Zero-Knowledge Encrypted SSH Client
Secure, self-hosted, cross-platform terminal and SFTP manager
SSHVault is a cross-platform SSH terminal and SFTP file manager that encrypts all data client-side before syncing. The server never sees your plaintext credentials, keys, or session data.
| Feature | Description |
|---|---|
| SSH Terminal | Split view, tabs, multiple simultaneous sessions, xterm-256color emulation |
| SFTP File Manager | Browse, transfer, rename, chmod, symlinks, archive extraction, bookmarks |
| Zero-Knowledge Encryption | AES-256-GCM with Argon2id key derivation |
| Host Key Verification | Trust On First Use (TOFU) with known hosts management |
| SSH Key Management | Ed25519, RSA, ECDSA key generation and import |
| SSH Config Import | Import hosts and keys from ~/.ssh/config on desktop |
| Jump Hosts | ProxyJump support for multi-hop connections |
| Proxy Support | SOCKS5 and HTTP CONNECT, global or per-server configuration |
| Code Snippets | Save and organize frequently used commands |
| Server Organization | Folders, tags, color codes, icons, search and filtering |
| Post-Connect Commands | Auto-run commands after connection |
| Biometric Lock | Fingerprint/Face ID with PIN fallback and duress PIN |
| Cross-Device Sync | End-to-end encrypted via self-hosted backend |
| Keep-Alive & Timeouts | Configurable keep-alive interval and connection timeout |
| SSH Compression | Optional compression toggle for slow connections |
| Export & Import | Full backup and restore of all data |
| No Tracking | No analytics, no telemetry, no ads, no in-app purchases |
| Platform | Status |
|---|---|
| Android | Supported |
| iOS / iPadOS | Supported |
| macOS | Supported |
| Linux | Supported (Flatpak) |
| Windows | Supported |
Add the Kiefer Networks F-Droid repository to your F-Droid client:
https://fdroid.kiefer-networks.de/fdroid/repo/
You can install SSHVault directly from GitHub releases using Obtainium:
- Open Obtainium and tap Add App
- Enter the source URL:
https://github.com/Kiefer-Networks/sshvault - Set Release asset filter to
arm64-v8a(or your architecture) - Tap Add — Obtainium will track new releases and notify you of updates
| Layer | Implementation |
|---|---|
| Encryption | AES-256-GCM, 12-byte counter nonces |
| Key Derivation | Argon2id (256 MiB, 3 iterations, p=1) |
| SSH Transport | CSPRNG padding, SHA-256 fingerprints, constant-time MAC |
| Server Attestation | Ed25519 TOFU key pinning (official + self-hosted) |
| DNS | DNS-over-HTTPS with multi-provider cross-verification |
| Storage | Platform keychain (Keystore / Keychain / libsecret / DPAPI) |
| PIN | Argon2id hashed, brute-force lockout, duress wipe |
| Server | Response padding, timing equalization, PoW challenges |
Weak algorithms (DH-group1, CBC ciphers, HMAC-MD5/SHA1, ssh-rsa) are excluded from default negotiation.
- Client: Flutter 3.11+ / Dart 3.11+
- Backend: sshvault-server — Go 1.26+, PostgreSQL 16+, chi router
- State Management: Riverpod (no setState)
- Local Database: Drift (SQLite) + Platform Secure Storage
- Routing: go_router (declarative)
- SSH: dartssh2 (hardened fork)
- Design: Material 3 on all platforms
Clean Architecture with feature-based folder structure. Structured logging only.
- Flutter SDK 3.11+ (install guide)
- Android SDK with
minSdk 33(Android 13+) - Java 17+ (for Android builds)
- For Linux:
sudo dnf install libsecret-devel(Fedora) orsudo apt install libsecret-1-dev(Debian/Ubuntu)
git clone https://github.com/Kiefer-Networks/sshvault.git
cd sshvaultflutter pub get
dart run build_runner build --delete-conflicting-outputs
flutter gen-l10n# Per-ABI builds (~30 MB each, recommended)
flutter build apk --release --split-per-abi
# Universal build (~80 MB, all architectures)
flutter build apk --releasePer-ABI APKs will be at build/app/outputs/flutter-apk/app-{arm64-v8a,armeabi-v7a,x86_64}-release.apk.
flutter build appbundle --releaseflutter build ipa --release # iOS
flutter build linux --release # Linux
flutter build macos --release # macOS
flutter build windows --release # Windowsflutter testThe self-hosted backend handles encrypted vault sync and authentication. It never processes plaintext user data.
See sshvault-server for setup instructions.
Available in 28 languages:
Arabic, Chinese, Czech, Danish, Dutch, English, Finnish, French, German, Greek, Hebrew, Hindi, Hungarian, Indonesian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese, Romanian, Russian, Spanish, Swedish, Thai, Turkish, Ukrainian, Vietnamese
Translation files are in lib/l10n/.
If you find SSHVault useful, consider supporting development:
Copyright (C) 2024-2026 Kiefer Networks
This program is licensed under the GNU Affero General Public License v3.0.
The bundled dartssh2 fork (packages/dartssh2/) is licensed under the MIT License.