No cloud. No account. No trust required.

A terminal password manager that stores everything in an encrypted SQLite file on your machine. Your vault never touches a server.

• Fully local - vault is a single SQLite file, no cloud required
• AES-256-GCM encryption - every sensitive field (username, password, URL, notes, TOTP secret) is encrypted individually before being written to disk
• Argon2id key derivation - master password is never stored; the key is derived at runtime and zeroed from memory on exit
• TOTP support - store TOTP secrets, view live codes with countdown timer, copy to clipboard with one key
• Clipboard integration - copy login, password or TOTP code without revealing it on screen
• Password visibility toggle - show/hide password in the detail view
• Bitwarden CSV import - import your existing vault with optional folder filter
• Fuzzy search - built-in filtering across all entries
• Tab navigation - keyboard-only, no mouse required
• Adaptive colors - UI works correctly on both light and dark terminals

Sync server (kypd) and GUI client are under development.

macOS / Linux — Homebrew

brew tap stickpro/kyp brew install kyp

Arch Linux — AUR

# pre-built binary (faster) yay -S kyp-bin # build from source yay -S kyp

Debian / Ubuntu

# Download the .deb from the latest release, then: sudo dpkg -i kyp_*_linux_amd64.deb

RHEL / Fedora / CentOS

sudo rpm -i kyp_*_linux_amd64.rpm

Alpine

apk add --allow-untrusted kyp_*_linux_amd64.apk

Windows — Scoop

scoop bucket add kyp https://github.com/stickpro/scoop-kyp scoop install kyp

Go

go install github.com/stickpro/kyp/cmd/kyp@latest

Manual — download the archive for your OS/arch from the releases page, extract, and put kyp in your $PATH.

The vault is a single encrypted SQLite file. Default location:

Override with --db, env var KYP_DB_PATH, or config.yaml:

storage: db_path: /path/to/vault.db

The vault is a single SQLite file. All sensitive fields are encrypted with AES-256-GCM before being written to disk. The encryption key is never stored - it is derived from your master password at runtime using Argon2id and discarded when the application exits.

The master password is verified through a small encrypted token stored alongside the vault metadata. If decryption of that token succeeds, the password is correct and the derived key is kept in memory for the session.

# Build the import tool make build-import # Import all entries ./.bin/kyp-import bitwarden_export.csv kyp.db mypassword # Import only entries from a specific folder ./.bin/kyp-import bitwarden_export.csv kyp.db mypassword "Work"

cmd/ kyp/ TUI client kypd/ sync server (in development) import/ Bitwarden CSV import tool internal/ crypto/ key derivation, AES-256-GCM, password generator totp/ RFC 6238 TOTP code generation vault/ vault lifecycle and entry CRUD storage/ SQLite layer with generated queries tui/ Bubbletea UI screens (list, detail, form, unlock, create) sql/ sqlite/ migrations/ goose migration files queries/ sqlc query definitions 

• Master password is never stored anywhere
• Key derivation: Argon2id (time=1, memory=64 MB, threads=4, key=32 bytes)
• Encryption: AES-256-GCM with a random nonce per field per write
• Soft deletes (deleted_at) preserve entry history for future sync conflict resolution
• vault.Close() zeroes the master key in memory before releasing it

make build # TUI client → .bin/kyp make build-server # sync server → .bin/kypd make build-import # import tool → .bin/kyp-import make build-all # all three

make run start

make gen-sql # regenerate repository code from SQL queries make fmt # format code with gofumpt make lint # run golangci-lint

• Go 1.22+
• pgxgen and sqlc for code generation (development only)

• Encrypted SQLite vault
• Argon2id key derivation
• AES-256-GCM per-field encryption
• TOTP code generation (RFC 6238)
• Terminal UI (list / detail / form / unlock / create)
• Clipboard integration
• Bitwarden CSV import
• Sync server (kypd)
• GUI client
• Browser extension