English | 简体中文
oak-keyring is a privacy-first, local-first password manager with a keyboard-driven terminal UI.
Many password tools provide scriptable CLIs, but daily vault management also needs browsing, selection, confirmation, recovery, and status feedback. oak-keyring uses a full-screen TUI so those workflows stay interactive, keyboard-driven, and local.
The command-line binary is ok.
- Vault management — browse, create, edit, and delete credentials and secure notes
- Password generator — standalone or embedded in forms, configurable length and character sets
- Keyboard-driven TUI — full-screen interface with sidebar navigation, search, and batch operations
- Tags and trash — organize records with tags; soft-delete with trash and restore
- Import and export — transfer data in and out of the vault
- Vault recovery — recover access with BIP-39 recovery words
- Sync — optional cloud sync via Google Drive (preview)
- Auto-lock — lock the vault after inactivity
- Password health — leaked password indicators and health checks
- macOS — Apple Silicon and Intel builds (preview)
- Download the tarball matching your Mac architecture.
- Verify
checksums.txt. - Unpack and run
ok --version.
Preview builds are unsigned and not notarized. macOS may require manual approval.
brew tap openkeyring/oak-keyring
brew install oknpm install -g @openkeyring/ok
ok --versiongit clone https://github.com/OpenKeyring/oak-keyring.git
cd oak-keyring
cp .env.example .env
# Edit .env and set OAK_GOOGLE_CLIENT_ID and OAK_GOOGLE_CLIENT_SECRET.
cargo build --release
./target/release/ok --versionSource builds embed Google OAuth2 configuration for sync. Use source builds for development or local inspection, and configure OAuth2 values explicitly.
Tip
Recommended: use a Nerd Font in your terminal so icons display correctly.
Start the app:
okOn first run, create a vault, choose a strong master password, and save the recovery words somewhere safe. If both the master password and recovery words are lost, maintainers cannot recover your vault.
oak-keyring is pre-1.0 preview software (v0.8.0-preview.1).
- Current builds target macOS (Apple Silicon and Intel); Linux and Windows are not yet available.
- macOS binaries are unsigned and not notarized.
- Vault data, configuration, and packaging may change before a stable release.
- There is no formal support SLA.
- You are responsible for your master password, recovery words, and backups.
oak-keyring is local-first: the vault belongs to the user and is stored locally by default. Normal release builds use a SQLCipher-backed local database. The app uses a master password and recovery words for vault access and recovery.
The preview does not provide a hosted account recovery service. Keep recovery words and backups separate from the device running oak-keyring. Any sync features should be treated within the currently implemented product scope, not as a hosted custody model.
If you download release assets directly, verify checksums before running the binary. Report security issues through SECURITY.md.
- SECURITY.md — vulnerability reporting and security boundaries
- CONTRIBUTING.md — how to contribute
- CHANGELOG.md — release history
- LICENSE — MIT license