🌐 Website • 💬 Discord • Download • Features • Security • Languages
| 🇻🇳 Tiếng Việt | 🇮🇩 Bahasa Indonesia | 🇨🇳 中文 | 🇰🇷 한국어 |
| 🇯🇵 日本語 | 🇫🇷 Français | 🇩🇪 Deutsch | 🇪🇸 Español |
| 🇹🇭 ภาษาไทย | 🇲🇾 Bahasa Melayu | 🇷🇺 Русский | 🇵🇭 Filipino |
| 🇧🇷 Português |
- Developers & DevOps engineers managing multiple servers
- System administrators who value security and efficiency
- Security-conscious users who don't trust cloud-based solutions
- Anyone who wants full control over their SSH credentials
YOU ARE RESPONSIBLE FOR YOUR OWN DATA.
Marix stores all data locally on your device with strong encryption. However:
- We cannot recover your data if you lose your backup password
- We have no servers - there is no "forgot password" option
- Backup regularly - hardware can fail
- You own your security - we provide the tools, you make the decisions
By using Marix, you accept full responsibility for your data security.
"Your keys. Your servers. Your privacy."
Marix is designed for the following security assumptions:
⚠️ Marix assumes a local, non-compromised host environment.
It does not attempt to defend against malicious OS-level adversaries or compromised runtimes.
In scope (protected against):
- Theft of backup files without password
- Brute-force password attacks on encrypted backups
- Data tampering in transit or storage (detected via AEAD)
- Cloud provider access to your data (client-side encryption)
Out of scope (not protected against):
- Malware with root/admin access on your device
- Physical access to unlocked device with app running
- Keyloggers or screen capture malware
- Compromised operating system or Electron runtime
| ❌ | Description |
|---|---|
| No remote key storage | Private keys never leave your device |
| No key escrow | We cannot recover your keys under any circumstance |
| No recovery without password | Lost password = lost backup (by design) |
| No network calls during encryption | Crypto operations are 100% offline |
| No cloud servers | We don't operate any infrastructure |
| No telemetry | Zero analytics, zero tracking, zero data collection |
| Principle | Description | |
|---|---|---|
| 🔐 | 100% Offline | All credentials stored locally on your device—never uploaded |
| ☁️ | No Cloud | We don't have servers. Your data never touches the internet |
| 📊 | No Telemetry | Zero tracking, zero analytics, zero data collection |
| 🔓 | Open Source | Fully auditable code under GPL-3.0, no hidden backdoors |
| Feature | Technology | Description | |
|---|---|---|---|
| 🛡️ | Local Storage | Argon2id + AES-256 | Credentials encrypted at rest on your device |
| 📦 | File Backup | Argon2id + AES-256-GCM | Export encrypted `.marix` files with authenticated encryption |
| 🔄 | Cloud Sync | Argon2id + AES-256-GCM | Client-side encryption—cloud providers store only encrypted blobs |
Marix is optimized to run smoothly on low-end machines:
Marix uses auto-calibration for Argon2id parameters—a widely-adopted best practice in applied cryptography:
| Feature | Description |
|---|---|
| Target Time | ~1 second (800-1200ms) on user's machine |
| Auto-Calibration | Memory and iterations auto-tuned at first run |
| Adaptive | Works optimally on both weak and powerful machines |
| Background Calibration | Runs on app startup for seamless UX |
| Stored Parameters | KDF params saved with encrypted data for cross-machine decryption |
| Security Floor | Minimum 64MB memory, 2 iterations (exceeds OWASP 47MB) |
Why ~1 second? This is the standard recommendation in practical cryptography. It provides strong brute-force resistance while remaining acceptable for user experience. Parameters adapt to each machine automatically—no need to guess "standard" settings.
