Tools: Rapg: TUI-based Secret Manager
2026-01-20
admin
## Introduction

We've all been there. You join a new project, and the first thing you hear is:

"Check the pinned message in Slack for the .env file."

Or maybe you have five different versions of .env.local scattered across your drive, and you're terrified of accidentally committing one to GitHub. As developers, we know we shouldn't keep cleartext secrets on our disks, yet we do it every day because the "proper" enterprise solutions are often too heavy for local development.

That's why I built Rapg.

## What is Rapg?

Rapg is a developer-first secret manager that lives in your terminal. It bridges the gap between a personal password manager and a DevOps secret store.

Instead of managing text files, you store your secrets in a secure, local vault. When you need to run your app, Rapg injects those secrets directly into the process environment. No text files. No accidental commits. Just code.

## The Killer Feature: Process Injection

The core philosophy of Rapg is that secrets should only exist in memory. Instead of sourcing a .env file, you simply wrap your command with `rapg run`:

```bash
# Before: Relying on a file meant to be ignored
$ npm start

# After: Secrets injected on-the-fly
$ rapg run -- npm start
```

When you run this, Rapg:

- Unlocks your vault (asking for your master password if not cached).
- Decrypts only the secrets meant for the environment (e.g., DB_PASSWORD, STRIPE_KEY).
- Spawns your process (npm start) with these variables added to its environment.

The decrypted secrets never touch your disk. Once the process dies, the secrets are gone.

## A TUI for the Modern Era

CLI tools shouldn't be painful to use. Rapg is built with Bubble Tea, giving it a beautiful, keyboard-centric interface.

- Search your secrets instantly.
- Generate strong, random passwords.
- Copy 2FA/TOTP codes without reaching for your phone.
- Audit your vault for password reuse.

## Under the Hood: Bank-Grade Security

For the security-minded, here is how Rapg keeps your data safe. It adheres to a Zero-Knowledge Architecture:

- Argon2id: Your master password is never stored. We use Argon2id (RFC 9106) to derive an encryption key. This makes brute-force attacks computationally expensive.
- AES-256-GCM: All data is encrypted with Authenticated Encryption. This ensures that your data is not only secret but also hasn't been tampered with.
- Memory Protection: We use memguard to prevent sensitive keys from being swapped to disk or read by other processes.

## Advanced Tools

Rapg isn't just a vault; it's a toolkit.

## Security Audit

Ever wonder how many services are using that same old password from 2018?

```bash
$ rapg audit
⚠️ Reuse Detected! The following passwords are used in multiple places:
...
```

## Migration

Moving from another tool? You can import from CSV or export to .env (if you really must).

```bash
$ rapg import lastpass_export.csv
```

## Try It Out

Rapg is open source and written in Go. You can install it right now:

```bash
go install github.com/kanywst/rapg/cmd/rapg@latest
```

Initialize your vault, add your first secret, and stop worrying about where your .env file is.

I'd love to hear your feedback! Check out the repository, star it if you find it useful, or open an issue if you find a bug.
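
The spawn step that `rapg run` is described as performing above, sketched as an added example (this is not Rapg's own code): the secrets are placed in the child's environment only, and the parent's environment is left untouched. `childEnv` and `runInjected` are hypothetical names, dropping an inherited variable that shares a secret's name is an assumption of this sketch, and the secret value is a constructed sample standing in for a decrypted vault entry.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// childEnv layers the secrets over the parent's environment. Inherited entries
// that share a name with a secret are dropped, so only the vault value remains.
func childEnv(parent []string, secrets map[string]string) []string {
	env := make([]string, 0, len(parent)+len(secrets))
	for _, kv := range parent {
		name, _, _ := strings.Cut(kv, "=")
		if _, shadowed := secrets[name]; !shadowed {
			env = append(env, kv)
		}
	}
	for name, value := range secrets {
		env = append(env, name+"="+value)
	}
	return env
}

// runInjected starts argv with the secrets in its environment only and returns
// the child's stdout and exit code; the calling process's environment is not modified.
func runInjected(secrets map[string]string, argv ...string) (string, int, error) {
	if len(argv) == 0 {
		return "", -1, errors.New("no command given")
	}
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Env = childEnv(os.Environ(), secrets)
	out, err := cmd.Output()
	var exit *exec.ExitError
	if errors.As(err, &exit) {
		err = nil // the child ran and failed: report its exit code, not a Go error
	}
	return string(out), cmd.ProcessState.ExitCode(), err
}

func main() {
	// Constructed sample secret; a real vault would supply the decrypted value.
	secrets := map[string]string{"DB_PASSWORD": "constructed-sample-value"}
	out, code, err := runInjected(secrets, "sh", "-c", `echo "child sees ${#DB_PASSWORD} chars"`)
	fmt.Printf("%s(exit %d, err %v) parent has DB_PASSWORD: %t\n", out, code, err, os.Getenv("DB_PASSWORD") != "")
}
```

Values injected this way are readable by the child and by every process the child starts, because environments are inherited by default.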