User Guide: Credential Management

This guide covers all aspects of managing credentials in SafekeeperLife, from adding your first credential to organizing and maintaining your credential store over time.

Overview

SafekeeperLife stores credentials: sensitive text such as usernames, passwords, recovery codes, and API keys. This guide will help you manage these credentials effectively throughout the lifecycle of your Safe.

What You Can Store:

  • Usernames and passwords
  • Email account credentials
  • Password manager master passwords
  • Recovery codes and backup codes
  • API keys and access tokens
  • Security questions and answers
  • Account PINs and passcodes
  • SSH keys (as text)
  • Any sensitive text-based information

What You Cannot Store:

  • Files (documents, photos, videos)
  • Binary data
  • Databases
  • Large amounts of data (limit: ~10,000 characters per credential)

See Also: What Can I Store? for detailed guidance on content types.

Understanding Credentials

Credential Structure

Each credential in SafekeeperLife has:

  • Name (required): A friendly label (e.g., “Google Account Personal Account”)
  • Template (required): The credential type (Generic, Google Account, 1Password, etc.)
  • Fields (varies by template): Specific data fields (username, password, URL, etc.)
  • Notes (optional): Additional information or context
  • Created/Updated timestamps: Automatically tracked

Credential Templates

Templates provide structured fields for common credential types:

| Template | Use Case | Key Fields |
|---|---|---|
| Generic | Any credential | username, password, url, notes |
| Google Account | Google accounts | email, password, recovery_email, 2fa_codes |
| 1Password | Password managers | master_password, secret_key, emergency_kit_location |
| KeePassXC | KeePass databases | database_password, key_file_location, database_location |
| Dropbox Shared Folder | Dropbox accounts | email, password, shared_folder_link |
| Bank Account(s) | Online banking | username, password, account_number, sort_code, iban, swift |

See Also: Credential Templates Guide for detailed template documentation.

Adding Credentials

Prerequisites

  • Your Safe must be in the unlocked state
  • If your Safe is locked, you must unlock it first (see Unlocking a Safe)

Step-by-Step: Adding a Credential

  1. Navigate to your Safe (click on Safe name from safes list)
  2. Ensure Safe is unlocked (status shows “Unlocked”)
  3. Click “Add Credential” button
  4. Select a template from the dropdown:
    • Choose a specific template (Google Account, 1Password, etc.) for structured data
    • Choose “Generic” for custom credentials
  5. Fill in the required fields (marked with asterisk *)
  6. Fill in optional fields as needed
  7. Add notes (optional but recommended for context)
  8. Click “Save Credential”

Your credential is now saved in the Safe.

Example: Adding a Google Account

Template: Google Account

Required Fields:
- Name: "Personal Google Account"
- Email: "john.doe@gmail.com"
- Password: "MySecurePassword123!"

Optional Fields:
- Recovery Email: "john.backup@example.com"
- Recovery Phone: "+1-555-123-4567"
- 2FA Backup Codes: "12345678, 23456789, 34567890, 45678901, 56789012"

Notes:
"Primary personal email. Uses Google Authenticator for 2FA.
Recovery email is checked weekly. Password last changed: 2025-01-15."

Example: Adding a Custom Credential (Generic Template)

Template: Generic

Required Fields:
- Name: "Home WiFi Password"
- Username: "admin"
- Password: "SecureWiFiPass2025!"

Optional Fields:
- URL: "http://192.168.1.1"

Notes:
"Router admin password for Netgear Nighthawk.
Router located in bedroom closet.
Password changed quarterly (last changed: Jan 2025)."

Tips for Adding Credentials

Use Descriptive Names:

  • Good: “Google Account Personal Account (john.doe@gmail.com)”
  • Bad: “Google Account” or “Email”

Fill in Optional Fields: Even if not required, fields like recovery email and 2FA codes are critical for account access.

Add Comprehensive Notes: Include context that will help Keyholders:

  • When password was last changed
  • Which 2FA method is used
  • Where to find additional information
  • Special login procedures

Test Credentials Before Storing: Verify credentials work before adding them to the Safe. Don’t store untested or outdated credentials.

Group Related Credentials: If you have multiple related credentials (e.g., Google accounts for different environments), add them all at once and use clear naming conventions.

Viewing Credentials

In Unlocked State

When your Safe is unlocked, you can view all credentials in plaintext:

  1. Navigate to your Safe
  2. View credential list (all credentials displayed)
  3. Click on a credential to see full details
  4. Copy values (click copy icons next to fields)

Security Note: Credentials are visible in plaintext when unlocked. Ensure you lock the Safe when done editing.

In Locked State

When your Safe is locked, credentials are encrypted and not visible. You must unlock the Safe to view them.

Why? Locking encrypts all credentials with your master password. This prevents unauthorized access and prepares the Safe for sealing.

In Sealed State

When your Safe is sealed, credentials are encrypted and only accessible through the reveal process (Keyholders uploading Keys).

You cannot view credentials in sealed state unless you:

  1. Have Keyholders upload their Keys (threshold met)
  2. Safe moves to revealed state
  3. Then view credentials

In Revealed State

When your Safe is revealed (Keyholders uploaded threshold Keys), credentials are visible to all participants who uploaded Keys.

Editing Credentials

Prerequisites

  • Safe must be in unlocked state
  • If locked, you must unlock first

Step-by-Step: Editing a Credential

  1. Navigate to your Safe
  2. Ensure Safe is unlocked
  3. Click on the credential you want to edit
  4. Click “Edit” button
  5. Modify fields as needed
  6. Update notes if relevant (e.g., “Password changed on 2025-01-20”)
  7. Click “Save Changes”

Common Edit Scenarios

Scenario 1: Password Changed

Old Credential:
- Password: "OldPassword123!"
- Notes: "Password changed quarterly"

Updated Credential:
- Password: "NewPassword456!"
- Notes: "Password changed quarterly (last changed: 2025-01-20)"

After editing: Lock and re-seal the Safe to update encrypted shares.

Scenario 2: Adding 2FA Codes

Original:
- Email: "john@gmail.com"
- Password: "MyPassword"
- 2FA Backup Codes: (empty)

Updated:
- Email: "john@gmail.com"
- Password: "MyPassword"
- 2FA Backup Codes: "12345678, 23456789, 34567890"

Notes: "Enabled 2FA on 2025-01-20. Using Google Authenticator."

Scenario 3: Correcting Typos

Original:
- Email: "john.doe@gmial.com" (typo)

Fixed:
- Email: "john.doe@gmail.com"

Always test credentials after editing to ensure they work correctly.

Deleting Credentials

Prerequisites

  • Safe must be in unlocked state

Step-by-Step: Deleting a Credential

  1. Navigate to your Safe
  2. Ensure Safe is unlocked
  3. Click on the credential you want to delete
  4. Click “Delete” button
  5. Confirm deletion (this is permanent)

Warning: Deletion is permanent and cannot be undone. Make sure you:

  • No longer need the credential
  • Have alternative access to the account
  • Have exported/backed up the credential if needed

When to Delete Credentials

Delete when:

  • Account was closed/deleted
  • Credentials are outdated or incorrect
  • Service no longer exists
  • You’ve migrated to a different account

Don’t delete when:

  • Temporarily not using the account (just keep it)
  • Unsure if needed (keep it, mark in notes as “possibly obsolete”)
  • Account might be useful in the future

Organizing Credentials

Naming Conventions

Use consistent, descriptive naming:

Good Names:

  • “Google Account Personal (john.doe@gmail.com)”
  • “1Password Master Password”
  • “Home WiFi Router Admin”
  • “Bank of America Online Banking”

Bad Names:

  • “Google Account” (which one?)
  • “Password” (password for what?)
  • “Login” (too vague)
  • “Account 1” (not descriptive)

Grouping Strategies

SafekeeperLife doesn’t have folders, but you can use naming prefixes:

Strategy 1: By Service Type

  • [Email] Google Account Personal
  • [Email] Outlook Work
  • [Bank] Chase Checking
  • [Bank] Bank of America Savings

Strategy 2: By Priority

  • [CRITICAL] 1Password Master
  • [CRITICAL] Primary Email
  • [Important] Dropbox
  • [Nice-to-Have] Netflix

Strategy 3: By Category

  • Personal - Google Account
  • Personal - Facebook
  • Work - Slack

Choose one strategy and stick with it for consistency.

Using Notes Effectively

Notes are searchable and help provide context:

Include in Notes:

  • Last password change date
  • 2FA method used (app, SMS, hardware key)
  • Recovery contact information
  • Special login instructions
  • Related accounts or dependencies
  • Frequency of use

Example Note:

Critical account for family photo storage.
Password changed quarterly (last: 2025-01-20).
Uses Google Authenticator for 2FA.
Recovery email: john.backup@example.com
Shared folder "Family Photos" is accessible to 5 family members.
If revealing, ensure shared folder access is preserved.

Safe States and Credential Operations

Different operations are allowed in different Safe states:

| Operation | Unlocked | Locked | Sealed | Revealed |
|---|---|---|---|---|
| Add Credential | ✅ Yes | ❌ No | ❌ No | ❌ No |
| View Credential | ✅ Yes | ❌ No | ❌ No | ✅ Yes* |
| Edit Credential | ✅ Yes | ❌ No | ❌ No | ❌ No |
| Delete Credential | ✅ Yes | ❌ No | ❌ No | ❌ No |
| Lock Safe | ✅ Yes | ❌ Already locked | ❌ No | ❌ No |
| Unlock Safe | ❌ Already unlocked | ✅ Yes | ❌ No | ❌ No |
| Seal Safe | ❌ No | ✅ Yes | ❌ Already sealed | ❌ No |

*In revealed state, credentials are viewable by Keyholders who participated in reveal.
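
The table above, written as a table-driven check that replays a sequence of operations and reports the first step the current state forbids. This is an added example, not SafekeeperLife code: the operation names are illustrative, the `reveal` transition is taken from the "In Sealed State" section rather than the table, and a newly created Safe is assumed to start unlocked.

```python
from enum import Enum


class State(Enum):
    UNLOCKED = "unlocked"
    LOCKED = "locked"
    SEALED = "sealed"
    REVEALED = "revealed"


U, L, S, R = State.UNLOCKED, State.LOCKED, State.SEALED, State.REVEALED

# Operation -> states in which the guide's table marks it "Yes".
ALLOWED = {
    "add": {U}, "edit": {U}, "delete": {U},
    "view": {U, R},
    "lock": {U}, "unlock": {L}, "seal": {L},
    # Not a table row: the "In Sealed State" section says a sealed Safe
    # becomes revealed once the threshold of Keys has been uploaded.
    "reveal": {S},
}

# Operations that change the state; every other operation leaves it as is.
NEXT_STATE = {"lock": L, "unlock": U, "seal": S, "reveal": R}


class NotAllowed(Exception):
    def __init__(self, step, op, state):
        super().__init__(f"step {step}: '{op}' not allowed while {state.value}")
        self.step, self.op, self.state = step, op, state


def replay(start, ops):
    """Apply ops in order; return the final state, or raise NotAllowed
    at the first step the table forbids."""
    state = start
    for step, op in enumerate(ops, 1):
        if state not in ALLOWED[op]:
            raise NotAllowed(step, op, state)
        state = NEXT_STATE.get(op, state)
    return state


def first_violation(start, ops):
    """Return (step, operation, state) for the first forbidden step, or None."""
    try:
        replay(start, ops)
    except NotAllowed as exc:
        return (exc.step, exc.op, exc.state)
    return None


if __name__ == "__main__":
    # Initial setup (assumed to start unlocked), then a password update from locked.
    print(replay(U, ["add", "add", "view", "lock", "seal"]))
    print(replay(L, ["unlock", "edit", "lock", "seal"]))
    # Sealing without locking first is rejected at step 2.
    print(first_violation(U, ["edit", "seal"]))
```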

Unlocking a Locked Safe

To edit credentials in a locked Safe:

  1. Navigate to the Safe
  2. Click “Unlock Safe”
  3. Enter your master password
  4. Click “Unlock”

Your Safe is now unlocked and you can edit credentials.

Important: After editing, you should:

  1. Lock the Safe again to re-encrypt credentials
  2. Re-seal the Safe if you want to update the encrypted shares distributed to Keyholders

Re-Locking After Edits

After editing credentials, always lock the Safe:

  1. Click “Lock Safe”
  2. Enter your master password (confirmation)
  3. Click “Confirm Lock”

This re-encrypts all credentials with the latest changes.

Re-Sealing After Edits

If your Safe was previously sealed and you’ve edited credentials:

  1. Lock the Safe (if not already locked)
  2. Click “Seal Safe”
  3. Review Keyholder list
  4. Click “Confirm Seal”

This regenerates shared Keys with the updated encrypted data and redistributes them to Keyholders.

Note: Keyholders receive new Key files. Old Key files from previous seal are invalid.

Best Practices

Security Best Practices

  1. Always lock when done editing

    • Unlocked state exposes credentials in plaintext
    • Lock encrypts everything
  2. Use strong, unique passwords for credentials

    • Don’t store weak passwords
    • Don’t reuse passwords across services
  3. Test credentials before storing

    • Verify username/password work
    • Confirm 2FA codes are correct
  4. Keep your master password secure

    • Write it down and store in a physical safe
    • Don’t store it in the Safe itself
    • Don’t share it with Keyholders
  5. Update credentials when they change

    • Passwords changed? Update the Safe
    • 2FA codes regenerated? Update the Safe
    • Account closed? Delete from Safe

Maintenance Best Practices

  1. Regular audits (quarterly or semi-annually)

    • Review all credentials
    • Remove obsolete accounts
    • Update outdated information
    • Test critical credentials
  2. Document changes in notes

    • Track password change dates
    • Note when 2FA was enabled
    • Record recovery information updates
  3. Keep emergency contacts updated

    • Ensure recovery emails are accessible
    • Verify recovery phone numbers work
    • Update backup codes if regenerated
  4. Organize consistently

    • Use a naming convention
    • Group related credentials
    • Write informative notes
  5. Plan for updates

    • Know that editing requires unlock → edit → lock → re-seal cycle
    • Coordinate with Keyholders when redistributing Keys
    • Test the reveal process periodically

Data Entry Best Practices

  1. Copy-paste from source

    • Don’t manually type long passwords (typo risk)
    • Copy from password manager or source
    • Verify copied text is correct
  2. Include all relevant information

    • Don’t skip optional fields
    • Recovery information is critical
    • Context helps Keyholders later
  3. Write notes for future you

    • Assume you won’t remember details in 5 years
    • Assume Keyholders have zero context
    • Explain special procedures or quirks
  4. Use templates appropriately

    • Choose specific templates when available
    • Use Generic for truly custom credentials
    • Don’t force-fit data into wrong template

Common Workflows

Workflow 1: Initial Setup (New Safe)

1. Create Safe (set threshold, master password)
2. Add credentials (all at once)
   - Use templates
   - Fill in all fields
   - Add comprehensive notes
3. Review credentials (check for typos)
4. Lock Safe
5. Designate Keyholders
6. Seal Safe (distribute Keys)

Workflow 2: Adding a New Account

1. Unlock Safe (if locked)
2. Add credential (new account)
3. Lock Safe
4. (Optional) Re-seal Safe if you want Keyholders to have updated shares

Note: If you don’t re-seal, the new credential is encrypted but Keyholders’ old Keys won’t include it. Re-seal to update their Keys.

Workflow 3: Updating a Password

1. Change password on the actual service
2. Unlock Safe
3. Edit credential (update password field)
4. Update notes ("Password changed on [date]")
5. Lock Safe
6. Re-seal Safe (redistribute Keys with updated data)
7. Notify Keyholders (optional: "I've updated the Safe, you'll receive new Keys")

Workflow 4: Quarterly Audit

1. Unlock Safe
2. Review each credential:
   - Still needed?
   - Information still accurate?
   - Password still current?
   - Recovery info up-to-date?
3. Update/delete as needed
4. Lock Safe
5. Re-seal Safe (if changes made)

Workflow 5: Migrating to a New Safe

If you need to change your master password or threshold:

1. Create new Safe (new master password, new threshold)
2. Unlock old Safe
3. Copy credentials (one by one or export)
4. Add to new Safe
5. Lock new Safe
6. Designate Keyholders (same or different)
7. Seal new Safe
8. Remove old Safe (after verifying new Safe works)

Troubleshooting

Problem: Can’t Edit Credentials

Symptom: Edit button is grayed out or missing.

Cause: Safe is in locked, sealed, or revealed state.

Solution:

  • If locked: Unlock the Safe using your master password
  • If sealed: Cannot edit unless you reveal (requires Keyholder coordination) or remove the Safe and create a new one
  • If revealed: Cannot edit in revealed state

Problem: Credential Not Saving

Symptom: Click “Save” but credential doesn’t appear in list.

Possible Causes:

  • Required fields are empty
  • Password field is too long (>10,000 characters)
  • Network error

Solution:

  • Check for validation errors (red text under fields)
  • Ensure required fields (name, template) are filled
  • Try again with shorter content
  • Check network connection

Problem: Lost Master Password

Symptom: Can’t unlock Safe because you forgot the master password.

Cause: Master password not stored or remembered.

Solution: There is no solution. Credentials are permanently unrecoverable. SafekeeperLife does not have password recovery.

Prevention:

  • Write down master password and store securely
  • Use a memorable passphrase
  • Consider storing master password in a different password manager

Problem: Keyholder Keys Outdated

Symptom: Keyholders try to reveal but their Keys don’t work.

Cause: You edited credentials, re-locked, but didn’t re-seal.

Solution:

  1. Unseal the Safe (if possible) or create reveal scenario
  2. After revealing, remove the Safe
  3. Create new Safe with updated credentials
  4. Seal and distribute new Keys

Or:

  1. Unlock Safe (using master password)
  2. Re-seal Safe (generates new Keys)
  3. Keyholders receive updated Keys

Problem: Deleted Credential by Accident

Symptom: Accidentally deleted a credential and need it back.

Cause: Deletion is permanent, no undo.

Solution: If you remember the credential details, re-add it manually. Otherwise, the credential is lost.

Prevention:

  • Be careful when deleting
  • Export/backup credentials before deleting
  • Use “Archive” or “Obsolete” notes instead of deleting if unsure

Problem: Can’t Add More Credentials

Symptom: “Add Credential” button is disabled.

Possible Causes:

  • Safe is in locked state (must unlock first)
  • Safe is sealed (cannot add credentials after sealing)
  • Reached credential limit (unlikely, but check if limit exists)

Solution:

  • If locked: Unlock the Safe
  • If sealed: Cannot add credentials to sealed Safe (reveal or create new Safe)

Problem: Wrong Template Selected

Symptom: Selected Google Account template but should have used Generic.

Solution:

  1. Edit the credential
  2. Change template field (if allowed) OR
  3. Delete credential and re-add with correct template

Note: Some templates may not allow template changes after creation. If stuck, delete and re-add.

Need help? See the General FAQ or Getting Started Guide.