DEV Community: od1n The latest articles on DEV Community by od1n (@od1n). https://dev.to/od1n https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3968587%2F7f71ec04-9e3b-4a95-b07e-18084282c079.png DEV Community: od1n https://dev.to/od1n en Building a Zero-Knowledge Password Manager with Rust and Tauri 2.0 od1n Thu, 04 Jun 2026 16:01:23 +0000 https://dev.to/od1n/building-a-zero-knowledge-password-manager-with-rust-and-tauri-20-5hgp https://dev.to/od1n/building-a-zero-knowledge-password-manager-with-rust-and-tauri-20-5hgp <p>LastPass was breached in 2022. 33 million encrypted vaults ended up in attackers' hands. The root cause? Your passwords lived on their servers.</p> <p>I decided to build a password manager where that scenario is architecturally impossible — because there is no server.</p> <p>This is how I built <strong>Vault Local</strong>: a local-first, zero-knowledge password manager using Rust, Tauri 2.0, and modern cryptography.</p> <h2> The Architecture </h2> <p>The core principle: <strong>your data never leaves your computer</strong>. There's no cloud, no sync server, no account creation. Just one encrypted file on your disk.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Master Password │ ▼ Argon2id (19 MiB RAM, 2 iterations) │ ▼ HKDF-SHA256 ├──────────────────┐ ▼ ▼ db_key enc_key (SQLCipher) (XChaCha20-Poly1305) │ │ ▼ ▼ Encrypts entire Encrypts individual database file credential fields </code></pre> </div> <p>Two independent keys derived from the same master password, but cryptographically separated via HKDF with different info strings. Even if SQLCipher were somehow compromised, the field-level encryption remains intact.</p> <h2> Why Rust? </h2> <p>The ownership system prevents the exact class of bugs that plague password managers:</p> <ul> <li> <strong>No buffer overflows</strong> — Rust's borrow checker eliminates them at compile time</li> <li> <strong>No use-after-free</strong> — the compiler enforces lifetimes</li> <li> <strong>Deterministic cleanup</strong> — <code>Drop</code> runs exactly when a value goes out of scope, which matters when that value is an encryption key</li> </ul> <p>For cryptographic secrets, I use the <code>zeroize</code> and <code>secrecy</code> crates:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">zeroize</span><span class="p">::{</span><span class="n">Zeroize</span><span class="p">,</span> <span class="n">ZeroizeOnDrop</span><span class="p">};</span> <span class="k">use</span> <span class="nn">secrecy</span><span class="p">::</span><span class="n">Secret</span><span class="p">;</span> <span class="nd">#[derive(Zeroize,</span> <span class="nd">ZeroizeOnDrop)]</span> <span class="k">pub</span> <span class="k">struct</span> <span class="nf">EncKey</span><span class="p">(</span><span class="k">pub</span> <span class="p">[</span><span class="nb">u8</span><span class="p">;</span> <span class="mi">32</span><span class="p">]);</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">VaultState</span> <span class="p">{</span> <span class="k">pub</span> <span class="n">connection</span><span class="p">:</span> <span class="n">Connection</span><span class="p">,</span> <span class="k">pub</span> <span class="n">enc_key</span><span class="p">:</span> <span class="n">Secret</span><span class="o">&lt;</span><span class="n">EncKey</span><span class="o">&gt;</span><span class="p">,</span> <span class="c1">// Auto-zeroized on drop</span> <span class="p">}</span> </code></pre> </div> <p>When the vault locks, <code>VaultState</code> drops, and the encryption key is overwritten with zeros in memory. No garbage collector, no "maybe the runtime will clean it up eventually."</p> <h2> Why Tauri 2.0 over Electron? </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>Electron</th> <th>Tauri 2.0</th> </tr> </thead> <tbody> <tr> <td>Installer size</td> <td>~150 MB</td> <td><strong>4.6 MB</strong></td> </tr> <tr> <td>Runtime</td> <td>Bundles Chromium</td> <td>Uses system WebView</td> </tr> <tr> <td>Backend</td> <td>Node.js (JS)</td> <td> <strong>Rust</strong> (native)</td> </tr> <tr> <td>Security model</td> <td>Full filesystem access</td> <td>Principle of least privilege</td> </tr> <tr> <td>IPC</td> <td>Unrestricted</td> <td>Explicit command registration</td> </tr> </tbody> </table></div> <p>Tauri's security model is the key differentiator. The web frontend cannot access the filesystem, network, or system APIs. Every capability must be explicitly declared:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"permissions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"core:default"</span><span class="p">,</span><span class="w"> </span><span class="s2">"dialog:default"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The frontend communicates with the Rust backend exclusively through typed commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="nd">#[tauri::command]</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">get_entry</span><span class="p">(</span> <span class="n">state</span><span