Sync & Security
Learn about Kerminal's multi-device synchronization and security features.
Multi-Device Sync
Kerminal allows you to synchronize your SSH profiles, saved commands, and settings across multiple devices.
Supported Databases
| Database | Description |
|---|---|
| MySQL | Full-featured relational database |
| PostgreSQL | Advanced open-source database |
| MongoDB | NoSQL document database |
Setting Up Sync
- Click the Sync Manager button (Cloud icon) in the top bar
- Choose your database type
- Enter connection details:
  - Host
  - Port
  - Database name
  - Username
  - Password
- Click Test Connection
- Enable sync
Setting Up MongoDB Atlas
Kerminal supports MongoDB Atlas for sync. Map your connection string to the fields:
Connection String Example:
mongodb+srv://user:pass@cluster0.abcde.mongodb.net/?retryWrites=true&w=majority
Enter in Kerminal:
- Protocol: mongodb+srv
- Host: cluster0.abcde.mongodb.net
- Port: 27017 (Default)
- Username: user
- Password: pass
- Options: retryWrites=true&w=majority
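The field mapping above, as an added Node.js example that is not Kerminal's own code: `splitMongoUri` (a hypothetical helper name) splits a single-host connection string into the Sync Manager fields, percent-decodes the credentials, and reports whether TLS is in effect. The second sample URI and its host name are constructed.

```javascript
// Added example: split a single-host MongoDB connection string into the
// Sync Manager fields. splitMongoUri is a hypothetical helper name.
function splitMongoUri(uri) {
  const url = new URL(uri); // throws on malformed input or multi-host seed lists
  const protocol = url.protocol.slice(0, -1); // drop the trailing ":"
  if (protocol !== "mongodb" && protocol !== "mongodb+srv") {
    throw new Error(`not a MongoDB connection string: ${protocol}`);
  }
  // Option names are case-insensitive in MongoDB URIs.
  const opts = new Map(
    [...url.searchParams].map(([k, v]) => [k.toLowerCase(), v.toLowerCase()])
  );
  const tlsOpt = opts.get("tls") ?? opts.get("ssl");
  return {
    protocol,
    host: url.hostname,
    port: url.port === "" ? 27017 : Number(url.port), // 27017 is the default
    database: decodeURIComponent(url.pathname.slice(1)),
    // Credentials are percent-encoded in the URI; the form wants them decoded.
    username: decodeURIComponent(url.username),
    password: decodeURIComponent(url.password),
    options: url.search.slice(1),
    // mongodb+srv turns TLS on unless an option overrides it.
    tls: tlsOpt === undefined ? protocol === "mongodb+srv" : tlsOpt === "true",
  };
}

// Constructed samples: the string from the page, then one with an encoded
// password and TLS switched off (which the Sync Security advice says to avoid).
const atlas = splitMongoUri(
  "mongodb+srv://user:pass@cluster0.abcde.mongodb.net/?retryWrites=true&w=majority"
);
const selfHosted = splitMongoUri(
  "mongodb://sync:p%40ss%3Aw0rd@db.example.internal:27018/kerminal?tls=false"
);
console.log(atlas, selfHosted);
```

A `tls: false` result is the case to catch before enabling sync, since the database credentials would then cross the network in clear text.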
What Gets Synced
- ✅ SSH profiles and groups
- ✅ Saved commands
- ✅ Port forwarding configurations
- ✅ Application settings
- ❌ SSH private keys (never synced)
- ❌ Master password
Sync Behavior
Auto-Sync
Enable automatic synchronization:
- Sync on startup
- Sync on profile changes
- Background sync interval
Manual Sync
Trigger sync manually:
- Click the sync button in status bar
- Use keyboard shortcut
- Sync Manager > Settings > Sync Now
Conflict Resolution
When the same item is modified on multiple devices:
| Strategy | Description |
|---|---|
| Last Write Wins | Most recent change is kept |
| Ask | Prompt user to choose |
| Keep Local | Always prefer local changes |
| Keep Remote | Always prefer remote changes |
Device Management
Manage connected devices:
- Open Sync Manager (Cloud icon)
- Go to the Devices tab
- View all registered devices
- Revoke access for lost/stolen devices
- Rename devices for identification
Security Architecture
Encryption at Rest
All sensitive data is encrypted before storage:
Data → AES-256-GCM Encryption → Encrypted Storage
Protected data includes:
- SSH passwords
- Private key passphrases
- Sync credentials
- Saved command variables
Master Password
The master password is the key to all encrypted data:
- Never stored - only a verification hash is kept
- Cannot be recovered - if forgotten, encrypted data is lost
- Used to derive encryption keys via Argon2
Setting Master Password
- First launch prompts for master password
- Or click Master Password Settings (Shield icon) in the top bar
- Enter a strong password
- Confirm the password
- Optionally store in system keychain
Changing Master Password
- Click Master Password Settings (Shield icon)
- Click Change Master Password
- Enter current password
- Enter new password
- All data is re-encrypted with new key
Key Derivation
Kerminal uses Argon2id for key derivation:
Master Password + Salt → Argon2id → Encryption Key
Argon2 parameters are tuned for security:
- Memory: 64 MB
- Iterations: 3
- Parallelism: 4
Device-Specific Keys
Each device has unique encryption that prevents data access from other devices:
- Device generates unique key pair on first run
- Sync data is encrypted with device-specific key
- Other devices cannot decrypt without proper key exchange
Synced Data Encryption
Data synced to cloud databases is always encrypted:
Local Data → Encrypt with Master Key → Sync to Database
The server never sees unencrypted:
- Passwords
- Private key data
- Sensitive configuration
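The encrypt-before-sync flow above, as an added Node.js example that is not Kerminal's code: one field is sealed with AES-256-GCM under the 32-byte master key, so the database only ever holds nonce, ciphertext and tag. The envelope layout, the function names and the use of the record id as associated data are assumptions; the random key stands in for the Argon2id output described under Key Derivation.

```javascript
const { createCipheriv, createDecipheriv, randomBytes } = require("node:crypto");

// Seal one sensitive field before it leaves the device.
// key: 32-byte master key. recordId is bound as associated data (an
// assumption of this example) so a ciphertext cannot be moved to another record.
function sealField(key, recordId, plaintext) {
  const nonce = randomBytes(12); // 96-bit nonce, fresh for every encryption
  const cipher = createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(Buffer.from(recordId, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // This object is everything the sync database gets to see.
  return {
    id: recordId,
    nonce: nonce.toString("base64"),
    ct: ct.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
  };
}

// Open a synced document; throws if the key is wrong or anything was altered.
function openField(key, doc) {
  const nonce = Buffer.from(doc.nonce, "base64");
  const decipher = createDecipheriv("aes-256-gcm", key, nonce);
  decipher.setAAD(Buffer.from(doc.id, "utf8"));
  decipher.setAuthTag(Buffer.from(doc.tag, "base64"));
  return Buffer.concat([
    decipher.update(Buffer.from(doc.ct, "base64")),
    decipher.final(), // the tag is verified here
  ]).toString("utf8");
}

// True when decryption is refused.
function isRejected(key, doc) {
  try {
    openField(key, doc);
    return false;
  } catch {
    return true;
  }
}

// Constructed sample values.
const masterKey = randomBytes(32); // stand-in for the Argon2id-derived key
const synced = sealField(masterKey, "profile:42", "constructed-ssh-password");
console.log(synced);
console.log(openField(masterKey, synced));
console.log(isRejected(randomBytes(32), synced)); // another key
console.log(isRejected(masterKey, { ...synced, id: "profile:43" })); // moved record
```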
Session Security
Auto-Lock
Automatically lock Kerminal after inactivity:
- Click Master Password Settings (Shield icon)
- Enable Auto-Lock
- Set timeout (e.g., 5 minutes)
- Choose lock behavior:
  - Close all connections
  - Keep connections (lock UI only)
Unlock
When locked, enter your master password to unlock.
Keychain Integration
Store master password in system keychain for auto-unlock:
| Platform | Keychain |
|---|---|
| Windows | Windows Credential Manager |
| macOS | Keychain Access |
| Linux | Secret Service (GNOME Keyring, KWallet) |
Enable auto-unlock:
- Click Master Password Settings (Shield icon)
- Enable Store in Keychain
- Enter master password when prompted
SSH Key Security
Private Key Storage
Private keys are stored with encryption:
Private Key → Encrypt with Device Key → Secure Storage
Key Passphrases
When importing passphrase-protected keys:
- Passphrase can be stored encrypted
- Or prompted each time (more secure)
Never Exported
Private keys are never:
- Synced to cloud
- Exported without explicit action
- Logged or transmitted
Best Practices
Master Password
- Use a strong password (12+ characters, mixed case, numbers, symbols)
- Don't reuse passwords from other services
- Consider a passphrase (easier to remember, still secure)
- Store backup in a secure password manager
Sync Security
- Use TLS/SSL for database connections
- Strong database passwords
- Regular device audit - revoke unknown devices
- Encrypt database backups
Key Management
- Use Ed25519 for new keys (more secure, faster)
- Protect with passphrase
- Different keys for different environments
- Regular rotation (yearly recommended)
General
- Keep Kerminal updated for security patches
- Lock when away from computer
- Review connected devices regularly
- Backup encrypted exports securely
