
SharpEconomy/SecureSharp

SecureSharp Vault

SecureSharp is a Tauri-only, offline-first, zero-knowledge desktop vault for Windows, macOS, and Linux. It keeps passwords, private keys, seed phrases, recovery codes, and notes fully local and encrypted with AES-256-GCM and Argon2id-derived keys, bound to the current device's secure keystore. No backend, no sync, no telemetry that can read secrets.

What SecureSharp Delivers

  • Device-bound encryption: master and reset KEKs are wrapped by the OS keystore (Credential Manager/Keychain/Secret Service) and never leave the device.
  • TOTP-gated onboarding and unlock: registration and every unlock require a 6-digit Microsoft Authenticator-compatible code plus the master password.
  • Dual KEKs for recovery and rotation: the immutable reset password wraps the DEK so master password changes do not force data loss.
  • Session safety controls: idle and background auto-lock, privacy mode on focus loss, clipboard auto-clear with countdown, and short-lived re-auth windows for reveal/copy.
  • Tamper and rollback detection: integrity hashes, audit-chain hashing, and an HMAC-protected .auditguard sidecar tied to the device key.
  • Local-only backups, exports, and audit log: encrypted snapshots, integrity-checked exports, and an on-device audit trail for security events.

Security Model

Key Hierarchy

  • DEK encrypts all vault data.
  • Master KEK derives from the master password (shown in the UI as the primary secret).
  • Reset KEK derives from the immutable reset password used to prove ownership during rotation/recovery.
  • Device key from the OS keystore wraps both KEKs, enforcing device binding.

Rotation and Auth

  • Master password rotation requires the reset password plus a fresh TOTP code; the reset password itself cannot be changed anywhere in the app.
  • Unlocks are rate-limited with exponential backoff and lockout after repeated failures.
  • Re-auth windows (default 3 minutes) gate reveal/copy of sensitive fields even after unlock.

Core Flows

Onboarding

  • Calibrates Argon2id to the local CPU before deriving any secrets (defaults target ~350ms).
  • Collects name, email, phone, master password, and generates an immutable reset password.
  • Generates a TOTP secret locally, shows a QR code, and requires a valid 6-digit code to finish.
  • Seeds an initial encrypted backup snapshot and binds KEKs to the device keystore handle.

Unlock and Session Safety

  • Unlock requires master password + TOTP; sessions expire after 15 minutes server-side and respect idle/background auto-lock timers.
  • Session safety defaults: idle lock 3 minutes, background lock 8 seconds, clipboard clear 20 seconds (minimum 5 seconds).
  • Privacy mode masks sensitive panels whenever the window loses focus.

Vault Operations

  • Create, update, delete, categorize, and tag entries; filter and search without exposing decrypted data.
  • Sensitive fields stay masked; reveal/copy paths enforce re-auth windows and clipboard auto-clear with countdown.

Backups and Recovery

  • Encrypted snapshots are created on registration, lock, and manual backup; only the latest 12 are retained.
  • Restores require a fresh TOTP code, record a safety snapshot first, and rewind vault state to the chosen snapshot.

Export and Import

  • App-Reimport: requires an explicit export passphrase and TOTP; produces an integrity-checked, versioned JSON blob intended for SecureSharp. Imports require export passphrase + master password + reset password + TOTP and rebind to the current device.
  • One-Time Passphrase: derives the export key from a user-provided or generated strong passphrase (shown once if generated). Always TOTP-gated.

Audit and Integrity

  • Local-only audit log records registration, unlock, exports, backups, rotations, and other security events.
  • Integrity hash covers metadata, audit chain, and ciphertext; .auditguard uses the device binding key to detect tamper or rollback between runs.
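An added sketch of how a hash-chained audit log and an HMAC-protected sidecar can detect tamper and rollback, written in Python for illustration; it is not SecureSharp's Rust code. The record layout, the `entries` counter and the function names are assumptions, as the README does not document the `.auditguard` format.

```python
import hashlib, hmac, json

GENESIS = "0" * 64

def _canon(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _link(prev: str, event: dict) -> str:
    return hashlib.sha256(prev.encode() + _canon(event)).hexdigest()

def append_event(chain: list, event: dict) -> None:
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": event, "hash": _link(prev, event)})

def chain_intact(chain: list) -> bool:
    prev = GENESIS
    for entry in chain:                      # every entry must commit to its predecessor
        if entry["hash"] != _link(prev, entry["event"]):
            return False
        prev = entry["hash"]
    return True

def integrity_hash(metadata: dict, chain: list, ciphertext: bytes) -> str:
    head = chain[-1]["hash"] if chain else GENESIS
    h = hashlib.sha256()
    for part in (_canon(metadata), head.encode(), ciphertext):
        h.update(len(part).to_bytes(8, "big") + part)   # length prefix avoids ambiguity
    return h.hexdigest()

def _tag(device_key: bytes, body: dict) -> str:
    return hmac.new(device_key, _canon(body), hashlib.sha256).hexdigest()

def make_guard(device_key, metadata, chain, ciphertext) -> dict:
    # Hypothetical sidecar contents: chain length plus integrity hash, MACed with the device key.
    body = {"entries": len(chain), "integrity": integrity_hash(metadata, chain, ciphertext)}
    return {**body, "tag": _tag(device_key, body)}

def verify(device_key, guard, metadata, chain, ciphertext) -> str:
    body = {"entries": guard["entries"], "integrity": guard["integrity"]}
    if not hmac.compare_digest(_tag(device_key, body), guard["tag"]):
        return "guard-invalid"               # sidecar forged, or written on another device
    if not chain_intact(chain):
        return "chain-broken"
    if len(chain) < guard["entries"]:
        return "rollback"                    # vault is older than the sidecar's last record
    if integrity_hash(metadata, chain, ciphertext) != guard["integrity"]:
        return "tampered"
    return "ok"
```

In this sketch, restoring an older vault file together with its matching older sidecar still verifies as `ok`; catching that case requires anchoring the counter somewhere the file set cannot overwrite, such as the OS keystore.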

Project Structure

src/                 # Frontend (vanilla HTML/CSS/JS)
src-tauri/           # Tauri backend (Rust)
src-tauri/src/lib.rs # Crypto and vault engine
src-tauri/src/main.rs # Tauri commands and app state
src-tauri/tests/     # Rust tests

Development

Prerequisites

  • Rust toolchain (stable)
  • Tauri prerequisites for your platform

Local Run

cd src-tauri
# Specify the main Tauri bin explicitly since the preflight helper adds a second binary.
cargo tauri dev -- --bin securesharp

Platform builds

  • Windows (run on Windows): cd src-tauri && cargo tauri bundle --target x86_64-pc-windows-msvc
  • macOS (run on macOS): cd src-tauri && cargo tauri bundle --target aarch64-apple-darwin (or x86_64-apple-darwin for Intel)
  • Linux (run on Linux): cd src-tauri && cargo tauri bundle --target x86_64-unknown-linux-gnu
  • iOS (run on macOS with Xcode): cd src-tauri && cargo tauri ios build
  • Android (Android SDK/NDK installed): cd src-tauri && cargo tauri android build

Testing

cd src-tauri
cargo test

Notes and Gaps

  • Biometric/passkey unlock is planned but not yet implemented (tracked by a failing test stub).
  • Keep reset passwords offline; losing them requires full vault rotation and re-import from exports/backups.
