Self-Hosted Tempest Server & Web Mode
Run your own Tempest sync server — keep encrypted vault sync inside your network and access SSH from any browser via Tempest's Web Mode.
Tempest can run as a self-hosted server — a Node.js process that handles encrypted vault sync, SSH session multiplexing, and Tempest Push routing for the devices you connect to it. Combined with Tempest's Web Mode (the same UI running in a browser), this lets you SSH from any device that has a browser — without installing anything on it — while keeping all the encrypted sync inside your own infrastructure.
This is the right setup for:
Privacy-sensitive teams that want zero data on third-party servers
Air-gapped or restricted networks
"I want to SSH from my Chromebook / iPad without installing apps"
Homelab enthusiasts who already self-host everything
Configure on the welcome screen
When you first launch Tempest desktop or open a fresh browser tab to your server URL:
Welcome screen → Self-hosted server section
Enter your server URL (e.g.
https://tempest.example.com)Sign in with your account credentials
After this, all sync, scheduled runs, and notifications flow through your server.
Web Mode — Tempest in any browser
Self-hosted server + Web Mode is the killer combo: visit your server URL in any browser, sign in, and you get the full Tempest UI — host list, terminal tabs, SFTP, AI assistant — running entirely in the browser.
This is great for:
SSH from a Chromebook or iPad
Quick access from a borrowed machine without installing the desktop client
Mobile-friendly access in a pinch
The browser → server channel uses WebSockets; the server holds the SSH connections (per the C/S architecture), and the browser receives pre-rendered terminal frames.
Auto-reconnect
The browser ↔ server WebSocket reconnects automatically if your network blips, with visible "disconnected, reconnecting…" / "reconnected" toasts so you know what's happening.
Privacy & E2E with self-hosting
Even when you self-host:
Your vault encryption keys never leave your devices.
The server still only sees ciphertext (it's the same E2EE design as the cloud sync — see End-to-End Encryption).
The benefit of self-hosting isn't a different security model — it's that you are the operator of the relay, with full audit log access and no third-party data residency questions.
Backend responsibilities
The Tempest server runs:
Encrypted vault sync endpoint — receives encrypted vault docs from your devices
SSH multiplexing — holds the actual SSH connections so the browser doesn't (browsers can't speak SSH directly)
Snippet scheduler — fires scheduled snippet runs even when no client is connected
Tempest Push relay — forwards encrypted notification payloads to APNs / FCM
Notification module — local channels (webhook, Pushover, SMTP) sent directly from the server
What the server does not hold
Your vault encryption keys (only your devices do)
OAuth2 tokens (those stay in the browser / desktop client per the C/S design)
See the Tempest Knowledge Base for what each layer does.
Deployment
Tempest server is a Docker image. Detailed deployment configs please contact support for early access.
See also
End-to-End Encryption — applies whether sync is cloud or self-hosted
Tempest Push Notifications — works through self-hosted server
Last updated