class="p">:</span> <span class="nn">tauri</span><span class="p">::</span><span class="n">State</span><span class="o">&lt;</span><span class="nv">'_</span><span class="p">,</span> <span class="n">AppState</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">id</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="n">Entry</span><span class="p">,</span> <span class="nb">String</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Decrypt and return entry</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Frontend — this is the ONLY way to access data</span> <span class="kd">const</span> <span class="nx">entry</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">invoke</span><span class="o">&lt;</span><span class="nx">Entry</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">'</span><span class="s1">get_entry</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">});</span> </code></pre> </div> <h2> The Encryption Stack </h2> <h3> Key Derivation: Argon2id </h3> <p>Argon2id won the Password Hashing Competition. It's memory-hard, meaning it requires a fixed amount of RAM to compute — making GPU/ASIC attacks impractical:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="n">params</span> <span class="o">=</span> <span class="nn">Params</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="mi">19456</span><span class="p">,</span> <span class="c1">// 19 MiB of RAM</span> <span class="mi">2</span><span class="p">,</span> <span class="c1">// 2 iterations</span> <span class="mi">1</span><span class="p">,</span> <span class="c1">// 1 degree of parallelism</span> <span class="nf">Some</span><span class="p">(</span><span class="mi">32</span><span class="p">)</span> <span class="c1">// 32 bytes output</span> <span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">argon2</span> <span class="o">=</span> <span class="nn">Argon2</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">Algorithm</span><span class="p">::</span><span class="n">Argon2id</span><span class="p">,</span> <span class="nn">Version</span><span class="p">::</span><span class="n">V0x13</span><span class="p">,</span> <span class="n">params</span><span class="p">);</span> <span class="n">argon2</span><span class="nf">.hash_password_into</span><span class="p">(</span><span class="n">password</span><span class="p">,</span> <span class="n">salt</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">master_key</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> </code></pre> </div> <h3> Symmetric Encryption: XChaCha20-Poly1305 </h3> <p>I chose XChaCha20-Poly1305 over AES-256-GCM for a specific reason: the extended nonce.</p> <ul> <li>AES-256-GCM: 96-bit nonce → collision risk after ~2^32 encryptions with the same key</li> <li>XChaCha20-Poly1305: <strong>192-bit nonce</strong> → safe for virtually unlimited encryptions</li> </ul> <p>For a long-lived local vault where the same key encrypts thousands of entries over years, the larger nonce margin is significant.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">pub</span> <span class="k">fn</span> <span class="nf">encrypt</span><span class="p">(</span><span class="n">key</span><span class="p">:</span> <span class="o">&amp;</span><span class="p">[</span><span class="nb">u8</span><span class="p">;</span> <span class="mi">32</span><span class="p">],</span> <span class="n">plaintext</span><span class="p">:</span> <span class="o">&amp;</span><span class="p">[</span><span class="nb">u8</span><span class="p">])</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">u8</span><span class="o">&gt;</span><span class="p">,</span> <span class="nb">String</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">cipher</span> <span class="o">=</span> <span class="nn">XChaCha20Poly1305</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">key</span><span class="nf">.into</span><span class="p">());</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">nonce_bytes</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="mi">24</span><span class="p">];</span> <span class="n">OsRng</span><span class="nf">.fill_bytes</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">nonce_bytes</span><span class="p">);</span> <span class="k">let</span> <span class="n">nonce</span> <span class="o">=</span> <span class="nn">XNonce</span><span class="p">::</span><span class="nf">from_slice</span><span class="p">(</span><span class="o">&amp;</span><span class="n">nonce_bytes</span><span class="p">);</span> <span class="k">let</span> <span class="n">ciphertext</span> <span class="o">=</span> <span class="n">cipher</span><span class="nf">.encrypt</span><span class="p">(</span><span class="n">nonce</span><span class="p">,</span> <span class="n">plaintext</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Store as: nonce (24 bytes) || ciphertext</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">result</span> <span class="o">=</span> <span class="nn">Vec</span><span class="p">::</span><span class="nf">with_capacity</span><span class="p">(</span><span