# SSH keys and certificates

## Overview

Termius Keychain lets you generate, store, and organize credentials such as usernames, passwords, SSH keys, and certificates. It helps you avoid duplication and manage credentials across multiple servers.

For SSH keys in particular, Termius can:

* Import SSH keys and certificates
* Generate SSH keys, FIDO2 keys, and Biometric keys
* Provide a convenient way to export the public keys to the `authorized_keys` file on your servers

## SSH keys

Termius lets you import your existing SSH keys and generate new ones with a built-in SSH key generator.

### Generate SSH keys

Termius can generate Ed25519, ECDSA, RSA, and ML-DSA keys.

{% tabs %}
{% tab title="Desktop" %}
To generate SSH keys on the desktop:

1. Navigate to the `Keychain` screen and select `Generate Key` from the key drop-down<br>

   <figure><img src="/files/rBA2feoFH8eY2O5bWkiz" alt=""><figcaption></figcaption></figure>
2. Specify a name for the key in the `Label` field and choose the `Key type`<br>

   <figure><img src="/files/pgtlER6bfC4h4tR5jDN1" alt=""><figcaption></figcaption></figure>
3. For extra security, set a passphrase. Turn on `Save passphrase` to avoid passphrase prompts when you connect.<br>

   <figure><img src="/files/22FmJWgF4E8M4r2bggXm" alt=""><figcaption></figcaption></figure>
4. Click `Generate & save`
   {% endtab %}

{% tab title="iOS" %}
To generate SSH keys on iOS:

1. Tap the back arrow button `<` to open the **Vaults** screen, then open the `Keychain` screen<br>

   <div align="left"><figure><img src="/files/TZ1pRGG18ka51wufGMeA" alt="" width="375"><figcaption></figcaption></figure></div>
2. Tap the `+` button and select `Generate Key` in the context menu<br>

   <div align="left"><figure><img src="/files/9M7sW1GCOuZDadtGUIAf" alt="" width="375"><figcaption></figcaption></figure></div>
3. Specify the key `Label` and choose the `Key type`<br>

   <div align="left"><figure><img src="/files/eMuwe0oyzcCc15Dqhale" alt="" width="375"><figcaption></figcaption></figure></div>
4. For extra security, set a passphrase. Turn on `Save passphrase` to avoid passphrase prompts when you connect.<br>

   <div align="left"><figure><img src="/files/vcX8HM2RUi4ghGGg5z5g" alt="" width="375"><figcaption></figcaption></figure></div>
5. Tap the `Save` button
   {% endtab %}

{% tab title="Android" %}
To generate SSH keys on Android:

1. Tap `< All vaults` to open the **Vaults** screen, then open the `Keychain` screen<br>

   <div align="left"><figure><img src="/files/QtqCO3uroxSZ0Gjb6UB8" alt="" width="375"><figcaption></figcaption></figure></div>
2. Tap the `+` button and select `New SSH Key` in the context menu<br>

   <div align="left"><figure><img src="/files/XHmWaS8xUz3RSU9Yn9Ag" alt="" width="375"><figcaption></figcaption></figure></div>
3. Select `Generate new SSH Key`<br>

   <div align="left"><figure><img src="/files/ruafg8BT126u5j0IU8Eh" alt="" width="375"><figcaption></figcaption></figure></div>
4. Specify the key `Name` and choose the `Key type`<br>

   <div align="left"><figure><img src="/files/TR1fIyxEzFXPkmfBXAbe" alt="" width="375"><figcaption></figcaption></figure></div>
5. For extra security, set a passphrase. Turn on `Save passphrase` to avoid passphrase prompts when you connect.<br>

   <div align="left"><figure><img src="/files/Xa6mxSiEMNlmbKhwINO1" alt="" width="375"><figcaption></figcaption></figure></div>
6. Tap the `Generate` button
   {% endtab %}
   {% endtabs %}

### Import SSH keys

Termius can import SSH keys from a file or by pasting a private key from the clipboard.

{% tabs %}
{% tab title="Desktop" %}

#### Paste a key on the desktop

1. Navigate to the `Keychain` and click `Key`<br>

   <figure><img src="/files/OTS1CrEtwnPmaUUvL449" alt=""><figcaption></figcaption></figure>
2. Paste your private key from the clipboard

   <figure><img src="/files/wgJZ0SO7OwQsdPK0SO9Y" alt=""><figcaption></figcaption></figure>
3. Specify a name for the key in the `Label` field. The key will be auto-saved

#### Import from a file on the desktop

1. Navigate to the `Keychain` and click `Key`<br>

   <figure><img src="/files/OTS1CrEtwnPmaUUvL449" alt=""><figcaption></figcaption></figure>
2. `Drag and drop` your key file or click `Import from key file`<br>

   <figure><img src="/files/sGgewnC8QNJ8OgyzDuDd" alt=""><figcaption></figcaption></figure>
3. Specify a name for the key in the `Label` field. Termius auto-saves the key

{% hint style="info" %}
If your key is protected with a `Passphrase`, you can specify it in the corresponding field. Otherwise, you will be prompted for a passphrase on every connection.
{% endhint %}
{% endtab %}

{% tab title="iOS" %}

#### Paste a key on iOS

1. Tap the back arrow button `<` to open the **Vaults** screen, then open the `Keychain` screen<br>

   <div align="left"><figure><img src="/files/TZ1pRGG18ka51wufGMeA" alt="" width="375"><figcaption></figcaption></figure></div>
2. Tap the `+` button and select `Paste key` in the context menu<br>

   <div align="left"><figure><img src="/files/Z4gYdgx82Wf9AHj3Qg3A" alt="" width="375"><figcaption></figcaption></figure></div>
3. Paste your private key from the clipboard and specify a name for the key in the `Label` field<br>

   <div align="left"><figure><img src="/files/qkpTT7L0LQfVHMr8S5tK" alt="" width="375"><figcaption></figcaption></figure></div>
4. `Save` the key

#### Import from a file

1. Tap the back arrow button `<` to open the **Vaults** screen, then open the `Keychain` screen<br>

   <div align="left"><figure><img src="/files/TZ1pRGG18ka51wufGMeA" alt="" width="375"><figcaption></figcaption></figure></div>
2. Tap the `+` button and select `Import key` in the context menu<br>

   <div align="left"><figure><img src="/files/GyKCT7NY20x6h4Qts9uT" alt="" width="375"><figcaption></figcaption></figure></div>
3. Select your key file<br>

   <div align="left"><figure><img src="/files/rxn6A4gb5e08UlyvTYcf" alt="" width="375"><figcaption></figcaption></figure></div>
4. `Save` the key

{% hint style="info" %}
If your key is protected with a `Passphrase`, you can specify it in the corresponding field. Otherwise, you will be prompted for a passphrase on every connection.
{% endhint %}
{% endtab %}

{% tab title="Android" %}

#### Paste a key on Android

1. Tap `< All vaults` to open the **Vaults** screen, then open the `Keychain` screen<br>

   <div align="left"><figure><img src="/files/QtqCO3uroxSZ0Gjb6UB8" alt="" width="375"><figcaption></figcaption></figure></div>
2. Tap the `+` button and select `New SSH Key` in the context menu<br>

   <div align="left"><figure><img src="/files/XHmWaS8xUz3RSU9Yn9Ag" alt="" width="375"><figcaption></figcaption></figure></div>
3. Select `Paste SSH key`. Termius tries to paste a key automatically. If you have no private key in your clipboard, copy and paste it into the corresponding field<br>

   <div align="left"><figure><img src="/files/9QZpoyX3wRuKJUmhfmnT" alt="" width="375"><figcaption></figcaption></figure></div>
4. Tap `Validate` to validate the private key<br>

   <div align="left"><figure><img src="/files/rRfc2TRvm5x4FwMUYU7V" alt="" width="375"><figcaption></figcaption></figure></div>
5. Specify the `Name` of the key<br>

   <div align="left"><figure><img src="/files/WzzNJvJVV9Rjjc1Uigg7" alt="" width="375"><figcaption></figcaption></figure></div>
6. Tap `✓` to save the key

#### Import from a file on Android

1. Tap `< All vaults` to open the **Vaults** screen, then open the `Keychain` screen<br>

   <div align="left"><figure><img src="/files/QtqCO3uroxSZ0Gjb6UB8" alt="" width="375"><figcaption></figcaption></figure></div>
2. Tap the `+` button and select `New SSH Key` in the context menu<br>

   <div align="left"><figure><img src="/files/XHmWaS8xUz3RSU9Yn9Ag" alt="" width="375"><figcaption></figcaption></figure></div>
3. Select `Import SSH key from file`<br>

   <div align="left"><figure><img src="/files/swa7KuFeD4g9nzzVTPyk" alt="" width="375"><figcaption></figcaption></figure></div>
4. Select a key from the filesystem<br>

   <div align="left"><figure><img src="/files/nuVI8kA2yo5a4AY0bMd4" alt="" width="375"><figcaption></figcaption></figure></div>
5. Tap `Validate` to validate the private key<br>

   <div align="left"><figure><img src="/files/UCJ0us9gv9Frl9ddaIcE" alt="" width="375"><figcaption></figcaption></figure></div>
6. Specify the `Name` of the key<br>

   <div align="left"><figure><img src="/files/b95HcnKAdnuTtlg6ctks" alt="" width="375"><figcaption></figcaption></figure></div>
7. Tap `✓` to save the key

{% hint style="info" %}
If your key is protected with a `Passphrase`, you can specify it in the corresponding field. Otherwise, you will be prompted for a passphrase on every connection.
{% endhint %}
{% endtab %}
{% endtabs %}

### Export an SSH key to a server

Termius provides a convenient way to export SSH keys to your servers. When you export a key, its public portion is added to the `authorized_keys` file on your server.

{% hint style="success" %}
Upon successful export, the key is linked to the corresponding host in Termius, allowing you to connect with one click.

If you want to link keys to your hosts manually, see [SSH with an SSH key](/organize-and-connect-to-hosts/connecting-to-a-server.md#ssh-with-an-ssh-key).
{% endhint %}

{% tabs %}
{% tab title="Desktop" %}
To export SSH keys to a server on the desktop:

1. Navigate to the `Keychain` and `Right-click` a key you'd like to export, then click `Export to host` in the context menu<br>

   <figure><img src="/files/Yig76JJuXhJCASWDKP8y" alt=""><figcaption></figcaption></figure>
2. Click `Select Host` and select the host you want the public key to be exported to<br>

   <figure><img src="/files/Po0XpP6f7kLKsG4lh17J" alt=""><figcaption></figcaption></figure>
3. If your authorized keys are stored in a custom directory, update the folder path in the `Location` field and specify the authorized keys file using the `Filename` field
4. Click `Export and Attach`<br>

   <figure><img src="/files/OOtLGsVHRuKQM3RDv2Am" alt=""><figcaption></figcaption></figure>

{% endtab %}

{% tab title="iOS" %}
To export SSH keys to a server on iOS:

1. Tap the back arrow button `<` to open the **Vaults** screen, then open the `Keychain` screen<br>

   <div align="left"><figure><img src="/files/TZ1pRGG18ka51wufGMeA" alt="" width="375"><figcaption></figcaption></figure></div>
2. Tap the key you want to export, then select the host you want the public key to be exported to<br>

   <div><figure><img src="/files/CeaL7503Hj2tz86mr8Tu" alt=""><figcaption></figcaption></figure> <figure><img src="/files/VwwLCTGi5K0CBZGaj0ji" alt=""><figcaption></figcaption></figure></div>
3. If your authorized keys are stored in a custom directory, update the folder path in the `Location` field and specify the file containing the authorized keys
4. Tap `Export`<br>

   <div align="left"><figure><img src="/files/XQGZf4a1rqaFl4FdLarE" alt="" width="375"><figcaption></figcaption></figure></div>

{% endtab %}

{% tab title="Android" %}
To export SSH keys to a server on Android:

1. Tap `< All vaults` to open the **Vaults** screen, then open the `Keychain` screen<br>

   <div align="left"><figure><img src="/files/QtqCO3uroxSZ0Gjb6UB8" alt="" width="375"><figcaption></figcaption></figure></div>
2. Tap the key you want to export and select `Export to…` in the context menu<br>

   <div align="left"><figure><img src="/files/N1ORlzDoaQgL3YWwYd5L" alt=""><figcaption></figcaption></figure> <figure><img src="/files/4JnHaUPmjDwhmXppnya7" alt=""><figcaption></figcaption></figure></div>
3. Select a host from the list<br>

   <div align="left"><figure><img src="/files/lS8jCunOE3hilZAlJjsz" alt="" width="375"><figcaption></figcaption></figure></div>
4. If your authorized keys are stored in a custom directory, update the folder path in the `SSH Keys location` field and specify the `File containing public keys`
5. Tap `Export`<br>

   <div align="left"><figure><img src="/files/PZpHo4TS68I0qtCkFr2S" alt="" width="375"><figcaption></figcaption></figure></div>

{% endtab %}
{% endtabs %}
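
After an export, it is worth confirming on the server what the `authorized_keys` file now contains. The following is an added example, not Termius code: it parses each entry, computes the same `SHA256:` fingerprint that `ssh-keygen -lf` prints, and reports duplicates, entries whose declared type does not match the key blob, and FIDO2 keys carrying the OpenSSH `no-touch-required` option. The sample file and key material are constructed filler.

```python
import base64
import hashlib
import struct

def split_outside_quotes(text, seps):
    """Split on any character in seps, except inside double-quoted values."""
    parts, cur, quoted, i = [], "", False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and quoted and i + 1 < len(text):
            cur += text[i:i + 2]          # keep an escaped character verbatim
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch in seps and not quoted:
            if cur:
                parts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    return parts + [cur] if cur else parts

def embedded_type(blob):
    """Key type named in the first length-prefixed string of a key blob."""
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        return None
    return blob[4:4 + n].decode("ascii", "replace")

def parse_entry(line):
    """Return a dict for one authorized_keys line, or None if it is malformed."""
    fields = split_outside_quotes(line, " \t")
    for i in range(len(fields) - 1):
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue                      # not base64, so not the key field
        if embedded_type(blob) != fields[i]:
            continue                      # declared type must match the blob
        digest = hashlib.sha256(blob).digest()
        return {
            "options": split_outside_quotes(" ".join(fields[:i]), ","),
            "type": fields[i],
            "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
            "comment": " ".join(fields[i + 2:]),
        }
    return None

def audit(text, expected_fingerprint):
    """Return (entries, findings, expected_present) for an authorized_keys file."""
    entries, findings, first_seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_entry(line)
        if entry is None:
            findings.append((lineno, "malformed entry or type/blob mismatch"))
            continue
        entry["line"] = lineno
        entries.append(entry)
        fp = entry["fingerprint"]
        if fp in first_seen:
            findings.append((lineno, "duplicate of line %d" % first_seen[fp]))
        first_seen.setdefault(fp, lineno)
        if entry["type"].startswith("sk-") and "no-touch-required" in entry["options"]:
            findings.append((lineno, "FIDO2 key accepted without touch"))
    return entries, findings, expected_fingerprint in first_seen

def make_blob(key_type, *parts):
    """Build a base64 public key blob from constructed (filler) key bytes."""
    out = b""
    for p in (key_type.encode(),) + parts:
        out += struct.pack(">I", len(p)) + p
    return base64.b64encode(out).decode()

# Constructed sample data: the key material is filler, not real keys.
KEY_A = make_blob("ssh-ed25519", bytes(range(32)))
KEY_B = make_blob("ssh-ed25519", bytes(range(32, 64)))
KEY_SK = make_blob("sk-ssh-ed25519@openssh.com", bytes(range(64, 96)), b"ssh:")
SAMPLE = "\n".join([
    "# constructed authorized_keys sample",
    "ssh-ed25519 " + KEY_A + " alice@laptop",
    'command="/usr/bin/rsync --server",no-pty ssh-ed25519 ' + KEY_B + " backup job",
    "ssh-ed25519 " + KEY_A + " alice@phone",
    "no-touch-required sk-ssh-ed25519@openssh.com " + KEY_SK + " hardware key",
    "ssh-rsa " + KEY_A + " mislabelled",
])

if __name__ == "__main__":
    exported = parse_entry("ssh-ed25519 " + KEY_A)["fingerprint"]
    entries, findings, present = audit(SAMPLE, exported)
    print("exported key present:", present)
    for lineno, message in findings:
        print("line %d: %s" % (lineno, message))
```

Compare the reported fingerprint with the one shown for the key on the client before trusting that the right key was installed.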

## SSH certificates

To authenticate with an SSH certificate, you need both a private key and a corresponding certificate. Typically, these are stored as two separate files on your file system. Termius stores certificates as part of the SSH key since they won't work without each other.
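
Because a certificate is only usable with the key pair it was issued for, a quick pre-import check is to confirm that the public key embedded in the certificate equals the key pair's public key and that the validity window covers the current time. The following is an added example, not Termius code: it decodes the OpenSSH certificate wire format for Ed25519 certificates only and does not verify the CA signature. The certificate, keys, and timestamps are constructed filler.

```python
import base64
import struct

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # certificate type field: 1 = user, 2 = host

class Reader:
    """Cursor over SSH wire data (big-endian ints, length-prefixed strings)."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated data")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

    def u64(self):
        return struct.unpack(">Q", self.take(8))[0]

    def string(self):
        return self.take(self.u32())

def parse_cert(cert_line):
    """Decode the leading fields of an Ed25519 certificate (*-cert.pub line)."""
    name, b64 = cert_line.split()[:2]
    r = Reader(base64.b64decode(b64, validate=True))
    if name != CERT_TYPE or r.string().decode() != CERT_TYPE:
        raise ValueError("not an Ed25519 OpenSSH certificate")
    r.string()                                    # nonce
    cert = {"public_key": r.string()}
    cert["serial"] = r.u64()
    cert["type"] = r.u32()
    cert["key_id"] = r.string().decode()
    names = Reader(r.string())                    # principals: packed strings
    cert["principals"] = []
    while names.pos < len(names.data):
        cert["principals"].append(names.string().decode())
    cert["valid_after"] = r.u64()
    cert["valid_before"] = r.u64()
    return cert

def check_pair(cert_line, pubkey_line, now):
    """List reasons the certificate cannot be used with this key pair at `now`."""
    cert = parse_cert(cert_line)
    key = Reader(base64.b64decode(pubkey_line.split()[1], validate=True))
    key.string()                                  # key type name
    problems = []
    if key.string() != cert["public_key"]:
        problems.append("certificate was issued for a different key")
    if cert["type"] != USER_CERT:
        problems.append("not a user certificate")
    if now < cert["valid_after"]:
        problems.append("not valid yet")
    if now >= cert["valid_before"]:
        problems.append("expired")
    return problems

def ssh_string(data):
    return struct.pack(">I", len(data)) + data

def make_cert(pk, valid_after, valid_before, principals=("deploy",)):
    """Build a constructed certificate line; CA key and signature are filler."""
    body = (ssh_string(CERT_TYPE.encode()) + ssh_string(b"\x00" * 32)
            + ssh_string(pk) + struct.pack(">QI", 1, USER_CERT)
            + ssh_string(b"constructed-example")
            + ssh_string(b"".join(ssh_string(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + ssh_string(b"") + ssh_string(b"") + ssh_string(b"")
            + ssh_string(b"filler-ca-key") + ssh_string(b"filler-signature"))
    return CERT_TYPE + " " + base64.b64encode(body).decode() + " constructed"

def make_pubkey(pk):
    blob = ssh_string(b"ssh-ed25519") + ssh_string(pk)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed"

# Constructed sample data: filler key bytes and a 24-hour validity window.
PK_A, PK_B = bytes(range(32)), bytes(range(32, 64))
CERT_A = make_cert(PK_A, 1_700_000_000, 1_700_086_400)

if __name__ == "__main__":
    print(check_pair(CERT_A, make_pubkey(PK_A), 1_700_000_600))
    print(check_pair(CERT_A, make_pubkey(PK_B), 1_700_000_600))
    print(check_pair(CERT_A, make_pubkey(PK_A), 1_700_086_400))
```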

### Import SSH Certificate

{% tabs %}
{% tab title="Desktop" %}
To import an SSH certificate on the desktop:

1. Navigate to the `Keychain` and click `Certificate`<br>

   <figure><img src="/files/NXay5pExyNDDBmbiZTZI" alt=""><figcaption></figcaption></figure>
2. Paste your private key and certificate into the corresponding fields<br>

   <figure><img src="/files/FfxD1HwOXmRNlEaAvEDa" alt=""><figcaption></figcaption></figure>
3. Termius auto-saves them
   {% endtab %}

{% tab title="iOS" %}
To import an SSH certificate on iOS:

1. Tap the back arrow button `<` to open the **Vaults** screen, then open the `Keychain` screen<br>

   <div align="left"><figure><img src="/files/TZ1pRGG18ka51wufGMeA" alt="" width="375"><figcaption></figcaption></figure></div>
2. Tap the `+` button and select `Paste Key` in the context menu<br>

   <div align="left"><figure><img src="/files/Z4gYdgx82Wf9AHj3Qg3A" alt="" width="375"><figcaption></figcaption></figure></div>
3. Paste your private key and certificate into the corresponding fields<br>

   <div align="left"><figure><img src="/files/09HLkObUGKBpggxjUvXH" alt="" width="375"><figcaption></figcaption></figure></div>
4. `Save` the key with the certificate
   {% endtab %}

{% tab title="Android" %}

#### Paste a certificate

1. Tap `< All vaults` to open the Vaults screen, then open the `Keychain` screen<br>

   <div align="left"><figure><img src="/files/QtqCO3uroxSZ0Gjb6UB8" alt="" width="375"><figcaption></figcaption></figure></div>
2. Tap the `+` button and select `New certificate` in the context menu<br>

   <div align="left"><figure><img src="/files/aBBUQ4KynppMcmJ5MZFP" alt="" width="375"><figcaption></figcaption></figure></div>
3. Select `Paste certificate`. Termius tries to paste a certificate automatically. If you have no certificate in your clipboard, copy and paste it into the corresponding field<br>

   <div align="left"><figure><img src="/files/OX3TvEf9dfyd3X9SxwOA" alt="" width="375"><figcaption></figcaption></figure></div>
4. Once a certificate is added, tap `Add private key`, then select `Paste`. Termius tries to paste a private key automatically. If you have no private key in your clipboard, copy and paste it into the corresponding field

   <div align="left"><figure><img src="/files/eMavCZ9zz4jJoBCyfnCM" alt="" width="375"><figcaption></figcaption></figure></div>
5. Tap `✓` to save the key with the certificate<br>

   <div align="left"><figure><img src="/files/uFaV1vhW1Kw35J2Yw5YV" alt="" width="375"><figcaption></figcaption></figure></div>

#### Import from a file

1. Tap `< All vaults` to open the **Vaults** screen, then open the `Keychain` screen<br>

   <div align="left"><figure><img src="/files/QtqCO3uroxSZ0Gjb6UB8" alt="" width="375"><figcaption></figcaption></figure></div>
2. Tap the `+` button and select `New certificate` in the context menu<br>

   <div align="left"><figure><img src="/files/aBBUQ4KynppMcmJ5MZFP" alt="" width="375"><figcaption></figcaption></figure></div>
3. Select `Import certificate from file`<br>

   <div align="left"><figure><img src="/files/M4K73jJdeWtyngYyPYuZ" alt="" width="375"><figcaption></figcaption></figure></div>
4. Select a certificate from the filesystem<br>

   <div align="left"><figure><img src="/files/stclkjflKSs97wNcYIpb" alt="" width="375"><figcaption></figcaption></figure></div>
5. Once a certificate is added, tap `Add private key`, then select `Import from file`<br>

   <div align="left"><figure><img src="/files/eMavCZ9zz4jJoBCyfnCM" alt="" width="375"><figcaption></figcaption></figure></div>
6. Select a key from the filesystem<br>

   <div align="left"><figure><img src="/files/nuVI8kA2yo5a4AY0bMd4" alt="" width="375"><figcaption></figcaption></figure></div>
7. Tap `✓` to save the key with the certificate<br>

   <div align="left"><figure><img src="/files/uFaV1vhW1Kw35J2Yw5YV" alt="" width="375"><figcaption></figcaption></figure></div>

{% endtab %}
{% endtabs %}

### Assign an SSH certificate to a host

{% tabs %}
{% tab title="Desktop" %}
To assign an SSH certificate to a host on the desktop:

1. Navigate to the `Hosts` screen and open the `Host Details` for a selected host

   <figure><img src="/files/PbUmaypk9CHsInvReWTg" alt=""><figcaption></figcaption></figure>
2. In the Credentials section, click `+ SSH ID, Key, Certificate, FIDO2` and select `Certificate` as the authentication method

   <figure><img src="/files/Ck2XQ8CS5ldq6ZFwrapX" alt=""><figcaption></figcaption></figure>
3. Select one of the certificates that you previously saved

   <figure><img src="/files/Ujm2PVLbmC4wGY0lQOZA" alt=""><figcaption></figcaption></figure>
4. Termius auto-saves the changes
   {% endtab %}

{% tab title="iOS" %}
To assign an SSH certificate to a host on iOS:

1. Navigate to the `Hosts` screen and open the `Host Details` screen for a selected host<br>

   <div align="left"><figure><img src="/files/vSLQbpwlPb3fqkniBJKE" alt="" width="375"><figcaption></figcaption></figure></div>
2. In the Credentials section, tap `SSH ID, Key, Certificate, FIDO2`<br>

   <div align="left"><figure><img src="/files/sOKTv8vO1DwtIL224ZaI" alt="" width="375"><figcaption></figcaption></figure></div>
3. Select one of the certificates that you previously saved<br>

   <div align="left"><figure><img src="/files/pITHNT875Ue9V6jzuCSy" alt="" width="375"><figcaption></figcaption></figure></div>
4. Tap the checkmark button to save the host changes
   {% endtab %}

{% tab title="Android" %}
To assign an SSH certificate to a host on Android:

1. Navigate to the `Hosts` screen and open the `Host Details` screen for a selected host<br>

   <div align="left"><figure><img src="/files/GkTIJ8bMqgMLcEDy6Nbz" alt="" width="375"><figcaption></figcaption></figure></div>
2. In the Credentials section, tap `SSH.id, Key, Certificate, FIDO2`<br>

   <div align="left"><figure><img src="/files/reiHHLVyZDkPUeUZytnF" alt="" width="375"><figcaption></figcaption></figure></div>
3. Select one of the certificates that you previously saved<br>

   <div align="left"><figure><img src="/files/zadHcBVbQt0AvdXSbWmT" alt="" width="375"><figcaption></figcaption></figure></div>
4. Tap `✓` to save the host changes
   {% endtab %}
   {% endtabs %}

## FIDO2 keys

Hardware keys provide one of the industry's most secure methods for SSH authentication. They're designed to make it impossible to extract private keys and protect them against compromise. Hardware keys can also offer additional security features, such as user-presence confirmation, providing an extra factor during authentication.

Termius simplifies the use of hardware keys for SSH connections, allowing you to generate non-resident FIDO2 keys within the app and sync them across your devices.

#### **Prerequisites**

* You'll need a hardware security key that supports the FIDO2 protocol, such as [YubiKey](https://www.yubico.com/), [Solo](https://solokeys.com/), [OnlyKey](https://onlykey.io/), or [Google Titan](https://store.google.com/product/titan_security_key). Most other FIDO2-compatible security keys should also work with Termius
* FIDO2 requires OpenSSH 8.4 or higher to be installed on your server
* Hardware keys usually need to be set up before their first use. Some require a PIN code, while others use a biometric scanner and require you to enroll your fingerprint. Make sure you finish setting up your hardware key before following the steps below

### Generate a FIDO2 SSH key

{% tabs %}
{% tab title="Desktop" %}
To generate a FIDO2 key in Termius on the desktop:

1. Navigate to the `Keychain` screen and click `FIDO2`<br>

   <figure><img src="/files/dyNBafNfx94tBnISAPP6" alt=""><figcaption></figcaption></figure>
2. Plug in your hardware key and select it from the device list. Enter a PIN if required<br>

   <figure><img src="/files/mokGG4CBP1b9KFJzgb2h" alt=""><figcaption></figcaption></figure>
3. Adjust optional configuration settings such as `Require User Presence` or `Require PIN code` and `Passphrase` for better security<br>

   <figure><img src="/files/4n9ZjqQkYo12LecMbCzv" alt=""><figcaption></figcaption></figure>
4. Click `Generate`

#### Configuration Settings

`Require User Presence` - when enabled, Termius prompts you to touch the hardware key when logging in to a server. This option is used for 2FA to ensure authentication doesn't occur without your intent.

`Require PIN code` - when enabled, Termius prompts you to enter the hardware key's PIN code. This option is available only when your hardware key has a PIN code set.

`Passphrase` provides an additional layer of security. Termius will prompt you for the passphrase on every connection; toggle **Save passphrase** to avoid passphrase prompts.
{% endtab %}

{% tab title="iOS" %}
To generate a FIDO2 key on iOS:

1. Tap the back arrow button `<` to open the **Vaults** screen, then open the `Keychain` screen<br>

   <div align="left"><figure><img src="/files/TZ1pRGG18ka51wufGMeA" alt="" width="375"><figcaption></figcaption></figure></div>
2. Tap the `+` button and select `New FIDO2 Key` in the context menu<br>

   <div align="left"><figure><img src="/files/MjKwTBeNogUDBvkhv57H" alt="" width="375"><figcaption></figcaption></figure></div>
3. Specify a name for the key
4. For extra security, set a passphrase. Turn on `Save passphrase` to avoid passphrase prompts when you connect.
5. Tap `Generate`, then plug in the hardware key or hold it close to the top of your device if it supports NFC<br>

   <div align="left"><figure><img src="/files/Qi2swmAwuyK6Rxx0bafe" alt="" width="375"><figcaption></figcaption></figure></div>
6. Tap the checkmark button to save<br>

   <div align="left"><figure><img src="/files/8Tz3Fou9tj0pNbpRoe4i" alt="" width="375"><figcaption></figcaption></figure></div>

{% endtab %}

{% tab title="Android" %}
To generate a FIDO2 key in Termius on Android:

1. Tap `< All vaults` to open the Vaults screen, then open the `Keychain` screen<br>

   <div align="left"><figure><img src="/files/QtqCO3uroxSZ0Gjb6UB8" alt="" width="375"><figcaption></figcaption></figure></div>
2. Tap the `+` button and select `New FIDO2 key` in the context menu<br>

   <div align="left"><figure><img src="/files/v1JjvGq7ffZQN59YnXhW" alt="" width="375"><figcaption></figcaption></figure></div>
3. Specify a name for the key
4. For extra security, set a passphrase. Turn on `Save passphrase` to avoid passphrase prompts when you connect.<br>

   <div align="left"><figure><img src="/files/Hp50ZLbBkpYgAAmqDEhU" alt="" width="375"><figcaption></figcaption></figure></div>
5. Tap `Generate`, then plug in the hardware key or hold it close to the top of your device if it supports NFC<br>

   <div align="left"><figure><img src="/files/SzsJPbdA3XuEm5Nv1S7c" alt="" width="375"><figcaption></figcaption></figure></div>
6. Set a PIN for your security key, if required
7. Tap `✓` to save the key
   {% endtab %}
   {% endtabs %}

### Connect using FIDO2 keys

{% tabs %}
{% tab title="Desktop" %}
Once the FIDO2 key is generated, make sure to export its public part to the hosts that you want to access with this FIDO2 key. See [Export an SSH key to a server](#export-an-ssh-key-to-a-server).

To connect using a FIDO2 key:

1. Make sure the FIDO2 key is exported to the host
2. Plug in your hardware key
3. Double-click the host to connect
4. During the connection, Termius may prompt you to confirm your presence. Touch your hardware key to confirm<br>

   <figure><img src="/files/y4oD5xW2UpixR8KOkB9C" alt=""><figcaption></figcaption></figure>

{% endtab %}

{% tab title="iOS" %}
Once the FIDO2 key is generated, make sure to export its public part to the hosts that you want to access with this FIDO2 key. See [Export an SSH key to a server](#export-an-ssh-key-to-a-server).

To connect using a FIDO2 key:

1. Make sure the FIDO2 key is exported to the host
2. Tap on the host to connect
3. Enter a PIN, then use NFC for authentication

   <div><figure><img src="/files/BarsIfBJNnoEgUOv5vME" alt=""><figcaption></figcaption></figure> <figure><img src="/files/crEANDoSHELtMOOIbdtD" alt=""><figcaption></figcaption></figure></div>
4. During the connection, Termius may prompt you to confirm your presence. If you’re using a USB key, insert it, then touch it. If you have an NFC key, bring it near the top of your device
   {% endtab %}

{% tab title="Android" %}
Once the FIDO2 key is generated, make sure to export its public part to the hosts that you want to access with this FIDO2 key. See [Export an SSH key to a server](#export-an-ssh-key-to-a-server).

To connect using a FIDO2 key:

1. Make sure the FIDO2 key is exported to the host
2. Tap on the host to connect
3. Enter a password or use USB/NFC for authentication<br>

   <div align="left"><figure><img src="/files/dKnoPk5aLW98VpXAxxK2" alt="" width="375"><figcaption></figcaption></figure></div>
4. During the connection, Termius will prompt for your hardware key. If you’re using a USB key, insert it, then touch it. If you have an NFC key, bring it near the top of your device
   {% endtab %}
   {% endtabs %}

## Biometric keys

Biometric SSH Keys are securely stored on your device in a trusted execution environment and protected by biometric authentication. They never leave your device and remain inaccessible to others, even if someone gains unauthorized access to it.

{% hint style="info" %}
Since the biometric keys are stored in an isolated hardware subsystem, they are not synchronized, as it's impossible to get the contents of the private key parts.
{% endhint %}

{% tabs %}
{% tab title="Windows" %}

#### Windows Hello <a href="#windows-hello" id="windows-hello"></a>

Termius for Windows lets you generate Biometric SSH keys within the Trusted Platform Module (TPM). TPM is an isolated hardware subsystem that generates and stores private keys. No one, including Termius or Windows, can export, copy, or access these keys directly.

For SSH connections using such a key, Termius requests TPM to sign the data using the private key. Whenever this happens, Windows prompts you to authorize access to a key stored in TPM with fingerprint authentication.

#### **Generate a biometric Key** <a href="#generate-biometric-key-1" id="generate-biometric-key-1"></a>

1. Navigate to the `Keychain` screen and click `Windows Hello`<br>

   <figure><img src="/files/Xvu5vaSef5HUsYQ85RCM" alt=""><figcaption></figcaption></figure>
2. Specify the name of the key in the `Label` field<br>

   <figure><img src="/files/bR9Qg56upZV2gJ49JXTD" alt=""><figcaption></figcaption></figure>
3. Click `Generate`

#### Export the biometric key to a host <a href="#export-biometric-key-to-host-1" id="export-biometric-key-to-host-1"></a>

1. Navigate to the `Keychain` screen and open the `Key Details` for a selected key<br>

   <figure><img src="/files/rAIRbHyCK0BmeBkVsR7t" alt=""><figcaption></figcaption></figure>
2. Click `Export to host`, then click `Select Host` to choose the host you want the public key to be exported to<br>

   <figure><img src="/files/wbjICTGEDEg56Av82XQx" alt=""><figcaption></figcaption></figure>
3. If your authorized keys are stored in a custom directory, update the folder path in the `Location` field and specify the authorized keys file using the `Filename` field
4. Click `Export and Attach`<br>

   <figure><img src="/files/lTZfFXK2FDmR3fnEenHg" alt=""><figcaption></figcaption></figure>

Once the key is exported to the host and is attached to the host in Termius, you will be able to use it for connections.

#### Connect using biometric keys

1. Navigate to the `Hosts` screen
2. Click the host where you set up biometric keys for authentication
3. Complete the biometric authentication
   {% endtab %}

{% tab title="macOS" %}

#### Apple Secure Enclave (Face ID/Touch ID) <a href="#apple-secure-enclave-face-id-touch-id" id="apple-secure-enclave-face-id-touch-id"></a>

Termius on macOS, iOS, and iPadOS lets you generate Biometric SSH keys in the [Secure Enclave (SE)](https://support.apple.com/en-nz/guide/security/sec59b0b31ff/web). Secure Enclave is an isolated hardware subsystem that generates and stores private keys. No one, including Termius or the OS, can directly export, copy, or access these keys.

For SSH connections using such a key, Termius requests the SE to sign the data with the private key. Whenever this happens, the OS prompts you to authorize access to the key stored in the SE using Touch ID/Face ID.

#### **Generate a biometric key** <a href="#generate-biometric-key-2" id="generate-biometric-key-2"></a>

1. Navigate to the `Keychain` screen and click `TOUCH ID`<br>

   <figure><img src="/files/7pkSfKbZN8PXF43AkNAt" alt=""><figcaption></figcaption></figure>
2. Specify the name of the key in the `Label` field<br>

   <figure><img src="/files/zY7v1qhbbLPl5oxo5t8z" alt=""><figcaption></figcaption></figure>
3. Click `Generate`

#### Export biometric key to a host <a href="#export-biometric-key-to-host-2" id="export-biometric-key-to-host-2"></a>

1. Navigate to the `Keychain` screen and open the `Key Details` for a selected key<br>

   <figure><img src="/files/3rkprDNSQ3UbGYJ4Cn9t" alt=""><figcaption></figcaption></figure>
2. Click `Export to host`, then click `Select Host` to choose the host you want the public key to be exported to<br>

   <figure><img src="/files/0f5C7XlHz8fuD7yF6IYP" alt=""><figcaption></figcaption></figure>
3. If your authorized keys are stored in a custom directory, update the folder path in the `Location` field and specify the authorized keys file using the `Filename` field
4. Click `Export and Attach`<br>

   <figure><img src="/files/oNCkN5gzKco12HOxNvSM" alt=""><figcaption></figcaption></figure>

Once the key is exported to the host and is linked with the host in Termius, you will be able to use it for connections.

#### Connect using biometric keys

1. Navigate to the `Hosts` screen
2. Click the host where you set up biometric keys for authentication
3. Complete the biometric authentication
   {% endtab %}

{% tab title="iOS/iPadOS" %}

#### Apple Secure Enclave (Face ID/Touch ID) <a href="#apple-secure-enclave-face-id-touch-id" id="apple-secure-enclave-face-id-touch-id"></a>

Termius on macOS, iOS, and iPadOS lets you generate Biometric SSH keys in the [Secure Enclave (SE)](https://support.apple.com/en-nz/guide/security/sec59b0b31ff/web). Secure Enclave is an isolated hardware subsystem that generates and stores private keys. No one, including Termius or the OS, can directly export, copy, or access these keys.

For SSH connections using such a key, Termius requests the SE to sign the data with the private key. Whenever this happens, the OS prompts you to authorize access to the key stored in the SE using Touch ID/Face ID.

#### **Generate a biometric key** <a href="#generate-biometric-key-2" id="generate-biometric-key-2"></a>

1. Tap the back arrow button `<` to open the **Vaults** screen, then open the `Keychain` screen<br>

   <div align="left"><figure><img src="/files/TZ1pRGG18ka51wufGMeA" alt="" width="375"><figcaption></figcaption></figure></div>
2. Tap the `+` button and select `New Face ID Key/New Touch ID Key` in the context menu<br>

   <div align="left"><figure><img src="/files/SqwDEQkSrx3liO4ICPJg" alt="" width="375"><figcaption></figcaption></figure></div>
3. Specify the name of the key in the `Label` field<br>

   <div align="left"><figure><img src="/files/HnYS8u5GeUWNsKDtppiv" alt="" width="375"><figcaption></figcaption></figure></div>
4. Tap `Generate`

#### Export the biometric key to a host <a href="#export-biometric-key-to-host-2" id="export-biometric-key-to-host-2"></a>

1. When the biometric key is generated, tap the biometric key on the Keychain screen, then select the host you want the public key to be exported to<br>

   <div><figure><img src="/files/JW06ay4zAnDxui5Oaf9V" alt=""><figcaption></figcaption></figure> <figure><img src="/files/t1ObVaCp8UtDfkcmsCuU" alt=""><figcaption></figcaption></figure></div>
2. If your authorized keys are stored in a custom directory, update the folder path in the `Location` field and specify the file containing the authorized keys
3. Tap `Export`<br>

   <div align="left"><figure><img src="/files/PYhA5spwziuBF5WeydnJ" alt="" width="375"><figcaption></figcaption></figure></div>

Once the key is exported to the host and is linked with the host in Termius, you will be able to use it for connections.

#### Connect using biometric keys

1. Navigate to the `Hosts` screen
2. Tap on the host where you set up biometric keys for authentication
3. Complete the biometric authentication
   {% endtab %}

{% tab title="Android" %}

#### Android Keystore <a href="#android-keystore" id="android-keystore"></a>

Termius for Android lets you generate Biometric SSH keys in the Keystore. It's an isolated hardware subsystem that generates and stores private keys. No one, including Termius or Android, can export, copy, or access these private keys directly.

For SSH connections using such a key, Termius requests that Keystore sign the data with the private key. Whenever this happens, Android prompts you to authorize access to the key stored in the Keystore using biometric authentication.

#### Generate a biometric key <a href="#generate-biometric-key" id="generate-biometric-key"></a>

1. Tap `< All vaults` to open the Vaults screen, then open the `Keychain` screen<br>

   <div align="left"><figure><img src="/files/QtqCO3uroxSZ0Gjb6UB8" alt="" width="375"><figcaption></figcaption></figure></div>
2. Tap the `+` button and select `New biometric key` in the context menu<br>

   <div align="left"><figure><img src="/files/Kd26XEv8AW0kXDLeW6Qm" alt="" width="375"><figcaption></figcaption></figure></div>
3. Specify the `Name` of the key and tap `Generate`<br>

   <div align="left"><figure><img src="/files/b2ndb21RZyY1nidU4eii" alt="" width="375"><figcaption></figcaption></figure></div>
4. Tap the checkmark icon to save the biometric key<br>

   <div align="left"><figure><img src="/files/U6lpVLuDh7DvMQV1Fcjw" alt="" width="375"><figcaption></figcaption></figure></div>

#### Export the biometric key to a host <a href="#export-biometric-key-to-host" id="export-biometric-key-to-host"></a>

1. When the biometric key is generated, tap the biometric key on the Keychain screen<br>

   <div align="left"><figure><img src="/files/jhdYo1vVPuW4XLl3qjDH" alt="" width="375"><figcaption></figcaption></figure></div>
2. Select `Export to…`, then select a host from the list<br>

   <div><figure><img src="/files/kf4cdWduBdZ1WdeqLt1b" alt=""><figcaption></figcaption></figure> <figure><img src="/files/skvxeA6A5UIBam21KBdL" alt=""><figcaption></figcaption></figure></div>
3. If your authorized keys are stored in a custom directory, update the folder path in the `SSH Keys location` field and specify the `File containing public keys`
4. Tap `Export`<br>

   <div align="left"><figure><img src="/files/CumbWNaUgUxBPzOOevDo" alt="" width="375"><figcaption></figcaption></figure></div>

Once the key is exported to the host and is attached to the host in Termius, you will be able to use it for connections.

#### Connect using biometric keys

1. Navigate to the `Hosts` screen
2. Tap on the host where you set up biometric keys for authentication
3. Complete the biometric authentication
   {% endtab %}
   {% endtabs %}
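
After an export, you can check on the host which keys its authorized-keys file now accepts. The script below is an added example, not part of Termius or its documentation: it parses `authorized_keys` content, prints each key's SHA256 fingerprint (the format `ssh-keygen -lf` prints), and reports lines whose key blob does not match its declared type. The function names and the sample entries are constructed for illustration.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data

def parse_entry(line: str):
    """Return (key_type, fingerprint, comment) for a key line, else None."""
    fields = line.split()
    # Options such as command="..." may precede the key, so scan for the first
    # field pair where the base64 blob names the same key type as the field.
    for i in range(len(fields) - 1):
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue
        if blob.startswith(ssh_string(fields[i].encode())):
            digest = hashlib.sha256(blob).digest()
            fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
            return fields[i], fp, " ".join(fields[i + 2:])
    return None

def audit(text: str):
    """Return (parsed entries, line numbers of key lines that did not parse)."""
    entries, rejected = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        entry = parse_entry(line)
        (entries if entry else rejected).append(entry or n)
    return entries, rejected

def sample_line(key_type, body, comment, options=""):
    """Build a constructed authorized_keys line; the key bytes are dummies."""
    blob = base64.b64encode(ssh_string(key_type.encode()) + body).decode()
    return f"{options} {key_type} {blob} {comment}".strip()

P256 = ssh_string(b"nistp256") + ssh_string(b"\x04" + b"\x11" * 64)
SAMPLE = "\n".join([
    "# constructed authorized_keys content, not real keys",
    sample_line("ecdsa-sha2-nistp256", P256, "phone-biometric"),
    sample_line("ssh-ed25519", ssh_string(b"\x22" * 32), "old laptop",
                'no-pty,command="uptime -p"'),
    "ssh-ed25519 AAAAtruncated broken-entry",
])

if __name__ == "__main__":
    for key_type, fp, comment in audit(SAMPLE)[0]:
        print(key_type, fp, comment)
```

To run it against a real file, pass the file's text to `audit()` and compare the listed fingerprints with the keys you expect to be authorized; any entry you cannot account for is a candidate for removal.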


