v1.2b Release

Download

Signed and verified bootable image for the latest version of SafeKeepVault. Follow the instructions below to verify your download and get set up.

Latest Release

SafeKeepVault is a bootable disk image. Flash it to a USB flash drive using Balena Etcher (Mac or Windows) or dd on Linux. Your computer’s existing files are never touched.

Download v1.23b · SHA-256 verified
SHA-256 — safekeep-release-v1.23b.img bbacfbaf2a6dcf5b4d202e4d7b0b982402b1f00faee27552a9ce9831c13e9b61

Verify your download

SHA256SUMS.txt SHA256SUMS.txt.asc

Developer public key

developer-pubkey.asc GitHub repository root
GPG Fingerprint A333 EB82 6F70 A79A 736F 0994 8EA7 DD8C EDBA 86C2

Source code

safekeep-source-v1.23b.zip
View release on GitHub full release notes, all assets

Don’t Trust, Verify

A tampered image could silently steal your seed. Verification takes about two minutes — complete all three steps before writing to your USB drive.

Step 01 Import the Developer Key

Download developer-pubkey.asc from the GitHub repository and import it. You only need to do this once.

Linux / macOS / Windows 
# Import the maintainer's public key
$ gpg --import developer-pubkey.asc

GPG is pre-installed on most Linux distributions. macOS users will need to install it, typically via Homebrew (brew install gnupg). Windows users can install Gpg4win.

Step 02 Verify the Manifest Signature

Confirm that SHA256SUMS.txt was signed by the developer’s key and has not been modified since signing.

Linux / macOS / Windows 
# Verify the signature over SHA256SUMS.txt
$ gpg --verify SHA256SUMS.txt.asc SHA256SUMS.txt

gpg: Signature made ...
gpg: using RSA key XXXXXXXXXXXXXXXX
gpg: Good signature from "SafeKeepVault Maintainer ..."

You must see Good signature. A warning that the key is “not certified with a trusted signature” is normal for newly imported keys and can be ignored. A BAD signature or key mismatch means the file was tampered with — do not proceed.

Step 03 Verify the Image Hash

Confirm that the downloaded file matches the SHA-256 hash recorded in the verified manifest.

Linux 
# Check file hash against SHA256SUMS.txt
$ sha256sum --check SHA256SUMS.txt
# Expected output: safekeep-release-v1.23b.img: OK
macOS 
# Check file hash against SHA256SUMS.txt
$ shasum -a 256 -c SHA256SUMS.txt
# Expected output: safekeep-release-v1.23b.img: OK

OK confirms the file is unmodified. FAILED means the download is corrupt or tampered with — delete it and download again.

Windows (PowerShell) 
# Generate the file hash
PS Get-FileHash safekeep-release-v1.23b.img -Algorithm SHA256

Open SHA256SUMS.txt in Notepad and confirm the hash matches exactly. If it doesn’t, delete the download and start over.

Flash & Boot

Write the image to a dedicated USB flash drive (4 GB or larger). The host machine’s internal drive is completely bypassed and remains untouched throughout the session.

Option 1 Graphical Interface (Recommended)

For the most straightforward experience across Windows, macOS, and Linux, we recommend using BalenaEtcher (or Rufus for Windows):

  1. Open the flashing utility and select the extracted safekeep-release-v1.23b.img file.
  2. Select your target flash drive.
  3. Click Flash and wait for the verification to complete.
Option 2 Command Line (Linux / macOS)

Advanced users can utilize the dd utility to write the image directly.

Linux / macOS 
# Flash with dd — replace /dev/sdX with your USB device
$ sudo dd if=safekeep-release-v1.23b.img of=/dev/sdX bs=4M status=progress oflag=sync
Booting the Vault

Once the drive is flashed, configure your computer’s UEFI/BIOS settings to boot from USB. Insert the drive and power on. SafeKeepVault initializes in under 30 seconds into a hardened, air-gapped environment with all network interfaces locked down.

♡ Donate