AES
256-GCM encryption, on device
0
Plaintext stored server-side
PBKDF2
Key derivation, unique salt per vault
OS
Keychain for encrypted blob storage
Security
principles.
Six decisions made early. Each one shapes what Termique will and will not do.
Local-first, always
The terminal surface and all credentials live on your device. Optional sync exists but is never required. Termique works fully offline.
AES-256-GCM encryption
Every credential is encrypted with AES-256-GCM before it leaves the renderer process. The encryption key never touches the network.
PBKDF2 key derivation
Your master password is never stored. The encryption key is derived locally via PBKDF2 with a high iteration count. Each vault has a unique salt.
OS keychain storage
Encrypted blobs live in the OS keychain - macOS Keychain, Windows Credential Manager, or libsecret. The server never receives plaintext.
No clipboard exposure
Termique connects using decrypted credentials in memory, in-process. Passwords are never written to the clipboard.
Command audit logs
Every command run in every session is timestamped and logged locally. Useful for compliance, shared hosts, and post-incident review.