SecureSharp is a Tauri-only, offline-first, zero-knowledge desktop vault for Windows, macOS, and Linux. It keeps passwords, private keys, seed phrases, recovery codes, and notes fully local and encrypted with AES-256-GCM and Argon2id-derived keys, bound to the current device's secure keystore. No backend, no sync, no telemetry that can read secrets.
- Device-bound encryption: master and reset KEKs are wrapped by the OS keystore (Credential Manager/Keychain/Secret Service) and never leave the device.
- TOTP-gated onboarding and unlock: registration and every unlock require a 6-digit Microsoft Authenticator-compatible code plus the master password.
- Dual KEKs for recovery and rotation: the immutable reset password wraps the DEK so master password changes do not force data loss.
- Session safety controls: idle and background auto-lock, privacy mode on focus loss, clipboard auto-clear with countdown, and short-lived re-auth windows for reveal/copy.
- Tamper and rollback detection: integrity hashes, audit-chain hashing, and an HMAC-protected
.auditguardsidecar tied to the device key. - Local-only backups, exports, and audit log: encrypted snapshots, integrity-checked exports, and an on-device audit trail for security events.
- DEK encrypts all vault data.
- Master KEK derives from the master password (shown in the UI as the primary secret).
- Reset KEK derives from the immutable reset password used to prove ownership during rotation/recovery.
- Device key from the OS keystore wraps both KEKs, enforcing device binding.
- Master password rotation requires the reset password plus a fresh TOTP code; the reset password itself cannot be changed anywhere in the app.
- Unlocks are rate-limited with exponential backoff and lockout after repeated failures.
- Re-auth windows (default 3 minutes) gate reveal/copy of sensitive fields even after unlock.
- Calibrates Argon2id to the local CPU before deriving any secrets (defaults target ~350ms).
- Collects name, email, phone, master password, and generates an immutable reset password.
- Generates a TOTP secret locally, shows a QR code, and requires a valid 6-digit code to finish.
- Seeds an initial encrypted backup snapshot and binds KEKs to the device keystore handle.
- Unlock requires master password + TOTP; sessions expire after 15 minutes server-side and respect idle/background auto-lock timers.
- Session safety defaults: idle lock 3 minutes, background lock 8 seconds, clipboard clear 20 seconds (minimum 5 seconds).
- Privacy mode masks sensitive panels whenever the window loses focus.
- Create, update, delete, categorize, and tag entries; filter and search without exposing decrypted data.
- Sensitive fields stay masked; reveal/copy paths enforce re-auth windows and clipboard auto-clear with countdown.
- Encrypted snapshots are created on registration, lock, and manual backup; only the latest 12 are retained.
- Restores require a fresh TOTP code, record a safety snapshot first, and rewind vault state to the chosen snapshot.
- App-Reimport: requires an explicit export passphrase and TOTP; produces an integrity-checked, versioned JSON blob intended for SecureSharp. Imports require export passphrase + master password + reset password + TOTP and rebind to the current device.
- One-Time Passphrase: derives the export key from a user-provided or generated strong passphrase (shown once if generated). Always TOTP-gated.
- Local-only audit log records registration, unlock, exports, backups, rotations, and other security events.
- Integrity hash covers metadata, audit chain, and ciphertext;
.auditguarduses the device binding key to detect tamper or rollback between runs.
src/ # Frontend (vanilla HTML/CSS/JS)
src-tauri/ # Tauri backend (Rust)
src-tauri/src/lib.rs # Crypto and vault engine
src-tauri/src/main.rs# Tauri commands and app state
src-tauri/tests/ # Rust tests
- Rust toolchain (stable)
- Tauri prerequisites for your platform
cd src-tauri
# Specify the main Tauri bin explicitly since the preflight helper adds a second binary.
cargo tauri dev -- --bin securesharp- Windows (run on Windows):
cd src-tauri && cargo tauri bundle --target x86_64-pc-windows-msvc - macOS (run on macOS):
cd src-tauri && cargo tauri bundle --target aarch64-apple-darwin(orx86_64-apple-darwinfor Intel) - Linux (run on Linux):
cd src-tauri && cargo tauri bundle --target x86_64-unknown-linux-gnu - iOS (run on macOS with Xcode):
cd src-tauri && cargo tauri ios build - Android (Android SDK/NDK installed):
cd src-tauri && cargo tauri android build
cd src-tauri
cargo test- Biometric/passkey unlock is planned but not yet implemented (tracked by a failing test stub).
- Keep reset passwords offline; losing them requires full vault rotation and re-import from exports/backups.