Termix is built to run on your own infrastructure, so the security of your data is entirely in your hands. This page explains the protections Termix puts in place by default and the controls available to you as a user or administrator — without assuming any prior knowledge of how each feature works internally.
Data encryption at rest
Every Termix database is stored as an encrypted SQLite file on disk. Even if someone gains access to your server’s filesystem, the database cannot be read without the key used to encrypt it. Within that encrypted database, each user’s sensitive data — including SSH passwords, private keys, TOTP secrets, and OIDC identifiers — is encrypted with a separate key derived from that user’s own password. This means that individual user records are protected independently: no single key unlocks all user data.
For OIDC (single sign-on) users, encryption keys are managed automatically by Termix since those users authenticate via an external provider rather than a local password.
Authentication
JWT sessions
Termix authenticates sessions using JSON Web Tokens stored in secure, httpOnly cookies, which are not accessible to JavaScript running in the page.
Rate limiting
Login attempts are rate-limited to prevent brute-force attacks against local accounts.
Two-factor authentication
Enable TOTP-based 2FA on your account for an additional login requirement beyond your password.
OIDC support
Delegate authentication to an external identity provider using OpenID Connect, including access control rules.
Two-factor authentication (2FA)
When TOTP-based 2FA is enabled on your account, you are asked for a time-based one-time code from your authenticator app at each login. Termix also generates backup codes when you enable 2FA so you can recover access if you lose your authenticator device.
Trusted devices: After entering a valid TOTP code, you can mark a device as trusted. Termix will skip the 2FA prompt for that device until the trust period expires. Trusted devices are tracked per user and can be reviewed or revoked at any time.
Session management
Termix tracks every active login session across all of your devices and clients (browser, desktop, mobile). You can view and revoke any session from your account settings.
Review active sessions
Each session shows the device type, client info, creation time, and last active time.
SSH security
Host key verification
Termix verifies the SSH host key of each server you connect to. If a host key changes unexpectedly — which could indicate a man-in-the-middle attack or a server rebuild — Termix warns you before allowing the connection to proceed.
Encrypted credentials at rest
SSH passwords and private keys saved to Termix hosts or credential sets are encrypted with your user key before being written to the database. They are decrypted in memory only when a connection is being established.
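
The per-user encryption described here and under "Data encryption at rest" can be pictured with the following added example, which is not Termix's own code. It assumes scrypt for key derivation and AES-256-GCM for field encryption (the page names neither), and the function names, record ids and sample values are hypothetical.

```javascript
// Added illustration, not Termix's code. scrypt and AES-256-GCM are assumed choices.
const crypto = require('node:crypto');

// Derive a 256-bit key from a user's password and that user's own random salt.
function deriveUserKey(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Encrypt one field. The record id is bound as AAD so a ciphertext cannot be
// moved to another record without failing authentication.
function sealField(key, recordId, plaintext) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(recordId));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null if the key, record id or ciphertext is wrong.
function openField(key, recordId, { iv, ct, tag }) {
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
    decipher.setAAD(Buffer.from(recordId));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch {
    return null; // GCM authentication tag did not verify
  }
}

// Constructed sample users and secret: one user's key cannot open another's data.
function demo() {
  const alice = { salt: crypto.randomBytes(16), password: 'alice-constructed-pw' };
  const bob = { salt: crypto.randomBytes(16), password: 'bob-constructed-pw' };
  const aliceKey = deriveUserKey(alice.password, alice.salt);
  const bobKey = deriveUserKey(bob.password, bob.salt);
  const sealed = sealField(aliceKey, 'host:1:password', 'constructed-ssh-password');
  return {
    owner: openField(aliceKey, 'host:1:password', sealed),
    otherUser: openField(bobKey, 'host:1:password', sealed),
    wrongRecord: openField(aliceKey, 'host:2:password', sealed),
  };
}
```

Because the key exists only after the user's password is supplied, a copy of the stored rows alone yields `null` for every field in this model.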
OPKSSH (OpenPubkey)
Termix supports OPKSSH, which allows SSH authentication using OpenPubkey-signed certificates. This enables identity-backed SSH access without distributing long-lived SSH keys.