Security & data

Trusted hosts (known_hosts)

The first connection to a host captures its public-key fingerprint (SHA-256) and stores it after you confirm. Subsequent connections compare the fingerprint — if it ever changes you get a clear alert.

Manage the list in Settings → Security → Trusted hosts — you can remove entries, see the algorithm (Ed25519, RSA, ECDSA…) and the first-seen date.

Where secrets live

Passwords, private keys and passphrases never get serialised into connection JSON. They go straight to the platform's secure store:

• Android — EncryptedSharedPreferences, backed by the hardware Keystore.
• iOS — Keychain (biometry-protected if you enabled it).
• Desktop — AES-256-GCM encrypted file, key derived from the user profile.

Encrypted configuration backup

Settings → Configuration → Export backup creates a password-protected .drterminal file. It contains: connections, groups, trusted hosts, keys, settings. Import backup restores the same bundle — useful when moving between machines.

Format: JSON encrypted with AES-256-GCM, metadata header (version, date). The password is never stored in the file — only used to derive the key (PBKDF2).

Import ~/.ssh/config

On Desktop you can bulk-import hosts from an existing OpenSSH config. The importer parses Host, HostName, User, Port, IdentityFile and ProxyJump entries and adds them as saved connections. Key files referenced by IdentityFile are loaded from disk into SecureStorage.

Log levels

In Settings → Terminal → File log level pick what reaches ~/.dr-terminal/logs/ (Desktop) or the equivalent on mobile. Default: ERROR — minimal noise. For diagnostics switch to DEBUG or TRACE.