Security
The short version
- Your data is end-to-end encrypted. The encryption key lives only on your device and never travels over the network — not even to our relay.
- New devices can't connect automatically. Every new device must be explicitly approved from the host machine before it gets access.
- The relay, CLI, and app are all open source. You can read the code, audit it, or self-host the entire thing.
How it works
Shellular has three parts:
- Host (CLI) — runs on your machine or VPS. This is where your terminals, files, and agents actually live.
- Relay — a lightweight open source server that forwards encrypted traffic between your host and your phone. It cannot read your data; it only passes encrypted bytes through.
- Mobile app — connects to your host via the relay, using the key generated on your host.
Because the encryption key is generated and stored only on the host device, the relay (and by extension, us) has no way to decrypt your session, even if we wanted to.
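To make the relay's position concrete, here is an added example (not code from Shellular's repositories) of a host and a phone exchanging one frame through a relay that holds no key. AES-256-GCM, the nonce/tag/ciphertext frame layout and all function names are assumptions; the page does not name the cipher or say how the phone obtains the key.

```javascript
// Added illustration, not Shellular's code. AES-256-GCM and the
// nonce|tag|ciphertext frame layout are assumptions; the page names no cipher.
const crypto = require('node:crypto');

// Host side: the key is created here and is never passed to relay().
function generateHostKey() {
  return crypto.randomBytes(32);
}

// Encrypt one terminal frame. GCM needs a fresh 12-byte nonce for every frame.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Decrypt and authenticate a frame; throws if it was altered in transit.
function unseal(key, frame) {
  if (frame.length < 28) throw new Error('frame too short');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, frame.subarray(0, 12));
  decipher.setAuthTag(frame.subarray(12, 28));
  return Buffer.concat([decipher.update(frame.subarray(28)), decipher.final()]);
}

// Relay: holds no key, so all it can do is forward (or corrupt) opaque bytes.
function relay(frame, { tamper = false } = {}) {
  const out = Buffer.from(frame);
  if (tamper) out[out.length - 1] ^= 0x01; // models a faulty or malicious relay
  return out;
}

// Round trip for one constructed frame; reports what each party ends up with.
function demo() {
  const key = generateHostKey(); // assumed to reach the phone out of band
  const msg = Buffer.from('ls -la ~/project\n'); // constructed sample input
  const frame = seal(key, msg);
  const received = unseal(key, relay(frame)).toString();
  let tamperDetected = false;
  try { unseal(key, relay(frame, { tamper: true })); } catch { tamperDetected = true; }
  return { received, relaySawPlaintext: frame.includes(msg), tamperDetected };
}
```

The relay still observes frame sizes and timing, so in a vendor review the encryption claim covers content, not traffic metadata.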
Device approval
The first time a new device tries to connect to your host, it does not get in automatically. You have to explicitly approve it from the host machine.
Self-hosting
If you'd rather not rely on our hosted relay at all, you can run your own relay on your own infrastructure. The relay is open source — the server README is the best starting point.
Open source and verifiable
The CLI, relay, and mobile app source code are all publicly available. The server exposes the running commit SHA at api.shellular.dev. The CLI is published to npm via GitHub Actions, so you can verify any release by cross-referencing the changelog and the Actions run that produced it.
What we don't have yet
We're an early-stage startup. We don't have SOC 2 or ISO 27001 certifications yet. We're not going to pretend otherwise.
What we do have is fully open source, auditable code and an architecture designed so that even our own servers never see your unencrypted data.
If your team needs something specific for a vendor review that isn't covered here, email us at team@shellular.dev and we'll get back to you directly.