Fosskey: a trustless password manager
Fosskey is a free, open-source CLI password manager built in Go. The project focused on a simple model: keep secrets local, keep the implementation auditable, and avoid hosted custody. It shipped as a CLI app plus a reusable vault package.
Story
I spent about four hours learning Go one morning with no plan to build anything. After finishing, I wanted to apply it to a real problem, and Fosskey became that project. It was both a personal skills test and an itch to build a tool I could use myself without trusting someone else's code. The core belief was simple: users should control their own secrets without hosted custody or opaque software.
The project is split into two repositories. The vault package handles encryption and file operations, while the cli package provides commands such as insert, fetch, update, delete, ls, and rekey.
The security model is local-first: derive keys with Argon2id, encrypt secrets with XChaCha20-Poly1305, and document assumptions behind performance and resistance estimates so the claims stay auditable.
Source code: fosskey/cli and fosskey/vault.
Impacts
- Shipped a two-package Go implementation (`cli` + `vault`) in about two weeks while learning the language from scratch.
- Implemented local encrypted secret storage using XChaCha20-Poly1305 and Argon2id.
- Built a reusable vault core with automated tests for cipher, read/write, and CRUD/rekey flows.
- Published clear security assumptions and performance estimates in project docs.
Challenges & Solutions
Challenges
- I needed to learn Go quickly while still shipping a secure tool.
- Security claims are easy to overstate in this category.
Solutions
- Built the vault layer first, then added the CLI once crypto and storage behavior were stable.
- Kept claims tied to known primitives, RFC guidance, and explicit assumptions.
