Warning: This project is still in development.
tufa is a fast, secure, offline TOTP authenticator for the terminal. Secrets live in encrypted vaults on your local machine.
- TOTP code generation
- Multiple password-protected vaults
- AES-256-GCM encryption with Argon2id key derivation
- Interactive TUI and CLI modes
- Import from
otpauth://and Google Authenticator migration format - Export to
otpauth://URIs - Clipboard support (
wl-copy,xclip,xsel,pbcopy)
cargo install tufa-rsgit clone https://github.com/gnoega/tufa
cd tufa-rs
cargo build --release
# binary at: target/release/tufaLaunch without arguments to open the interactive interface:
tufaNavigate vaults with arrow keys or j/k, press Enter to open. Select an account and press Enter to copy the current TOTP code to your clipboard.
tufa show <account> # Display the current TOTP code
tufa list [vault] # List all accounts in a vault
tufa add <name> <secret> # Add a new TOTP account
tufa del <name> # Delete a TOTP account
tufa import <uri> # Import from an otpauth:// URI
tufa export [account] # Export accounts as otpauth:// URIs
Account names use the format <issuer>:<name> or <vault>.<issuer>:<name>.
Vaults are encrypted with AES-256-GCM using a key derived from your password via Argon2id. Each vault file includes a unique random salt and nonce, ensuring identical inputs produce different ciphertext.
All data stays on your machine
Vaults are stored in your system's config directory:
| Platform | Path |
|---|---|
| Linux | ~/.config/tufa/ |
| macOS | ~/Library/Application Support/tufa/ |
| Windows | %APPDATA%\tufa\ |
Each vault is a separate .2fa file.