Connecting to hosts

Create an SSH connection profile that points at a vault credential, then run a command, open an interactive shell, or transfer files over SFTP — without ever putting a key on the device.

Updated Jun 23, 2026

A connection profile is a saved target: where to connect and which vault credential to authenticate with. You build it once, then run commands, open shells, and move files through the brokered path. The credential comes from the vault — it is never stored on the connecting device.

Create a connection profile

  1. Store the login secret first. Add the SSH key or password to the vault as a credential. SSH keys may carry an optional passphrase, also stored in the vault. See Credential Vault.
  2. Add a connection. Give it a name and fill in the target:
    • Host — hostname or IP of the target (for example host.example.com or 192.0.2.10).
    • Port — the SSH port, default 22.
    • Username — the remote login user.
    • Auth method — select a stored credential from the vault. A credential of type SSH key uses the stored private key (and passphrase if present); a credential of type password uses the stored password. The broker injects whichever applies.
  3. Save. The profile stores only a reference to the credential, not the secret itself. Access to the credential is re-checked on every use against the vault’s role permissions.

The connecting device holds none of this. The host, port, and username are metadata; the actual secret stays in the vault and is decrypted in memory only for an authorized session.
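A minimal model of the reference-only design described above, as an added example that is not VaultTerm's code or API. The names `Profile`, `Vault`, and `open_session`, the role names, and the sample secret are hypothetical and constructed for illustration.

```python
from contextlib import contextmanager
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """Saved target: metadata plus a credential *reference*, never the secret."""
    name: str
    host: str
    username: str
    credential_id: str
    port: int = 22


class Vault:
    """Hypothetical vault: secrets and per-credential role permissions."""

    def __init__(self):
        self._secrets = {}   # credential_id -> secret bytes
        self._allowed = {}   # credential_id -> set of roles
        self.audit = []      # (role, credential_id, decision)

    def store(self, credential_id, secret, roles):
        self._secrets[credential_id] = bytes(secret)
        self._allowed[credential_id] = set(roles)

    def revoke(self, credential_id, role):
        self._allowed[credential_id].discard(role)

    def checkout(self, credential_id, role):
        # Permission is evaluated at use time, not when the profile was saved.
        ok = role in self._allowed.get(credential_id, set())
        self.audit.append((role, credential_id, "allow" if ok else "deny"))
        if not ok:
            raise PermissionError(f"{role} may not use {credential_id}")
        return bytearray(self._secrets[credential_id])  # mutable working copy


@contextmanager
def open_session(vault, profile, role):
    """Broker side: fetch the secret for one session, wipe it afterwards."""
    secret = vault.checkout(profile.credential_id, role)
    try:
        yield secret  # a real broker would authenticate to profile.host here
    finally:
        secret[:] = bytes(len(secret))  # best-effort in-memory discard
```

Revoking a role in the vault denies the next use of an already-saved profile, because the profile never held a copy of the secret.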

Step-up and risk gating

Sensitive operations can require a fresh WebAuthn step-up before they proceed. Social-login sessions must step up before reaching brokered SSH at all. When you run a command, VaultTerm classifies its risk; a high-risk command is intercepted and blocked until you complete a step-up proof, and the decision is audited either way. You can also pre-check a command’s risk without running it.

Run a command

Send a single command to the host. The broker authenticates with the vault credential, runs the command, and returns stdout, stderr, and the exit code. The command and its exit code are written to your command history and to the audit trail. If a secret leaks into the command output, VaultTerm flags it.

Open an interactive session

Open a full interactive shell over a live connection. You type, the host responds, in real time. While the session is open:

  • Terminal output can be recorded to the audit trail where session recording is enabled for your plan.
  • Output is scanned for exposed secrets.
  • The session can be shared read/write with teammates for real-time collaboration, with input control handed off explicitly.

When the session ends, the in-memory credential is discarded.

Transfer files over SFTP

File transfer runs over the same brokered connection and the same credential — no separate keys. From a connection you can:

  • List a remote directory.
  • Download a remote file (streamed).
  • Upload a file (up to 50 MB per file).
  • Create, rename, and delete files and directories.

Every SFTP operation is audited with its path and size, exactly like a command.
