Quickstart
This guide walks you through installing Tegata, creating your first vault, and running your first credential workflow, using TOTP as an example. By the end, you will have a working vault and a complete picture of the workflow. If you are new to Tegata, see the Introduction first.
Prerequisites
Before you begin, you need the following:
- A USB drive or microSD card formatted as FAT32 or exFAT
- A TOTP-compatible account, such as GitHub or Microsoft, that provides a base32 secret or an
otpauth://URI - Go 1.25 or later (optional – only if you plan to build from source)
- Node.js 20 or later and Wails v2 (optional – only if you plan to build the desktop GUI from source)
- Docker (optional – only if you want to enable audit logging)
Set up Tegata
Tegata offers two interfaces. Set up the one that fits your workflow, or set up both.
If the interface you set up does not launch on first run, check Set up your OS and Troubleshooting for platform-specific fixes.
Run the CLI and TUI
The CLI and TUI run directly from your USB drive and requires no installation on the host machine.
- Windows
- macOS
- Linux
Download tegata-windows-amd64.exe. Rename it to tegata.exe and copy it to your USB drive.
Open PowerShell. Since PowerShell does not search the current directory for executables, run the following command to run the binary by prefixing it with .\:
.\tegata.exe version
To run tegata from any directory, add the USB drive letter to your PATH by running the following command, replacing <USB_DRIVE_LETTER> with the actual letter of your drive:
$env:PATH += ";<USB_DRIVE_LETTER>:\"
Download the binary for your Mac:
- tegata-darwin-arm64 for Apple Silicon (M1 and later)
- tegata-darwin-amd64 for Intel
Make the binary executable and copy it to your USB drive by running the following commands, replacing <USB_DRIVE_NAME> with the actual name of your drive:
chmod +x tegata-darwin-arm64 # Or chmod +x tegata-darwin-amd64 for Macs with Intel processors
cp tegata-darwin-arm64 /Volumes/<USB_DRIVE_NAME>/tegata # Or cp tegata-darwin-amd64 /Volumes/<USB_DRIVE_NAME>/tegata for Macs with Intel processors
macOS might block the binary the first time you run it. For the exact steps to clear the quarantine flag, see the macOS setup guide.
Linux has not been manually tested. These steps are expected to work, but if you run into issues, please open an issue.
Download tegata-linux-amd64. Then, make the file executable and copy it to your USB drive by running the following commands, replacing <USB_DRIVE_NAME> with the actual name of your drive:
chmod +x tegata-linux-amd64
cp tegata-linux-amd64 /media/$USER/<USB_DRIVE_NAME>/tegata
Install the desktop GUI
The desktop GUI is installed on your host machine rather than carried on your USB drive.
- Windows
- macOS
- Linux
Download and run tegata-gui-windows-amd64-setup.exe. The NSIS installer places the binary in Program Files and creates a Start Menu entry.
If SmartScreen blocks first launch, select More info, then choose Run anyway.
Download tegata-gui-darwin-universal.dmg. Open the disk image and drag Tegata to your Applications folder.
If Gatekeeper blocks first launch, use System Settings → Privacy & Security → Open Anyway or follow the quarantine-removal steps in Set up your OS.
Linux has not been manually tested. These steps are expected to work, but if you run into issues, please open an issue.
Download the package format that matches your Linux system from the Releases page.
.debfor Debian, Ubuntu, and derivatives:sudo dpkg -i tegata-gui-linux-amd64.deb.rpmfor Fedora, RHEL, and derivatives:sudo rpm -i tegata-gui-linux-amd64.rpm
If the app fails to start, install the WebKit2GTK runtime package for your distribution and retry. For more information, see Set up your OS.
Build from source
If you prefer to build from source, clone the repository first:
git clone https://github.com/josh-wong/tegata.git
cd tegata
CLI and TUI
Build the CLI and TUI for your platform.
- Windows (PowerShell)
- macOS/Linux
make build on Windows requires cmd.exe and GNU Make. Instead, in PowerShell, build directly by running the following commands from the repository root:
$env:CGO_ENABLED = "0"
go build -ldflags "-s -w" -o bin\tegata.exe .\cmd\tegata\
The binary is placed in bin\tegata.exe. Copy it to your USB drive alongside your vault.
