trustmux trustmux
NEW Now available on Ubuntu PPA, PyPI, and Homebrew

Your workstation terminal,
in your pocket.

Trustmux lets you monitor and interact with your tmux or Byobu sessions from any browser — privately, over your Tailscale network. No relay server. No cloud. Point to point. Your data is always private and TLS encrypted.

Get started View on GitHub
# First, launch tmux or byobu
$ byobu
$ trustmux start
Trustmux started.
$ trustmux enable
Trustmux enabled at login.
$ trustmux pair
Pairing code: 847-293   (expires in 60s)
Scan or visit: https://your-machine.tail1234.ts.net:7432

See it on your phone.

Five screens that show what Trustmux looks like as a PWA on Android.

Main terminal UI Device pairing screen New pane / window / session Biometric lock screen Text mode with Claude Code

Live terminal output

Stream real-time output from any tmux or Byobu pane. Full ANSI color rendering. Swipe up to scroll back through history.

The byobu status line at the bottom mirrors your workstation — distro, uptime, CPU, memory, load, and clock.

Pair in seconds

No SSH keys, no certificates, no configuration. Run trustmux pair on your workstation and enter the 6-digit code — that's it.

The code expires in 60 seconds and is single-use. Long-lived tokens are stored locally and never leave your devices.

Manage sessions from your phone

Tap + to create a new pane, window, or session. Use ‹ › in the header to step through all your live panes. Tap the pane name to rename it.

Biometric lock

Require fingerprint, face, or PIN to unlock when you return to the app — so your terminal is safe if someone picks up your phone. Once enabled, it stays on.

Uses WebAuthn platform authenticator. No biometric data ever leaves your device.

Terminal mode & text mode

Tap $_ to toggle into text mode — autocorrect and spellcheck turn on so you can type naturally for longer messages or AI prompts.

Tap Aa to go back to terminal mode with autocorrect and autocapitalize fully disabled.

Install

Pick your preferred package manager.

# Ubuntu / Debian — trustmux is included in the byobu package
$ sudo add-apt-repository ppa:byobu/ppa
$ sudo apt update && sudo apt install byobu
 
# Launch tmux or byobu first
$ byobu
 
# Start the daemon
$ trustmux start
Trustmux started.
 
# Enable at login
$ trustmux enable
Trustmux enabled at login.
 
# Ensure Tailscale is running on both this machine and your phone
# Pair your phone
$ trustmux pair
Pairing code: 847-293   (expires in 60s)
Scan or visit: https://your-machine.tail1234.ts.net:7432
# Requires Python 3.9+ and Tailscale
$ pip install trustmux
Successfully installed trustmux-7.0a7
 
# Launch tmux or byobu first
$ tmux
 
# Start the daemon
$ trustmux start
Trustmux started.
 
# Enable at login
$ trustmux enable
Trustmux enabled at login.
 
# Ensure Tailscale is running on both this machine and your phone
# Pair your phone
$ trustmux pair
Pairing code: 847-293   (expires in 60s)
Scan or visit: https://your-machine.tail1234.ts.net:7432
# macOS (requires tmux and Tailscale)
$ brew tap dustinkirkland/trustmux
$ brew install dustinkirkland/trustmux/trustmux
 
# Launch tmux first
$ tmux
 
# Start the daemon
$ trustmux start
Trustmux started.
 
# Enable at login
$ trustmux enable
Trustmux enabled at login.
 
# Ensure Tailscale is running on both this machine and your phone
# Pair your phone
$ trustmux pair
Pairing code: 847-293   (expires in 60s)
Scan or visit: https://your-machine.tail1234.ts.net:7432

Requires Tailscale for secure HTTPS transport and tmux ≥ 1.5. On Ubuntu and Debian, trustmux ships inside the byobu package — no separate trustmux package needed. Use pip or Homebrew if you want trustmux without byobu.

How it works

Three steps from install to your terminal on your phone.

