife started using it. Since the program is now much more polished, I thought I might as well make it available to the public.