Security Architecture
Your servers are your life's work. We built Tapssh with the assumption that your device is the only place your secrets should ever live.
🔑Private Keys Never Leave
When you generate or import an SSH key in Tapssh, it is stored in the iOS Keychain, protected by the Secure Enclave. We do not have a server-side "vault" for your keys. They are never uploaded, never cached in the cloud, and never accessible by us.
// LocalStorage: YES (Encrypted)
// Cloud Sync: NO (Keys excluded)
🛡️Hardware-Level Protection
Tapssh leverages FaceID, TouchID, and the device Passcode to gate access to the Secure Enclave. This means even if someone unlocks your phone, they cannot see your server passwords or use your keys unless they pass a biometric check specifically for Tapssh.
☁️What We Sync (and What We Don't)
Cloud Sync is designed for convenience without compromise. We only sync the metadata of your server connections:
✅ Synced
- • Server Labels (e.g. "Prod DB")
- • IP Addresses & Hostnames
- • SSH Ports & Usernames
❌ NEVER Synced
- • Private SSH Keys (.pem, .key)
- • Server Passwords
- • Personal Identity Data
Questions about our security?
We are open about our architecture. Reach out to our engineering team.
[email protected]