ShellMate is a modern SSH workspace with native terminal sessions, permission-aware team access, server-managed encrypted credentials, and auditable connection controls.
ShellMate started from a frustration I ran into almost every day. Connecting to servers via SSH was easy — everything around it wasn't.
Credentials were in password managers, notes were scattered across documents, access details lived in chat messages, and onboarding teammates was often a manual process. Finding the right server sometimes took longer than connecting to it.
So I built ShellMate, a desktop SSH workspace for developers, sysadmins, and DevOps teams. It brings hosts, credentials, terminal sessions, permissions, team collaboration, and access management into one place.
A quick note on security: I previously described the credential vault as "zero-knowledge." That wasn't accurate. ShellMate currently uses server-managed encryption and short-lived, session-bound access grants. The server remains part of the trust boundary, so it is not yet a true zero-knowledge or end-to-end encrypted system.
What ShellMate offers today:
🔐 Encrypted credential storage with session-bound access ⚡ Fast desktop SSH experience 🛡️ Permission-aware host access and short-lived grants 👥 Team workspaces, host groups, and RBAC 🖥️ Organized host and infrastructure management 📋 Activity logs and security events 🔑 SSH certificate support for enrolled hosts
I'm actively working toward a stronger end-to-end encrypted architecture while keeping the experience simple and fast.
I'd love your feedback:
👉 What's the biggest pain point in your current SSH workflow? 👉 What security controls would you expect from a tool like this? 👉 What would make you switch from your current solution?
Thanks for checking out ShellMate and supporting indie makers!
Report
Clean take on an SSH client, and the zero-knowledge encrypted vault is reassuring for credentials. I like that sync is built in. For a solo dev not on a team, does the vault still sync across my own Macs without setting up any workspace stuff?
You can use ShellMate as a solo user without creating a team workspace. Your credentials and hosts can sync securely across your own devices, so if you're switching between multiple Macs (or other devices), everything stays in sync and ready to use.
Also, ShellMate is free forever for individual users. The only things that may be part of a paid plan in the future are optional AI features. Everything else is built to be useful from day one without needing a subscription.
One thing I cared about a lot was keeping the onboarding simple. I didn't want another tool that takes an hour to configure before it's useful. You can install it, add or import your hosts, and start connecting in just a few minutes.
Team workspaces are there when you need them, but they're completely optional.
Out of curiosity, what are you using today for SSH and credential management? I'd love to hear if there are any pain points or missing features that annoy you in your current workflow.
Report
SSH credential sprawl is genuinely painful when managing multiple environments across a team. The team-based access model makes sense: keeping prod keys isolated from staging is something everyone knows they should do but it's rarely implemented cleanly. How does key rotation work? Do you push updates to all hosts automatically, or does each server need a manual sync?
@anand_thakkar1 That's a great question, and honestly one of the reasons I started building ShellMate.
Right now, ShellMate focuses on securely managing access, credentials, and collaboration around infrastructure. For key rotation, it doesn't automatically push changes to servers yet. My goal was to first solve the day-to-day pain of credential sprawl, sharing access safely, and keeping teams organized.
That said, automated key rotation and distribution is definitely on the roadmap. I'd love to get to a point where rotating access across environments becomes a few clicks instead of a manual process spread across dozens of servers.
I completely agree with you on the prod vs staging separation. Everyone knows it's the right thing to do, but once a team grows, it often turns into a mix of shared credentials, old keys, and tribal knowledge. Making those boundaries easier to enforce without adding operational overhead is something I'm thinking about a lot.
Out of curiosity, how are you handling key rotation today? Is it mostly manual, or are you using something like SSH certificates, Ansible, or another access management solution?
@anand_thakkar1 I just realized I missed part of your question! Within ShellMate, updates are synced automatically. If a credential, host, or permission changes, the update is pushed to all connected devices and shared workspace members in real time, so there's no need for anyone to manually sync.
Report
The zero-knowledge vault for SSH credentials is architecturally sound. Most SSH managers store secrets in a way that the vendor could access them, so client-side encryption is the right call. We've dealt with credential sprawl ourselves: private keys shared over Slack is a scary common default. How does cross-device sync work under zero-knowledge constraints? Is the vault key derived from a passphrase with the encrypted blob synced, or something different?
