Keystone

Keystone is a local-first desktop vault for the small secrets developers scatter across loose text files - API keys, snippets, commands, and reference notes. Built for people who outgrew scattered files but don't want a shared cloud vault for personal stuff.

Security

• Per-record encryption - every item's title, value, notes, and tags are sealed individually with ChaCha20-Poly1305; only metadata (timestamps, favorites, kind) stays plaintext
• Argon2id key derivation - the master password is never stored and never leaves the machine; keys are zeroized from memory on lock
• Sleep-aware auto-lock - configurable inactivity timeout that also locks if the timeout elapsed while the machine slept

Privacy

• Fully offline - no telemetry, no auto-update server, zero network dependencies in the Rust crate; the Tauri capability file enumerates every native API the app may touch
• Win+V exclusion - copied secrets are tagged so they never enter Windows clipboard history; type-aware auto-clear wipes API keys after a configurable delay while leaving snippets and commands available to paste

Built with

• Frontend: React 19 + TypeScript, Tailwind CSS v4, Radix UI primitives
• Desktop: Tauri v2 (Rust)
• Storage: SQLite via rusqlite (bundled)
• Crypto: Argon2id KDF + ChaCha20-Poly1305 AEAD, with zeroize for in-memory key wiping