Local-first · No cloud · Built in Go

Lock your secrets. Keep them on your machine.

A fast CLI for storing API keys and credentials with AES-256-GCM encryption, Argon2id key derivation, and OS-keychain caching. No accounts, no sync, no servers.

~/.lockr/vault.enc · macOS · Linux · Windows · MIT License

Built with proven primitives

Go · Cobra · AES-256-GCM · Argon2id · macOS Keychain · Secret Service (Linux) · Windows Credential Manager · Local-first · Zero Network I/O
// features

Built like a paranoid sysadmin would build it.

Lockr stays out of your way: a single binary, an encrypted file under your home directory, and shell-friendly output.

AES-256-GCM at rest

Authenticated encryption with a fresh nonce on every save. Tampering is detected, plaintext never touches disk.

Argon2id KDF

Memory-hard key derivation tuned to make brute-force attacks against your master password impractical.

OS keychain caching

Master password is held in macOS Keychain, Secret Service, or Windows Credential Manager. Flush anytime with lockr lock.

Group namespaces

Organize with work/stripe_key, personal/github. Export an entire group at once.

Clipboard mode

Use --copy to put a secret straight on your clipboard — never prints, never shoulder-surfed.

Rotation reminders

Secrets older than 90 days are flagged in lockr list so stale credentials don't quietly outlive their welcome.

// commands

A handful of commands. That's it.

Designed to feel like git: predictable, scriptable, fast.

Initialize the vault

Creates an encrypted vault at ~/.lockr/vault.enc, derives your encryption key with Argon2id, and caches the master password in your OS keychain.

~ lockr init
Enter master password: ••••••••••••
Confirm master password: ••••••••••••
Vault created at ~/.lockr/vault.enc
Derived key with Argon2id (m=64MB, t=3, p=4)
Cached session in OS keychain
# Run `lockr lock` any time to evict the cached password.

// security model

Your master password never leaves memory.

Lockr derives an encryption key from your password with Argon2id, encrypts your vault with AES-256-GCM, and writes a fresh nonce on every save. Vault metadata is authenticated — silent tampering is impossible.

  • Zero network I/O. Lockr makes no outbound requests. Your secrets stay on disk.
  • Argon2id (memory-hard). Resists GPU/ASIC brute-force attacks against your master password.
  • Authenticated encryption. AES-256-GCM detects any modification to the vault file.
  • OS-native keychain. Session caching uses Keychain / Secret Service / Credential Manager.
internal/crypto/encrypt.go
package crypto

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"

	"golang.org/x/crypto/argon2"
)

// DeriveKey turns a master password into a 32-byte AES key
// using Argon2id with memory-hard parameters.
func DeriveKey(pw, salt []byte) []byte {
	// time=3 passes, memory=64*1024 KiB, threads=4, 32-byte output
	return argon2.IDKey(pw, salt, 3, 64*1024, 4, 32)
}

// Encrypt seals plaintext with AES-256-GCM and a fresh nonce.
// The nonce is prepended to the returned ciphertext.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// simplified — see internal/crypto for the real thing.
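
The decrypt side of the Encrypt function above, as an added example that is not lockr's own code: it splits the prepended nonce off the sealed bytes and shows that a single flipped bit makes GCM authentication fail. Passing a header as additional authenticated data, the header string and the all-zero key are assumptions constructed for illustration; the real vault format lives in internal/crypto.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) { // AES-256-GCM; key must be 32 bytes
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce || ciphertext || tag; header is authenticated (AAD), not encrypted.
func Seal(key, header, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, header), nil
}

// Open reverses Seal; any change to header, nonce, ciphertext or tag returns an error.
func Open(key, header, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("sealed data too short: %d bytes", len(sealed))
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, header)
}

func main() {
	key, hdr := make([]byte, 32), []byte("v1|argon2id|m=65536,t=3,p=4") // constructed key and hypothetical header
	sealed, _ := Seal(key, hdr, []byte("sk_test_example"))              // constructed secret
	sealed[len(sealed)-1] ^= 0x01                                       // flip one bit of the tag
	_, err := Open(key, hdr, sealed)
	fmt.Println("tampered vault rejected:", err != nil)
}
```
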

// real workflow

Drop into any project.

A typical morning, scripted.

// .envrc — direnv loads work secrets when you cd into the repo

# load every secret in the `work` group as env vars
eval "$(lockr export work)"

# or pull a single one
export DATABASE_URL="$(lockr get work/db_url)"

// Makefile — never commit a token, never paste one

deploy:
	@STRIPE_KEY=$$(lockr get prod/stripe_key) \
	SENTRY_DSN=$$(lockr get prod/sentry_dsn) \
	./scripts/deploy.sh

rotate:
	lockr list prod | grep "days old"

// GitHub Actions runner setup (self-hosted)

- name: Inject secrets from local lockr vault
  run: |
    eval "$(lockr export ci)"
    echo "NPM_TOKEN=$NPM_TOKEN" >> $GITHUB_ENV

// shell function: copy a secret with a hotkey

# in your ~/.zshrc
cpkey() {
  lockr get "$1" --copy && \
    echo "📋 $1 on clipboard (60s)"
}

# usage: cpkey work/stripe_key

// install

One command. No accounts.

Pick your platform.

macOS · Homebrew
$ brew install gtchakama/tap/lockr
Linux · curl + tar
$ curl -L https://github.com/gtchakama/lockr/releases/latest/download/lockr_Linux_x86_64.tar.gz \
    | tar xz && sudo mv lockr /usr/local/bin/

// arm64? swap x86_64 for arm64

Go install
$ go install github.com/gtchakama/lockr@latest
Windows / pre-built binaries
releases →
# Latest release — v1.0.0
lockr_Darwin_arm64.tar.gz
lockr_Darwin_x86_64.tar.gz
lockr_Linux_arm64.tar.gz
lockr_Linux_x86_64.tar.gz
lockr_Windows_x86_64.zip

After install, run lockr init once and you're done.

Stop pasting tokens into .env files and Slack threads.

Lockr is a single 6 MB binary. It runs locally. It does one thing well.