Vault Setup

Configure your encrypted vault, set a strong passphrase, and understand how your data is protected.

What is the Vault?

The vault is JumpTerm's encrypted container for all your sensitive data. It holds your SSH connection profiles, private keys, passwords, TOTP secrets, snippets, and port-forward configurations. Everything in the vault is encrypted on your device using XChaCha20-Poly1305 before being synced to the cloud.

Choosing a Passphrase

Your vault passphrase is used to derive the encryption key via Argon2id. Choose a strong, unique passphrase that you can remember. We recommend a passphrase of at least 4-5 random words. Avoid reusing passwords from other services.

JumpTerm does not enforce specific passphrase rules, but the app will display an estimated strength indicator. Remember: if you lose your passphrase and have no authorized devices, your data is unrecoverable by design.

Vault Locking

Your vault locks automatically after a configurable period of inactivity (default: 15 minutes). You can also lock it manually from the app menu or with Cmd+L / Ctrl+L. When locked, all decrypted data is cleared from memory.

On mobile devices, the vault locks when the app moves to the background. You can configure biometric unlock (Face ID, Touch ID, or fingerprint) for convenience -- biometric auth unlocks a locally stored key, it does not replace your passphrase.

Changing Your Passphrase

You can change your vault passphrase at any time from Settings > Security > Change Passphrase. This re-derives the encryption key and re-wraps the vault master key. Your vault items are not individually re-encrypted because they are encrypted with the master key, which remains the same -- only its protective wrapper changes.