Security
All terminal data in taiku is encrypted before it leaves your machine. The server relays ciphertext it cannot read.
How it works
When you start a session, the CLI generates a random encryption key and embeds it in the session URL. This key never reaches the server — it stays in the URL fragment, which browsers don’t send over the network. Anyone you share the URL with gets the key automatically.
The key is strengthened using Argon2id (a memory-hard key derivation function) to produce a 128-bit AES key. Terminal data is then encrypted with AES-128-CTR, which runs AES in counter mode as a fast stream cipher. Each shell and input stream gets its own initialization vector, which prevents cross-stream collisions (two streams encrypted under the same key and IV).
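The flow described above as a Node.js sketch; this is an added example, not taiku's code. scrypt stands in for Argon2id (Node's standard library has no Argon2id), and the session URL, salt and IV layout are assumptions made for illustration.

```javascript
// Added example, not taiku's code. URL, salt and IV layout are assumptions.
const nodeCrypto = require('node:crypto');

// Constructed session URL: the secret sits after '#'.
const SESSION_URL = 'https://taiku.example/s/abc123#k3yMaterialFromCli';

// Path and query go into the HTTP request line; the fragment does not.
function requestTarget(sessionUrl) {
  const u = new URL(sessionUrl);
  return u.pathname + u.search;
}

// Stand-in KDF: scrypt (memory-hard) in place of Argon2id.
// The salt is hypothetical; the page does not describe one.
function deriveKey(sessionUrl) {
  const secret = new URL(sessionUrl).hash.slice(1);
  return nodeCrypto.scryptSync(secret, 'constructed-salt', 16); // 128-bit key
}

// Assumed IV layout: 8-byte stream id, then an 8-byte counter starting at 0.
function streamIv(streamId) {
  const iv = Buffer.alloc(16);
  iv.writeBigUInt64BE(BigInt(streamId), 0);
  return iv;
}

// AES-128-CTR: the same call encrypts and decrypts.
function ctr(key, iv, data) {
  const c = nodeCrypto.createCipheriv('aes-128-ctr', key, iv);
  return Buffer.concat([c.update(data), c.final()]);
}

function xor(a, b) {
  return Buffer.from(a.map((byte, i) => byte ^ b[i]));
}

// True when both streams used the same keystream: XOR of the ciphertexts
// then equals XOR of the plaintexts, without any knowledge of the key.
function keystreamShared(key, ivA, ivB) {
  const pA = Buffer.from('ls -la /home    '); // constructed, 16 bytes
  const pB = Buffer.from('password: hunter'); // constructed, 16 bytes
  return xor(ctr(key, ivA, pA), ctr(key, ivB, pB)).equals(xor(pA, pB));
}

const demoKey = deriveKey(SESSION_URL);
console.log('server sees:', requestTarget(SESSION_URL));
console.log('distinct IVs share keystream:', keystreamShared(demoKey, streamIv(1), streamIv(2)));
console.log('reused IV shares keystream:', keystreamShared(demoKey, streamIv(1), streamIv(1)));
```

The sketch covers confidentiality only: CTR mode does not detect modified ciphertext, and this page does not say how taiku handles integrity.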
What gets encrypted
| Data | Encrypted? |
|---|---|
| Terminal output | Yes |
| Keyboard input | Yes |
| User names | No |
| Window layout | N/A (browser-local) |
User names are metadata the server needs to broadcast. They don’t contain terminal content.
What the server sees
The server stores and relays encrypted byte streams. It knows:
- That a session exists
- How many users are connected
- The size of terminal data (but not its content)
It does not know:
- What’s being typed
- What’s displayed in the terminal
- The encryption key
For details on how data flows between components, see the Architecture reference.