In Terminal, run the following command from the repository root:
make build
The binary is placed in bin/tegata. Copy it to your USB drive alongside your vault.
- Windows
- macOS
- Linux
In PowerShell, run the following command from the repository root:
.\bin\tegata.exe version
To run tegata from any directory, copy bin\tegata.exe to a folder on your PATH (for example, %USERPROFILE%\bin) and add that folder to your user PATH.
Install to a directory on your PATH by running the following command:
sudo make install
This installs tegata to /usr/local/bin/tegata by default. For a user-local path, run make install PREFIX=$HOME/.local and ensure $HOME/.local/bin is in your PATH.
Install to a directory on your PATH by running the following command:
sudo make install
This installs tegata to /usr/local/bin/tegata by default. For a user-local path, run make install PREFIX=$HOME/.local and ensure $HOME/.local/bin is in your PATH.
Desktop GUI
Building the GUI requires the Wails CLI, Go 1.25 or later, and Node.js 20 or later. Install the Wails CLI by running the following command:
go install github.com/wailsapp/wails/v2/cmd/wails@latest
- Windows (PowerShell)
- macOS/Linux
make gui on Windows uses mv, which is not available in PowerShell. Instead, run the following commands from the repository root:
cd cmd\tegata-gui
wails build -clean
The binary is placed in cmd\tegata-gui\build\bin\tegata-gui.exe.
In Terminal, run the following command from the repository root:
make gui
On macOS, the app bundle is placed in cmd/tegata-gui/build/bin/Tegata.app. On Linux, the binary is placed in cmd/tegata-gui/build/bin/tegata-gui.
Create a vault
- CLI
- TUI
- Desktop GUI
Choose your platform and run the corresponding command.
- Windows
- macOS
- Linux
In PowerShell, run the following command, replacing <USB_DRIVE_LETTER> with the actual letter of your drive:
.\tegata.exe init <USB_DRIVE_LETTER>:\
In Terminal, run the following command, replacing <USB_DRIVE_NAME> with the actual name of your drive:
tegata init /Volumes/<USB_DRIVE_NAME>
In Terminal, run the following command, replacing <USB_DRIVE_NAME> with the actual name of your drive:
tegata init /media/$USER/<USB_DRIVE_NAME>
Tegata prompts you to create a passphrase (minimum 8 characters) and then displays your recovery key:
Vault created: /path/to/vault
Recovery key (store this somewhere safe—you will not see it again):
ABCD-EFGH-IJKL-MNOP-QRST-UVWX-YZ23-4567
Write your recovery key down and store it somewhere physically separate from your USB drive—a printed copy in a safe, a trusted password manager, or a locked drawer. If you forget your passphrase, this key is the only way to recover your vault. It cannot be retrieved after moving on from this screen.
Run tegata ui to launch the TUI. If no vault exists at the resolved vault path, the setup wizard starts automatically.
tegata ui
The wizard guides you through:
- Choose vault location. Point to your USB drive or microSD card.
- Create a passphrase. Enter and confirm a passphrase (minimum 8 characters).
- Save your recovery key. The key is displayed once.
After setup completes, the TUI transitions automatically to the main view.
Write your recovery key down and store it somewhere physically separate from your USB drive—a printed copy in a safe, a trusted password manager, or a locked drawer. If you forget your passphrase, this key is the only way to recover your vault. It cannot be retrieved after moving on from this screen.
Open Tegata. On first launch, the setup wizard starts automatically.
The wizard guides you through:
- Choose vault location. Select your USB drive or microSD card directory.
- Create a passphrase. Enter and confirm a passphrase. A strength indicator shows the estimated security level.
- Save your recovery key. The key is displayed once.
The recovery key screen will not appear again. If you lose your passphrase without this key, your vault cannot be recovered.
Add a credential
- CLI
- TUI
- Desktop GUI
Tegata supports two methods for adding credentials: scanning an otpauth:// URI and entering the secret manually.
- Scan URI (recommended)
- Manual entry
When a service shows you a QR code, most services also offer a "copy link" option or display the otpauth:// URI as text. Copy the URI and run the following command, replacing path/to/vault with your vault path:
tegata add GitHub --scan --vault /path/to/vault
Tegata prompts you to paste the URI (input is hidden). The credential type, issuer, algorithm, digits, and period are parsed automatically from the URI.