@retain_dev The encrypted vault is synced through the server, so your devices don't need to be online at the same time. When you sign in on a new device, it downloads the latest encrypted vault automatically.
Updates are also synced across your connected devices and shared workspace members in real time, so everyone stays up to date without manual syncing.
The important part is that ShellMate only stores encrypted data. The actual decryption happens locally on your device, so the server never sees your plaintext credentials. Security is one area where I'm probably overly cautious. I'm still actively refining this part of the architecture to make it as robust and bulletproof as possible while keeping the user experience simple.
Report
nice product!
does it work with completely air gapped environments with no internet access like isolated DBs?
The target servers themselves don't need internet access. As long as your device can reach them over a VPN, private network, or local network, ShellMate can connect.
For a completely air-gapped setup with no access to the ShellMate API at all, that's not supported yet. Self-hosted support is something I'm actively exploring since it's a common requirement for security-focused teams.
Report
ShellMate's import/onboarding story is the piece I'd test first, especially if it can pull an existing ~/.ssh/config into a cleaner vault without breaking aliases. For teams, the zero-knowledge vault and workspace model make sense, but the practical tradeoff is migration friction. Do you preserve ProxyJump, per-host identity files, and agent-forwarding settings when importing existing SSH config?
@0xvaleria Great question. ShellMate can import hosts, but preserving every advanced ~/.ssh/config option, including ProxyJump, per-host identity files, and agent forwarding, is not fully supported yet. Improving migration fidelity is a priority.
One correction: ShellMate’s saved credentials are server-encrypted, but the current system is not zero-knowledge. I previously described it incorrectly and have updated the product messaging.
Report
Appreciate the clarification, especially on the zero-knowledge wording. For migration, even a dry-run report of unsupported ~/.ssh/config directives would be useful before import; teams can decide what to keep manual instead of discovering it after the vault is built. ProxyJump and identity files feel like the high-impact ones to land first.
Report
Congrats on the launch bro,
Are there any compliance stuff that proves that shellmte is safe? EG. Soc2, Hippa
Replies
ShellMate
Hey Product Hunt! 👋
ShellMate started from a frustration I ran into almost every day. Connecting to servers via SSH was easy — everything around it wasn't.
Credentials were in password managers, notes were scattered across documents, access details lived in chat messages, and onboarding teammates was often a manual process. Finding the right server sometimes took longer than connecting to it.
So I built ShellMate, a desktop SSH workspace for developers, sysadmins, and DevOps teams. It brings hosts, credentials, terminal sessions, permissions, team collaboration, and access management into one place.
A quick note on security: I previously described the credential vault as "zero-knowledge." That wasn't accurate. ShellMate currently uses server-managed encryption and short-lived, session-bound access grants. The server remains part of the trust boundary, so it is not yet a true zero-knowledge or end-to-end encrypted system.
What ShellMate offers today:
🔐 Encrypted credential storage with session-bound access
⚡ Fast desktop SSH experience
🛡️ Permission-aware host access and short-lived grants
👥 Team workspaces, host groups, and RBAC
🖥️ Organized host and infrastructure management
📋 Activity logs and security events
🔑 SSH certificate support for enrolled hosts
I'm actively working toward a stronger end-to-end encrypted architecture while keeping the experience simple and fast.
I'd love your feedback:
👉 What's the biggest pain point in your current SSH workflow?
👉 What security controls would you expect from a tool like this?
👉 What would make you switch from your current solution?
Thanks for checking out ShellMate and supporting indie makers!
Clean take on an SSH client, and the zero-knowledge encrypted vault is reassuring for credentials. I like that sync is built in. For a solo dev not on a team, does the vault still sync across my own Macs without setting up any workspace stuff?
ShellMate
@ianhxu Thanks Ian!
Yep, absolutely 😊
You can use ShellMate as a solo user without creating a team workspace. Your credentials and hosts can sync securely across your own devices, so if you're switching between multiple Macs (or other devices), everything stays in sync and ready to use.
Also, ShellMate is free forever for individual users. The only things that may be part of a paid plan in the future are optional AI features. Everything else is built to be useful from day one without needing a subscription.
