Skip to content
Tauri
Releases

Stronghold

Store secrets and keys using the IOTA Stronghold encrypted database and secure runtime.

Supported Platforms

  • Windows
  • Linux
  • macOS

Setup

This plugin requires a Rust version of at least 1.75

Install the stronghold plugin to get started.

Use your project’s package manager to add the dependency:

npm run tauri add stronghold

Usage

Initialize with custom password hash function

src-tauri/src/lib.rs
pub fn run() {
tauri::Builder::default()
.plugin(
tauri_plugin_stronghold::Builder::new(|password| {
// Hash the password here with e.g. argon2, blake2b or any other secure algorithm
// Here is an example implementation using the `rust-argon2` crate for hashing the password
use argon2::{hash_raw, Config, Variant, Version};
let config = Config {
lanes: 4,
mem_cost: 10_000,
time_cost: 10,
variant: Variant::Argon2id,
version: Version::Version13,
..Default::default()
};
let salt = "your-salt".as_bytes();
let key =
hash_raw(password.as_ref(), salt, &config).expect("failed to hash password");
key.to_vec()
})
.build(),
)
.run(tauri::generate_context!())
.expect("error while running tauri application");
}

Initialize with argon2 password hash function

src-tauri/src/lib.rs
use tauri::Manager;
pub fn run() {
tauri::Builder::default()
.setup(|app| {
let salt_path = app
.path()
.app_local_data_dir()
.expect("could not resolve app local data path")
.join("salt.txt");
app.handle().plugin(tauri_plugin_stronghold::Builder::with_argon2(&salt_path).build())?;
Ok(())
})
.run(tauri::generate_context!())
.expect("error while running tauri application");
}

Usage from JavaScript

The stronghold plugin is available in JavaScript.

import { Client, Stronghold } from '@tauri-apps/plugin-stronghold';
import { appDataDir } from '@tauri-apps/api/path';
const initStronghold = async () => {
const vaultPath = `${await appDataDir()}/vault.hold`;
const vaultPassword = 'vault password';
const stronghold = await Stronghold.load(vaultPath, vaultPassword);
let client: Client;
const clientName = 'name your client';
try {
client = await stronghold.loadClient(clientName);
} catch {
client = await stronghold.createClient(clientName);
}
return {
stronghold,
client,
};
};
// Insert a record to the store
async function insertRecord(store: any, key: string, value: string) {
const data = Array.from(new TextEncoder().encode(value));
await store.insert(key, data);
}
// Read a record from store
async function getRecord(store: any, key: string): Promise<string> {
const data = await store.get(key);
return new TextDecoder().decode(new Uint8Array(data));
}
const { stronghold, client } = await initStronghold();
const store = client.getStore();
const key = 'my_key';
// Insert a record to the store
insertRecord(store, key, 'secret value');
// Read a record from store
const value = await getRecord(store, key);
console.log(value); // 'secret value'
// Save your updates
await stronghold.save();
// Remove a record from store
await store.remove(key);

Permissions

By default all plugin commands are blocked and cannot be accessed. You must define a list of permissions in your capabilities configuration.

See Access Control List for more information.

src-tauri/capabilities/main.json
{
"$schema": "../gen/schemas/desktop-schema.json",
"identifier": "main-capability",
"description": "Capability for the main window",
"windows": ["main"],
"permissions": [
"path:default",
"stronghold:allow-initialize",
"stronghold:allow-create-client",
"stronghold:allow-load-client",
"stronghold:allow-save",
"stronghold:allow-save-store-record"
"stronghold:allow-get-store-record",
"stronghold:allow-remove-store-record",
]
}
PermissionDescription
stronghold:allow-create-clientEnables the create_client command without any pre-configured scope.
stronghold:deny-create-clientDenies the create_client command without any pre-configured scope.
stronghold:allow-destroyEnables the destroy command without any pre-configured scope.
stronghold:deny-destroyDenies the destroy command without any pre-configured scope.
stronghold:allow-execute-procedureEnables the execute_procedure command without any pre-configured scope.
stronghold:deny-execute-procedureDenies the execute_procedure command without any pre-configured scope.
stronghold:allow-get-store-recordEnables the get_store_record command without any pre-configured scope.
stronghold:deny-get-store-recordDenies the get_store_record command without any pre-configured scope.
stronghold:allow-initializeEnables the initialize command without any pre-configured scope.
stronghold:deny-initializeDenies the initialize command without any pre-configured scope.
stronghold:allow-load-clientEnables the load_client command without any pre-configured scope.
stronghold:deny-load-clientDenies the load_client command without any pre-configured scope.
stronghold:allow-remove-secretEnables the remove_secret command without any pre-configured scope.
stronghold:deny-remove-secretDenies the remove_secret command without any pre-configured scope.
stronghold:allow-remove-store-recordEnables the remove_store_record command without any pre-configured scope.
stronghold:deny-remove-store-recordDenies the remove_store_record command without any pre-configured scope.
stronghold:allow-saveEnables the save command without any pre-configured scope.
stronghold:deny-saveDenies the save command without any pre-configured scope.
stronghold:allow-save-secretEnables the save_secret command without any pre-configured scope.
stronghold:deny-save-secretDenies the save_secret command without any pre-configured scope.
stronghold:allow-save-store-recordEnables the save_store_record command without any pre-configured scope.
stronghold:deny-save-store-recordDenies the save_store_record command without any pre-configured scope.

© 2024 Tauri Contributors. CC-BY / MIT