Security Settings
Protect your connections and data with comprehensive security settings—from auto-lock to two-factor authentication.
Accessing Security Settings
Settings → Account → Security
or
Settings → Security (if separate tab)
Auto-Lock
Enable Auto-Lock
Auto-Lock:
[✓] Lock Xermius when inactive
Idle Timeout:
[15] minutes
Range: 1-60 minutes
Recommendations:
- Home: 15-30 min
- Office: 10-15 min
- Public: 5 min
- Shared computer: 1-5 min
Lock Behavior
When Locked:
[✓] Close all SSH connections
[✓] Clear clipboard
[ ] Hide window
[✓] Require password to unlock
Lock Screen:
● Show last activity time
○ Show nothing (blank)
Manual Lock
Quick lock:
Cmd+L (Mac) or Ctrl+L (Windows/Linux)
or
Menu → Lock Xermius
Password Protection
Master Password
Master Password:
[✓] Require password on startup
Set Password:
Current: [••••••••]
New: [••••••••]
Confirm: [••••••••]
Password Strength: ████████░░ Strong
[Change Password]
Password Rules
Requirements:
✓ Minimum 8 characters
✓ At least 1 uppercase
✓ At least 1 lowercase
✓ At least 1 number
○ Special character (recommended)
Password Tips:
- Use a passphrase
- Don't reuse passwords
- Change regularly
Password Recovery
Recovery Options:
[✓] Email recovery code
[✓] Security questions
Recovery Email:
[your@email.com ]
[✓] Verified
[Send Test Email]
Two-Factor Authentication (2FA)
Enable 2FA
Two-Factor Authentication:
[ ] Disabled
[Enable 2FA]
Benefits:
✓ Extra security layer
✓ Protect from unauthorized access
✓ Required for enterprise
Setup Process
Step 1: Scan QR Code
┌─────────────────┐
│ ████ ██ ███ │
│ ██ ████ ███ │
│ ███ ██ ████ │
│ ████ ██ ███ │
└─────────────────┘
Use authenticator app:
- Google Authenticator
- Authy
- 1Password
- Microsoft Authenticator
Step 2: Enter Code
Code from app:
[123456]
[Verify]
Step 3: Save Recovery Codes
Keep these codes safe!
1. 1234-5678-90AB
2. CDEF-1234-5678
3. 90AB-CDEF-1234
...
[Download] [Print] [Continue]
2FA Settings
Two-Factor Authentication:
[✓] Enabled ●
[✓] Require on every login
[ ] Require once per device
[ ] Require once per 30 days
Recovery Codes:
[View Codes] [Regenerate]
[Disable 2FA]
SSH Key Management
Key Storage
SSH Key Storage:
● System keychain (recommended)
○ Xermius encrypted storage
○ Don't save keys
Keychain Access:
[✓] Use system keychain
[✓] Require unlock on use
Key Security
Private Key Protection:
[✓] Encrypt keys at rest
[✓] Require password for use
[ ] Auto-lock keys after: [30] min
Key Permissions:
Owner: Read/Write
Group: None
Other: None
Host Key Verification
Verification Settings
Host Key Verification:
[✓] Verify host keys (STRONGLY recommended)
[✓] Warn on key changes
[✓] Block revoked keys
On First Connection:
● Prompt to verify
○ Auto-trust (insecure)
○ Auto-reject
Trust Levels
Known Hosts Trust:
● Trusted (green checkmark)
○ Warning (prompt each time)
○ Revoked (block connection)
[Manage Known Hosts]
Password Storage
Save Passwords
Password Storage:
[✓] Save SSH passwords
[✓] Encrypt passwords
[✓] Require master password
Storage Location:
● System keychain (secure)
○ Local encrypted file
○ Don't save (enter each time)
Clear Saved Passwords
Clear Passwords:
This will delete:
- All saved SSH passwords
- SFTP passwords
- Proxy passwords
⚠️ Cannot be undone
[Clear All Passwords]
Session Security
Idle Sessions
Idle SSH Sessions:
[✓] Auto-disconnect after: [30] min
[✓] Show warning before disconnect
[✓] Send keepalive packets
Keepalive Interval:
[60] seconds
Multiple Sessions
Concurrent Sessions:
[✓] Allow multiple connections per host
[ ] Limit to [3] sessions per host
Session Isolation:
[✓] Separate terminal history
[✓] Separate environment
Network Security
Connection Security
Connection Options:
[✓] Use only SSH protocol v2
[✓] Verify SSL certificates
[✓] Reject weak encryption
Allowed Ciphers:
[✓] aes256-gcm
[✓] aes256-ctr
[✓] chacha20-poly1305
[ ] aes128-ctr (weaker)
[ ] 3des-cbc (deprecated)
[Configure Advanced...]
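An added example, not part of Xermius or its documentation: a small audit that checks the Ciphers lines of an OpenSSH client config against the allow-list shown above, so the command-line client does not permit what the app rejects. It assumes the UI entries aes256-gcm and chacha20-poly1305 correspond to the OpenSSH names aes256-gcm@openssh.com and chacha20-poly1305@openssh.com; the sample config is constructed.

```python
import re

# Ciphers ticked in the settings panel above, under their OpenSSH names (assumed mapping).
ENABLED = {"aes256-gcm@openssh.com", "aes256-ctr", "chacha20-poly1305@openssh.com"}
# Ciphers the panel lists but leaves unticked, with the label it gives them.
DISABLED = {"aes128-ctr": "weaker", "3des-cbc": "deprecated"}

# Constructed sample ssh_config content.
SAMPLE_CONFIG = """\
# personal hosts
Host bastion
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
Host legacy-router
    Ciphers +3des-cbc,aes128-cbc
Host build
    Ciphers=-aes128-ctr
"""


def audit_ciphers(config_text):
    """Return (host, cipher, reason) for every cipher a Ciphers line permits
    that is not on the allow-list."""
    findings = []
    host = "*"  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config separates keyword and argument by whitespace or '='.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            host = value
        elif keyword == "ciphers":
            if value.startswith("-"):
                continue  # '-' removes ciphers from the defaults, adds none
            # '+' and '^' add the listed ciphers to the defaults.
            for name in value.lstrip("+^").split(","):
                name = name.strip()
                if name and name not in ENABLED:
                    reason = DISABLED.get(name, "not on the allow-list")
                    findings.append((host, name, reason))
    return findings
```

A `+` or `^` list still leaves OpenSSH's default ciphers enabled, so a clean result for such a line only covers the ciphers it names.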
Proxy Security
SOCKS/HTTP Proxy:
[ ] Require authentication
[ ] Verify proxy certificate
[ ] Encrypt proxy connection
Firewall & Blocking
IP Whitelist
IP Whitelist:
[ ] Only allow specific IPs
Allowed IPs:
192.168.1.0/24 [✓] Home network
10.0.0.0/8 [✓] Office network
54.123.45.67 [✓] VPN server
[Add IP] [Remove]
Failed Attempts
Failed Login Protection:
[✓] Track failed attempts
[✓] Block after [3] failures
[✓] Block duration: [15] minutes
Current Blocked IPs:
203.0.113.10 (2 attempts, blocked 5 min ago)
[Unblock] [View Log]
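An added example, not Xermius code: the lockout policy above (block after 3 failures, for 15 minutes) replayed over constructed login events. It assumes failures are counted per source IP, that a successful login resets the count, and that attempts during a block are rejected without checking credentials; the page does not specify these details.

```python
from datetime import datetime, timedelta

MAX_FAILURES = 3                        # "Block after [3] failures"
BLOCK_DURATION = timedelta(minutes=15)  # "Block duration: [15] minutes"


class LockoutTracker:
    def __init__(self):
        self.failures = {}       # ip -> consecutive failed attempts
        self.blocked_until = {}  # ip -> time at which the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is not None and now < until:
            return True
        self.blocked_until.pop(ip, None)  # expired block: forget it
        return False

    def record(self, ip, now, success):
        """Return 'blocked', 'ok' or 'failed' for one login attempt."""
        if self.is_blocked(ip, now):
            return "blocked"  # rejected even if the password is right
        if success:
            self.failures.pop(ip, None)
            return "ok"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= MAX_FAILURES:
            self.blocked_until[ip] = now + BLOCK_DURATION
            self.failures.pop(ip, None)
        return "failed"


# Constructed sample events: (time, source IP, login succeeded?)
EVENTS = [
    ("2024-01-16 18:00", "203.0.113.10", False),
    ("2024-01-16 18:01", "203.0.113.10", False),
    ("2024-01-16 18:02", "203.0.113.10", False),  # third failure: block starts
    ("2024-01-16 18:05", "203.0.113.10", True),   # right password, still blocked
    ("2024-01-16 18:06", "198.51.100.7", False),  # other addresses unaffected
    ("2024-01-16 18:17", "203.0.113.10", True),   # block expired at 18:17
]


def replay(events):
    tracker = LockoutTracker()
    return [tracker.record(ip, datetime.strptime(ts, "%Y-%m-%d %H:%M"), ok)
            for ts, ip, ok in events]
```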
Audit & Logging
Security Audit Log
Security Events:
[✓] Log all login attempts
[✓] Log password changes
[✓] Log 2FA events
[✓] Log key usage
Retention:
Keep logs for: [90] days
[View Security Log]
Security Log
┌──────────────────────────────────────┐
│ Security Audit Log │
├──────────────────────────────────────┤
│ 2024-01-17 10:45 Login successful │
│ 2024-01-17 09:30 2FA verified │
│ 2024-01-17 08:15 Password changed │
│ 2024-01-16 18:00 Failed login (3x) │
│ 2024-01-16 15:30 SSH key used │
└──────────────────────────────────────┘
[Export] [Clear Old Logs]
Data Encryption
At Rest
Data Encryption:
[✓] Encrypt application data
[✓] Encrypt saved passwords
[✓] Encrypt SSH keys
[✓] Encrypt logs
Encryption Method:
● AES-256-GCM (recommended)
○ AES-256-CBC
○ ChaCha20-Poly1305
In Transit
Network Encryption:
[✓] Always use encrypted connections
[✓] Verify server certificates
[ ] Allow unencrypted connections (NOT recommended)
TLS Version:
● TLS 1.3 only (most secure)
○ TLS 1.2+ (compatible)
○ TLS 1.0+ (insecure, not recommended)
Privacy Settings
Telemetry
Usage Data:
[ ] Send anonymous usage statistics
[ ] Send crash reports
[ ] Improve app with usage data
What's shared:
- App version
- OS version
- Feature usage (anonymous)
NOT shared:
✗ Your hosts
✗ Your passwords
✗ Your commands
✗ Personal information
Cloud Sync Privacy
Cloud Sync Security:
[✓] End-to-end encryption
[✓] Zero-knowledge encryption
[✓] Local encryption before upload
Sync Server Access:
✗ Cannot read your data
✗ Cannot decrypt your data
✓ You control encryption keys
Security Checklist
Essential Security
Must-have settings:
□ Enable auto-lock (15 min)
□ Set master password
□ Enable 2FA
□ Verify host keys
□ Use SSH key authentication
□ Enable password encryption
□ Regular security log review
Recommended Security
Additional protection:
□ Shorter idle timeout (10 min)
□ IP whitelist (if possible)
□ Failed attempt blocking
□ Audit logging
□ Regular password changes
□ Recovery email set up
Maximum Security
For sensitive environments:
□ 1-5 min auto-lock
□ Manual host key approval
□ Don't save passwords
□ Session recording
□ IP whitelist enforced
□ 2FA on every login
□ Clear clipboard on lock
□ Close connections on lock
Tips & Best Practices
1. Use Strong Master Password
Good: Correct-Horse-Battery-Staple-42
Bad: password123
Use:
- 12+ characters
- Passphrase
- Password manager
2. Enable 2FA Everywhere
2FA for:
✓ Xermius account
✓ Email account
✓ SSH jump servers
✓ Cloud services
Extra protection!
3. Regular Security Review
Monthly:
□ Review security log
□ Check saved passwords
□ Verify 2FA codes work
□ Update software
4. SSH Keys Over Passwords
Prefer SSH keys:
+ More secure
+ No password to type
+ Can't be guessed
+ Easier automation
Generate strong keys:
ssh-keygen -t ed25519
5. Keep Recovery Codes Safe
2FA recovery codes:
1. Print and store securely
2. Save encrypted copy
3. Store in password manager
4. DON'T lose them!
Without codes + phone lost = locked out
Troubleshooting
Forgot Master Password
Recovery:
1. Click "Forgot Password"
2. Check recovery email
3. Enter recovery code
4. Set new password
If no recovery:
- Data may be lost
- Contact support
- Fresh install needed
2FA Not Working
Verify:
1. Time synced on device?
2. Correct authenticator app?
3. Try recovery code
4. Regenerate codes
5. Contact support
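Why "Time synced on device?" comes first, as an added example that is not Xermius code: the authenticator apps listed in the setup section generate time-based codes (TOTP, RFC 6238), so a device clock that has drifted by more than a step or two produces codes the verifier rejects. It assumes 30-second steps, 6 digits, HMAC-SHA1 and a verifier that accepts one step either side; the secret is the RFC 6238 test seed, not a real one.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test seed, base32


def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, server_time, window=1):
    """Accept a code from `window` steps either side of the server clock."""
    return any(
        hmac.compare_digest(totp(secret_b32, server_time + i * STEP), code)
        for i in range(-window, window + 1)
    )


def accepted_with_skew(secret_b32, server_time, device_skew, window=1):
    """Would a code from a device whose clock is off by device_skew
    seconds (positive = device ahead) pass verification right now?"""
    device_code = totp(secret_b32, server_time + device_skew)
    return verify(secret_b32, device_code, server_time, window)


if __name__ == "__main__":
    now = 1111111109  # fixed time from the RFC 6238 test vectors
    for skew in (0, 20, -45, 90, -90):
        verdict = "accepted" if accepted_with_skew(SAMPLE_SECRET, now, skew) else "rejected"
        print(f"device clock off by {skew:+4d}s -> code {verdict}")
```

With these assumptions a drift of about a minute and a half is already enough to fail every login, which is why re-syncing the device clock is worth trying before regenerating codes.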
Auto-Lock Too Aggressive
Adjust:
Settings → Security → Auto-Lock
Increase timeout: 15 → 30 min
or
Disable while working:
Cmd+Shift+L to toggle
Next Steps
- ⚙️ Settings Overview - All settings
- 🔐 SSH Keys - Key-based authentication
- 🛡️ Known Hosts - Host verification
- 🔔 Notifications - Security alerts