Master password
On first launch, you set a master password. This password:
- Is used to derive an encryption key (with a random per-user salt).
- Never leaves your device.
- Is never sent to any server.
- Cannot be recovered if lost — there is no reset mechanism.
Data Encryption Key (DEK)
At setup, Termique generates a random DEK. The DEK is:
- Wrapped (encrypted) using the key derived from your master password.
- Stored locally and, if sync is enabled, in the API backend as an encrypted blob.
- Used to encrypt every credential (SSH passwords and private keys) before storage.
Credential encryption
Every credential stored by Termique is encrypted using the DEK. Encryption is performed before the credential reaches any storage layer, local or remote. The app does not retain plaintext credentials after the encryption step.
Unlock flow
- You enter your master password in the unlock screen.
- Termique derives the encryption key using your stored salt.
- The wrapped DEK is fetched from local storage (or the backend on a fresh install) and unwrapped.
- A verification blob is checked to confirm the master password is correct before proceeding.
What Termique stores server-side
| Data | Stored as |
|---|---|
| Hosts, groups, snippets | Plaintext (non-sensitive metadata) |
| SSH passwords | Encrypted ciphertext |
| SSH private keys | Encrypted ciphertext |
| Wrapped DEK | Encrypted ciphertext (wrapped with your master password key) |
| Salt + verification blob | Stored to enable unlock on new devices |

