cloudflare/gokey

A simple vaultless password manager in Go

gokey is a password manager which does not require a password vault. Instead of storing your passwords in a vault, it derives your password on the fly from your master password and a supplied realm string (for example, a resource URL). This way you do not have to manage, back up or sync your password vault (or trust its management to a third party), as your passwords are available immediately anywhere.

example

gokey -p super-secret-master-password -r example.com

options

  • -o <output path> - by default gokey outputs generated data to stdout
  • -P </path/to/password> - path to master password file which will be used to generate other passwords/keys or to encrypt seed file (see Modes of operation below, if no master password or master password file is provided, gokey will ask for it interactively)
  • -p <master password> - master password which will be used to generate other passwords/keys or to encrypt seed file (see Modes of operation below, if no master password or master password file is provided, gokey will ask for it interactively)
  • -r <password/key realm> - any string which identifies requested password/key, most likely key usage or resource URL
  • -s <path to seed file> - needed, if you want to use seed file instead of master password as an entropy source (see Modes of operation below); can be generated with -t seed flag as described below
  • -skip <number of bytes> - number of bytes to skip when reading seed file
  • -u - UNSAFE, allow generating keys without using a seed file (see Modes of operation below)
  • -t <password/key type> - requested password/key output type
  • -l <length> - number of characters in the generated password or number of bytes in the generated raw stream (default 10 for "pass" type and 32 for "raw" type)

Supported password/key types:

  • pass - default, generates a password
  • seed - generates a seed file, which can be used with -s option later
  • raw - generates 32 random bytes (can be used as a symmetric key)
  • ec256 - generates ECC P-256 private key
  • ec384 - generates ECC P-384 private key
  • ec521 - generates ECC P-521 private key
  • rsa2048 - generates 2048-bit RSA private key
  • rsa4096 - generates 4096-bit RSA private key
  • x25519 - generates x25519 (also known as curve25519) ECC private key
  • ed25519 - generates ed25519 ECC private key

Installation

The gokey command-line utility can be downloaded and compiled using the standard go install approach. Assuming you have Go installed, do

go install github.com/cloudflare/gokey/cmd/gokey@latest

The gokey binary should appear in your $GOPATH/bin directory. (Default $HOME/go/bin)

Precompiled binaries are also available in the Releases section

Modes of operation

gokey can generate passwords and cryptographic private keys (ECC and RSA keys are currently supported). However, without any additional options specified it uses your master password as a single source of entropy for generated data. For passwords it is acceptable most of the time, but keys usually have much higher entropy requirements.

For cases where higher entropy is required for generated passwords/keys, gokey can use a seed file (a blob with random data) instead of the master password as a source of entropy.

Simple mode (without a seed file)

In simple mode passwords are derived directly from your master password and the realm string. That is, each unique combination of a master password and a realm string will produce a unique password.

For example, if your master password is super-secret-master-password and you want to generate a password for example.com, you would invoke gokey like

gokey -p super-secret-master-password -r example.com

If you need a password for a different resource (example2.com), you would change the realm string

gokey -p super-secret-master-password -r example2.com

This way you need to remember only your master password and you can always recreate passwords for your services/resources.

NOTE: In this mode generated passwords are only as strong as your master password, so make sure your master password is strong enough. You can also derive private keys from your master password, but keep in mind that these keys will have low entropy. That is why it is considered unsafe, so gokey does not allow it by default. If you really know what you are doing, you can override this default by supplying the -u flag.
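
The idea behind simple mode, as an added Go sketch (not gokey's own code and not its actual derivation, so its output will not match the tool): the master password is stretched with PBKDF2-HMAC-SHA256 salted by the realm, and the resulting stream is mapped onto a character set without modulo bias. The alphabet, the 4096-iteration count and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed alphabet for this sketch; gokey's own character set may differ.
const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*"

// prf returns HMAC-SHA256(key, msg).
func prf(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// stretch is single-block PBKDF2-HMAC-SHA256 with the realm as salt, so each
// master password guess from a leaked site password costs iter HMAC calls.
func stretch(master, realm string, iter int) []byte {
	u := prf([]byte(master), append([]byte(realm), 0, 0, 0, 1))
	key := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		u = prf([]byte(master), u)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

// DerivePassword maps (master, realm) to a password; nothing is stored.
func DerivePassword(master, realm string, length int) string {
	key := stretch(master, realm, 4096) // assumed iteration count
	limit := 256 - 256%len(alphabet)    // reject bytes >= limit: no modulo bias
	out := make([]byte, 0, length)
	for n := 0; len(out) < length; n++ { // HMAC in counter mode as a stream
		for _, b := range prf(key, []byte{byte(n >> 8), byte(n)}) {
			if int(b) < limit && len(out) < length {
				out = append(out, alphabet[int(b)%len(alphabet)])
			}
		}
	}
	return string(out)
}

func main() {
	fmt.Println(DerivePassword("super-secret-master-password", "example.com", 10))
	fmt.Println(DerivePassword("super-secret-master-password", "example2.com", 10))
}
```

Every derived password is a pure function of the master password, so the stretching step only slows an offline guessing attack; it does not add entropy that the master password lacks.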

Using a seed file

If you plan to generate not only passwords but also private keys, or you want your passwords/keys to have higher entropy, you can use a seed file instead of the master password. You still need to supply a master password when invoking gokey, but it will be used only to protect the seed file itself; all generated passwords/keys will be derived from the data in the seed file. gokey uses seed files protected (encrypted) with your master password, so it is reasonably safe to store/backup seed files to a third party location, such as Google Drive or Dropbox.

To generate an encrypted seed file, use

gokey -p super-secret-master-password -t seed -o seedfile

This will create a seed file seedfile with 256 bytes of random data. The data is encrypted using AES-256-GCM mode and super-secret-master-password as a key.

Then, to generate EC-256 private key for example.com, use

gokey -p super-secret-master-password -s seedfile -r example.com -t ec256

NOTE: you still need to remember your master password and keep a backup copy of your seed file. If you forget your master password or lose your seed file, you will lose all derived passwords/keys as well.

