A TUI/CLI application for launching Flatpak applications with data stored in encrypted LUKS2 containers ("bottles"). Keep your app data isolated and encrypted, unlockable with a password or FIDO2/YubiKey.
- Create encrypted containers (bottles) for Flatpak app data
- Password or YubiKey/FIDO2 authentication
- Interactive TUI for easy management
- CLI mode for scripting and automation
- Configurable sandbox permissions per bottle
- Automatic cleanup on exit
- Linux with systemd (for udisks2)
- Go 1.22+ (for building)
- udisks2 - for mounting/unmounting encrypted volumes
- cryptsetup - for LUKS2 encryption
- flatpak - for running sandboxed applications
- libfido2 (optional) - for YubiKey/FIDO2 support
Arch Linux:

```bash
sudo pacman -S udisks2 cryptsetup flatpak libfido2
```

Fedora:

```bash
sudo dnf install udisks2 cryptsetup flatpak libfido2
```

Ubuntu/Debian:

```bash
sudo apt install udisks2 cryptsetup flatpak libfido2-1
```

```bash
# Clone the repository
git clone https://github.com/neoromantique/bottle-launch
cd bottle-launch
# Build
make build
# Install (optional)
sudo cp bottle-launch /usr/local/bin/
```

Simply run `bottle-launch` to start the interactive interface:

```bash
bottle-launch
```

Navigate with arrow keys or vim-style `j`/`k`, select with Enter, and press `q` to quit.
```bash
# Create a new 2GB encrypted bottle
bottle-launch create passwords.bottle 2G
# Run KeePassXC with data in an encrypted bottle
bottle-launch run passwords.bottle org.keepassxc.KeePassXC
# Run Obsidian with notes stored in an encrypted bottle
bottle-launch run notes.bottle md.obsidian.Obsidian
# Pass extra arguments to the app
bottle-launch run browser.bottle org.mozilla.firefox -- --private-window
# List mounted bottles
bottle-launch list
```

- Create a bottle for your password manager:

  ```bash
  bottle-launch create passwords.bottle 500M
  ```

  Enter a strong password when prompted.

- Launch KeePassXC with data in the bottle:

  ```bash
  bottle-launch run passwords.bottle org.keepassxc.KeePassXC
  ```

  Your KeePassXC database lives inside the encrypted container.

- Create a YubiKey-protected bottle for notes:

  Use the TUI (`bottle-launch`) and press `y` to create a YubiKey bottle. Touch your YubiKey when prompted.

- Launch Obsidian with encrypted notes:

  ```bash
  bottle-launch run notes.bottle md.obsidian.Obsidian
  ```

Each bottle has configurable sandbox permissions:
| Permission | Description |
|---|---|
| Network | Allow network access |
| Audio | Allow audio playback/recording |
| GPU | Allow GPU acceleration |
| Wayland | Allow Wayland display |
| X11 | Allow X11 display (fallback) |
| Camera | Allow camera access |
| Portals | Allow portal access (file chooser, notifications) |
Edit permissions in the TUI or modify the config file at ~/.config/bottle-launch/<hash>.conf.
- Bottles: `~/.local/share/bottles/` (or `$BOTTLE_DIR`)
- Configs: `~/.config/bottle-launch/`

- Camera device is currently hardcoded to `/dev/video0`
- No concurrent multi-bottle support (one app per bottle at a time)
- Requires polkit/sudo for LUKS operations
- Bottles use LUKS2 encryption with strong defaults
- YubiKey bottles use FIDO2 hmac-secret extension
- WARNING: Losing a YubiKey means permanent data loss for YubiKey-protected bottles
- Config files contain FIDO2 credential IDs (not secrets) - back them up!
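
To check the LUKS2 claim on an existing bottle file without root and without unlocking it, the header can be read directly. This is an added example, not code from bottle-launch: the name `InspectLUKS2` is hypothetical, the field offsets follow the LUKS2 on-disk header format, and it assumes the bottle file is a plain LUKS2 image with its primary header at offset 0.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"io"
	"os"
)

// InspectLUKS2 (hypothetical name) reads the primary header with one bounded read (LUKS2 headers
// are at most 4 MiB) and returns the UUID, segment "0" cipher and per-keyslot KDF type.
func InspectLUKS2(r io.ReaderAt) (uuid, cipher string, kdfs map[string]string, err error) {
	buf, err := io.ReadAll(io.NewSectionReader(r, 0, 4<<20))
	if err != nil {
		return "", "", nil, err
	}
	if len(buf) < 4096 || string(buf[:6]) != "LUKS\xba\xbe" || binary.BigEndian.Uint16(buf[6:8]) != 2 {
		return "", "", nil, fmt.Errorf("not a LUKS2 primary header")
	}
	size := binary.BigEndian.Uint64(buf[8:16]) // binary header + JSON area, in bytes
	if size <= 4096 || size > uint64(len(buf)) {
		return "", "", nil, fmt.Errorf("implausible header size %d", size)
	}
	var meta struct { // only the metadata fields this check reads
		Keyslots map[string]struct{ KDF struct{ Type string } }
		Segments map[string]struct{ Encryption string }
	}
	if err = json.Unmarshal(bytes.TrimRight(buf[4096:size], "\x00"), &meta); err != nil {
		return "", "", nil, fmt.Errorf("bad metadata: %w", err)
	}
	kdfs = map[string]string{}
	for id, ks := range meta.Keyslots {
		kdfs[id] = ks.KDF.Type
	}
	return string(bytes.TrimRight(buf[168:208], "\x00")), meta.Segments["0"].Encryption, kdfs, nil
}

func main() { // usage: go run inspect.go FILE.bottle ...
	for _, p := range os.Args[1:] {
		if f, err := os.Open(p); err != nil {
			fmt.Fprintln(os.Stderr, err)
		} else {
			fmt.Println(InspectLUKS2(f))
			f.Close()
		}
	}
}
```

A current cryptsetup default would typically show `aes-xts-plain64` and `argon2id`; a `pbkdf2` keyslot or a version other than 2 is worth investigating before trusting the container.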

```
bottle-launch/
├── src/       # Go source code
├── Makefile   # Build commands
├── logo.png
└── README.md
```

See CONTRIBUTING.md for guidelines.
MIT License with "do no evil" clause - see LICENSE for details.
