macOS 14+ · 100% local · no accounts

Your secrets.
On your Mac. Keyboard-only.

SokuPass is a local-first password and secret manager for developers — browse everything like a filesystem, copy with a keystroke, and generate TOTP codes inline. No cloud, no sync, no telemetry.

14-day free full trial · One-time purchase · All your Macs
SokuPass — *helm vault* ● local-only · 41 secrets
: Find Secrets ( C-l : Go up · C-x C-f : find-file )
1  d  .            vault:/acme/production/
2  d  ..           vault:/acme/
3  -  aws-root     otp · live code
4  -  rds-primary  secret · ••••••••••
5  -  s3-assets    text · acme-prod-assets
6  -  api.stripe   secret · ••••••••
7  d  staging      8 secrets
*secret: aws-root*
──────────────────────
issuer   AWS
account  root@acme
type     TOTP · SHA1 · 30s
429 318
30s · RET copies code
-UUU:----*helm vault*  3 Matches  L3  RET copy  C-z act  M-x search
Find secret or path: vault:/acme/production/ aws
why sokupass

Three reasons it sticks.

Local, end of story

Your vault is encrypted on this Mac and never leaves it. No servers, no accounts, no sync, no telemetry — the app's only network call is Apple's purchase check.

Every action is a keystroke

An Emacs/Helm-style navigator: C-x C-f to find, RET to copy, C-j to reveal. If you live in the terminal, it's already in your fingers.

TOTP built right in

Generate 2FA codes alongside your passwords — scan a QR straight off the screen, watch the 30-second ring, and RET copies the live code. Replace your authenticator app.

a look inside

Built for people who never touch the trackpad.

how your secrets stay safe

Engineered to be boring — in the best way.

No magic, no proprietary black box. SokuPass uses well-understood, open primitives, and keeps everything on disk under your control.

AEAD vault encryption

The vault is sealed with ChaCha20-Poly1305 (CryptoKit). Authenticated encryption means tampering is detected, not just hidden.

Hardened key derivation

PBKDF2-HMAC-SHA256 at 600,000 iterations, with a fresh salt on every save. Brute-forcing your master password is deliberately expensive.

Strict file permissions

vault.enc is 0600, its directory 0700. A one-generation vault.enc.bak snapshot enables safe rollback on every save.
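A way to check the layout described above from outside the app, as an added example (not SokuPass code). The vault directory is passed in as a parameter, and treating the vault.enc.bak snapshot as needing no group/other access is an assumption, since the page states modes only for vault.enc and its directory.

```python
import os
import stat
import tempfile

DIR_MODE = 0o700    # directory mode stated on the page
VAULT_MODE = 0o600  # vault.enc mode stated on the page


def audit_vault_dir(path):
    """Return a list of findings; an empty list means the layout matches."""
    st = os.lstat(path)  # lstat: do not follow a symlinked vault directory
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a plain directory"]
    findings = []
    if stat.S_IMODE(st.st_mode) != DIR_MODE:
        findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o}, want 0700")
    if st.st_uid != os.getuid():
        findings.append(f"{path}: owned by uid {st.st_uid}, not the current user")
    for name in ("vault.enc", "vault.enc.bak"):
        full = os.path.join(path, name)
        try:
            fst = os.lstat(full)
        except FileNotFoundError:
            if name == "vault.enc":
                findings.append(f"{full}: missing")
            continue  # assumption: the .bak snapshot is absent until the first save
        mode = stat.S_IMODE(fst.st_mode)
        if not stat.S_ISREG(fst.st_mode):
            findings.append(f"{full}: not a regular file")
        elif name == "vault.enc" and mode != VAULT_MODE:
            findings.append(f"{full}: mode {mode:04o}, want 0600")
        elif mode & 0o077:  # assumption: the backup must not be group/world accessible
            findings.append(f"{full}: group/other bits set ({mode:04o})")
    return findings


def demo():
    """Build a constructed layout in a temp dir with an over-permissive backup."""
    with tempfile.TemporaryDirectory() as root:
        vault_dir = os.path.join(root, "vault")
        os.mkdir(vault_dir)
        os.chmod(vault_dir, 0o700)  # chmod explicitly so the umask cannot interfere
        for name, mode in (("vault.enc", 0o600), ("vault.enc.bak", 0o644)):
            full = os.path.join(vault_dir, name)
            open(full, "wb").close()
            os.chmod(full, mode)
        return audit_vault_dir(vault_dir)
```

The constructed layout in `demo()` yields exactly one finding, for the world-readable backup file.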

Touch ID, done right

Biometric unlock via Keychain with a biometryCurrentSet ACL — enrolling a new fingerprint invalidates the stored key. Master password still required after restart.

No servers, no telemetry

There is no analytics, no crash reporting, no phone-home. The only network traffic is Apple's StoreKit for the purchase itself.

vault.swift
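// Excerpt: master, plaintext and vaultURL are defined elsewhere.
// pbkdf2(...) and SecRandom.bytes(...) are not CryptoKit or Security
// framework calls; they are assumed to be app-side helpers.

// Derive key — 600k iterations, per-save salt
let salt = SecRandom.bytes(16)    // needed again at unlock to re-derive the key
let key = pbkdf2(
    password: master,
    salt: salt,
    rounds: 600_000,
    hash: .sha256
)

// Seal vault with AEAD (ChaChaPoly); seal() generates a fresh random nonce
let box = try ChaChaPoly.seal(
    plaintext, using: key
)
try box.combined.write(           // combined = nonce + ciphertext + tag
    to: vaultURL,                 // 0600
    options: .completeFileProtection
)

// Network calls: none. Ever.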
free · trial · pro

Try everything for 14 days.

Download free, get every Pro feature for two weeks, then buy once. After the trial your data is never locked — Pro features simply pause and the vault stays fully readable.

Feature · Free · Trial · Pro
Core vault
Local encrypted vault & unlimited secrets
Keyboard navigator, tabs & global search
Touch ID, auto-lock & password generator
TOTP generation & QR scan
Pro
Create & edit beyond the free limit · read-only
Import — .env · CSV · Bitwarden JSON
Encrypted backup & restore (.vaultbak)
Future Pro feature updates
Use on all Macs with your Apple ID
simple pricing

Pay once. Keep it forever.

No subscription. One purchase unlocks Pro on every Mac signed into your Apple ID.

Free
¥0
Download and use the vault forever, read-only beyond the free limit.
  • Full keyboard navigator
  • TOTP, generator, Touch ID
  • Your data is never locked
Download free
SokuPass Pro
¥1,500 one-time
Everything, unlocked — import, backup, unlimited editing, and future Pro updates.
  • Unlimited create & edit
  • .env / CSV / Bitwarden import
  • Encrypted backup & restore
  • All your Macs · future updates
Buy on the Mac App Store
Trial
14 days free
Every Pro feature, no payment up front. Decide after you've actually used it.
  • All Pro features unlocked
  • No card, no commitment
  • Reverts to read-only, never locked
Start the trial

Final price is set on the Mac App Store · confirm the Pro price before launch

switching over

Coming from Bitwarden, 1Password, or a pile of .env files?

Bring it all in. Imports land in a new top-level folder — nothing you already have is overwritten, and name collisions auto-rename to Name (1).

.env

Dotenv files

Paste or open a .env; each KEY=VALUE becomes a masked secret, with quotes and escapes handled.

.csv

Generic CSV

Map name / value / folder / kind from your headers, adjust in the UI, and import the lot.

{ }

Bitwarden JSON

Unencrypted exports import logins, notes, cards, identities and custom fields — folder structure preserved.

muscle memory

If you know Emacs, you already know SokuPass.

A taste of the F1 reference — the whole app is reachable from the home row.

C-n / C-p    Move down / up
RET          Open folder · copy value
C-l          Up a folder
~            Jump to vault root
C-x C-f      Find-file — create if missing
C-j          Reveal / hide secret
M-x          Global full-text search
C-z          Action menu
C-w / C-y    Cut / paste (move item)
+            New folder
⌥E / ⌥D      Edit / delete
⌘L           Lock instantly

No servers. No accounts.
No telemetry.

Your vault lives at ~/Library/Application Support/ on your Mac and nowhere else. We can't read it, lose it, or leak it — because we never have it.

questions

Good questions, straight answers.

No. SokuPass has no servers and makes no network calls except Apple's StoreKit for the purchase. Your vault is encrypted on your Mac and never transmitted.

Yes — one Pro purchase covers every Mac signed into your Apple ID. There's no automatic sync (by design); move data between Macs with an encrypted .vaultbak backup.

It can't be recovered — there's no reset server, which is exactly what keeps the vault private. Keep an encrypted backup, and consider a backup master-password reminder somewhere safe.

Nothing is locked away. Pro-only features (import, backup, unlimited editing) pause, and your vault stays fully readable. Buy Pro anytime to re-enable them.

SokuPass Pro is a standard one-time in-app purchase; Apple's Family Sharing rules for non-consumable purchases apply. Confirm Family Sharing is enabled for the IAP in App Store Connect.

Yes. SokuPass implements RFC 6238 TOTP (SHA1/256/512), accepts otpauth:// URIs or Base32 secrets, scans QR codes off-screen, and copies the live code with RET.
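What RFC 6238 code generation from an otpauth:// URI or a pasted Base32 secret involves, as an added example (not SokuPass code). The function names are hypothetical, and the sample URI is constructed from the RFC 6238 Appendix B SHA1 test secret.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

ALGOS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def decode_base32(text):
    """Decode a Base32 secret as users paste it: any case, spaces, no padding."""
    s = text.replace(" ", "").replace("-", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def parse_otpauth(uri):
    """Extract TOTP parameters from an otpauth://totp/... URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    algorithm = q.get("algorithm", "SHA1").upper()
    if algorithm not in ALGOS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return {
        "secret": decode_base32(q["secret"]),
        "algorithm": algorithm,
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def totp(secret, unix_time, algorithm="SHA1", digits=6, period=30):
    """RFC 6238: HOTP (RFC 4226) over the number of elapsed time steps."""
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(secret, counter, ALGOS[algorithm]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def code_from_uri(uri, unix_time):
    p = parse_otpauth(uri)
    return totp(p["secret"], unix_time, p["algorithm"], p["digits"], p["period"])


# Constructed sample: the RFC 6238 Appendix B SHA1 test secret, 8 digits.
SAMPLE_URI = ("otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&algorithm=SHA1&digits=8&period=30")
```

The SHA256 and SHA512 variants use the same truncation step; only the HMAC digest changes.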

Keep your keys close.

Local-first, keyboard-driven secrets for your Mac. Try every feature free for 14 days.

Download on the Mac App Store