Skip to main content
TerminalSync
ESEN
TerminalSyncBack to home

Security

How we protect the data you sync with TerminalSync, what architecture we use, and how to report vulnerabilities.

Last updated: May 4, 2026

1. Zero-knowledge model

TerminalSync is designed so that we can never access the content you sync. Everything is encrypted locally on your Mac before leaving.

  • Algorithm: AES-256-GCM (Galois/Counter Mode), a standard authenticated symmetric cipher. Random 96-bit nonce per file.
  • Master key: 256-bit, generated locally the first time you open the app. Persisted in the OS keychain (macOS Keychain). Never touches plain disk.
  • Optional passphrase: the master key can be wrapped with your passphrase using Argon2id (m=19MiB, t=2, p=1). Without the passphrase, there is no unlock path.

2. Your cloud, not ours

Encrypted files travel to the storage provider you pick: Google Drive, iCloud Drive, or Dropbox. TerminalSync does not operate storage servers. Content never passes through our infrastructure.

If you want to switch providers, just configure it in the app — files are re-uploaded encrypted to the new destination.

3. Secrets vault

API keys, credentials, and sensitive secrets that live in .env files within synced folders can be marked as vault and get an additional encryption layer independent of the master key. Per-folder lock/unlock with one click.

4. Third-party API keys (Claude, OpenAI)

When you connect Claude Code or Codex, the API keys are stored in the OS Keychain, NEVER on plain disk or in JSON files. The configuration uses apiKeyHelper which reads them on-demand at call time.

5. Transport

All communication with our services uses TLS 1.3. HSTS preload active (max-age=63072000; includeSubDomains; preload). No downgrades, no cleartext.

6. HTTP headers

The site implements the following defensive headers:

  • Strict Content-Security-Policy (own origin + explicitly allowed domains)
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: camera, microphone, geolocation disabled
  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Strict-Transport-Security with preload

7. Vulnerability reporting

If you've found a vulnerability, email security@terminalsync.ai with details. We reply within 48 business hours.

We ask for responsible disclosure: give us ≥90 days to patch before making the detail public. Researchers are credited in the security advisory.

8. Future audit

The crypto engine will be publicly auditable. We're working on open-sourcing the crypto module so any expert can verify the claims on this page.

9. Contact

For security matters: security@terminalsync.ai. PGP key available upon request.