Security

Zync is a local-first desktop SSH workspace. This page summarizes how vault encryption, sync, and credentials work — and what you should know as a user or operator.

Data ownership

Zync does not run a hosted SSH service. Your hosts, tunnels, snippets, terminal sessions, and credentials are stored on your devices unless you explicitly enable encrypted backup to your own Google Drive.

Where it livesWhat that means
Your machineHosts, tunnels, snippets, and settings in your Zync data folder
Encrypted VaultPasswords and keys encrypted on-device; you hold passphrase and recovery key
Your Google accountOptional encrypted sync collections in drive.appdata

No Zync account is required. Install, work offline, unlock the vault when you need secrets, and turn on sync only if you want encrypted backup across your own devices.

Vault encryption

  • Argon2id + AEAD — Vault records are encrypted at rest; see Vault for setup and usage.
  • Stable credential identity — Hosts reference credentialId instead of embedding raw secrets; relink and repair paths handle stale references on load.
  • Revision history — Prior credential revisions can be reviewed and restored without breaking host references.
  • Session unlock cache — Optional OS keychain storage with hardened restore edge cases.

Passphrase and recovery

Choose a strong vault passphrase. Store the recovery key offline before relying on the vault for production hosts. Losing both passphrase and recovery key means local vault data cannot be recovered.

Google Drive sync

Sync collections are encrypted with a separate passphrase before upload to Google drive.appdata. OAuth uses Google's desktop installed-app flow — user data access still requires per-user consent and scoped tokens.

Official release builds embed GOOGLE_CLIENT_ID for the Zync desktop OAuth client. For installed apps, Google does not treat the client secret as confidential inside a distributed binary — this is expected for desktop OAuth and is not equivalent to leaking a server-side secret. See the full security notes on GitHub for operator detail.

Connect and tab behavior

  • Vault-backed hosts prompt for unlock on connect/test instead of failing silently.
  • Opening a tab with a vault-backed connection does not auto-connect until you reconnect explicitly.
  • Atomic writes and concurrency guards protect vault/sync state during overlapping operations.

Plugins and telemetry

Marketplace plugins do not receive raw vault secrets by design. The Zync app itself does not phone home with your hosts or credentials; see the Privacy Policy for analytics and site telemetry scope.

Report a vulnerability

If you discover a security issue in Zync, report it privately to the maintainers rather than opening a public issue with exploit details.

Maintainer reference: SECURITY.md · VAULT.md