Frequently Asked Questions
If you're curious about something not explained here, please contact us at help@shellvault.io.
How does Shellvault work?
Shellvault uses a websocket to connect a client-side terminal emulator to an SSH process on Shellvault's servers. When you type a command, it goes through the websocket to the SSH client running on our servers, and the socket sends the response back to the terminal in your browser.
I've found a bug. What do I do?
For security-related bugs, please email us immediately at security@shellvault.io. If you have found a critical security bug (on par with remote code execution, database leakage, etc.), we will pay you a bounty of up to $500, depending on severity. We take security very seriously.
For cosmetic and usage bugs, please email us at bugs@shellvault.io.
Why do I need a full keypair instead of just a public key?
Shellvault executes an SSH process on your behalf, just like PuTTY or a local SSH client. To behave as an SSH client, Shellvault needs the full public/private keypair.
That said, you should not upload the SSH keys you already use! Use Shellvault to generate new keys instead.
How does Shellvault store my keys?
Your public and private keys are encrypted at rest with the AES-256-CBC cipher, which means they are only decrypted when you use them: in the event of a database leak, an attacker won't be able to access your keys.
Isn't sharing my SSH keys with any third party service dangerous?
Yes. This is a very important question.
An SSH keypair is made up of a public key (id_rsa.pub) and a private key (id_rsa). Sharing your public key is OK, but you should never share your private key (from the file id_rsa) with anyone. We don't want you to use your pre-existing SSH keypairs with Shellvault.
Instead, we've made it easy to create new Shellvault-specific keypairs (or upload your own fresh keypair) and authorize them on your remote server.
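An added example (not Shellvault's code) of what a dedicated keypair gives you on the server side: it audits an authorized_keys file by fingerprint and revokes only the Shellvault-specific entry, leaving your personal key untouched. The sample file, key blobs, comments and function names are constructed for illustration.

```python
import base64
import hashlib
import struct

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_entry(line):
    """Parse one authorized_keys line; return None for comments, blanks, junk."""
    tokens = line.split()
    for i in range(len(tokens) - 1):
        keytype, blob = tokens[i], tokens[i + 1]
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        if len(raw) < 4:
            continue
        (n,) = struct.unpack(">I", raw[:4])
        # A real key blob starts with its own length-prefixed type name.
        if raw[4:4 + n] == keytype.encode():
            return {"options": " ".join(tokens[:i]), "type": keytype,
                    "blob": blob, "comment": " ".join(tokens[i + 2:])}
    return None

def list_entries(text):
    """All key entries in the file, in order."""
    return [e for e in map(parse_entry, text.splitlines()) if e]

def revoke(text, fp):
    """Remove entries matching fingerprint fp; keep other lines verbatim."""
    kept, removed = [], 0
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and fingerprint(entry["blob"]) == fp:
            removed += 1
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed

def _sample_blob(seed):
    """Constructed sample data: well-formed ssh-ed25519 blob, not a real key."""
    kt = b"ssh-ed25519"
    body = hashlib.sha256(seed).digest()
    return base64.b64encode(struct.pack(">I", len(kt)) + kt + struct.pack(">I", 32) + body).decode()

PERSONAL, DEDICATED = _sample_blob(b"laptop"), _sample_blob(b"shellvault")
SAMPLE = (f"# constructed authorized_keys file\n"
          f"ssh-ed25519 {PERSONAL} alice@laptop\n"
          f"no-agent-forwarding,no-X11-forwarding ssh-ed25519 {DEDICATED} shellvault-dedicated\n")
```

Calling `revoke(SAMPLE, fingerprint(DEDICATED))` returns the file text without the dedicated entry and the number of lines removed.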
Can Shellvault read the commands I send?
Technically, yes: because the SSH process has to read your commands in order to send them to your SSH server, we're forced to be a potential Man In The Middle (MITM). However, we do NOT log, parse, track, or record your commands or server results in any way except to forward them to the SSH process (i.e. the service that we provide). This also applies to the security of your SSH keys.
If you have concerns, would like to know more, or have ideas for improving this situation, contact us at help@shellvault.io.