A product by SOMTIK

The secure SSH terminal
for teams

Collaborative vaults, encrypted at rest and self-hosted. Manage every server and network device โ€” even the ones behind NAT โ€” from one place your whole team can share, safely.

TermAR root@core-01:~# uptime 14:22:05 up 87 days, load 0.04 root@core-01:~# _ ๐Ÿ”’ secrets AES-256-GCM ยท session over TLS ยท via jump ๐ŸŒ‰

Security, by design

Every credential your team stores is encrypted before it ever touches disk. Nothing about the way you work should mean trusting a third party with your keys.

๐Ÿ”’

Encrypted at rest

Every password and private key is sealed with AES-256-GCM on your server. Stored secrets are never plaintext.

๐Ÿ›ก๏ธ

Hardened passwords

Account passwords are scrypt-hashed and compared in constant time โ€” never stored, never logged.

๐Ÿ‘ฅ

Role-based access

Grants over companies and folders decide who sees what. Personal vaults stay private to their owner.

๐Ÿ“ฒ

2-step sign-in

Optional Telegram one-time codes at login stop brute-force and stolen-password attacks.

๐Ÿข

Self-hosted

Runs on your infrastructure. Your vaults, sessions and audit log never leave your server.

๐ŸŒ‰

Zero inbound ports

Jump agents dial out and are pinned to a public key โ€” reach private devices without exposing them.

Built for real infrastructure

One place for your whole fleet โ€” servers, routers, switches โ€” shared with the right people.

Shared team vaults

Store an SSH login once as a reusable credential, then attach it to any host. Organize devices in nested folders per company, and grant teammates exactly the access they need.

Encryption you can trust

Secrets are encrypted with AES-256-GCM using a key that lives on your server; passwords are scrypt-hashed. Access is enforced by a role model, so people only ever decrypt what they're allowed to.

youLAN๐ŸŒ‰

Reach anything, safely

Deploy a lightweight jump agent inside a private network. It dials out to your server (no inbound ports, no NAT rules) and the server tunnels your session through it โ€” with the agent identified by a pinned key.

A terminal that keeps up

GPU-accelerated rendering, split panes and broadcast-to-all typing. Colour-highlight the output โ€” mark errors, IPs or any keyword with your own rules and saved profiles so problems jump out at a glance โ€” plus side-by-side diff of two sessions and one-click quick commands.

How your data is protected

๐Ÿ”
Encrypted at rest. Host and vault secrets are sealed with AES-256-GCM before being written to disk. The encryption key is generated and kept on your server; secrets are only decrypted in memory for a user who is authorized to use them.
#๏ธโƒฃ
Passwords never stored. Account passwords are hashed with scrypt and verified with a constant-time comparison, so they can't be recovered from the database or leaked through timing.
๐Ÿงญ
Least-privilege access. A grant model over companies and folders governs visibility and management. Personal vaults are readable only by their owner โ€” not even other admins.
๐Ÿ“ฒ
Optional 2-step login. Turn on Telegram one-time codes to require a second factor at sign-in for linked users โ€” a strong defense against brute force and credential stuffing.
๐ŸŒ‰
Safe remote reach. Jump agents open only outbound connections and authenticate with a pinned public key, so a private network is reachable without exposing it and a leaked enrollment token alone can't impersonate an agent.
๐Ÿข
You hold the keys. TermAR is self-hosted: the server, the encrypted store, the sessions and the connection log all stay on infrastructure you control.