Security First

Your credentials stay local, encrypted, and private.

Built with security as a core principle, not an afterthought. Zero telemetry, Keychain integration, and complete transparency.

  • Zero Data Collection
  • AES-256 Keychain Encryption
  • SSH-2 Protocol Standard
  • Native macOS App

"We sell software, not your data."
Common Risks
$ cat ~/.ssh/id_rsa
> Private key exposed in logs...

How credentials get leaked

  • Plain text storage in config files
  • Keys copied to clipboard and forgotten
  • Passwords in shell history
  • Telemetry capturing sensitive data
  • Verbose logging exposing secrets

Protected
Storm Tunnel: Encrypted, stored in macOS Keychain

How we protect you

  • Credentials stored in macOS Keychain
  • Zero telemetry or analytics
  • Secure memory clearing
  • Host key verification
  • Code signature validation

Security Architecture

Multiple layers of protection for your infrastructure access.

macOS Keychain Integration

All SSH keys and passwords are stored in macOS Keychain with AES-256 encryption. Your credentials are protected by your macOS login password and never stored in plain text. Access requires biometric authentication or your system password.

Zero Telemetry

No tracking, no analytics, no data collection. Your tunnel configurations, connection history, and usage patterns stay completely private on your device.

Host Key Verification

Strict SSH host key verification is enabled by default. Storm Tunnel warns you if a server's fingerprint changes, protecting against man-in-the-middle attacks.
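
The check described above, sketched as an added example (not Storm Tunnel's own code): compare the key a server presents against the fingerprints pinned in a `known_hosts` file and classify the result. The function names and sample entries are constructed for illustration, and hashed or marker entries are skipped.

```python
import base64
import hashlib

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """Map (host, keytype) -> set of fingerprints from plain known_hosts lines."""
    known = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @cert-authority/@revoked markers and hashed (|1|) hosts.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        hosts, keytype, blob = fields[:3]
        for host in hosts.split(","):
            known.setdefault((host, keytype), set()).add(fingerprint(blob))
    return known

def check_host_key(known, host, keytype, presented_b64):
    """Return ('match' | 'changed' | 'unknown', fingerprint of the presented key)."""
    seen = fingerprint(presented_b64)
    pinned = known.get((host, keytype))
    if pinned is None:
        return "unknown", seen   # first contact: nothing to compare against
    if seen in pinned:
        return "match", seen
    return "changed", seen       # pinned key differs: possible MITM or re-keyed server

# Constructed sample data: these blobs are placeholder bytes, not real SSH keys.
KEY_A = base64.b64encode(b"constructed-host-key-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-B").decode()
SAMPLE_KNOWN_HOSTS = f"""# constructed known_hosts
bastion.example.com,192.0.2.10 ssh-ed25519 {KEY_A} ops
|1|aGFzaGVk|ZW50cnk= ssh-ed25519 {KEY_B}
"""

if __name__ == "__main__":
    known = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for host, key in [("bastion.example.com", KEY_A),
                      ("192.0.2.10", KEY_B),
                      ("db.example.com", KEY_A)]:
        print(host, *check_host_key(known, host, "ssh-ed25519", key))
```

A "changed" result is the case worth alerting on: verify the new fingerprint out of band with the server's owner before replacing the pinned entry.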

Code Signature Validation

External binaries like the AWS Session Manager plugin are validated with Apple code signatures before execution, preventing malicious code injection.

Secure Memory Handling

Sensitive data like passwords and private keys are cleared from memory immediately after use, minimizing exposure time.

Minimal Permissions

Storm Tunnel requests only the permissions necessary for its core functionality.

SSH Directory

~/.ssh/
Required

Used to read your SSH keys, known hosts file, and SSH configuration. Only files you explicitly select are accessed.

AWS Directory

~/.aws/
Optional

Needed only if you use the AWS Session Manager feature, which accesses EC2 instances through AWS Systems Manager.

App Storage

~/Library/Application Support/
Required

Used to store tunnel configurations locally. They are never synced to external services.

Full Control

Revoke permissions anytime via macOS System Settings → Privacy & Security → Files and Folders.

Third-Party Services

Minimal dependencies, carefully selected for security and privacy compliance.

PCI DSS Level 1

LemonSqueezy

License validation and payment processing. We never see or store your payment information.

  • HTTPS-only communication
  • No personal data stored in app
  • Payment handled exclusively by LemonSqueezy

AWS Signed

AWS SSM Plugin

Optional component for AWS infrastructure tunnel connections. Developed and signed by Amazon.

  • Code signature verified before execution
  • Uses AWS IAM authentication
  • Credentials managed through AWS CLI/SSO

Security by Design

Storm Tunnel is built with security as a foundation, not an afterthought. We follow industry best practices and continuously improve our security posture.

Found a Vulnerability?

We respond to security reports within 24 hours. Please report vulnerabilities privately.

Report Privately

Built with proven security technologies

AES-256
SSH-2
macOS Keychain
CryptoKit
LocalAuthentication
Code Signing

Questions About Security?

We're committed to transparency. If you have questions about our security practices, please reach out.