| System RAM | Baseline Memory | Then Auto-Tuned |
|---|---|---|
| ≥ 16 GB | 512 MB | → Calibrated to ~1s |
| ≥ 8 GB | 256 MB | → Calibrated to ~1s |
| ≥ 4 GB | 128 MB | → Calibrated to ~1s |
| < 4 GB | 64 MB | → Calibrated to ~1s |
| Optimization | Technology | Benefit |
|---|---|---|
| V8 Heap Limit | `--max-old-space-size=256MB` | Prevents memory bloat |
| Background Throttling | `--disable-renderer-backgrounding` | Keeps connections alive |
| Terminal Buffer | Scrollback: 3,000 lines | 70% memory reduction vs default |
| Lazy Loading | On-demand component loading | Faster startup |
| GC Hints | Manual garbage collection triggers | Reduced memory footprint |
| Component | Technology | Purpose |
|---|---|---|
| Framework | Electron 39 + React 19 | Cross-platform desktop app |
| Terminal | xterm.js 6 | High-performance terminal emulation |
| SSH/SFTP | ssh2 + node-pty | Native SSH protocol implementation |
| Code Editor | CodeMirror 6 | Lightweight syntax highlighting |
| Encryption | Argon2 + Node.js Crypto | Strong client-side encryption |
| Styling | Tailwind CSS 4 | Modern, minimal CSS |
| Build | Webpack 5 + TypeScript 5 | Optimized production bundles |
 Windows Download .exe |
 macOS Intel .zip Apple Silicon |
 Linux .AppImage • .deb • .rpm |
⚠️ Linux Users: When upgrading, usesudo dpkg -r marixto uninstall the old version before installing the new one. Using Software Center may leave old files behind.
| Protocol | Technology | Description |
|---|---|---|
| SSH | ssh2 + node-pty | Secure Shell with password & private key authentication |
| SFTP | ssh2 | Dual-pane file manager with drag-and-drop |
| FTP/FTPS | basic-ftp | Standard and secure FTP support |
| RDP | xfreerdp3 / mstsc | Remote Desktop (xfreerdp3 on Linux, mstsc on Windows) |
| Database | mysql2, pg, mongodb, redis, better-sqlite3 | Connect to MySQL, PostgreSQL, MongoDB, Redis, SQLite |
- 400+ color themes - From Dracula to Solarized, Catppuccin, Nord, and more
- Customizable fonts - Any system font, any size
- Full xterm.js 6 - Complete terminal emulation with Unicode support
- Session preservation - Tabs persist across reconnects
- OS detection - Auto-detect Linux distro & display system info
- Dual-pane interface - Local ↔ Remote side by side
- Integrated editor - CodeMirror 6 with 15+ language syntax highlighting
- Drag & drop - Upload/download files easily
- Permission management - chmod with visual interface
- Batch operations - Multi-select files for transfer
- Compress/Extract - Right-click to zip, tar.gz, extract archives
Install popular frameworks and CMS directly on your server via SSH.
| Category | Frameworks |
|---|---|
| PHP | Laravel, WordPress, Symfony, CodeIgniter 3/4 |
| JavaScript | Express.js, NestJS, Fastify, Vue.js, Nuxt.js, React, Next.js |
| TypeScript | TypeScript Node projects |
Features:
- Dynamic version fetching - Versions fetched from GitHub/npm APIs in real-time
- Auto-discover new versions - Laravel 13+, WordPress 7+, etc. automatically detected
- PHP version compatibility check - Warns if server PHP version doesn't match requirements
- Sub-version selection - Choose specific patch versions (e.g., Laravel 11.5.0)
- One-click installation - Installs framework with all dependencies
- Database configuration - Auto-configure .env or wp-config.php
LAN File Transfer
Share files instantly between devices on your local network.
- Sender: Select files → Show 6-digit code → Wait for receiver
- Receiver: Enter sender's code → Auto-find sender via UDP → Select save folder → Receive files
- Real-time transfer progress with speed display
- TCP-based reliable transfer (64KB chunks)
- Send multiple files and folders
- Works on WiFi and Ethernet
LAN Server Sharing
Share server configurations with nearby devices securely.
- Sender: Select servers → Show 6-digit code → Select peer device → Send encrypted data
- Receiver: Receive notification → Enter sender's code to decrypt → Import servers
- AES-256-CBC encryption with scrypt key derivation
- Auto-discover devices on local network
- Option to include/exclude passwords and private keys
DNS & Network Tools
- A / AAAA / MX / TXT / SPF / CNAME / NS / SOA / PTR lookups
- Ping & Traceroute
- TCP port testing
- HTTP/HTTPS checker with SSL info
- SMTP server testing
- IP Blacklist checker (10 RBLs)
- WHOIS lookup
- ARIN/IP ownership lookup
- Listening ports scanner
Cloudflare DNS Manager
Optional built-in tool for managing Cloudflare DNS directly from your SSH workspace.
