Skip to content

Cross-device sync

TermZ is fully featured on a single machine. Optional Sync keeps your sessions, folders, tags, and credentials in step across devices — end-to-end encrypted, using storage you own.

TermZ’s Cross-device sync settings (Settings → Sync): endpoint, bucket, region, keys, and the enable toggle.

TermZ uploads an encrypted snapshot to any S3-compatible bucket you control. The snapshot is encrypted with a key derived from your master password before it leaves your machine, so the storage provider only ever sees ciphertext. To read it on another device you use the same master password — the key itself never travels.

Any S3-compatible storage works; this guide uses Cloudflare R2 because it’s cheap (generous free tier), fast, and has no egress fees. Snapshots are tiny, so this typically costs nothing.

Part 1 · Create a bucket on Cloudflare R2

Section titled “Part 1 · Create a bucket on Cloudflare R2”
  1. Create an R2 bucket. In the Cloudflare dashboardR2 → Create bucket. Name it something like termz-sync and pick a location. (If you don’t have R2 yet, you’ll be prompted to enable it — the free tier is fine.)

  2. Find your S3 API endpoint. It has the form:

    https://<ACCOUNT-ID>.r2.cloudflarestorage.com

    Your account ID is shown in the R2 overview (and in each bucket’s Settings → S3 API). This is the Endpoint URL TermZ needs.

  3. Create an API token. R2 → Manage R2 API TokensCreate API token:

    • Permission: Object Read & Write
    • Scope it to only your sync bucket (termz-sync) — least privilege.
    • Optionally set a TTL and rotate it periodically.

    On creation you’ll get an Access Key ID and a Secret Access Key. Copy both now — the secret is shown only once.

In TermZ, open Settings → Sync and fill in the fields to match your bucket:

Field Value
Endpoint URL https://<ACCOUNT-ID>.r2.cloudflarestorage.com
Bucket name termz-sync (whatever you named it)
Region auto (correct for R2)
Access key the Access Key ID from Part 1
Secret key the Secret Access Key (stored encrypted in your vault; leave blank later to keep the saved one)
  • Skip local-only sessions — leave this on (default). It excludes local-shell and serial sessions, whose device paths (e.g. COM3, /dev/tty.usbserial-…, /usr/local/bin/zsh) differ per machine and would break elsewhere. Turn it off only if every device uses identical paths.
  • Sync enabled — turn on once the fields above are filled, then Save.
  1. On your first device (the one with your data), click Push now to upload the encrypted snapshot.
  2. On each other device, repeat Part 2 with the same bucket, same credentials, and the same master password, then click Pull now to bring the data down.
  3. After that, use Push after making changes and Pull to pick up changes from another device.
  • Scope the R2 token to only the sync bucket, with Object Read & Write and nothing more.
  • If a device or token is lost or compromised, rotate the R2 token in Cloudflare and update the Secret key in TermZ on your remaining devices.
  • Because everything is encrypted client-side, a leaked bucket or token exposes only ciphertext — but rotating still prevents further writes.