termique
Security

Your credentials
never leave your device.

Termique is built local-first. Credentials are encrypted with AES-256-GCM on your device before anything else happens. The server never sees plaintext, not even if it is compromised.

Download freeResponsible disclosure

AES

256-GCM encryption, on device

0

Plaintext stored server-side

PBKDF2

Key derivation, unique salt per vault

OS

Keychain for encrypted blob storage

Encryption
at every layer.

Four layers, four separate guarantees. Each one independent.

01

Device layer

Credentials encrypted in the renderer process before touching any other layer. The encryption key is derived locally from your master password.

AES-GCM
02

OS keychain

Encrypted blobs stored in macOS Keychain, Windows Credential Manager, or libsecret on Linux. No secrets in flat files.

Ciphertext only
03

Transport

All network traffic runs over TLS. SSH sessions use standard public-key cryptography. Nothing travels unencrypted.

TLS + SSH
04

Server layer

If sync is enabled, the server receives and stores only encrypted blobs. Even a full server compromise yields no usable credentials.

Never sees plaintext

Security
principles.

Six decisions made early. Each one shapes what Termique will and will not do.

01

Local-first, always

The terminal surface and all credentials live on your device. Optional sync exists but is never required. Termique works fully offline.

02

AES-256-GCM encryption

Every credential is encrypted with AES-256-GCM before it leaves the renderer process. The encryption key never touches the network.

03

PBKDF2 key derivation

Your master password is never stored. The encryption key is derived locally via PBKDF2 with a high iteration count. Each vault has a unique salt.

04

OS keychain storage

Encrypted blobs live in the OS keychain - macOS Keychain, Windows Credential Manager, or libsecret. The server never receives plaintext.

05

No clipboard exposure

Termique connects using decrypted credentials in memory, in-process. Passwords are never written to the clipboard.

06

Command audit logs

Every command run in every session is timestamped and logged locally. Useful for compliance, shared hosts, and post-incident review.

Vulnerability reporting

Found a security issue?

We take security reports seriously and respond within 48 hours. Please do not open a public GitHub issue - use our responsible disclosure process instead.

Read the disclosure policy ⟶