v2.0 · For DevOps, SRE & sysadmins · Private beta

The SSH client
that doesn't leak your keys.

One native macOS app for SSH, SFTP, FTP and Telnet — with the encrypted vault, the audit log, and the cloud sync that keeps your operators in sync without giving up zero-knowledge. Built by ops for ops.

See pricing See preview

macOS first · Windows & Linux next · Native Rust · Apache 2.0 core · Swiss-hosted sync

<1 ms
Native keystroke latency · no Electron
0 keys
leave your device — server holds ciphertext only
100%
of vault changes audited & rollback-able
🇨🇭
Sync hosted in Switzerland · ILYGO operated

One client. All your protocols.

No more switching between iTerm + Cyberduck + 1Password. Hawser handles SSH, SFTP, FTP, Telnet, plus your credentials, in one native binary.

SSH that doesn't lag

Native Rust SSH engine. Sub-millisecond keystroke latency, no Electron overhead, no JS bridge. Your terminal feels local even on a transatlantic link.

SFTP, FTP & Telnet

One UI for every transfer protocol. Drag-and-drop file transfers, side-by-side panes, dashboard for Docker and Kubernetes hosts.

Encrypted vault, local-first

SSH keys, passwords, host configs. AES-256-GCM at rest, Argon2id key derivation. No cloud dependency — your secrets stay on your disk.

Zero-knowledge sync

Optional. Off by default. The server stores opaque ciphertext — we cannot decrypt your vault, even if compelled by court order.

Pre-save backups

Every save snapshots the previous version, kept locally. Roll back any corruption (cloud sync collision, disk hiccup) in one click. 5 versions retained.

Session recording

Replay any past terminal session with full ANSI fidelity. Useful for incident postmortems and onboarding new engineers.

A glimpse

Mockups based on the current build — final UI may evolve before public release.

Hawser SSH terminal

SSH terminal

Native xterm-compatible engine, ANSI 256-color theme tuned for readability on dark.

Hawser encrypted vault

Encrypted vault

Hosts, SSH keys, secrets, TOTP codes — all in one .ivault file. Touch ID unlock.

Hawser SFTP browser

SFTP browser

Two-pane local/remote, drag-and-drop transfers with live queue and per-file progress.

Hawser Docker dashboard

Docker & K8s dashboards

Live stack overview from the SSH session: CPU, memory, network, container health.

Simple pricing. No hidden quotas.

The desktop app is free. Cloud sync starts free for one vault, scales when you add devices & teammates. Self-host the server if you want full control.

Free · Personal
0 €
Everything local-first, forever.
  • Native SSH, SFTP, FTP & Telnet client
  • Local encrypted vault (.ivault)
  • Touch ID unlock + auto-lock
  • Session recording & replay
  • 2 MB cloud sync (1 vault, 1 device)
  • no daily backups
Get started
Most popular
Pro · Multi-device
5 € / month
Cloud sync & daily backups for serious operators.
  • Everything in Free
  • 5 GB zero-knowledge cloud sync
  • Unlimited devices, unlimited cloud vaults
  • Daily backups, 30-day retention
  • 10 MB max per vault file
  • Priority support & early features
Request access
Self-hosted · Teams
Apache 2.0
Run the sync server on your own infra.
  • Open source Rust + axum server
  • SQLite or Postgres + S3-compatible blobs
  • No external dependencies, audit-friendly
  • Configurable quotas & retention
  • Air-gap-ready (LAN-only deployments)
  • Supported integrations on demand
View on GitLab

Quotas indicatives — final pricing may evolve before public release. Self-hosting is permanent & free under Apache 2.0.

Built for people who don't trust the cloud.

Hawser is designed under a strict threat model: the server is hostile, your laptop may be lost, and credentials must survive both.

The server can't read your vault.

The master key never leaves your devices. Cloud sync only sees AES-256-GCM ciphertext. Even with full server access, an attacker gets opaque blobs.

Account compromise ≠ vault compromise.

Stealing your sync account password lets an attacker download your ciphertext. Without the (separate) vault password, it stays unreadable.

Versioning as a safety net.

Every save creates a new version, both locally (5 last) and on the cloud (30-day window). Corruption rolls back instantly.

Open format, no lock-in.

The .ivault format is documented and shared across the ILYGO suite. Export, audit, script — your data is portable.

Memory hygiene.

Master keys live in zeroized memory, scrubbed on drop. Auto-lock after configurable idle. No JS heap leaks.

Native code, audited stack.

Rust core, no Electron. Crypto via the RustCrypto org — battle-tested aes-gcm and argon2.

How Hawser compares

Same job, different priorities. Here's where we draw the line.

Hawser Termius Royal TSX iTerm + 1Password
SSH / SFTP / FTP / TelnetAll fourYesYesSSH only
Native (no Electron)RustElectronNativeNative
Zero-knowledge syncYesServer-side encryptionNoVia 1Password
Vault format openYesNoNoNo
Docker & K8s dashboardsBuilt-inNoPluginNo
Cross-platformmacOS first · Win/Linux soonYesmacOS onlymacOS only
Local-firstYesCloud-firstYesYes
Price (single user)Free desktop · Sync from 4€/mo10€/mo99€ one-time2 apps to buy

How the sync works

Three steps. The server learns nothing about your vault contents.

# 1. Open Hawser → Settings → Cloud sync (off by default) # 2. Configure server URL Server: https://hawser.ilygo-app.ch # 3. Register an account (your account password ≠ vault password) Email: alice@example.com Account password: ████████████ # Argon2 hashed server-side # 4. Pair this device with a remote vault. From now on: # - Push: uploads ciphertext blob (server sees no plaintext) # - Pull: downloads latest, atomic write to local file # - Versions: roll back to any of the last N saves

The server's source code is open. Read it on GitLab to verify the zero-knowledge claim yourself.

Hawser is in private beta.

Native binaries are in the works. The desktop app will be free; cloud sync is optional and starts free for 1 vault.

macOS Universal Soon Windows Soon Linux Soon

Want early access? Drop us a line.