macOS
brew install gokeylocal Homebrew formula metadata
sudo port install gokeyMacPorts ports tree · security/gokey/Portfile · source: api.github.com
brew
Simple vaultless password manager in Go. Version 0.2.1 via Homebrew; verified from local package data.
install
brew install gokeylocal Homebrew formula metadata
sudo port install gokeyMacPorts ports tree · security/gokey/Portfile · source: api.github.com
sudo apt install gokeyDebian stable package indexes · gokey · source: deb.debian.org
nix profile install nixpkgs#gokeynixpkgs package indexes · pkgs/by-name/go/gokey/package.nix · source: api.github.com
overview
Simple vaultless password manager in Go
history
gokey is Cloudflare's vaultless password manager written in Go. Instead of storing passwords in a vault, it derives passwords and keys from a master password plus a realm string, with optional encrypted seed-file mode for higher-entropy material.
The project sits in the deterministic-password-manager family: the user keeps a master secret and recreates site-specific outputs rather than synchronizing a password database.
The repository begins in October 2016 with an initial release. The README describes simple password derivation, seed-file mode, and support for output types including passwords, raw bytes, ECC keys, RSA keys, x25519, and ed25519.
Early history focused on random-generation internals and command behavior. Later history includes release-binary automation, dependency updates, imported deterministic key-generation logic from Go's crypto packages, and seed unwrap testing.
gokey's adoption is mostly that of a compact security utility: it is useful to users who do not want to store, back up, or synchronize a password vault. The README emphasizes that generated passwords are available wherever the user can provide the same master password and realm.
The input package facts list Homebrew, Debian, MacPorts, Nix, and Ubuntu package names, which indicates distribution through both macOS-focused and Linux distribution channels.
In simple mode, a user runs gokey with a master password and a realm such as a resource URL. Changing the realm derives a different output while keeping the same master password.
For higher-entropy passwords or private keys, the README documents seed-file mode: generate an encrypted seed file, protect it with the master password, and derive passwords or keys from the seed plus realm. Seed paths are command inputs rather than a fixed credentials-file location.
gokey matters to package nerds because it is a small, auditable-feeling security CLI with no vault service, database daemon, or sync dependency. Its packaging footprint is a single Go command, but its security model lives in deterministic derivation choices.
It is also a useful contrast with mainstream password managers: packaging the tool is easy, while the hard part is documenting the operational warning that losing the master password or seed file loses the derived outputs.
security posture
narrow executable package without higher-risk signals.
green risk · low confidence · appliance
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
gokey | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/cloudflare/gokey
install metadata
| Package key | brew:gokey |
|---|---|
| Version | 0.2.1 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/gokey |
| Homepage | https://github.com/cloudflare/gokey |
| Repository | https://github.com/cloudflare/gokey |
| Upstream docs | https://github.com/cloudflare/gokey#readme |
| License | BSD-3-Clause |
| Source archive | https://github.com/cloudflare/gokey/archive/refs/tags/v0.2.1.tar.gz |
| Build dependencies | go, go-md2man |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | gokey |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
gokey 0.1.2-1+b13
simple vaultless password manager in Go
https://github.com/cloudflare/gokey
sudo apt install gokeygolang-github-cloudflare-gokey-dev 0.1.2-1
simple vaultless password manager in Go - dev package
https://github.com/cloudflare/gokey
sudo apt install golang-github-cloudflare-gokey-devgokey
nix profile install nixpkgs#gokeygokey 0.1.2-1build1
simple vaultless password manager in Go
https://github.com/cloudflare/gokey
sudo apt install gokeygolang-github-cloudflare-gokey-dev 0.1.2-1build1
simple vaultless password manager in Go - dev package
https://github.com/cloudflare/gokey
sudo apt install golang-github-cloudflare-gokey-devgokey
sudo port install gokeysource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.