Skip to content

The credential vault

TermZ stores connection secrets — passwords, key passphrases, and private keys — in an encrypted local vault. Plaintext secrets are never written to disk.

  • Secrets live in a SQLCipher database, encrypted at rest.
  • The encryption key is derived from your master password with Argon2id — a memory-hard key-derivation function that resists brute-forcing.
  • The database is sealed with authenticated encryption (ChaCha20-Poly1305), so tampering is detectable.

The master password itself is never stored; it only ever exists long enough to derive the key.

The vault holds a library of named credentials that sessions reference. A password lives in exactly one place, so rotating it updates every session that uses it — you never copy a secret into each session.

The vault is entirely local. Nothing is uploaded unless you opt into cross-device sync, which is end-to-end encrypted — the storage bucket only ever sees ciphertext.