iCloud Keychain sync (E2E)

Your private keys and passwords ride Apple's end-to-end encrypted iCloud Keychain to your own devices — never a NetShell server.

Two different sync paths

NetShell deliberately splits your data across two separate Apple sync channels, because secrets and settings deserve different protection:

  • Secrets — private keys and passphrases — sync through iCloud Keychain, which is end-to-end encrypted by Apple.
  • Everything else — connections, snippets, folders, groups, and tags — syncs through iCloud Key-Value Storage (KVS). See Sync across devices for that path.

This means a connection record can travel to your iPad while its password takes the stronger, separate Keychain route. Neither path ever touches a server we operate.

Where your secrets actually live

When you generate a key (ed25519 or RSA) or import an OpenSSH private key, NetShell writes the private material into the hardware-backed iOS Keychain, protected by Face ID. The same is true for connection passwords. The Keychain is the operating system's own secure credential store — NetShell asks for an item by name at connect time and the system returns it only after you have authenticated.

Tip. Because secrets are held by the OS Keychain and gated by Face ID, deleting and reinstalling NetShell on a device that is signed into the same iCloud account restores your keys without you re-typing anything.

How end-to-end encryption works here

iCloud Keychain is one of the iCloud data classes Apple protects with end-to-end encryption. In practice that means:

  • Your secrets are encrypted on-device before they leave it.
  • The encryption keys are derived from your trusted devices and account security — not from anything NetShell holds.
  • Apple's servers relay the encrypted blob between your devices but cannot read it, and neither can we.

So a key you create on your iPhone becomes available on your iPad and Mac, while staying readable only by you across your own hardware.

Requirements

  1. The same Apple Account signed in on every device you want to sync.
  2. iCloud Keychain enabled in Settings → [your name] → iCloud → Passwords and Keychain.
  3. Two-factor authentication on your Apple Account, and a device passcode set — Apple requires both for Keychain sync.

With those in place, syncing is automatic. There is no NetShell account to create and nothing to configure inside the app.

What does NOT sync

One class of key stays put on purpose: host keys (the known-hosts entries NetShell records the first time you trust a server). These remain device-local and do not sync.

Trust-on-first-use is a decision tied to the device that made it. Propagating a "this host is trusted" record to your other devices would weaken host verification — so each device builds its own known-hosts list and verifies independently. The first time you connect from a new device, you approve the host there too.
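As an added illustration (not NetShell's own code), this is what the two policies described on this page look like at the Keychain API level: a private key written as a synchronizable item that rides iCloud Keychain, and a host key stored with a ThisDeviceOnly accessibility class so it never syncs. Service names and sample values are assumptions, and the Face ID gate (an access-control attribute) is left out to keep the focus on the sync attribute.

```swift
import Foundation
import Security
/// Illustrative only; service/account names below are assumptions.
enum SyncPolicy: Equatable {
    case iCloudKeychain   // synced end-to-end via iCloud Keychain (private keys, passwords)
    case thisDeviceOnly   // never leaves this device (host keys / known-hosts entries)
}
struct KeychainError: Error { let status: OSStatus }
/// Base query. kSecAttrSynchronizable must be explicit on every query:
/// without it, Keychain lookups match only non-synced items.
func baseQuery(service: String, account: String, policy: SyncPolicy) -> [String: Any] {
    [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecAttrSynchronizable as String: policy == .iCloudKeychain,
    ]
}
/// Writes (or replaces) a secret under the given sync policy.
func store(_ data: Data, service: String, account: String, policy: SyncPolicy) throws {
    var query = baseQuery(service: service, account: account, policy: policy)
    SecItemDelete(query as CFDictionary)          // replace any existing item
    // Accessibility decides sync eligibility: a ThisDeviceOnly class is never
    // synced, and Keychain rejects combining it with kSecAttrSynchronizable.
    query[kSecAttrAccessible as String] = policy == .iCloudKeychain
        ? kSecAttrAccessibleWhenUnlocked
        : kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    query[kSecValueData as String] = data
    let status = SecItemAdd(query as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError(status: status) }
}
/// Reads a secret back; the policy selects the synced or the local copy.
func load(service: String, account: String, policy: SyncPolicy) throws -> Data {
    var query = baseQuery(service: service, account: account, policy: policy)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else { throw KeychainError(status: status) }
    return data
}
// Constructed sample values (not real keys); service names are placeholders.
let privateKey = Data("-----BEGIN OPENSSH PRIVATE KEY----- (sample)".utf8)
try store(privateKey, service: "com.example.netshell.keys", account: "work-ed25519", policy: .iCloudKeychain)
let hostKey = Data("ssh-ed25519 AAAA... (sample host key)".utf8)
try store(hostKey, service: "com.example.netshell.hosts", account: "git.example.com", policy: .thisDeviceOnly)
```

On a second device signed into the same iCloud account with iCloud Keychain on, only the first item appears; the host key has to be re-approved there, which is the behaviour this section describes.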

The privacy guarantee

Putting it plainly: NetShell runs no sync server, no key escrow, and no telemetry by default (analytics are strictly opt-in). Your private keys and passwords move only between your own devices, only through Apple's end-to-end encrypted iCloud Keychain. We never see them, never store them, and never relay them.

Note. Secrets sync across the devices you own and trust — they are not locked to a single device. Combined with on-device generation and Face ID protection, that gives you portability without handing your keys to anyone in the middle.

Turning sync off

If you would rather keep secrets on one device, disable iCloud Keychain in iOS Settings. NetShell will continue to store keys and passwords in the local hardware-backed Keychain behind Face ID — they simply won't travel to your other devices. Re-enabling iCloud Keychain later resumes syncing automatically.