What rune is, why Rust, and how this book fits into the lighthouse learning path.
Rust from Zero
18 lessons
Learn Rust fundamentals by building rune — a CLI-first password manager you will actually use. Ownership, borrowing, lifetimes, traits, async, error handling, and the type system — all taught through encrypted vaults, git-based sync, and a web UI.
what you'll learn
- Build rune — a CLI-first password manager with encrypted vaults, git sync, and a web UI. A real tool, not a throwaway tutorial
- Ownership, borrowing, and lifetimes — through problems that make them click, not contrived examples
- Navigate and leverage Rust's crate ecosystem — clap, serde, tokio, axum, sqlx, git2, and more
- Structure your application to be modular and extensible — modules, trait objects, storage backends, and clean separation between CLI and web
- AES-256-GCM encryption, argon2 key derivation, and X25519 key exchange — why Rust's deterministic destruction makes it uniquely suited for crypto
- Write tests from unit tests to integration tests to property-based fuzzing with proptest — all code ships with tests
- Enforce domain invariants using Rust's type system — newtypes, enums, and exhaustive pattern matching that catch bugs at compile time
- Async Rust with tokio and axum — run a web server alongside the CLI in the same codebase, with shared state via Arc<Mutex<>>
- Authenticate and authorize users — sessions, middleware, protected routes, and per-user vault encryption
- Read compiler errors like a conversation — the Rust compiler is your strictest and most helpful collaborator
- Implement a robust error handling strategy — Result, thiserror, custom error enums, and the ? operator
- SQLx compile-time checked queries against PostgreSQL — if it compiles, the SQL is valid
Learning Rust
Variables, mutability, functions, ownership basics, and reading compiler errors. Everything you need before we start building.
The Solo Vault
Create the rune CLI with Cargo and clap. Subcommands, help output, and reading the master password from stdin.
Design the Entry and Vault structs, serialize to JSON with serde, and understand who owns what.
AES-256-GCM encryption, argon2 key derivation, and why Rust's deterministic destruction makes it uniquely good at crypto.
Save and load the encrypted vault. Handle missing files, wrong passwords, and corrupted data with Result and thiserror.
Add, get, list, remove, edit. Passwords display as fixed-length masks. The borrow checker fights back — and wins.
rune eh shows the first 4 characters. Why fixed-length masking matters — password length is information leakage.
Generate secure passwords with configurable rules. Copy to clipboard with auto-clear. Traits, closures, and Option.
Oh No, Someone Is at My Laptop
Anyone can run rune get. That is a problem. Add master password sessions with TTL and re-authentication.
Configuration and Multiple Vaults
TOML config files, default vaults, named vaults, and the builder pattern.
Auto-commit on changes, version history, push/pull sync, and conflict detection. Trait objects for storage backends.
The Web Layer
Add an axum HTTP server alongside the CLI. Async Rust, tokio, Arc<Mutex<>>, and shared state.
PostgreSQL for user accounts. Compile-time checked SQL queries, connection pools, and migrations.
Email/password signup, argon2 hashing, sessions, protected routes, and the newtype pattern.
X25519 keypairs per user, per-user encryption, vault sharing, and lifetime annotations on crypto contexts.
Ship It
Unit tests for crypto, integration tests for vault operations, and property-based testing with proptest.
Shell completions, JSON output, cross-compilation, release builds, and binary optimization.