SSH keys and certificates
This page describes how to manage SSH keys and certificates in Termius, including FIDO2 hardware keys and biometric keys.
Overview
Termius Keychain lets you generate, store, and organize credentials such as usernames, passwords, SSH keys, and certificates. It helps you avoid duplication and manage credentials across multiple servers.
For SSH keys in particular, Termius can:
Import SSH keys and certificates
Generate SSH keys, FIDO2 keys, and Biometric keys
Provide a convenient way to export the public keys to the authorized_keys file on your servers
SSH keys
Termius allows you to import your existing SSH keys and generate a new one using a built-in SSH key generator.
Generate SSH keys
Termius can generate Ed25519, ECDSA, RSA, and ML-DSA keys.
To generate SSH keys on the desktop:
Navigate to the Keychain screen and select Generate Key at the key drop-down
Specify a name for the key in the Label field and choose the Key type
For extra security, set a passphrase. Turn on Save passphrase to avoid passphrase prompts when you connect.
Click Generate & save
To generate SSH keys on iOS:
Tap the back arrow button < to open the Vaults screen, then open the Keychain screen
Tap the + button and select Generate Key in the context menu
Specify the key Label and choose the Key type
For extra security, set a passphrase. Turn on Save passphrase to avoid passphrase prompts when you connect.
Tap the Save button
To generate SSH keys on Android:
Tap < All vaults to open the Vaults screen, then open the Keychain screen
Tap the + button and select New SSH Key in the context menu
Select Generate new SSH Key
Specify the key Name and choose the Key type
For extra security, set a passphrase. Turn on Save passphrase to avoid passphrase prompts when you connect.
Tap the Generate button
Import SSH keys
Termius can import SSH keys from a file or by pasting a private key from the clipboard.
Paste a key on the desktop
Navigate to the Keychain and click Key
Paste your private key from the clipboard
Specify a name for the key in the Label field. The key will be auto-saved
Import from a file on the desktop
Navigate to the Keychain and click Key
Drag and drop your key file or click Import from key file
Specify a name for the key in the Label field. Termius auto-saves the key
If your key is protected with a passphrase, you can specify it in the corresponding field. Otherwise, you will be prompted for a passphrase on every connection.
Paste a key on iOS
Tap the back arrow button < to open the Vaults screen, then open the Keychain screen
Tap the + button and select Paste key in the context menu
Paste your private key from the clipboard and specify a name for the key in the Label field
Save the key
Import from a file
Tap the back arrow button < to open the Vaults screen, then open the Keychain screen
Tap the + button and select Import key in the context menu
Select your key file
Save the key
If your key is protected with a passphrase, you can specify it in the corresponding field. Otherwise, you will be prompted for a passphrase on every connection.
Paste a key on Android
Tap < All vaults to open the Vaults screen, then open the Keychain screen
Tap the + button and select New SSH Key in the context menu
Select Paste SSH key. Termius tries to paste a key automatically. If you have no private key in your clipboard, copy and paste it into the corresponding field
Tap Validate the private key
Specify the Name of the key
Tap ✓ to save the key
Import from a file on Android
Tap < All vaults to open the Vaults screen, then open the Keychain screen
Tap the + button and select New SSH Key in the context menu
Select Import SSH key from file
Select a key from the filesystem
Tap Validate the private key
Specify the Name of the key
Click ✓ to save the key
If your key is protected with a passphrase, you can specify it in the corresponding field. Otherwise, you will be prompted for a passphrase on every connection.
Export an SSH key to a server
Termius provides a convenient way to export SSH keys to your servers. When you export a key, its public portion is added to the authorized_keys file on your server.
Upon successful export, the key is linked to the corresponding host in Termius, allowing you to connect with one click.
If you want to link keys to your hosts manually, see SSH with an SSH key.
To export SSH keys to a server on the desktop:
Navigate to the Keychain and right-click a key you'd like to export, then click Export to host in the context menu
Click Select Host and select the host you want the public key to be exported to
If your authorized keys are stored in a custom directory, update the folder path in the Location field and specify the authorized keys file using the Filename field
Click Export and Attach
To export SSH keys to a server on iOS:
Tap the back arrow button < to open the Vaults screen, then open the Keychain screen
Tap the key you want to export, then select the host you want the public key to be exported to
If your authorized keys are stored in a custom directory, update the folder path in the Location field and specify the file containing the authorized keys
Tap Export
To export SSH keys to a server on Android:
Tap < All vaults to open the Vaults screen, then open the Keychain screen
Tap the key you want to export and select Export to… in the context menu
Select a host from the list
If your authorized keys are stored in a custom directory, update the folder path in the SSH Keys location field and specify the File containing public keys
Tap Export
SSH certificates
To authenticate with an SSH certificate, you need both a private key and a corresponding certificate. Typically, these are stored as two separate files on your file system. Termius stores certificates as part of the SSH key since they won't work without each other.
Import SSH Certificate
To import an SSH certificate on the desktop:
Navigate to the Keychain and click Certificate
Paste your private key and certificate into the corresponding fields
Termius auto-saves them
To import an SSH certificate on iOS:
Tap the back arrow button < to open the Vaults screen, then open the Keychain screen
Tap the + button and select Paste Key in the context menu
Paste your private key and certificate into the corresponding fields
Save the key with the certificate
Paste a certificate
Tap < All vaults to open the Vaults screen, then open the Keychain screen
Tap the + button and select New certificate in the context menu
Select Paste certificate. Termius tries to paste a certificate automatically. If you have no certificate in your clipboard, copy and paste it into the corresponding field
Once a certificate is added, tap Add private key, then select Paste. Termius tries to paste a private key automatically. If you have no private key in your clipboard, copy and paste it into the corresponding field
Tap ✓ to save the key with the certificate
Import from a file
Tap < All vaults to open the Vaults screen, then open the Keychain screen
Tap the + button and select New certificate in the context menu
Select Import certificate from file
Select a certificate from the filesystem
Once a certificate is added, tap Add private key, then select Import from file
Select a key from the filesystem
Tap ✓ to save the key with the certificate
Assign an SSH certificate to a host
To assign an SSH certificate to a host on the desktop:
Navigate to the Hosts screen and open the Host Details for a selected host
In the Credentials section, click + SSH ID, Key, Certificate, FIDO2 and select Certificate as the authentication method
Select one of the certificates that you previously saved
Termius auto-saves the changes
To assign an SSH certificate to a host on iOS:
Navigate to the Hosts screen and open the Host Details screen for a selected host
In the Credentials section, tap SSH ID, Key, Certificate, FIDO2
Select one of the certificates that you previously saved
Tap to save the host changes
To assign an SSH certificate to a host on Android:
Navigate to the Hosts screen and open the Host Details screen for a selected host
In the Credentials section, tap SSH.id, Key, Certificate, FIDO2
Select one of the certificates that you previously saved
Tap ✓ to save the host changes
FIDO2 keys
Hardware keys provide one of the industry's most secure methods for SSH authentication. They're designed to make it impossible to extract private keys and protect them against compromise. Hardware keys can also offer additional security features, such as user-presence confirmation, providing an extra factor during authentication.
Termius simplifies the use of hardware keys for SSH connections, allowing you to generate non-resident FIDO2 keys within the app and sync them across your devices.
Prerequisites
You'll need a hardware security key that supports the FIDO2 protocol, such as YubiKey, Solo, OnlyKey, or Google Titan. Most other FIDO2-compatible security keys should also work with Termius
FIDO2 requires OpenSSH 8.4 or higher to be installed on your server
Hardware keys usually need to be set up before their first use. Some require a PIN code, while others use a biometric scanner and require you to enroll your fingerprint. Make sure you finish setting up your hardware key before following the steps below
Generate a FIDO2 SSH key
To generate a FIDO2 key in Termius on the Desktop:
Navigate to the Keychain screen and click FIDO2
Plug in your hardware key and select it from the device list. Enter a PIN if required
Adjust optional configuration settings such as Require User Presence or Require PIN code and Passphrase for better security
Click Generate
Configuration Settings
Require User Presence - when enabled, Termius prompts you to touch the hardware key when logging in to a server. This option is used for 2FA to ensure authentication doesn't occur without your intent.
Require PIN code - when enabled, Termius prompts you to enter the hardware key's PIN code. This option is available only when your hardware key has a PIN code set.
Passphrase provides an additional layer of security. Termius will prompt you for the passphrase on every connection; toggle Save passphrase to avoid passphrase prompts.
To generate a FIDO2 key on iOS:
Tap the back arrow button < to open the Vaults screen, then open the Keychain screen
Tap the + button and select New FIDO2 Key in the context menu
Specify a name for the key
For extra security, set a passphrase. Turn on Save passphrase to avoid passphrase prompts when you connect.
Tap Generate, then plug in the hardware key or hold it close to the top of your device if it supports NFC
Tap to save

To generate a FIDO2 key in Termius on Android:
Tap < All vaults to open the Vaults screen, then open the Keychain screen
Tap the + button and select New FIDO2 key in the context menu
Specify a name for the key
For extra security, set a passphrase. Turn on Save passphrase to avoid passphrase prompts when you connect.
Tap Generate, then plug in the hardware key or hold it close to the top of your device if it supports NFC
Set a PIN for your security key, if required
Click ✓ to save the key
Connect using FIDO2 keys
Once the FIDO2 key is generated, make sure to export its public part to the hosts that you want to access with this FIDO2 key, see Export an SSH key to a server.
To connect using a FIDO2 key:
Make sure the FIDO2 key is exported to the host
Plug in your hardware key
Double-click the host to connect
During the connection, Termius may prompt you to confirm your presence. Touch your hardware key to confirm

Once the FIDO2 key is generated, make sure to export its public part to the hosts that you want to access with this FIDO2 key, see Export an SSH key to a server.
To connect using a FIDO2 key:
Make sure the FIDO2 key is exported to the host
Tap on the host to connect
Enter a PIN, then use NFC for authentication


During the connection, Termius may prompt you to confirm your presence. If you’re using a USB key, insert then touch it. If you have an NFC key, bring it near the top of your device
Once the FIDO2 key is generated, make sure to export its public part to the hosts that you want to access with this FIDO2 key, see Export an SSH key to a server.
To connect using a FIDO2 key:
Make sure the FIDO2 key is exported to the host
Tap on the host to connect
Enter a password or use USB/NFC for authentication

During the connection, Termius will prompt for your hardware key. If you’re using a USB key, insert then touch it. If you have an NFC key, bring it near the top of your device
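A server-side check to go with the export and FIDO2 sections above, as an added example that is not part of the Termius documentation: it parses authorized_keys entries, identifies FIDO2-backed (sk-*) key types, and reports the OpenSSH per-key options no-touch-required and verify-required. The sample entries are constructed with all-zero key material, and the function names are hypothetical.

```python
import base64, hashlib, struct

def split_unquoted(s, seps, maxsplit=-1):
    """Split s on characters in seps that fall outside double quotes."""
    parts, cur, in_q, prev = [], "", False, ""
    for ch in s:
        if ch == '"' and prev != "\\":
            in_q = not in_q
        if ch in seps and not in_q and maxsplit != 0:
            parts.append(cur); cur = ""; maxsplit -= 1
        else:
            cur += ch
        prev = ch
    return parts + [cur]

def blob_type(b64):
    """Return the key type named inside a base64 public-key blob, or None."""
    try:
        blob = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", blob[:4])
        return blob[4:4 + n].decode("ascii")
    except (ValueError, struct.error):
        return None

def audit_line(line):
    """Parse one authorized_keys entry: [options] keytype base64 [comment]."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts, f = "", line.split(None, 2)
    if len(f) < 2 or blob_type(f[1]) != f[0]:      # first field must be options
        opts, rest = (split_unquoted(line, " \t", 1) + [""])[:2]
        f = rest.split(None, 2)
        if len(f) < 2 or blob_type(f[1]) != f[0]:
            return {"error": "unparseable entry"}
    names = [o.split("=", 1)[0].lower() for o in split_unquoted(opts, ",") if o]
    digest = hashlib.sha256(base64.b64decode(f[1])).digest()
    fido2 = f[0].startswith("sk-")                 # OpenSSH FIDO2-backed key types
    notes = []
    if fido2 and "no-touch-required" in names:
        notes.append("touch not required for this key")
    if fido2 and "verify-required" not in names:
        notes.append("PIN/biometric verification not required per key")
    return {"type": f[0], "fido2": fido2, "options": names, "notes": notes,
            "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("=")}

def sample_line(keytype, opts=""):
    """Constructed sample entry: all-zero key material, not a usable key."""
    fields = [keytype.encode(), bytes(32)] + ([b"ssh:"] if keytype.startswith("sk-") else [])
    blob = b"".join(struct.pack(">I", len(x)) + x for x in fields)
    return " ".join(p for p in (opts, keytype, base64.b64encode(blob).decode(), "constructed") if p)

SAMPLES = [
    sample_line("ssh-ed25519"),
    sample_line("sk-ssh-ed25519@openssh.com", 'from="10.0.0.0/8,192.0.2.7",no-touch-required'),
    sample_line("sk-ssh-ed25519@openssh.com", "verify-required"),
]
```

sshd can also set these requirements for all keys with PubkeyAuthOptions in sshd_config, which this per-file check does not read.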
Biometric keys
Biometric SSH Keys are securely stored on your device in a trusted execution environment and protected by biometric authentication. They never leave your device and remain inaccessible to others, even if someone gains unauthorized access to it.
Since the biometric keys are stored in an isolated hardware subsystem, they are not synchronized, as it's impossible to get the contents of the private key parts.
Windows Hello
Termius for Windows lets you generate Biometric SSH keys within the Trusted Platform Module (TPM). TPM is an isolated hardware subsystem that generates and stores private keys. No one, including Termius or Windows, can export, copy, or access these keys directly.
For SSH connections using such a key, Termius requests TPM to sign the data using the private key. Whenever this happens, Windows prompts you to authorize access to a key stored in TPM with fingerprint authentication.
Generate a biometric Key
Navigate to the Keychain screen and click Windows Hello
Specify the name of the key in the Label field
Click Generate
Export the biometric key to a host
Navigate to the Keychain screen and open the Key Details for a selected key
Click Export to host, then click Select Host to choose the host you want the public key to be exported to
If your authorized keys are stored in a custom directory, update the folder path in the Location field and specify the authorized keys file using the Filename field
Click Export and Attach
Once the key is exported to the host and is attached to the host in Termius, you will be able to use it for connections.
Connect using biometric keys
Navigate to the Hosts screen
Click the host where you set up biometric keys for authentication
Complete the biometric authentication
Apple Secure Enclave (Face ID/ Touch ID)
Termius on macOS, iOS, and iPadOS lets you generate Biometric SSH keys in the Secure Enclave (SE). Secure Enclave is an isolated hardware subsystem that generates and stores private keys. No one, including Termius or OS, can directly export, copy, or access these keys.
For SSH connections using such a key, Termius requests SE to sign the data with the private key. Whenever this happens, the OS prompts you to authorize access to a key stored in SEP using Touch ID/Face ID.
Generate a biometric key
Navigate to the Keychain screen and click TOUCH ID
Specify the name of the key in the Label field
Click Generate
Export biometric key to a host
Navigate to the Keychain screen and open the Key Details for a selected key
Click Export to host, then click Select Host to choose the host you want the public key to be exported to
If your authorized keys are stored in a custom directory, update the folder path in the Location field and specify the authorized keys file using the Filename field
Click Export and Attach
Once the key is exported to the host and is linked with the host in Termius, you will be able to use it for connections.
Connect using biometric keys
Navigate to the Hosts screen
Tap on the host where you set up biometric keys for authentication
Complete the biometric authentication
Apple Secure Enclave (Face ID/ Touch ID)
Termius on macOS, iOS, and iPadOS lets you generate Biometric SSH keys in the Secure Enclave (SE). Secure Enclave is an isolated hardware subsystem that generates and stores private keys. No one, including Termius or OS, can directly export, copy, or access these keys.
For SSH connections using such a key, Termius requests SE to sign the data with the private key. Whenever this happens, the OS prompts you to authorize access to a key stored in SEP using Touch ID/Face ID.
Generate a biometric key
Tap the back arrow button < to open the Vaults screen, then open the Keychain screen
Tap the + button and select New Face ID Key/New Touch ID Key in the context menu
Specify the name of the key in the Label field
Tap Generate
Export the biometric key to a host
When the biometric key is generated, tap the biometric key on the Keychain screen, then select the host you want the public key to be exported to


If your authorized keys are stored in a custom directory, update the folder path in the Location field and specify the file containing the authorized keys
Tap Export
Once the key is exported to the host and is linked with the host in Termius, you will be able to use it for connections.
Connect using biometric keys
Navigate to the Hosts screen
Tap on the host where you set up biometric keys for authentication
Complete the biometric authentication
Android Keystore
Termius for Android lets you generate Biometric SSH keys in the Keystore. It's an isolated hardware subsystem that generates and stores private keys. No one, including Termius or Android, can export, copy, or access these private keys directly.
For SSH connections using such a key, Termius requests that Keystore sign the data with the private key. Whenever this happens, Android prompts you to authorize access to the key stored in the Keystore using biometric authentication.
Generate a biometric key
Tap < All vaults to open the Vaults screen, then open the Keychain screen
Tap the + button and select New biometric key in the context menu
Specify the Name of the key and tap Generate
Tap to save a biometric key

Export the biometric key to a host
When the biometric key is generated, tap the biometric key on the Keychain screen

Select Export to…, then select a host from the list
If your authorized keys are stored in a custom directory, update the folder path in the SSH Keys location field and specify the File containing public keys
Tap Export
Once the key is exported to the host and is attached to the host in Termius, you will be able to use it for connections.
Connect using biometric keys
Navigate to the Hosts screen
Tap on the host where you set up biometric keys for authentication
Complete the biometric authentication