One thing I cared about a lot was keeping the onboarding simple. I didn't want another tool that takes an hour to configure before it's useful. You can install it, add or import your hosts, and start connecting in just a few minutes.
Team workspaces are there when you need them, but they're completely optional.
Out of curiosity, what are you using today for SSH and credential management? I'd love to hear if there are any pain points or missing features that annoy you in your current workflow.
SSH credential sprawl is genuinely painful when managing multiple environments across a team. The team-based access model makes sense: keeping prod keys isolated from staging is something everyone knows they should do but it's rarely implemented cleanly. How does key rotation work? Do you push updates to all hosts automatically, or does each server need a manual sync?
ShellMate
@anand_thakkar1 That's a great question, and honestly one of the reasons I started building ShellMate.
Right now, ShellMate focuses on securely managing access, credentials, and collaboration around infrastructure. For key rotation, it doesn't automatically push changes to servers yet. My goal was to first solve the day-to-day pain of credential sprawl, sharing access safely, and keeping teams organized.
That said, automated key rotation and distribution is definitely on the roadmap. I'd love to get to a point where rotating access across environments becomes a few clicks instead of a manual process spread across dozens of servers.
I completely agree with you on the prod vs staging separation. Everyone knows it's the right thing to do, but once a team grows, it often turns into a mix of shared credentials, old keys, and tribal knowledge. Making those boundaries easier to enforce without adding operational overhead is something I'm thinking about a lot.
Out of curiosity, how are you handling key rotation today? Is it mostly manual, or are you using something like SSH certificates, Ansible, or another access management solution?
ShellMate
@anand_thakkar1 I just realized I missed part of your question! Within ShellMate, updates are synced automatically. If a credential, host, or permission changes, the update is pushed to all connected devices and shared workspace members in real time, so there's no need for anyone to manually sync.
The zero-knowledge vault for SSH credentials is architecturally sound. Most SSH managers store secrets in a way that the vendor could access them, so client-side encryption is the right call. We've dealt with credential sprawl ourselves: private keys shared over Slack is a scary common default. How does cross-device sync work under zero-knowledge constraints? Is the vault key derived from a passphrase with the encrypted blob synced, or something different?
ShellMate
@retain_dev The encrypted vault is synced through the server, so your devices don't need to be online at the same time. When you sign in on a new device, it downloads the latest encrypted vault automatically.
Updates are also synced across your connected devices and shared workspace members in real time, so everyone stays up to date without manual syncing.
The important part is that ShellMate only stores encrypted data. The actual decryption happens locally on your device, so the server never sees your plaintext credentials.
Security is one area where I'm probably overly cautious. I'm still actively refining this part of the architecture to make it as robust and bulletproof as possible while keeping the user experience simple.
ShellMate
@naresh_chandanbatve Thanks for pulling it! 😊
The target servers themselves don't need internet access. As long as your device can reach them over a VPN, private network, or local network, ShellMate can connect.
For a completely air-gapped setup with no access to the ShellMate API at all, that's not supported yet. Self-hosted support is something I'm actively exploring since it's a common requirement for security-focused teams.
ShellMate's import/onboarding story is the piece I'd test first, especially if it can pull an existing ~/.ssh/config into a cleaner vault without breaking aliases. For teams, the zero-knowledge vault and workspace model make sense, but the practical tradeoff is migration friction. Do you preserve ProxyJump, per-host identity files, and agent-forwarding settings when importing existing SSH config?
ShellMate
@0xvaleria Great question. ShellMate can import hosts, but preserving every advanced ~/.ssh/config option, including ProxyJump, per-host identity files, and agent forwarding, is not fully supported yet. Improving migration fidelity is a priority.
One correction: ShellMate’s saved credentials are server-encrypted, but the current system is not zero-knowledge. I previously described it incorrectly and have updated the product messaging.
Appreciate the clarification, especially on the zero-knowledge wording. For migration, even a dry-run report of unsupported ~/.ssh/config directives would be useful before import; teams can decide what to keep manual instead of discovering it after the vault is built. ProxyJump and identity files feel like the high-impact ones to land first.
Congrats on the launch bro,
Are there any compliance stuff that proves that shellmte is safe? EG. Soc2, Hippa