SAFE Encryption Tool

SAFE is a modern encryption CLI with post-quantum support, multi-recipient encryption, and composable authentication.

Behavior Guidelines

When this skill is loaded:

1. Check if safe is installed (which safe). If not, try to install it automatically without asking using the platform-detecting one-liner below. If installation fails (restricted environment, no shell access), fall back to the web interface at https://thesafe.dev — see "Browser-Based Alternative" below.
2. When the user asks to encrypt/decrypt, just do it. Don't ask for confirmation.
3. If a password is needed and not provided, use -p without a value (prompts interactively or reads SAFE_PASSPHRASE env var). In automation, use -p env:VARNAME to read from environment variables.
4. If a key file is needed, run safe keys to check existing identities and recipients. If no key exists, run safe keygen x25519 to generate one (auto-stores to ~/.safe/).
5. Always use absolute paths for key files and encrypted files to avoid working directory issues.
6. Always pipe instead of writing temp files. When decrypting inline/embedded content (base64, pasted data), pipe directly: echo "..." | base64 -d | safe decrypt -k key.key. Never write intermediate .safe files to /tmp or elsewhere.
7. Bare name recipients work. Use -r alice instead of -r /full/path/to/alice.x25519.pub when the recipient is in ~/.safe/recipients/.
8. Decrypt auto-discovers keys. If no -k or -p is provided, safe decrypt automatically tries all keys in ~/.safe/keys/.

Installation

Download the prebuilt binary from thesafe.dev/download: