The latest articles on DEV Community by Shivsai Anantwar (@ishivsai). https://dev.to/ishivsai https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3999904%2Fb05ad861-cffd-4f51-a7c4-dc7c81b589f2.jpg https://dev.to/ishivsai en Shivsai Anantwar Wed, 24 Jun 2026 06:48:56 +0000 https://dev.to/ishivsai/hello-devto-devops-engineer-building-in-public-ehl https://dev.to/ishivsai/hello-devto-devops-engineer-building-in-public-ehl <p>Hey everyone,</p> <p>I'm Shivsai — a DevOps engineer working across cloud <br> infrastructure, pipelines, and SDLC tooling.</p> <p>I've been working with client teams for a while now and <br> recently started building in public. My first project is <br> Tokenly — a local-only encrypted credential vault for <br> developers and DevOps teams. Built it after watching every <br> dev team I worked with store PATs and API keys in Notepad.</p> <p>Stack I work with: Tauri, Rust, React, TypeScript, <br> and pretty much anything in the DevOps/cloud space.</p> <p>Planning to write about:</p> <ul> <li>Things I learn building Tokenly in public</li> <li>DevOps patterns and anti-patterns from real client work</li> <li>Security decisions and trade-offs in developer tooling</li> </ul> <p>Glad to be here. Looking forward to reading and contributing.</p> <p>github.com/MeShivsai/Tokenly<br> bitsandbooks.in</p> buildinpublic devops security showdev Shivsai Anantwar Wed, 24 Jun 2026 06:39:18 +0000 https://dev.to/ishivsai/i-built-a-local-only-credential-vault-because-every-dev-team-i-worked-with-stored-pats-in-notepad-4dof https://dev.to/ishivsai/i-built-a-local-only-credential-vault-because-every-dev-team-i-worked-with-stored-pats-in-notepad-4dof <h2> The Problem I Kept Seeing </h2> <p>Over the past year working across multiple client teams on <br> DevOps and pipeline work, I kept noticing the same thing.</p> <p>Developers storing GitHub PATs in Notepad.<br> QA engineers keeping API keys in a text file on the desktop.<br> DevOps folks with database passwords in a sticky note app.</p> <p>During screen shares — sprint reviews, debugging sessions, <br> pair programming, recorded demos — those credentials were <br> just sitting there. Visible to everyone in the call.</p> <p>Nobody said anything. It just kept happening.</p> <h2> Why Existing Tools Didn't Fit </h2> <p>I looked for something simple that solved this. Here's what <br> I found and why none of it quite worked:</p> <p><strong>Password managers (1Password, Bitwarden)</strong><br> Good tools. But they're built around cloud sync, browser <br> extensions, and team sharing. For an individual developer <br> who just wants somewhere safe to keep a PAT — overkill. <br> Also: corporate IT policies often block installation of <br> cloud-synced password managers on work machines.</p> <p><strong>Secret managers (HashiCorp Vault, AWS Secrets Manager)</strong><br> These are infrastructure tools, not personal workflow tools. <br> Setting up Vault for an individual developer's PAT collection <br> is like using a forklift to move a chair.</p> <p><strong>OS keystores (Windows Credential Manager, macOS Keychain)</strong><br> Actually decent for storage. But no UI built for this <br> workflow, no copy-to-clipboard, and they don't solve the <br> screen-exposure problem at all.</p> <p><strong>The gap:</strong> Something simple, local, and designed around <br> the moment of <em>use</em> — not just storage.</p> <h2> So I Built Tokenly </h2> <p>Tokenly is a local-only desktop credential vault. The core <br> design principle is simple:</p> <p><strong>Credential values are never shown on screen.</strong></p> <p>You copy them to clipboard. That's the only way to use them. <br> The clipboard auto-clears after 30 seconds.</p> <p>If you need to visually verify a value — press and hold a <br> button. Release it, the value hides immediately. Not a <br> toggle — a hold. Toggles get forgotten. Holds don't.</p> <h2> Technical Decisions Worth Explaining </h2> <h3> Why Tauri over Electron </h3> <p>Tauri uses the operating system's existing WebView (Edge <br> WebView2 on Windows, WKWebView on macOS) rather than <br> bundling an entire Chromium browser. The result:</p> <ul> <li>Installer under 10MB vs 150MB+ for Electron apps</li> <li>Rust backend with explicit permissions — nothing the React frontend can do reaches the system without a registered Tauri command</li> <li>Memory-safe backend by design</li> </ul> <p>For a security tool, the permission model matters. Electron's <br> Node.js backend has broad filesystem access by default. <br> That's the wrong posture for a vault application.</p> <h3> Why AES-256-GCM specifically </h3> <p>AES-256-GCM is authenticated encryption — it doesn't just <br> encrypt, it detects tampering. Every encrypted blob includes <br> a 128-bit authentication tag. Wrong password or modified <br> file, the tag fails before any data is returned.</p> <p>This means:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="n">plaintext</span> <span class="o">=</span> <span class="n">cipher</span> <span class="nf">.decrypt</span><span class="p">(</span><span class="n">nonce</span><span class="p">,</span> <span class="n">ciphertext</span><span class="p">)</span> <span class="nf">.map_err</span><span class="p">(|</span><span class="n">_</span><span class="p">|</span> <span class="s">"Wrong password or corrupted vault"</span><span class="nf">.to_string</span><span class="p">())</span><span class="o">?</span><span class="p">;</span> </code></pre> </div> <p>If decryption succeeds — the password was correct. If it <br> fails — wrong password or tampered file. No password <br> comparison ever happens. The encrypted data itself is <br> the verification mechanism.</p> <h3> Why Argon2id for key derivation </h3> <p>The master password is never stored anywhere. Instead, <br> Argon2id derives a 256-bit encryption key from the <br> password + a random salt:</p> devops security rust opensource