SUPPORT
Find answers to common questions about ZestSSH.
Tap the + button on the home screen, enter your server's hostname or IP address, port (default 22), and choose your authentication method (password or SSH key). Tap Connect and you're in.
Go to Identities in the app, tap "Create New Key", choose your algorithm (Ed25519 recommended), optionally set a passphrase, and tap Generate. You can then copy the public key to add to your server's authorized_keys file.
ZestSSH can import PuTTY .ppk key files directly. Go to Identities, tap "Import Key", and select your .ppk file. ZestSSH supports both PuTTY v2 and v3 key formats. OpenSSH PEM format is also supported.
Password authentication sends your password to the server each time you connect. Key authentication uses a cryptographic key pair — you keep the private key on your device and add the public key to the server. Key authentication is more secure and convenient (no typing passwords), and is the recommended method.
Yes. ZestSSH Squeezed ($9.99) and Juiced ($24.99) are one-time purchases. No subscriptions, no recurring fees, no annual renewals. You pay once and get all future updates included.
Yes. All updates — bug fixes, new features, and platform updates — are included for the lifetime of the product. "Lifetime" means the lifetime of ZestSSH as a product.
Yes. Juiced is an independent purchase. It works with both the Free and Squeezed tiers. With Free + Juiced, you can sync your connections, identities, and snippets across devices. Bundle ($29.99) gives you both Squeezed and Juiced together at a $5 discount.
Bundle ($29.99) bundles both Squeezed ($9.99) and Juiced ($24.99) into a single purchase. It's the easiest way to get everything ZestSSH has to offer.
Install ZestSSH on your new device using the same Google Play or Apple ID account. Open the app, go to Settings, and tap "Restore Purchases". Your Squeezed and/or Juiced access will be restored automatically.
The Free tier includes unlimited saved connections, 2 concurrent sessions, SSH/Telnet/Mosh/Local Shell, 3 terminal themes, SSH key generation and import, 49 built-in command snippets, SFTP file browser, and PIN/biometric app lock. It's a fully functional SSH client.
Zero-knowledge encryption means your data is encrypted on your device using your master password before it ever leaves your device. Our servers store only encrypted data that we cannot read, even if we wanted to. If our servers were compromised, attackers would get only unreadable encrypted blobs.
Because of zero-knowledge encryption, we cannot recover your master password or decrypt your data. However, when you set up Juiced, you receive a recovery key. Store this recovery key somewhere safe — it's the only way to regain access to your synced data if you forget your master password.
No. Your data is encrypted end-to-end on your device before upload. We store only encrypted blobs on our servers. We cannot see your connections, passwords, SSH keys, or any other synced data. This is by design — zero-knowledge architecture.
Install ZestSSH on your new device, restore your Juiced purchase, then go to Juiced settings and sign in with your account. Enter your master password (or recovery key) to decrypt your data. Your connections, identities, and snippets will sync automatically.
ZestSSH offers three sync modes: Automatic (syncs in the background whenever changes are made), Manual (sync only when you tap the sync button), and Off (no syncing, local only). You can switch between modes at any time in Settings.
The recovery key is a unique code generated when you set up Juiced. It serves as a backup way to decrypt your data if you forget your master password. Store it somewhere safe (password manager, printed copy, etc.) — without it and your master password, your encrypted data cannot be recovered by anyone, including us.
SSH private keys are stored in your device's secure storage: iOS Keychain on Apple devices and EncryptedSharedPreferences on Android. This is the most secure storage available on each platform. Keys never leave your device unless you enable Juiced (in which case they're encrypted before upload).
Yes. Locally, sensitive credentials use platform-native encryption. With Juiced enabled, all synced data is encrypted end-to-end with AES-256 using your master password before leaving your device. Your SSH sessions are encrypted by the SSH protocol itself.
ZestSSH supports modern SSH algorithms including Ed25519, ECDSA (nistp256, nistp384, nistp521), RSA (2048, 4096), AES-128/256-CTR, AES-128/256-GCM, ChaCha20-Poly1305, and more. We follow current best practices and disable weak algorithms.
Yes. ZestSSH uses industry-standard SSH libraries and encryption. Your SSH connections go directly from your device to your server — we don't proxy, intercept, or log any traffic.
ZestSSH Squeezed lets external apps (Tasker, MacroDroid, iOS Shortcuts) run SSH commands through ZestSSH without opening the terminal. You can schedule health checks, trigger deployments, or run any command on your servers from other apps.
Yes. It's disabled by default, requires the Squeezed tier, and uses API key authentication. Keys are stored in your device's encrypted keystore with rate limiting and expiration support. See our security page for full details.
Yes. Batch execution lets you run the same command across multiple servers simultaneously. Use the Automation Wizard to build the URL.
Workflows run while ZestSSH is open. For scheduled automation, use MacroDroid or Tasker to trigger ZestSSH at specific times — the Automation Wizard generates the setup for you.
Yes. ZestSSH is available on Windows, macOS, and Linux. It is built with the same Flutter codebase as the mobile app, ensuring a consistent experience across all platforms. Head to our download page to get started.
Yes. If you have Juiced, your connections, identities, and snippets sync seamlessly between mobile and desktop. Same zero-knowledge encryption, same experience.
The desktop version includes split panes, tabbed sessions, and all features from the mobile version. It replaces the need for PuTTY (SSH), WinSCP (SFTP), and Pageant (key agent) in a single modern app.
Your Squeezed and Juiced purchases work across all platforms. Buy once, use everywhere — mobile and desktop.
Yes. On tablets and foldable phones, ZestSSH offers split terminal with two sessions side by side, a draggable divider, and adaptive layouts.
Yes. ZestSSH binds real TCP sockets and runs a foreground service to keep SSH connections alive when you switch apps. You can forward web UIs, databases, and other services and access them from your browser.
Port forwarding creates a secure tunnel between a port on your device and a service on a remote network, running through your existing SSH connection. It lets you access services like web UIs, databases, or VNC on the remote network without exposing them to the internet.
Common uses:
Local (most common) opens a port on your device that tunnels to a service on the remote network. If you want to reach something remote from your device, use Local.
Remote opens a port on the remote SSH server that tunnels back to your device. Rare — use if you want to expose something from your device to the remote server.
SOCKS5 creates a dynamic proxy. Configure a browser or app to use it and all traffic routes through the SSH tunnel to anywhere the remote server can reach. Useful for browsing many services on a remote network without setting up individual forwards.
If you're not sure: pick Local.
A jump host (also called a bastion host) is an SSH server you go through to reach other servers. You connect to the jump host first, then it forwards you to your actual target.
This is useful when you have one publicly-reachable SSH server but want to access other servers on the same private network without exposing them to the internet.
In ZestSSH, set the "Connect Via" field in a connection's Network section to the jump host. ZestSSH handles the multi-hop connection automatically.
The recommended setup combines Jump Host + Port Forwarding:
You'll be able to terminal into any LAN server and reach web UIs, VNC, databases, etc. from anywhere with internet. Only the jump host's SSH is exposed publicly — everything else stays private.
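The jump host and forwarding types described above, written as the equivalent OpenSSH client configuration (an added example, not ZestSSH's own settings format; every host name, user, address and port is a constructed placeholder):

```sshconfig
# Constructed example: every host name, user, address and port is a placeholder.

# The only SSH server reachable from the internet (the jump host / bastion).
Host bastion
    HostName bastion.example.com
    User ops
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

# A private LAN server, reached through the jump host ("Connect Via" in ZestSSH).
# The session to this host is encrypted end to end inside the first one, so the
# jump host relays ciphertext and this host's key is still verified by the client.
Host nas
    HostName 192.168.1.20
    User ops
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    ProxyJump bastion

    # Local: port 8443 on this device -> the web UI on the NAS itself.
    # Binding to 127.0.0.1 keeps the tunnel off the device's other interfaces.
    LocalForward 127.0.0.1:8443 127.0.0.1:443

    # Local: port 5433 on this device -> a database on another LAN host.
    LocalForward 127.0.0.1:5433 192.168.1.30:5432

    # SOCKS5: dynamic proxy on port 1080 for anything the NAS can reach.
    DynamicForward 127.0.0.1:1080

    # Fail the connection instead of continuing without a requested forward.
    ExitOnForwardFailure yes
```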
Most common causes:
curl localhost:<port> to verify the service is reachable.
No. Juiced uses zero-knowledge end-to-end encryption. Your data is encrypted on your device with a key derived from your password — a key we never see and can't recover. The sync server stores only encrypted blobs. Even a full compromise of our infrastructure would expose data that is cryptographically unreadable without each user's individual password. Full technical details: Security Architecture
You can recover access using your one-time recovery key, issued during initial setup. The recovery key is an independent decryption path that can unlock your data and let you set a new password. If you lose both your password and your recovery key, your data is permanently unrecoverable. This is the inherent tradeoff of true end-to-end encryption — in exchange for a service that can't read your data, we also can't help you recover it. Store your recovery key somewhere safe.
Email [email protected] with details. Validated reports get a free ZestSSH Squeezed license or Juiced upgrade, and public credit if you want it. See the full Security Disclosure Policy for scope, safe harbor commitments, and response timing.
Yes, safely. Local .zest backup files are encrypted with a password you choose using AES-256-GCM and Argon2id key derivation. Third-party cloud providers can only see the encrypted blob — they cannot decrypt your backup even with full access to it. Do not forget the backup password; there is no recovery for backup files.
We're here to help.