Trinity Passport
A native desktop identity vault for Windows, macOS, and Linux. Private keys never leave your device.
Overview
Trinity Passport is the user-facing application in the Trinity ecosystem. It provides a secure vault for private keys and certificates with an intuitive UI for managing the full certificate lifecycle.
Features
- Encrypted Vault — XChaCha20-Poly1305 authenticated encryption at rest, with the vault key derived from the master password via Argon2id.
- Dual-Key Support — ECDSA P-256 (default) and RSA-2048 (legacy compatibility).
- Identity Management — Create and manage multiple identities (Personal, Work, etc.).
- Certificate Lifecycle — Track status: Pending → Verified → Revoked.
- Blind Drop Support — Create encrypted CSR drops using Kyber-1024 post-quantum encryption.
- Trinity Connect — Submit CSRs directly to a Spirit gateway or Connect server.
- Whitelabeling — Customize app title, colors, and branding via config.json.
- Dark/Light Mode — Glassmorphism-inspired design with theme toggle.
Installation
Prerequisites
- Go 1.23+
- Wails v2:
go install github.com/wailsapp/wails/v2/cmd/wails@latest
- Node.js (for frontend build)
- Linux:
sudo apt install libgtk-3-dev libwebkit2gtk-4.1-dev
Development Mode
cd passport
# Linux (Ubuntu 22.04+)
wails dev -tags webkit2_41
# macOS / Windows
wails dev
Production Build
# Linux (Ubuntu 22.04+)
wails build -tags webkit2_41
# macOS / Windows
wails build
Workflow
1. Create Vault
On first launch, set a master password. This encrypts all private keys at rest using XChaCha20-Poly1305 with an Argon2id-derived key.
2. Create Identity
Click + Add Identity, choose a label and key type (ECDSA P-256 or RSA-2048). A private key and CSR are generated locally.
3. Get Certificate Signed
You have three options:
- Email — Click "Request via Email" to open a mailto link with the CSR.
- Cloud — Click "Submit to Cloud" to send the CSR to a Spirit/Connect server.
- Blind Drop — Create an encrypted drop file for offline/air-gap delivery.
4. Import Certificate
Once signed, import the certificate via drag-and-drop, clipboard paste, or cloud polling. The identity status changes to "Verified".
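The create-identity, sign and import steps above, as an added Go example that is not part of the Passport code base: it generates a P-256 key and CSR locally, stands in a throwaway CA for the Spirit gateway or offline signer, and performs the check an import should make before marking an identity Verified, namely that the certificate carries this identity's own public key and chains to a trusted root. The `Identity` type, `NewTestCA`, `SignCSR` and `pemBody` are constructed for this example; an RSA-2048 identity would follow the same flow with `rsa.GenerateKey` and an `*rsa.PublicKey` comparison.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Identity is a constructed stand-in for a Passport identity (hypothetical type, not
// the project's): a locally generated key plus the PEM CSR that may leave the device.
type Identity struct {
	Label string
	Key   *ecdsa.PrivateKey
	CSR   []byte
}

// NewIdentity generates a P-256 key and a CSR for it, entirely locally.
func NewIdentity(label string) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: label}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return &Identity{Label: label, Key: key, CSR: csr}, nil
}

// ImportCertificate is the check to run before flipping status to "Verified": the PEM
// must parse, carry this identity's public key, chain to a trusted root and be valid now.
func (id *Identity) ImportCertificate(certPEM []byte, roots *x509.CertPool) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(pemBody(certPEM, "CERTIFICATE"))
	if err != nil {
		return nil, fmt.Errorf("not a valid PEM certificate: %w", err)
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(&id.Key.PublicKey) {
		return nil, fmt.Errorf("certificate public key does not match identity %q", id.Label)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("chain verification failed: %w", err)
	}
	return cert, nil
}

// SignCSR plays the CA (Spirit gateway or offline signer) so the flow runs offline. It
// checks the CSR's proof of possession (its self-signature) before issuing a 90-day cert.
func SignCSR(csrPEM []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(pemBody(csrPEM, "CERTIFICATE REQUEST"))
	if err != nil {
		return nil, fmt.Errorf("not a valid PEM CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(90 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leaf, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leaf}), nil
}

// NewTestCA builds a throwaway self-signed root for the constructed flow.
func NewTestCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// pemBody returns the DER inside a PEM block of the expected type, or nil so the
// x509 parser reports the failure (a wrong block type is treated as unparseable).
func pemBody(b []byte, typ string) []byte {
	if p, _ := pem.Decode(b); p != nil && p.Type == typ {
		return p.Bytes
	}
	return nil
}
```

The public-key comparison is what stops a certificate pasted for the wrong identity (or one a gateway mis-issued) from flipping the status, and chain verification is what stops a certificate from an unknown CA; neither check requires the private key to leave the device.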
Whitelabeling
Edit config.json in the passport root:
{
"appTitle": "Acme Identity",
"companyName": "Acme Corp",
"adminEmail": "security@acme.com",
"primaryColor": "#1a1a2e",
"accentColor": "#e94560"
}
Connect Mode
Connect Mode is a "Just-in-Time" security feature: it enables network operations for a 10-minute window and then seals again. While it is off, the app makes no outbound requests, and a Fortress Mode indicator shows the vault is sealed.
Configure the Spirit URL and Enrollment Token in Settings to enable cloud submission.
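An added example, not the project's own code, of how a Just-in-Time window like Connect Mode can be enforced at the HTTP transport layer, so that a sealed vault cannot make an outbound request at all rather than relying on each call site to check a flag. `ConnectGate`, `RoundTripFunc`, the injectable `Clock` field and the `spirit.example.invalid` URL are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"sync"
	"time"
)

// ErrSealed is returned for any outbound request attempted while Connect Mode is off.
var ErrSealed = errors.New("fortress mode: vault is sealed, outbound request refused")

// ConnectGate wraps an http.RoundTripper and forwards requests only inside an
// explicitly opened window. It is a hypothetical type written for this example.
type ConnectGate struct {
	mu     sync.Mutex
	until  time.Time // zero value means sealed
	window time.Duration
	inner  http.RoundTripper
	Clock  func() time.Time // injectable for tests; defaults to time.Now
}

// NewConnectGate starts sealed; nothing passes until Open is called.
func NewConnectGate(inner http.RoundTripper, window time.Duration) *ConnectGate {
	return &ConnectGate{inner: inner, window: window, Clock: time.Now}
}

// Open starts (or restarts) the window and returns the time it expires.
func (g *ConnectGate) Open() time.Time {
	g.mu.Lock()
	defer g.mu.Unlock()
	g.until = g.Clock().Add(g.window)
	return g.until
}

// Seal closes the window immediately, e.g. when the user toggles Connect Mode off.
func (g *ConnectGate) Seal() {
	g.mu.Lock()
	defer g.mu.Unlock()
	g.until = time.Time{}
}

// Allowed reports whether the window is currently open. Expiry is evaluated on
// every call, so a window left open closes itself without a background timer.
func (g *ConnectGate) Allowed() bool {
	g.mu.Lock()
	defer g.mu.Unlock()
	return !g.until.IsZero() && g.Clock().Before(g.until)
}

// RoundTrip fails closed: while sealed the request never reaches the network.
func (g *ConnectGate) RoundTrip(req *http.Request) (*http.Response, error) {
	if !g.Allowed() {
		return nil, ErrSealed
	}
	return g.inner.RoundTrip(req)
}

// RoundTripFunc adapts a plain function to http.RoundTripper (useful in tests).
type RoundTripFunc func(*http.Request) (*http.Response, error)

func (f RoundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

func main() {
	gate := NewConnectGate(http.DefaultTransport, 10*time.Minute)
	client := &http.Client{Transport: gate} // every request through this client is gated
	// Placeholder gateway URL; no connection is attempted while sealed.
	req, _ := http.NewRequest(http.MethodPost, "https://spirit.example.invalid/csr", nil)
	_, err := client.Do(req)
	fmt.Println("sealed:", errors.Is(err, ErrSealed))
	fmt.Println("Connect Mode open until", gate.Open().Format(time.Kitchen))
}
```

Because the gate is the `http.Client`'s Transport, every code path that reuses the client is covered, and a request made after the 10 minutes have elapsed is refused even if nobody toggled the mode off.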
Project Structure
| Path | Description |
|---|---|
| app.go | Main application logic, Wails API bridge |
| main.go | Entry point, config loading, Wails init |
| internal/crypto/ | Vault encryption, key generation |
| internal/config/ | Configuration management |
| frontend/ | HTML, CSS, JS frontend |