Docs / Getting Started

What is NetShell

NetShell is a free, security-first SSH client for iPhone, iPad & Mac, built around a hardware-backed key vault so your servers and your secrets stay yours.

What NetShell is

NetShell is a complete remote-server toolkit that runs on iOS, iPadOS 17+ and Mac. At its core is an SSH terminal, but it grows well past that: a private key vault, file transfer over SFTP and SMB, Docker control, network and Bluetooth discovery, live server monitoring, and an AI assistant. It is free with no subscription, and it ships with no telemetry by default — analytics are strictly opt-in.

The guiding idea is simple. Most mobile SSH apps treat security as a checkbox. NetShell treats it as the architecture. Credentials are stored in the hardware-backed iOS Keychain, host verification happens before a single byte of authentication leaves your device, and a command guard sits between you and the kind of mistake you only make once.

The key vault

Everything starts with keys. NetShell can generate ed25519 and RSA key pairs directly on-device, and it imports existing OpenSSH keys — including encrypted ed25519 and RSA private keys protected by a passphrase.

Private keys and passphrases live in the hardware-backed iOS Keychain, protected by Face ID.
They sync only through Apple's end-to-end encrypted iCloud Keychain — across your own devices, never through a NetShell server.
Host (known-hosts) keys stay device-local and do not sync, so trust decisions made on one device aren't silently exported to another.

Tip. Generate one ed25519 key, add its public half to each server's ~/.ssh/authorized_keys, and you never type a server password again. See Generate & import SSH keys.

The terminal

NetShell gives you a full SSH terminal with real terminal emulation, multiple concurrent sessions, and 16 themes to match how you like to read a screen. For layered networks it supports multi-hop / jump-host chaining, so you can reach a server that's only accessible through a bastion without leaving the app.

Terminal basics — sessions, input, and gestures.
Jump hosts — chain through a bastion.
Port forwarding — tunnel local and remote ports.

Files: SFTP and SMB

NetShell includes an SFTP browser for moving files over your existing SSH connection — upload, download, and navigate remote directories with the same credentials you already trust. It also speaks SMB, so you can browse Windows and NAS file shares on your network. See SFTP transfers and SMB shares.

Discovery: network and Bluetooth

Two scanners help you understand what's actually around you.

The network scanner combines Bonjour service discovery with a port scan to find devices on your LAN and flag which ones are running an SSH server — turning discovery into a one-tap connection. See Network scanner.
The Bluetooth scanner classifies nearby devices live and performs CVE lookups so you can see known vulnerabilities at a glance. See Bluetooth scanner.

Monitoring and Docker

NetShell can keep an eye on your servers with dashboards showing CPU, memory, disk and uptime, plus custom alerts when something crosses a threshold you care about. For containerized workloads it manages Docker containers and Compose stacks — start, stop, inspect, and read logs without dropping to a manual command. See Server monitoring and Docker guide.

AI, on your terms

NetShell's assistant can run two ways. Use Apple Intelligence on-device (private, no account required, iOS 26+), or bring your own model — Claude, OpenAI, or a local Ollama endpoint. Either way the choice is yours, and the on-device path keeps your context off the network entirely. See Apple Intelligence and Bring your own model.

Security by default

The security model is the reason NetShell exists, not an afterthought bolted on.

Host verification at handshake time, fails closed. If a host is unknown or its key has changed, credentials are never sent. You approve new hosts (trust-on-first-use). See Host verification.
Destructive-command guard. NetShell intercepts commands like rm -rf, DROP/TRUNCATE TABLE, git push --force, git reset --hard, shutdown/reboot, kubectl delete namespace, helm uninstall, and pipe-to-bash. See Command guard.
Face ID lock. The app auto-relocks behind Face ID after it's been idle. See Face ID lock.

For the full picture of how data is protected end to end, see Encryption.

Sync across your devices

Your setup follows you. Connections, snippets, folders, groups and tags sync via iCloud key-value store, while passwords and private keys sync via iCloud Keychain instead — keeping the sensitive material under Apple's end-to-end encryption rather than ordinary app sync. See Sync across devices and Key sync.

Siri and widgets

NetShell integrates with Siri Shortcuts and offers home-screen widgets, so frequent connections and at-a-glance server status are a tap or a phrase away.

What makes it different

Security-first by design — fail-closed host verification, a command guard, and Keychain-backed secrets.
Free — no subscription, the full feature set included.
No telemetry by default — analytics are opt-in, not on. See Privacy & telemetry.
One app, three platforms — iPhone, iPad & Mac.

Tip. Ready to try it? Grab NetShell from the App Store, then follow the Quickstart.

Next
Quickstart → Related
Privacy & telemetry →