Vault Encryption

This page describes how the Personal vault and Team vaults are encrypted.
Personal Vault
Termius uses a hybrid (public-key plus symmetric) approach for the encryption of the Personal vault. The key steps are:
Termius generates a random key pair during account creation.
Using the key pair, the app generates the user's personal encryption key.
The personal encryption key is used to encrypt all the user's data, such as hosts, groups, and keys.
The private key is encrypted with a key derived from the user's encryption password.
The app syncs the encrypted private key via Termius Cloud to the user's other devices.
Your encryption password always stays with you. It is never stored alongside your data and never sent over the network, so the data in the Personal vault cannot be read by anyone who does not know the encryption password.
If you lose your encryption password, it is not possible to recover the data; Termius cannot reset it, because Termius never holds it.
Team Vaults

Termius uses the same hybrid encryption approach for all Team vaults.
On the Team Member's Side
When a team member joins Termius, the app generates a key pair; it is the same key pair that protects their Personal vault (see above).
The public key of each team member is then shared with the team owner.
On the Team Owner's Side
When a team owner creates a team, the app generates a separate random encryption key for each vault.
The app encrypts each vault encryption key for each member using that member's public key together with the team owner's private key. The resulting MAC ties the encrypted key to the owner's key pair, so a member can later confirm it came from the owner.
The encrypted vault keys are then sent to the team members via Termius Cloud.
On the Team Member's Side
Termius Cloud delivers the encrypted vault keys to every member who has access to those vaults.
The app decrypts the vault keys with the member's private key (kept in their Personal vault) and the team owner's public key, which verifies the MAC. A vault key that was not encrypted by the owner, or that was modified in transit, fails this check and is rejected.
Technical details
Termius uses libsodium 1.0.17 with a custom C++ binding on iOS, Android, and desktop. It uses the following libsodium APIs:
For public-key encryption: crypto_box_keypair, crypto_box_easy, and crypto_box_open_easy (X25519 key exchange, XSalsa20 stream cipher, and Poly1305 MAC).
For secret-key encryption: crypto_secretbox_keygen, crypto_secretbox_easy, and crypto_secretbox_open_easy (XSalsa20 stream cipher and Poly1305 MAC).
For password hashing: crypto_pwhash with crypto_pwhash_OPSLIMIT_INTERACTIVE, crypto_pwhash_MEMLIMIT_INTERACTIVE, and crypto_pwhash_ALG_ARGON2ID13 (Argon2id).
For generating nonces: randombytes_buf. Both crypto_box_easy and crypto_secretbox_easy require a fresh 24-byte nonce for every message encrypted under the same key.
Termius uses the SRP implementation from Botan 2.14.0 with a custom C++ binding on iOS, Android, and desktop, and gRPC over TLS as the transport for the SRP protocol.
The encryption key and key pair are stored on devices, namely in:
iOS: Keychain.
Android: shared preferences, encrypted by a key stored in Android Keystore.
Desktop: Electron IndexedDB, encrypted by a key stored in the OS keychain when one is available, with localStorage as a fallback (the fallback gives the key no OS-level protection beyond file permissions on the profile directory).
Please email us at security@termius.com if you have any security concerns.