Security at JumpTerm
We built JumpTerm with the assumption that our own servers could be compromised. Your data remains safe regardless.
End-to-End Encryption
Every piece of sensitive data in your vault is encrypted on your device before it ever leaves. This includes SSH connection details, private keys, passwords, TOTP secrets, and snippets. The encryption happens in-process using well-audited cryptographic libraries, and only ciphertext is transmitted to our sync servers.
We use XChaCha20-Poly1305 as our symmetric encryption algorithm. It provides authenticated encryption with a 256-bit key and a 192-bit (24-byte) nonce. A nonce that large can be generated randomly for every message with no practical chance of repeating one, which is what rules out the nonce-reuse failure mode of shorter-nonce AEADs even at high volumes. Each vault item is encrypted under its own fresh nonce, and the Poly1305 tag means any modification of the ciphertext is detected before decryption returns any data.
Zero-Knowledge Server
Our servers never have access to your encryption keys or plaintext data. The server stores and relays encrypted blobs between your devices, but it cannot decrypt them. Even our database backups contain only ciphertext.
Authentication to the server uses a separate credential from your vault passphrase. Your vault passphrase is never sent to the server in any form -- it is used only locally to derive your encryption key.
Key Derivation
Your passphrase is turned into a key-encryption key using Argon2id, a variant of Argon2, the winner of the Password Hashing Competition. We use memory-hard parameters (64 MB of memory, 3 iterations, parallelism 4) so that brute-force guessing stays expensive even on GPUs and other specialized hardware.
A unique salt is generated per vault and stored alongside the encrypted data. The vault master key is not itself derived from your passphrase: it is stored only in encrypted (wrapped) form under the passphrase-derived key, and the vault items are encrypted under the master key. Changing your passphrase therefore re-derives the key-encryption key and re-encrypts only the wrapped master key, without re-encrypting every item individually.
Passphrase + Salt
|
v
Argon2id (m=65536, t=3, p=4)
|
v
Key-Encryption Key (256-bit)
|
v
Decrypt stored (wrapped) Master Key
|
v
Master Key (256-bit)
|
v
XChaCha20-Poly1305
|
v
Encrypted Vault Items
Device Verification
Each device generates its own X25519 key pair when it is first set up; only the public half ever leaves the device. When you add a new device, you verify it from an existing trusted device by comparing a short verification code shown on both screens. Comparing that code yourself, rather than trusting the server to relay the right key, is what ensures the exchange is with the device you intended and not with a substituted public key. Once verified, the existing device encrypts the vault master key under a key agreed with the new device via X25519, and the server only ever relays that ciphertext.
You can view all authorized devices in your device management dashboard and revoke access at any time. Revoking a device rotates the vault master key and re-encrypts the key material for the remaining devices, so the revoked device can no longer decrypt new vault updates. Rotation protects what is synced after revocation; anything the device had already decrypted while it was trusted should be assumed to be in the hands of whoever holds it, so rotate any credentials a lost device may have exposed.
What is encrypted
Encrypted (E2EE)
- SSH connection details (host, port, username)
- Private keys and passwords
- TOTP / 2FA secrets
- Snippets and commands
- Port-forward configurations
- Connection notes and tags
- Shared vault contents
Not encrypted (server-visible)
- Your email address (for account login)
- Device names and public keys
- Vault item count and sizes (ciphertext lengths reveal the approximate length of each item, not its contents)
- Timestamps of sync events
- Billing and subscription status
Security Bug Bounty
We believe in responsible disclosure and reward researchers who help us improve our security. If you find a vulnerability in JumpTerm, please report it to our security team.
Bounties range from $100 to $5,000 depending on severity. We aim to respond within 48 hours.