Security & data

Trusted hosts (known_hosts)

The first connection to a host captures its public-key fingerprint (SHA-256) and stores it after you confirm. Subsequent connections compare the fingerprint — if it ever changes you get a clear alert.

Manage the list in Settings → Security → Trusted hosts — you can remove entries, see the algorithm (Ed25519, RSA, ECDSA…) and the first-seen date.

How the connection is protected

DR-Terminal uses its own SSH implementation, hardened against active attackers and hostile servers:

These protections are on automatically. You only interact with them through the trusted-hosts prompt above.

Exported keys

When you convert or export a private key (SSH keys → Convert) and set a passphrase, the encryption uses a strong key-derivation function chosen per format — bcrypt for OpenSSH, PBKDF2 for PKCS#8, Argon2id for PuTTY PPK v3 — and every salt and IV comes from a cryptographically secure random generator. The converter reads and writes OpenSSH, PKCS#8, PKCS#1 and PuTTY PPK (v2/v3), from both PEM and binary DER.

Where secrets live

Passwords, private keys and passphrases never get serialised into connection JSON. They go straight to the platform's secure store:

Encrypted configuration backup

Settings → Configuration → Export backup creates a password-protected .drterminal file. It contains: connections, groups, trusted hosts, keys, settings. Import backup restores the same bundle — useful when moving between machines.

Format: JSON encrypted with AES-256-GCM, metadata header (version, date). The password is never stored in the file — only used to derive the key (PBKDF2).

Import ~/.ssh/config

On Desktop you can bulk-import hosts from an existing OpenSSH config. The importer parses Host, HostName, User, Port, IdentityFile and ProxyJump entries and adds them as saved connections. Key files referenced by IdentityFile are loaded from disk into SecureStorage.

Log levels

In Settings → Terminal → File log level pick what reaches ~/.dr-terminal/logs/ (Desktop) or the equivalent on mobile. Default: ERROR — minimal noise. For diagnostics switch to DEBUG or TRACE.

Previous
Desktop CLI
Next
Settings & platforms