Rapg: TUI-based Secret Manager
Source: Dev.to
We’ve all been there. You join a new project, and the first thing you hear is:
“Check the pinned message in Slack for the .env file.”
Or you have several .env.local files scattered across your drive, terrified of accidentally committing one to GitHub.
As developers we know we shouldn’t keep clear‑text secrets on our disks, yet we do it every day because the “proper” enterprise solutions are often too heavy for local development.
That’s why I built Rapg.
What is Rapg?
Rapg is a developer‑first secret manager that lives in your terminal. It bridges the gap between a personal password manager and a DevOps secret store.
Instead of managing text files, you store your secrets in a secure, local vault. When you need to run your app, Rapg injects those secrets directly into the process environment.
No text files. No accidental commits. Just code.
The Killer Feature: Process Injection
The core philosophy of Rapg is that secrets should only exist in memory.
Instead of sourcing a .env file, simply wrap your command with rapg run:
# Before: Relying on a file meant to be ignored
$ npm start
# After: Secrets injected on‑the‑fly
$ rapg run -- npm start
When you run this, Rapg:
- Unlocks your vault (asking for your master password if not cached).
- Decrypts only the secrets needed for the current environment (e.g., DB_PASSWORD, STRIPE_KEY).
- Spawns your process (npm start) with those variables added to its environment.
The secrets never touch your disk. Once the process exits, the secrets are gone.
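The spawn step described above, as an added Go sketch using only the standard library; it is not Rapg's own code. The names mergeEnv and childCommand and the sample values are assumptions made for illustration, and the map stands in for entries already decrypted from the vault.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"sort"
	"strings"
)

// mergeEnv returns base with every secret added; a secret replaces any
// inherited variable of the same name so the child sees exactly one value.
func mergeEnv(base []string, secrets map[string]string) []string {
	out := make([]string, 0, len(base)+len(secrets))
	for _, kv := range base {
		key, _, _ := strings.Cut(kv, "=")
		if _, overridden := secrets[key]; !overridden {
			out = append(out, kv)
		}
	}
	keys := make([]string, 0, len(secrets))
	for k := range secrets {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic order for the appended secrets
	for _, k := range keys {
		out = append(out, k+"="+secrets[k])
	}
	return out
}

// childCommand prepares name/args with the secrets set only on the child.
// The parent's own environment is never modified (no os.Setenv).
func childCommand(secrets map[string]string, name string, args ...string) *exec.Cmd {
	cmd := exec.Command(name, args...)
	cmd.Env = mergeEnv(os.Environ(), secrets)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	return cmd
}

func main() {
	// Constructed sample values standing in for decrypted vault entries.
	secrets := map[string]string{"DB_PASSWORD": "example-only", "STRIPE_KEY": "example-only-2"}
	cmd := childCommand(secrets, "sh", "-c", `echo "child sees DB_PASSWORD=$DB_PASSWORD"`)
	if err := cmd.Run(); err != nil {
		fmt.Fprintln(os.Stderr, "run failed:", err)
		os.Exit(1)
	}
	_, inParent := os.LookupEnv("STRIPE_KEY")
	fmt.Println("STRIPE_KEY set in parent:", inParent)
}
```

Values placed in a child's environment are inherited by anything that child spawns and, on Linux, can be read from /proc/<pid>/environ by processes running as the same user (or root) for as long as the child runs.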
A TUI for the Modern Era
CLI tools shouldn’t be painful to use. Rapg is built with Bubble Tea, giving it a beautiful, keyboard‑centric interface.
You can:
- Search your secrets instantly.
- Generate strong, random passwords.
- Copy 2FA/TOTP codes without reaching for your phone.
- Audit your vault for password reuse.
Under the Hood: Bank‑Grade Security
For the security‑minded, Rapg follows a Zero‑Knowledge Architecture:
- Argon2id – Your master password is never stored. Argon2id (RFC 9106) derives the encryption key, making brute‑force attacks computationally expensive.
- AES‑256‑GCM – All data is encrypted with authenticated encryption, guaranteeing confidentiality and integrity.
- Memory Protection – Uses memguard to prevent sensitive keys from being swapped to disk or read by other processes.
Advanced Tools
Security Audit
Ever wonder how many services are using that same old password from 2018?
$ rapg audit
⚠️ Reuse Detected! The following passwords are used in multiple places:
...
Migration
Moving from another tool? You can import from CSV or export to .env (if you really must).
$ rapg import lastpass_export.csv
Try It Out
Rapg is open source and written in Go. Install it right now:
go install github.com/kanywst/rapg/cmd/rapg@latest
Initialize your vault, add your first secret, and stop worrying about where your .env file is.
I’d love to hear your feedback! Check out the repository, star it if you find it useful, or open an issue if you encounter a bug.
