Stronghold

GitHub npm crates.io

API Reference

Store secrets and keys using the IOTA Stronghold encrypted database and secure runtime.

Supported Platforms

Windows
Linux
macOS

Setup

This plugin requires a Rust version of at least 1.75

Install the stronghold plugin to get started.

Automatic
Manual

Use your project’s package manager to add the dependency:

npm run tauri add stronghold

yarn run tauri add stronghold

pnpm tauri add stronghold

cargo tauri add stronghold

Install the stronghold plugin by adding the following to your Cargo.toml file:

[dependencies]
tauri-plugin-stronghold = "2.0.0-beta"
# alternatively with Git:
tauri-plugin-stronghold = { git = "https://github.com/tauri-apps/plugins-workspace", branch = "v2" }

Modify lib.rs to initialize the plugin:

fn run() {
    tauri::Builder::default()
        .plugin(tauri_plugin_stronghold::Builder::new(|password| {}).build())
        .run(tauri::generate_context!())
        .expect("error while running tauri application");
}

Install the JavaScript Guest bindings using your preferred JavaScript package manager:

npm install @tauri-apps/plugin-stronghold

yarn add @tauri-apps/plugin-stronghold

pnpm add @tauri-apps/plugin-stronghold

Usage

Initialize with custom password hash function

pub fn run() {
    tauri::Builder::default()
        .plugin(
            tauri_plugin_stronghold::Builder::new(|password| {
                // Hash the password here with e.g. argon2, blake2b or any other secure algorithm
                // Here is an example implementation using the `rust-argon2` crate for hashing the password
                use argon2::{hash_raw, Config, Variant, Version};

                let config = Config {
                    lanes: 4,
                    mem_cost: 10_000,
                    time_cost: 10,
                    variant: Variant::Argon2id,
                    version: Version::Version13,
                    ..Default::default()
                };
                let salt = "your-salt".as_bytes();
                let key =
                    hash_raw(password.as_ref(), salt, &config).expect("failed to hash password");

                key.to_vec()
            })
            .build(),
        )
        .run(tauri::generate_context!())
        .expect("error while running tauri application");
}

Initialize with argon2 password hash function

use tauri::Manager;

pub fn run() {
    tauri::Builder::default()
        .setup(|app| {
            let salt_path = app
                .path()
                .app_local_data_dir()
                .expect("could not resolve app local data path")
                .join("salt.txt");
            app.handle().plugin(tauri_plugin_stronghold::Builder::with_argon2(&salt_path).build())?;
            Ok(())
        })
        .run(tauri::generate_context!())
        .expect("error while running tauri application");
}

Usage from JavaScript

The stronghold plugin is available in JavaScript.

import { Client, Stronghold } from '@tauri-apps/plugin-stronghold';
import { appDataDir } from '@tauri-apps/api/path';

const initStronghold = async () => {
  const vaultPath = `${await appDataDir()}/vault.hold`;
  const vaultPassword = 'vault password';
  const stronghold = await Stronghold.load(vaultPath, vaultPassword);

  let client: Client;
  const clientName = 'name your client';
  try {
    client = await stronghold.loadClient(clientName);
  } catch {
    client = await stronghold.createClient(clientName);
  }

  return {
    stronghold,
    client,
  };
};

// Insert a record to the store
async function insertRecord(store: any, key: string, value: string) {
  const data = Array.from(new TextEncoder().encode(value));
  await store.insert(key, data);
}

// Read a record from store
async function getRecord(store: any, key: string): Promise<string> {
  const data = await store.get(key);
  return new TextDecoder().decode(new Uint8Array(data));
}

const { stronghold, client } = await initStronghold();

const store = client.getStore();
const key = 'my_key';

// Insert a record to the store
insertRecord(store, key, 'secret value');

// Read a record from store
const value = await getRecord(store, key);
console.log(value); // 'secret value'

// Save your updates
await stronghold.save();

// Remove a record from store
await store.remove(key);

Permissions

By default all plugin commands are blocked and cannot be accessed. You must define a list of permissions in your capabilities configuration.

See Permissions Overview for more information.

{
  "$schema": "../gen/schemas/desktop-schema.json",
  "identifier": "main-capability",
  "description": "Capability for the main window",
  "windows": ["main"],
  "permissions": [
    "path:default",
    "stronghold:allow-initialize",
    "stronghold:allow-create-client",
    "stronghold:allow-load-client",
    "stronghold:allow-save",
    "stronghold:allow-save-store-record"
    "stronghold:allow-get-store-record",
    "stronghold:allow-remove-store-record",
  ]
}

Permission	Description
`stronghold:allow-create-client`	Enables the create_client command without any pre-configured scope.
`stronghold:deny-create-client`	Denies the create_client command without any pre-configured scope.
`stronghold:allow-destroy`	Enables the destroy command without any pre-configured scope.
`stronghold:deny-destroy`	Denies the destroy command without any pre-configured scope.
`stronghold:allow-execute-procedure`	Enables the execute_procedure command without any pre-configured scope.
`stronghold:deny-execute-procedure`	Denies the execute_procedure command without any pre-configured scope.
`stronghold:allow-get-store-record`	Enables the get_store_record command without any pre-configured scope.
`stronghold:deny-get-store-record`	Denies the get_store_record command without any pre-configured scope.
`stronghold:allow-initialize`	Enables the initialize command without any pre-configured scope.
`stronghold:deny-initialize`	Denies the initialize command without any pre-configured scope.
`stronghold:allow-load-client`	Enables the load_client command without any pre-configured scope.
`stronghold:deny-load-client`	Denies the load_client command without any pre-configured scope.
`stronghold:allow-remove-secret`	Enables the remove_secret command without any pre-configured scope.
`stronghold:deny-remove-secret`	Denies the remove_secret command without any pre-configured scope.
`stronghold:allow-remove-store-record`	Enables the remove_store_record command without any pre-configured scope.
`stronghold:deny-remove-store-record`	Denies the remove_store_record command without any pre-configured scope.
`stronghold:allow-save`	Enables the save command without any pre-configured scope.
`stronghold:deny-save`	Denies the save command without any pre-configured scope.
`stronghold:allow-save-secret`	Enables the save_secret command without any pre-configured scope.
`stronghold:deny-save-secret`	Denies the save_secret command without any pre-configured scope.
`stronghold:allow-save-store-record`	Enables the save_store_record command without any pre-configured scope.
`stronghold:deny-save-store-record`	Denies the save_store_record command without any pre-configured scope.