Architecture¶
Screenshot placeholder — high-level component diagram.
Voltius runs as three independent components plus the optional sync layer.
Components¶
| Component | Where it runs | What it holds |
|---|---|---|
| Desktop client | Your machine (Tauri / Rust + React) | Decryption keys, plaintext vault in memory only |
| Local vault file | $APP_DATA/voltius/secrets.enc |
XChaCha20-Poly1305 ciphertext, on disk |
| Auth server | auth.voltius.app (or your self-host) |
auth_key hashes, account metadata, JWTs |
| Sync relay | sync.voltius.app (or your self-host) |
Encrypted CRDT payloads |
| Web portal | app.voltius.app (Next.js) |
Same voltius-crypto crate, compiled to WASM |
| Gist host (Gist sync only) | gist.github.com (your account) |
Encrypted per-device app-state blobs |
Trust boundaries¶
- Inside the Tauri process — full trust. The Rust backend never exposes raw secrets to the JS frontend except via Tauri IPC, and even then only when explicitly needed (e.g. to display a password in the UI).
- The auth server — sees
auth_key(an Argon2id derivation), email, machine fingerprints, JWTs. Never sees the password orenc_key. - The sync relay — sees encrypted blobs. Cannot decrypt them.
- GitHub Gist — same: encrypted blobs only, plus the PAT you provided.
Key separation¶
Three independent keys are derived from the same password:
| Key | Use |
|---|---|
auth_key |
Sent to the auth server for login. Server stores a hash of this — not the password. |
enc_key |
Encrypts the local vault. Never leaves the device. |
gist_enc_key |
Encrypts Gist-sync blobs. Derived from a passphrase + manifest salt; distinct from enc_key. |
Compromise of one does not yield the others.
Plugin sandbox¶
Plugins run as bundled ESM modules in the renderer process. They access the host only through PluginAPI, which is permission-gated. Plugins cannot:
- Read terminal output or inject keystrokes.
- Read another plugin's vault keys.
- Call Tauri commands directly.
- Open SSH tunnels.
See the marketplace docs for the full list.