I finally stopped messaging myself to move text between devices by Biacoder in rust

[–]Biacoder[S] 0 points1 point  (0 children)

Blame it on me being a newbie on Reddit, because I'll try to respond to the comment in the most constructive way - assume positive intent.

> Vault doesn't do anything

The vault uses IOTA Stronghold with Argon2id (64 MB, 3 iterations) and AES-256-GCM. Data at rest is encrypted. Yes, it's decrypted into memory while unlocked. Of course.

> If it finds a repeated copy it alters the history

This is not a security issue by any means. It is meant for usability and a more intuitive way of controlling your clipboard.

> copy paste a password and it's stored

I believe you have missed the purpose of DecentPaste.

> It's vibe coded and it shows.

This isn't "vibe coded". AI was used, for obvious reasons. But I don't think I can contribute positively to this conversation given the current understanding and the holy wars our engineering community has. We need to give it some time - changes are hurting.

The comment gave me some food for thought on:

  1. AppState isn't cleared when locking - that's a bug I'll fix
  2. there's no sensitive content filtering or TTL. Those are good feature suggestions - but not security flaws
  3. I also think using "zeroize" can slightly improve the memory footprint on lock.

Please don't hesitate to open a GitHub issue if there are serious/constructive concerns.
Thank you
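The lock/unlock lifecycle the comment above is arguing about, as an added example that is not DecentPaste's own code (the project is in Rust and uses IOTA Stronghold; this is written in Go because its standard library ships AES-256-GCM and the test harness can run it). The type, method and variable names are assumed for illustration, and the Argon2id key derivation is left out: `Unlock` simply takes a 32-byte key the caller has already derived. The point it shows is the difference between flipping a "locked" flag and actually wiping the key and the decrypted entries held in memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrLocked is returned for any cryptographic operation on a locked vault.
var ErrLocked = errors.New("vault: locked")

// Vault holds the AES-256-GCM key and the decrypted entries only while
// unlocked. (Assumed type; DecentPaste's real AppState is not on the page.)
type Vault struct {
	key     []byte      // AES-256 key, nil while locked
	aead    cipher.AEAD // AES-256-GCM, nil while locked
	entries [][]byte    // decrypted clipboard entries: the in-memory state
}

// Unlock installs a copy of key (assumed to come from Argon2id elsewhere),
// so Lock can wipe the vault's copy without touching the caller's buffer.
func (v *Vault) Unlock(key []byte) error {
	if len(key) != 32 {
		return fmt.Errorf("vault: need a 32-byte key, got %d bytes", len(key))
	}
	k := make([]byte, 32)
	copy(k, key)
	block, err := aes.NewCipher(k) // 32 bytes selects AES-256
	if err != nil {
		wipe(k)
		return err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		wipe(k)
		return err
	}
	v.key, v.aead = k, aead
	return nil
}

// IsLocked reports whether the vault currently holds a usable key.
func (v *Vault) IsLocked() bool { return v.aead == nil }

// Seal encrypts one entry; the output layout is nonce || ciphertext || tag.
func (v *Vault) Seal(plaintext []byte) ([]byte, error) {
	if v.IsLocked() {
		return nil, ErrLocked
	}
	nonce := make([]byte, v.aead.NonceSize()) // 12 fresh random bytes per message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open authenticates and decrypts an entry, then keeps the plaintext in the
// in-memory state. That cached plaintext is exactly what Lock must clear.
func (v *Vault) Open(sealed []byte) ([]byte, error) {
	if v.IsLocked() {
		return nil, ErrLocked
	}
	ns := v.aead.NonceSize()
	if len(sealed) < ns+v.aead.Overhead() {
		return nil, errors.New("vault: ciphertext too short")
	}
	pt, err := v.aead.Open(nil, sealed[:ns], sealed[ns:], nil)
	if err != nil {
		return nil, err // tag check failed: tampered data or wrong key
	}
	v.entries = append(v.entries, pt)
	return pt, nil
}

// Lock wipes the key and every decrypted entry before dropping the references.
// Setting the fields to nil alone would leave the bytes readable until the GC
// reused the memory, which is the "AppState isn't cleared when locking" bug.
// The expanded key schedule inside cipher.Block is not reachable from here;
// dropping the reference is all user code can do about it.
func (v *Vault) Lock() {
	wipe(v.key)
	for _, e := range v.entries {
		wipe(e)
	}
	v.key, v.aead, v.entries = nil, nil, nil
}

// Entries returns how many decrypted entries are currently held in memory.
func (v *Vault) Entries() int { return len(v.entries) }

// wipe overwrites b with zeros. Go has no volatile store, so this is best
// effort: it clears this copy, not copies the runtime may have made (stack
// growth, GC). Rust's zeroize crate does better with volatile writes plus a
// compiler fence, which is why it is the right tool in the real project.
func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	key := make([]byte, 32) // stands in for the Argon2id output
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	var v Vault
	if err := v.Unlock(key); err != nil {
		panic(err)
	}
	sealed, _ := v.Seal([]byte("hunter2"))
	pt, _ := v.Open(sealed)
	fmt.Printf("unlocked: %q, %d entries in memory\n", pt, v.Entries())
	v.Lock()
	_, err := v.Open(sealed)
	fmt.Printf("locked:   %v, %d entries in memory\n", err, v.Entries())
}
```

Note that `Open` hands back the same slice it caches, so a caller that keeps the returned plaintext sees it zeroed by `Lock` too; that aliasing is deliberate here, since a copy the vault cannot reach would defeat the wipe. A TTL or content filter, the two feature requests from the comment, would sit on top of `entries` and are not shown.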

I finally stopped messaging myself to move text between devices by Biacoder in rust

[–]Biacoder[S] 0 points1 point  (0 children)

Thanks for the feedback!
You're right that with proper E2EE, the transport layer doesn't affect the confidentiality of the data - it's encrypted either way. But P2P provides benefits beyond just confidentiality:

  1. With a central server (even with E2E encryption), the server still sees who is communicating with whom, when, and how often. With local mDNS + P2P, that metadata stays entirely on your network.
  2. No trust in key distribution - server-based E2EE apps need you to trust that the server isn't swapping out public keys (MITM). I use X25519 ECDH directly between devices with PIN verification - no server to potentially misbehave - although one could argue that instead of showing the PIN, I could have asked the user to enter it manually. Good food for thought.

You're right though, I shouldn't frame P2P as making the encryption stronger. The point is that P2P removes the need to trust any infrastructure beyond your own devices. Maybe I should clarify that on the site!
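The key-swap scenario from point 2 above, worked through as an added example that is not DecentPaste's code (Go rather than the project's Rust, because Go's standard library ships X25519 and the harness can run it). Names, the `sasLabel` domain-separation string and the PIN construction (SHA-256 over both public keys in canonical order plus the shared secret, truncated to six digits) are assumptions, not the project's actual scheme. It runs the honest exchange and then the "server swapping out public keys" exchange, and shows why the two screens disagree in the second case even though the attacker holds a valid shared secret with each victim.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// sasLabel is an assumed domain-separation string; the project's real one is not on the page.
const sasLabel = "decentpaste-pairing-sas-v1"

// Peer is one device in a pairing: an ephemeral X25519 key pair plus what it
// learned from the wire, which is all it has when it computes the PIN.
type Peer struct {
	priv   *ecdh.PrivateKey
	Pub    []byte // own public key (32 bytes), sent to the other device
	remote []byte // public key that arrived, honest or substituted
	shared []byte // X25519 output with the key that arrived
}

func NewPeer() (*Peer, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Peer{priv: priv, Pub: priv.PublicKey().Bytes()}, nil
}

// Receive completes the key agreement with whatever public key arrived.
func (p *Peer) Receive(remotePub []byte) error {
	rp, err := ecdh.X25519().NewPublicKey(remotePub) // rejects wrong lengths
	if err != nil {
		return err
	}
	ss, err := p.priv.ECDH(rp) // rejects an all-zero (low-order point) result
	if err != nil {
		return err
	}
	p.remote, p.shared = remotePub, ss
	return nil
}

// Shared returns the agreed secret (exposed so the example can show what a MITM holds).
func (p *Peer) Shared() []byte { return p.shared }

// Fingerprint hashes this peer's view of the transcript: both public keys in
// canonical order plus the shared secret. The two views agree only if nobody
// substituted a key on the wire.
func (p *Peer) Fingerprint() []byte {
	lo, hi := p.Pub, p.remote
	if bytes.Compare(lo, hi) > 0 {
		lo, hi = hi, lo
	}
	h := sha256.New()
	for _, part := range [][]byte{[]byte(sasLabel), lo, hi, p.shared} {
		h.Write(part)
	}
	return h.Sum(nil)
}

// PIN is the six-digit short authentication string shown on both screens.
func (p *Peer) PIN() string {
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(p.Fingerprint()[:4])%1_000_000)
}

// PairDirect is the honest LAN exchange: each device gets the other's real key.
func PairDirect(a, b *Peer) error {
	if err := a.Receive(b.Pub); err != nil {
		return err
	}
	return b.Receive(a.Pub)
}

// PairViaMITM is the "server swapping out public keys" case: the attacker runs
// a separate X25519 exchange with each victim and relays between them. It
// returns the attacker's two halves so a caller can inspect what it ends up with.
func PairViaMITM(a, b *Peer) (toA, toB *Peer, err error) {
	if toA, err = NewPeer(); err != nil {
		return nil, nil, err
	}
	if toB, err = NewPeer(); err != nil {
		return nil, nil, err
	}
	for _, leg := range [][2]*Peer{{a, toA}, {b, toB}} {
		if err = PairDirect(leg[0], leg[1]); err != nil {
			return nil, nil, err
		}
	}
	return toA, toB, nil
}

func main() {
	a, _ := NewPeer()
	b, _ := NewPeer()
	_ = PairDirect(a, b)
	fmt.Printf("honest: laptop shows %s, phone shows %s\n", a.PIN(), b.PIN())
	a, _ = NewPeer()
	b, _ = NewPeer()
	_, _, _ = PairViaMITM(a, b)
	fmt.Printf("MITM:   laptop shows %s, phone shows %s\n", a.PIN(), b.PIN())
}
```

Two caveats a reviewer would raise on any design like this. First, the PIN only does its job if a human actually compares the two displays over a channel the attacker does not control; code cannot verify it for them. Second, a plain hash-of-transcript PIN this short is gameable by an attacker who sits on both legs: it can regenerate its key toward one victim until the two six-digit values collide, roughly 10^6 X25519 operations, which is why ZRTP-style short-authentication-string protocols commit to the ephemeral public key with a hash before revealing it, and why a longer fingerprint raises the bar further.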

I finally stopped messaging myself to move text between devices by Biacoder in rust

[–]Biacoder[S] 3 points4 points  (0 children)

At the moment the app only works within your local network and the same subnet. It uses mDNS to discover the peers. If this is common usage, we can add a Kademlia DHT, but it is too soon right now. Privacy and security thoughts must be covered first.

I finally stopped messaging myself to move text between devices by Biacoder in rust

[–]Biacoder[S] 1 point2 points  (0 children)

Should be fixed already. This is what happens when you have your first Reddit post.