Handbook

TermZ documentation

Everything the app can do, in one place — from your first connection to plugins, logging, and keyboard shortcuts.

TermZ is a native terminal and connection manager for SSH, Telnet, serial, raw TCP, and local shells, with an encrypted credential vault, saved sessions, split panes, SFTP, and session logging. This handbook walks through every part of it. New here? Start with Install & first launch.

Install & first launch

Download the installer for your platform from the downloads page — a .dmg on macOS, an .exe or .msi on Windows, or an .AppImage/.deb/.rpm on Linux. Installers are small and native; there is no Electron runtime and no account to create.

Current builds are unsigned, so your OS asks you to confirm on the first launch only:

  • macOS — right-click TermZ in Applications → Open → Open, or run xattr -dr com.apple.quarantine /Applications/TermZ.app once.
  • Windows — at the SmartScreen prompt, choose More info → Run anyway.

Every release ships a .sha256 next to each installer so you can verify the download is intact. See the downloads page for the exact command.

Set up the vault

TermZ stores connection secrets — passwords, key passphrases, and private keys — in an encrypted local vault. The first time you save something sensitive, you'll set a master password. That password derives the key that unlocks the vault; it is never stored, so choose something you'll remember and keep a backup of it.

You can use TermZ without saving any secrets at all (type credentials each time), but the vault is what makes saved sessions one-click. See Credential vault for how the encryption works.

Your first connection

  1. Open a new session (the terminal icon in the activity rail, or ⌘/Ctrl+K → “New session”).
  2. Pick SSH, enter the host and username, and choose an auth method (password, key file, or a saved credential).
  3. On first connect to a new host you'll be asked to trust its host key — this is the TOFU prompt (see Host-key pinning). Confirm the fingerprint, accept, and you're in.
  4. Save the session so it's one click next time (see Saving sessions).

Saving sessions

A saved session remembers the host, port, protocol, username, auth choice, and any per-session options (key exchange, logging, notes). Saved sessions appear in the sidebar and open with a single click or from the command bar.

Credentials are stored by reference, not copied into each session — a session points at a named credential in the vault, so rotating a password in one place updates every session that uses it. Editing a session never exposes the stored secret.

Folders, tags & equipment types

With hundreds of saved hosts, organization matters. TermZ gives you three orthogonal ways to sort:

  • Folders — a familiar tree for grouping by site, customer, or environment.
  • Tags — lightweight labels a session can have many of (e.g. prod, core, dc-east), great for cross-cutting filters.
  • Equipment types — classify a host by device kind (router, switch, firewall, server…), each with its own icon, so the sidebar is scannable at a glance. You can add custom types.

Bulk operations let you move, tag, or retag many sessions at once — handy when importing an inventory.

Tabs, panes & views

Sessions open in tabs, and any tab can be split into multiple panes so you can watch several hosts side by side. Drag a tab into a pane edge to split; drag it out to reorganize.

A view saves an entire layout — which sessions are open and how the panes are arranged — so you can restore a working set (say, “evening change window”) in one action.

SSH

TermZ speaks modern SSH with sensible legacy fallbacks for older network gear. Authentication options:

  • Password — typed each time, or saved as a named credential in the vault.
  • Private key — point at a key file; encrypted keys prompt for (or store) the passphrase.
  • Stored credential — reuse a vault credential across many sessions.

Key exchange, ciphers, and host-key algorithms are negotiated automatically but can be controlled per session for legacy devices — see Key exchange. Every new host goes through host-key pinning.

Telnet, serial & raw TCP

Beyond SSH, TermZ connects to the gear that doesn't:

  • Telnet — for legacy devices and consoles. Unencrypted; TermZ flags that clearly in the connect form.
  • Serial — console-cable access to switches, routers, and embedded devices. Pick the port and baud/parity/stop-bit settings.
  • Raw TCP — open a bare socket to any host/port (terminal servers, custom services).

Telnet and raw sockets have no encryption or server identity. Use them only on trusted networks — TermZ shows the warning so the choice is deliberate.

Local shell

TermZ also runs your local shell in a fast, true-color (24-bit) WebGL terminal, so it doubles as your everyday terminal emulator — same tabs, panes, logging, and themes as your remote sessions.

The credential vault

Secrets live in a SQLCipher database encrypted at rest. The encryption key is derived from your master password with Argon2id (a memory-hard KDF that resists brute-forcing), and the database is sealed with authenticated encryption (ChaCha20-Poly1305). Plaintext secrets are never written to disk.

The vault holds a library of named credentials that sessions reference, so a password lives in exactly one place. Nothing leaves your machine unless you opt into cross-device sync, which is end-to-end encrypted.

App lock

You can require the master password to open the app itself (a configuration lock, SecureCRT-style). When enabled, TermZ shows a lock screen on launch and the rest of the app never mounts behind it. Changing the master password transparently re-keys the encrypted database — your saved data is preserved.

Host-key pinning (TOFU)

TermZ uses trust-on-first-use: the first time you connect to a host, it records the server's host-key fingerprint. On every later connection it checks that the key still matches. If a key changes, TermZ hard-blocks the connection and warns you — that's the signature of a man-in-the-middle or a rebuilt host, and it's your call whether to re-trust.

Every trust decision you make is written to an append-only audit log, so there's a durable record of what you accepted and when.
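
A minimal sketch of the trust-on-first-use flow described above, added here as an example and not TermZ's own code. Pinning by host:port, the OpenSSH-style SHA256 fingerprint format, the event names, and the PinStore and HostKeyChanged names are assumptions; the key blobs are constructed.

```python
import base64
import hashlib
import json
import time

def fingerprint(host_key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(host_key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

class HostKeyChanged(Exception):
    """A pinned host presented a different key; the connection must not proceed."""

class PinStore:
    def __init__(self):
        self.pins = {}    # "host:port" -> pinned fingerprint (assumed keying)
        self.audit = []   # append-only JSON lines; a file opened in "a" mode in practice

    def _log(self, event, endpoint, fp):
        self.audit.append(json.dumps(
            {"ts": int(time.time()), "event": event, "endpoint": endpoint, "fingerprint": fp}))

    def check(self, host, port, key_blob, user_accepts=lambda fp: False):
        endpoint, fp = f"{host}:{port}", fingerprint(key_blob)
        pinned = self.pins.get(endpoint)
        if pinned is None:                      # first use: prompt, then pin
            if not user_accepts(fp):            # default is deny
                self._log("rejected", endpoint, fp)
                return False
            self.pins[endpoint] = fp
            self._log("trusted", endpoint, fp)
            return True
        if pinned != fp:                        # changed key: hard block, pin untouched
            self._log("mismatch-blocked", endpoint, fp)
            raise HostKeyChanged(f"{endpoint}: pinned {pinned}, got {fp}")
        return True                             # known host, key matches

    def retrust(self, host, port, key_blob):
        """Explicit user action after a mismatch; replaces the pin and records it."""
        endpoint, fp = f"{host}:{port}", fingerprint(key_blob)
        self.pins[endpoint] = fp
        self._log("re-trusted", endpoint, fp)

# Constructed sample key blobs (not real host keys).
KEY_A = b"constructed-host-key-A"
KEY_B = b"constructed-host-key-B"
```

A mismatch never overwrites the pin on its own: the old fingerprint stays in place until retrust is called, and both the block and the re-trust leave an audit entry.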

Key exchange & algorithms

Modern negotiation by default — Curve25519, ECDH P-256/384/521, and DH group14/16 — with legacy fallbacks available for older switches and routers that haven't been updated. You can control the offered algorithms per session, so you can reach old gear without weakening security everywhere else.

Output masking

Mask rules let you define patterns (regular expressions) that are redacted from session logs — passwords echoed during a config push, SNMP communities, keys, and the like. The live terminal still shows everything; the masking applies to what's written to disk, so transcripts are safe to keep and share.

SFTP transfers

On an SSH session you can open an SFTP panel to browse the remote filesystem and move files both directions — upload, download, make directories, rename, and delete — over the same authenticated connection. No separate login required.

Session logging

Any session can log its transcript to disk. Logging is configurable:

  • Path templates — build the log path from variables like the session name, host, and date, so logs file themselves automatically.
  • Clean transcripts — control-sequence noise is stripped so logs are readable text.
  • Per-line timestamps — optional, for audit trails.
  • Masking — apply mask rules so secrets never hit disk.

A built-in log viewer reads your transcripts (including gzip-compressed ones) and is searchable — see Search.
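
How output masking and clean transcripts fit together on the logging path, as an added example that is not TermZ's code: control sequences are stripped before the mask rules run, and partial lines are buffered so a secret split across two reads is still redacted. The rule patterns, the TranscriptLogger name, and the sample device output are assumptions constructed for illustration.

```python
import re

# Hypothetical mask rules; the page says rules are regular expressions
# but does not show TermZ's rule syntax.
MASK_RULES = [
    re.compile(r"(?i)\b(password|secret)\s+.+"),
    re.compile(r"(?i)\b(snmp-server community)\s+.+"),
]
# CSI sequences (colors, cursor moves), OSC sequences (titles), other two-byte escapes.
CONTROL = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)|\x1b[@-Z\\-_]")

class TranscriptLogger:
    def __init__(self, sink, clock=None):
        self.sink = sink      # list standing in for the log file
        self.clock = clock    # optional callable returning a timestamp string
        self.pending = ""     # partial line carried across reads

    def feed(self, chunk: str):
        """Accept a copy of raw terminal output; write only complete lines."""
        self.pending += chunk
        *lines, self.pending = self.pending.split("\n")
        for line in lines:
            self._write(line)

    def close(self):
        """Flush a trailing line that never received its newline."""
        if self.pending:
            self._write(self.pending)
            self.pending = ""

    def _write(self, line):
        # Clean first, so an escape sequence inside a keyword cannot hide it from a rule.
        line = CONTROL.sub("", line).rstrip("\r")
        for rule in MASK_RULES:
            line = rule.sub(lambda m: m.group(1) + " ********", line)
        if self.clock:
            line = f"[{self.clock()}] {line}"
        self.sink.append(line)
```

The live terminal is fed from the same byte stream before this logger sees it, so masking changes only what reaches disk.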

Command bar & search

Press ⌘/Ctrl+K to open the command bar — a quick switcher for jumping to any saved session, view, or action without reaching for the mouse.

Search (across sessions and logs) understands a simple filter syntax you can combine:

Filter    Matches
user:     sessions with that username
port:     a specific port
tag:      a tag label
type:     an equipment type

Plain words match names and hosts; combine filters to narrow quickly (e.g. tag:prod type:switch).

Snippets

Save frequently-used commands or config blocks as snippets and send them into a session on demand — useful for show commands, health checks, or a standard change preamble you run on every device.

Keyboard shortcuts

TermZ is built to drive from the keyboard. The essentials:

Action                                    Shortcut
Open the command bar / quick switcher     ⌘/Ctrl+K
New session                               command bar → “New session”
Toggle light / dark theme                 from the theme menu

The command bar lists every available action with its current shortcut — it's the fastest way to discover and trigger anything.

Themes & highlighting

TermZ ships light and dark themes and a theme editor for building your own; you can import themes too. Everything — chrome, terminal, and the mockup — retints together.

Keyword highlighting lets you colorize matching text in the terminal (error/warn keywords, interface names, your own patterns). Highlights are theme-aware, so they stay legible when you switch palettes.

The plugin store

TermZ has an in-app plugin store (the button on the plugin dock). Browse official plugins, search and sort, and install in a click. Plugins run in a sandboxed frame and can only do what you grant them.

You can also install an unofficial plugin from a manifest URL at the bottom of the store — these aren't reviewed or signed by TermZ, so the app warns you and requires confirmation before installing.

Plugin trust & capabilities

Two things keep plugins safe, and they're independent:

  • Trust tier — official plugins are cryptographically signed by the project (an Ed25519 signature verified against a key embedded in the app); community plugins are unsigned and install behind a warning. The badge tells you which.
  • Capabilities — every plugin declares exactly what it needs (list sessions, modify sessions, its own storage…), and you approve each grant. A plugin can never do more than you've allowed, regardless of its trust tier.

A plugin's working surface lives in a draggable, resizable dock “plugged in” to the app — expand it for text-heavy plugins.

Cross-device sync (Paid · coming soon)

The free app is fully featured on a single machine. Optional Sync adds end-to-end encrypted synchronization of your sessions, folders, tags, and themes across devices — zero-knowledge, so the service never sees your secrets. See pricing.

Updating

TermZ checks for new versions on launch and shows a banner when one is available, with a link to download it. Updates are never forced silently; you choose when to install. If a release ever drops support for very old versions, the app tells you clearly.

FAQ

Is the app really free?

Yes — the full TermZ app is free and Apache-2.0 licensed. Optional paid plans only add cloud services like sync.

Why does my OS warn me on first launch?

Builds aren't code-signed yet, so macOS and Windows ask you to confirm once. See Install & first launch for the one-time step; signing will remove it in a future release.

Where are my passwords stored?

In an encrypted local vault on your machine (see The credential vault) — never in plaintext, and never uploaded unless you turn on sync.

Can I use it as my everyday terminal?

Yes — the local shell runs in the same fast terminal as remote sessions.

Getting help

Questions, bugs, or feature ideas? Email admin@termz.app. Pro Support adds priority help and early access to new features.

Security issues should be reported privately to admin@termz.app — please don't disclose them publicly.

Ready to try it?

Download TermZ and have your first session running in under a minute.
