How Tempest Protects Your Privacy

Tempest is built on zero-knowledge end-to-end encryption (E2EE). Your SSH keys, passwords, snippets, and connection metadata are encrypted on your device before anything is uploaded for cloud sync — meaning we couldn't read them even if compelled to. This is the same security model that 1Password, Bitwarden, and Signal use.

What that means in practice

• You hold the only key that can decrypt your data — your vault password, which never leaves your device.

• Tempest's servers see only ciphertext. We sync it between your devices but cannot read it.

• If you forget your vault password, your data is unrecoverable. We don't have a backdoor and we can't make one. See Reset Your Tempest Password.

The cryptography

The crypto layer will be open-sourced so anyone can audit it.

What is not encrypted

A small amount of operational metadata is necessarily plaintext on our servers:

• Your sync account email (so we can sign you in)

• Document IDs and revision counters (so the sync engine can replicate)

• Approximate document sizes (limit enforcement)

We never see hostnames, usernames, passwords, key contents, snippet text, or any other connection detail.

What about Tempest Monitoring?

Monitoring data is parsed locally inside your Tempest tab and is never sent anywhere — not even to your other devices via sync. It's a render-only feature.

What about Tempest AI Assistant?

AI requests are sent to the model provider you've configured (OpenAI, Anthropic, Google, or your self-hosted endpoint). Tempest acts as a transport — we don't proxy or log the requests. You can also point Tempest at a fully local model.

See also

• Reset Your Tempest Password — sync vs. vault passwords explained

• SSH Cert Storage — short-lived certs are stored as paths, not contents, when possible