- Manage all your domains
- Create/Edit/Delete DNS records
- Support for A, AAAA, CNAME, MX, TXT, SRV, CAA records
- Toggle Cloudflare proxy (orange cloud)
- TTL management
- API key included in encrypted backups
SSH Key Manager
- Generate RSA-4096, Ed25519, ECDSA-521 keys
- Import existing keys from file
- Export public/private keys
- Secure local storage in ~/.marix/ssh_keys
- Key fingerprint display
- Keys included in encrypted backups
Known Hosts Manager
- View all SSH fingerprints
- Import from host
- Remove untrusted hosts
- Verify host authenticity
Command Snippets
Save and organize frequently-used commands with optional keyboard shortcuts.
- Quick command library - Store commands you use often with descriptions
- Keyboard shortcuts - Assign
Ctrl+Shift+[key](orCmd+Shift+[key]on Mac) for instant execution - Categories - Organize by System, Docker, Git, Network, Database, or Custom
- Scope-based - Global snippets or specific to a host/group
- Snippet Panel - Side panel in terminal for quick access
- Search & filter - Find snippets by name, command, or tags
- Included in backup - Snippets are encrypted and backed up with your data
How to use:
- Open Snippets menu from the sidebar
- Click Add to create a new snippet
- Enter name, command, category, and optional hotkey
- In SSH terminal:
- Click snippet in the panel to insert command
- Or press
Ctrl+Shift+[key]to execute with hotkey
- Dark & Light themes - Follow system or toggle manually
- 14 languages supported
- Server tagging - Organize with colored tags
- Quick connect - Cmd/Ctrl+K to search servers
- Connection history - Quick access to recent connections
All backups use Argon2id (winner of the Password Hashing Competition) and AES-256-GCM (authenticated encryption):
| Data | Included | Encrypted |
|---|---|---|
| Server list (hosts, ports, credentials) | ✅ | ✅ AES-256-GCM |
| SSH private keys | ✅ | ✅ AES-256-GCM |
| Cloudflare API token | ✅ | ✅ AES-256-GCM |
| Command snippets | ✅ | ✅ AES-256-GCM |
| 2FA TOTP entries | ✅ | ✅ AES-256-GCM |
| Port forwarding configs | ✅ | ✅ AES-256-GCM |
| App settings & preferences | ✅ | ✅ AES-256-GCM |
| Known hosts | ❌ | — |
- 🔐 Password never stored — Not in the file, not on GitHub, not anywhere
- 🔒 Client-side encryption — All encryption happens locally before data leaves your device
- 🛡️ Brute-force resistant — Argon2id requires 64-512MB RAM per attempt (auto-adjusted)
- ✅ Tamper-evident — AES-GCM (AEAD) authentication detects any modification to encrypted data
- 🔄 Cross-machine compatible — Backup stores KDF parameters for portability
Export all your data as an encrypted `.marix` file:
- Go to Settings → Backup & Restore
- Create password meeting requirements:
- Minimum 10 characters
- 1 uppercase, 1 lowercase, 1 number, 1 special character
- Export - File is encrypted before saving
- Store safely - Keep the backup file and remember your password
Securely sync your encrypted backup to your Google Drive:
📘 Setup Guide: Google Drive Setup Documentation
ℹ️ Pre-packaged Version: If you're using the pre-built release (AppImage, RPM, etc.), Google credentials are already included. You can skip step 1 and connect directly.