class="mi">24</span> <span class="o">+</span> <span class="n">ciphertext</span><span class="nf">.len</span><span class="p">());</span> <span class="n">result</span><span class="nf">.extend_from_slice</span><span class="p">(</span><span class="o">&amp;</span><span class="n">nonce_bytes</span><span class="p">);</span> <span class="n">result</span><span class="nf">.extend_from_slice</span><span class="p">(</span><span class="o">&amp;</span><span class="n">ciphertext</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">result</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> Database Encryption: SQLCipher </h3> <p>SQLCipher is a fork of SQLite that encrypts the entire database file with AES-256-CBC + HMAC-SHA256. Every page is encrypted independently.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">pub</span> <span class="k">fn</span> <span class="nf">open_db</span><span class="p">(</span><span class="n">db_path</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">Path</span><span class="p">,</span> <span class="n">db_key</span><span class="p">:</span> <span class="o">&amp;</span><span class="p">[</span><span class="nb">u8</span><span class="p">;</span> <span class="mi">32</span><span class="p">])</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="n">Connection</span><span class="p">,</span> <span class="nb">String</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">conn</span> <span class="o">=</span> <span class="nn">Connection</span><span class="p">::</span><span class="nf">open</span><span class="p">(</span><span class="n">db_path</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">hex_key</span> <span class="o">=</span> <span class="nn">hex</span><span class="p">::</span><span class="nf">encode</span><span class="p">(</span><span class="n">db_key</span><span class="p">);</span> <span class="n">conn</span><span class="nf">.execute_batch</span><span class="p">(</span><span class="o">&amp;</span><span class="nd">format!</span><span class="p">(</span><span class="s">"PRAGMA key = </span><span class="se">\"</span><span class="s">x'{}'</span><span class="se">\"</span><span class="s">;"</span><span class="p">,</span> <span class="n">hex_key</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Verify the key works</span> <span class="n">conn</span><span class="nf">.execute_batch</span><span class="p">(</span><span class="s">"SELECT count(*) FROM sqlite_master;"</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">conn</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h2> Browser Extension via Native Messaging </h2> <p>The browser extension doesn't store any credentials. It communicates with the desktop app through Chrome's Native Messaging protocol:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Extension popup → Native Messaging Host (Node.js) → TCP localhost:51820 → Rust IPC Server </code></pre> </div> <p>The IPC server only listens on <code>127.0.0.1</code> and requires a token that regenerates on every vault unlock. No external network access.</p> <h2> What I Learned </h2> <ol> <li><p><strong>Tauri 2.0 is production-ready</strong> for security-sensitive apps. The permission model is genuinely useful.</p></li> <li><p><strong>SQLCipher's <code>bundled-sqlcipher-vendored-openssl</code></strong> feature in rusqlite compiles OpenSSL from source. It requires Perl on Windows (Strawberry Perl). Plan for this in your build pipeline.</p></li> <li><p><strong>The <code>zeroize</code> crate can't clear CPU registers</strong> — it's a fundamental limitation. But it handles heap and stack memory correctly, which covers the vast majority of attack surface.</p></li> <li><p><strong>XChaCha20 is constant-time without hardware support</strong>, unlike AES which relies on AES-NI for timing-attack resistance. This matters for cross-platform software where you can't guarantee hardware features.</p></li> <li><p><strong>Native Messaging on Windows requires a <code>.bat</code> wrapper</strong> — Node.js <code>.js</code> files can't be executed directly as native messaging hosts. A one-line batch file solves it.</p></li> </ol> <h2> Try It </h2> <p>Vault Local is free and open source (MIT):</p> <ul> <li> <strong>GitHub</strong>: <a href="https://github.com/od1n/vault-local" rel="noopener noreferrer">github.com/od1n/vault-local</a> </li> <li> <strong>Website</strong>: <a href="https://vault-local.vercel.app" rel="noopener noreferrer">vault-local.vercel.app</a> </li> <li> <strong>Download</strong>: <a href="https://github.com/od1n/vault-local/releases" rel="noopener noreferrer">Windows installer (4.6 MB)</a> </li> </ul> <p>Features include: password audit with HIBP breach check, TOTP authenticator, SSH agent, import from 8 formats (Chrome, Firefox, Bitwarden, 1Password, LastPass, KeePass), encrypted sync, browser extension, and passkey storage.</p> <p>Built with ~15,000 lines of Rust + TypeScript across ~70 files. I'd appreciate any feedback, especially on the cryptographic implementation.</p> rust security tauri opensource