If you only have the base32 secret, run the following command and replace the secret with your own. Be sure to replace path/to/vault with your vault path:
tegata add GitHub --type totp --issuer GitHub --vault /path/to/vault
Tegata prompts you to enter the secret (input is hidden).
In the main view, press a to open the add credential overlay. Press Tab to cycle through credential types (TOTP, HOTP, Challenge-response, Static password), fill in the label and secret fields, then press Enter to save.
After the credential is saved, it appears in the list and is automatically selected.
Select the + button in the toolbar, or choose Add credential from the File menu. The dialog has tabs for each credential type: TOTP, HOTP, Challenge-response, and Static password. Fill in the required fields and select Add.
To add a credential by using an otpauth:// URI, select Scan URI and paste the URI. The type, label, issuer, algorithm, digits, and period are populated automatically.
Generate your first code
- CLI
- TUI
- Desktop GUI
Run the following command, replacing /path/to/vault with your vault path:
tegata code GitHub --vault /path/to/vault
The output shows the current code, the time until it expires, and a confirmation that it has been copied to your clipboard:
482901
Expires in 18s
Copied to clipboard (auto-clear in 45s)
Set the TEGATA_VAULT environment variable to your USB drive path by running the following command, replacing /path/to/vault with your vault path. All commands will find your vault automatically.
export TEGATA_VAULT=/path/to/vault
In PowerShell on Windows, run the following command, replacing <USB_DRIVE_LETTER> with the actual letter of your drive:
$env:TEGATA_VAULT = "<USB_DRIVE_LETTER>:\"
Navigate to the credential with ↑/↓ and press Enter to copy the current code to your clipboard. The detail panel shows the current code, a countdown timer, and clipboard confirmation.
For TOTP credentials, the code and timer update automatically — you do not need to press Enter again to refresh.
Select the credential in the list. The detail panel on the right shows the current code and countdown timer. Select Copy to copy it to your clipboard.
For TOTP credentials, the code updates automatically before it expires.
Workflow
- CLI
- TUI
- Desktop GUI
The typical workflow is:
- Plug in your USB drive.
- Run
tegata code <label>to generate and copy a code. - Paste the code where needed.
- The clipboard clears automatically in 45 seconds.
To list all credentials in your vault, run the following command:
tegata list
Credentials are grouped by tag. Untagged credentials appear under [untagged].
When you do not specify --vault, Tegata looks for your vault in this order:
--vaultflagTEGATA_VAULTenvironment variable./vault.tegatain the current working directory
The typical workflow is:
- Plug in your USB drive.
- Run
tegata uito launch the TUI, or leave it running between sessions. - Navigate with ↑/↓ and press Enter to copy a code.
- Paste the code where needed.
- The clipboard clears automatically in 45 seconds.
For keyboard shortcuts, credential management, and tips for daily use, see Using the TUI.
The typical workflow is:
- Plug in your USB drive.
- Open Tegata.
- Select a credential and select Copy to copy the code.
- Paste the code where needed.
- The clipboard clears automatically in 45 seconds.
For credential management, settings, and the audit panel, see Using the desktop GUI.
Optional: Enable audit logging
Tegata can record every authentication event in a tamper-evident audit log backed by ScalarDL Ledger. Audit logging is disabled by default and requires Docker.
- CLI
- TUI
- Desktop GUI
Run the following command once after creating your vault, replacing /path/to/vault with your vault path:
tegata ledger start --vault /path/to/vault
After setup, every vault unlock automatically starts the Docker stack in the background.
Audit logging setup uses the CLI command regardless of your primary interface. Run the following command once, replacing /path/to/vault with your vault path:
tegata ledger start --vault /path/to/vault
After setup, every vault unlock automatically starts the Docker stack in the background.
Enable audit logging from the Settings panel, or run the following CLI command once to set it up:
tegata ledger start --vault /path/to/vault
After enabling, the audit panel becomes available in the GUI to view recorded events. For details, see Using the desktop GUI.
For full details, see the Enable audit logging guide.
Next steps
- Set up your OS: USB formatting, Gatekeeper, Linux udev rules
- Using the GUI: A walkthrough of the desktop application
- Using the TUI: Keyboard shortcuts and workflows
- CLI reference: Every command, flag, and environment variable
- Security best practices: Tips for keeping your vault safe