-
Configure OAuth Credentials:
- Create a Google Cloud Project
- Enable Google Drive API
- Create OAuth 2.0 Client ID
- Download credentials JSON file
- Save as
src/main/services/google-credentials.json
-
Connect in Marix:
- Go to Settings → Backup & Restore → Google Drive
- Click "Connect to Google Drive"
- Browser opens for Google OAuth
- Grant permissions
- App receives secure token
-
Create Backup:
- Enter encryption password (10+ characters)
- Click "Create Backup"
- File uploaded to "Marix Backups" folder on Drive
-
Restore Backup:
- Click "Restore from Google Drive"
- Enter your backup password
- All servers and settings restored
[Your Data] → [Argon2id + AES-256] → [Encrypted Blob] → [Google Drive]
↑
Your Password
(never uploaded)
- ✅ End-to-end encrypted - Data encrypted before leaving your device
- ✅ Zero-knowledge - Google only sees encrypted blobs
- ✅ Your keys only - OAuth tokens stored locally
- ✅ Private backup folder - Files only accessible by your app
Securely sync your encrypted backup to a private GitHub repository:
-
Login with GitHub:
- Go to Settings → Backup & Restore → GitHub Backup
- Click "Login with GitHub"
- A device code will appear in the app
- Browser opens automatically - enter the code and authorize
- Done! A private repository `marix-backup` is automatically created
-
Backup:
- Click "Backup to GitHub"
- Enter your backup password
- Encrypted data is pushed to your repository
-
Restore on another device:
- Install Marix
- Login with GitHub (same steps as above)
- Click "Restore from GitHub"
- Enter your backup password to decrypt
| Layer | Protection |
|---|---|
| Client-side encryption | Data encrypted before leaving device |
| Argon2id KDF | 64-512MB memory (auto), 4 iterations, 1-4 parallel lanes |
| AES-256-GCM | AEAD with random IV (tamper-evident) |
| GitHub storage | Only encrypted ciphertext stored |
| No Marix server | Direct client ↔ GitHub communication |
⚠️ Important: If you lose your backup password, your backup is permanently unrecoverable. We cannot decrypt it. No one can.
| Component | Algorithm | Parameters |
|---|---|---|
| Key Derivation | Argon2id | 64-512MB memory (auto), 4 iterations, 1-4 lanes |
| Encryption | AES-256-GCM | 256-bit key, AEAD (tamper-evident) |
| Salt | CSPRNG | 32 bytes per backup |
| IV/Nonce | CSPRNG | 16 bytes per operation |
| Auth Tag | GCM | 16 bytes |
Argon2id Parameters (OWASP 2024 compliant):
- Memory: 64-512 MB (adaptive, minimum 64MB exceeds OWASP's 47MB recommendation)
- Iterations: 4 (within OWASP's 3-5 range)
- Parallelism: 1-4 (based on CPU cores)
| Algorithm | Key Size | Use Case |
|---|---|---|
| Ed25519 | 256-bit | Recommended (fast, secure) |
| RSA | 4096-bit | Legacy compatibility |
| ECDSA | 521-bit | Alternative to Ed25519 |
Your backup password must contain:
- ✅ Minimum 10 characters
- ✅ At least 1 uppercase letter (A-Z)
- ✅ At least 1 lowercase letter (a-z)
- ✅ At least 1 number (0-9)
- ✅ At least 1 special character (!@#$%^&*...)
```bash
git clone https://github.com/marixdev/marix.git cd marix
npm install
npm run dev
npm run build
npm run package:win # Windows (.exe) npm run package:mac # macOS (.zip) npm run package:linux # Linux (.AppImage, .deb, .rpm) ```
| Component | Minimum | Recommended |
|---|---|---|
| OS | Windows 10, macOS 10.15, Ubuntu 20.04 | Latest |
| RAM | 2 GB | 4 GB+ |
| Storage | 200 MB | 500 MB |
```bash
sudo apt install freerdp3-x11 xdotool
sudo dnf install freerdp xdotool
sudo pacman -S freerdp xdotool ```
This project is licensed under the GNU General Public License v3.0 (GPL-3.0).
This means:
- ✅ You can use, modify, and distribute this software
- ✅ You can use it for commercial purposes
⚠️ Any modifications must also be released under GPL-3.0⚠️ You must disclose source code when distributing⚠️ You must state changes made to the code
See LICENSE for the full license text.
Marix — A modern, zero-knowledge SSH client
Your data. Your responsibility. Your freedom.
If you want convenience at the cost of privacy, Marix is not for you.