The credential vault
TermZ stores connection secrets — passwords, key passphrases, and private keys — in an encrypted local vault. Plaintext secrets are never written to disk.
How the encryption works
Section titled “How the encryption works”- Secrets live in a SQLCipher database, encrypted at rest.
- The encryption key is derived from your master password with Argon2id — a memory-hard key-derivation function that resists brute-forcing.
- The database is sealed with authenticated encryption (ChaCha20-Poly1305), so tampering is detectable.
The master password itself is never stored; it only ever exists long enough to derive the key.
Named credentials, referenced by sessions
Section titled “Named credentials, referenced by sessions”The vault holds a library of named credentials that sessions reference. A password lives in exactly one place, so rotating it updates every session that uses it — you never copy a secret into each session.
Nothing leaves your machine
Section titled “Nothing leaves your machine”The vault is entirely local. Nothing is uploaded unless you opt into cross-device sync, which is end-to-end encrypted — the storage bucket only ever sees ciphertext.
