eldrir/Portable-TOTP

Portable TOTP

A single-exe Windows TOTP generator. Keys are stored inside the executable itself, so the entire app — including all your secrets — travels as one file.

Features

  • Portable — keys persist in the PE overlay of the exe; no config files, no installer
  • Multi-key support — store multiple named TOTP entries with a dropdown selector
  • Configurable TOTP — set the time step (1–300 seconds) and hash algorithm (SHA1, SHA256, SHA512) per key
  • Passphrase encryption — AES-256-GCM with a PBKDF2-SHA256 derived key (100,000 iterations)
  • Export / Import — back up secrets to a JSON file, optionally encrypted with a separate passphrase
  • Dark mode — auto-detects Windows theme with a manual toggle
  • Zero dependencies — Go stdlib + Win32 syscalls only; no external Go modules
  • RFC 6238 compliant — 6-digit codes with configurable period and hash algorithm

Encryption

On first launch you are prompted to set a passphrase. This passphrase encrypts all stored TOTP secrets using AES-256-GCM. Each subsequent launch requires the passphrase to unlock your keys.

Your passphrase cannot be recovered. There is no reset mechanism. If you forget your passphrase, your stored keys are permanently inaccessible. You would need to re-enroll your TOTP secrets from the original provider.

How It Works

TOTP secrets are stored as an encrypted blob appended to the executable's PE overlay:

[original exe bytes][encrypted payload][4-byte length][8-byte magic "ENCRKEYS"]

The encrypted payload contains a verification sentinel alongside your keys, so the app can confirm the passphrase is correct before attempting to load secrets.

Since Windows locks running executables, the app uses a clone-runner architecture: on launch, the original exe copies itself to a hidden system file (~$Portable TOTP.exe), then relaunches from the clone. The clone runs the UI while the original exe is unlocked, so all key changes are written directly to the original. The clone deletes itself on exit.
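The overlay layout above is anchored at the end of the file, so a reader or a file-inventory tool can split it by walking back from the magic. The following Go code is an added example, not the project's own code: SplitOverlay, ErrNoOverlay and buildSample are hypothetical names, the byte order of the length field is not stated on this page so the caller passes it in, and the length is assumed to count only the encrypted payload.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const magic = "ENCRKEYS" // 8-byte trailer magic from the layout above

// ErrNoOverlay means the file does not end with the trailer magic.
var ErrNoOverlay = errors.New("no ENCRKEYS trailer")

// SplitOverlay separates [exe bytes][payload][4-byte length][magic].
// Assumptions: the caller supplies the byte order of the length field,
// and the length counts only the encrypted payload.
func SplitOverlay(file []byte, order binary.ByteOrder) (exe, payload []byte, err error) {
	const trailer = 4 + len(magic)
	if len(file) < trailer || !bytes.HasSuffix(file, []byte(magic)) {
		return nil, nil, ErrNoOverlay
	}
	lenOff := len(file) - trailer
	n := uint64(order.Uint32(file[lenOff : lenOff+4]))
	// Reject a length that reaches before the start of the file. The
	// comparison is done in uint64 so 0xFFFFFFFF cannot wrap a 32-bit int.
	if n > uint64(lenOff) {
		return nil, nil, fmt.Errorf("overlay length %d exceeds the %d bytes before the trailer", n, lenOff)
	}
	start := lenOff - int(n)
	return file[:start], file[start:lenOff], nil
}

// buildSample makes a constructed stand-in file (little-endian length).
// The payload is filler text, not real ciphertext.
func buildSample(payload []byte) []byte {
	f := append([]byte("MZ-constructed-exe-bytes"), payload...)
	f = binary.LittleEndian.AppendUint32(f, uint32(len(payload)))
	return append(f, magic...)
}

func main() {
	exe, payload, err := SplitOverlay(buildSample([]byte("opaque-blob")), binary.LittleEndian)
	fmt.Println(len(exe), len(payload), err)
}
```

A file that ends in the magic but fails the length check is either truncated or was read with the wrong byte order, so report it rather than treating it as having no overlay.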

Antivirus / EDR Notice

The clone-runner behavior (copying the exe and launching the copy) may trigger heuristic detections in antivirus or EDR software. This is a false positive — the app is not injecting code, just running a byte-identical copy of itself so it can update its own PE overlay data. You may need to add an exclusion for Portable TOTP.exe and its directory.

Prerequisites

  • Go 1.26+
  • go-winres (for embedding the application icon)

Build

# Generate Windows resource files (icon + manifest)
go-winres make

# Build the executable
go build -ldflags="-H windowsgui -s -w" -o "Portable TOTP.exe"

The -H windowsgui flag hides the console window. -s -w strips debug info for a smaller binary.

Usage

  1. Run Portable TOTP.exe — on first launch, set your encryption passphrase
  2. Click + to add a TOTP secret (name, base32 key, optional period and algorithm)
  3. Select a key from the dropdown to see its current code
  4. Use Export to back up secrets to a JSON file (with optional encryption)
  5. Use Import to load secrets from a JSON file (merge or replace)
  6. Use Passphrase to change your encryption passphrase

Testing

go test -v ./...

Export File Format

Exported JSON files use this structure:

{
  "version": 1,
  "encrypted": false,
  "keys": [
    {
      "name": "GitHub",
      "secret": "JBSWY3DPEHPK3PXP",
      "period": 30,
      "algorithm": "SHA1"
    }
  ]
}

When encrypted, the keys array is replaced by a data field containing a base64-encoded AES-256-GCM blob. The encryption passphrase is independent from your app passphrase. Importing files from older versions without period or algorithm fields will default to 30 seconds and SHA1.