  Your workstation                              Your phone
  ┌──────────────────────────┐                ┌────────────────┐
  │   tmux / Byobu sessions  │                │                │
  │         ↕ libtmux        │   Tailscale    │   Trustmux     │
  │  ┌──────────────────┐    │   WireGuard    │   PWA (or app) │
  │  │  trustmux daemon │◄───┼──── (TLS) ────►│                │
  │  └──────────────────┘    │                │  browser or    │
  │  ~/.config/trustmux/     │                │  home screen   │
  │  tokens + pairing        │                │                │
  └──────────────────────────┘                └────────────────┘
          ↑ your machine, your data, point to point — no cloud
Step 01

Install

Install via Ubuntu PPA, pip, or Homebrew. Trustmux runs as a lightweight background daemon alongside your existing Byobu or tmux setup. Coming soon to all distros that package Byobu.

Step 02

Enable & start

Run trustmux enable to start at login, then trustmux start. The daemon uses libtmux to communicate with tmux, binds to your Tailscale IP, and serves over HTTPS via tailscale serve.

Step 03

Pair your phone

Run trustmux pair to generate a 6-digit code. Open the URL on your phone, enter the code, and tap Add to Home Screen for a native app feel.

Nine problems every mobile terminal user knows.

We solved all nine — free, in the PWA, today.

The pain Status How Trustmux fixes it
SSH session dies when network drops or phone backgrounds ✓ SOLVED Your tmux session keeps running on your workstation. The phone is a viewer, not a connection endpoint — reconnect in a tap.
SSH key management on phone is painful ✓ SOLVED Replaced entirely by a 6-digit pairing code. No keys to copy, no secrets to sync, no password manager.
NAT, firewalls, and dynamic IPs block access from anywhere ✓ SOLVED Tailscale handles NAT traversal automatically — works on mobile data, hotel Wi-Fi, and conference networks with no port forwarding.
App Store required, expensive subscriptions, abandoned apps ✓ SOLVED Free PWA. No App Store. No subscription. One tap to add to home screen on iOS and Android — works full-screen like a native app.
Copy-paste from a terminal on phone is broken ✓ SOLVED Browser-native copy-paste. Touch-select text the same as any webpage — no terminal drag-selection fighting you.
Font is too small; can't zoom without breaking layout ✓ SOLVED Pinch-to-zoom works natively in the browser. No terminal re-flow or layout breakage.
Scrollback requires tmux copy mode + phantom arrow keys ✓ SOLVED Swipe up with your thumb. It's a browser — scrollback works like any webpage. tmux copy mode never needed.
Autocorrect and autocapitalize corrupt terminal commands ✓ SOLVED The keyboard toggle disables autocorrect, autocapitalize, and spellcheck when you're typing into the terminal.
Swipe to navigate between sessions, windows, and panes ✓ SOLVED Swipe left/right to move between panes and windows. Tap the S:/W:/P: picker in the header to jump directly to any session, window, or pane by name.

Everything you need, nothing you don't.

Trustmux is purpose-built for one job: your terminal, on your phone.

📱

Progressive Web App (PWA)

A PWA is a website that installs like a native app — one tap to add to your home screen on iOS or Android, no App Store, no review process, no download waiting. It launches full-screen, works offline for the UI shell, and updates silently in the background whenever you connect. Just a thin, fast wrapper around your mobile browser.

🔒

Private by design

Point to point over your Tailscale WireGuard network. No relay, no cloud, no third party. TLS encrypted end to end.

⌨️

Send keystrokes

Type commands, navigate panes, and interact with running processes directly from your phone keyboard.

🖥️

Live terminal output

Stream real-time output from any tmux pane. Swipe left and right to move between panes and windows.

🔑

Pairing-code auth

Secure pairing with a time-limited 6-digit code. No passwords to manage, no SSH keys to copy.

🐧

Byobu-native

Built by the Byobu maintainer. First-class support for Byobu sessions, profiles, and status lines.

Mobile App

Free for personal use. More power when you need it.

Free

Progressive Web App (PWA)

$0

Install in one tap — no App Store, no subscription. A full-featured terminal client that lives on your home screen.

  • Live terminal output with full ANSI color rendering
  • Send keystrokes & commands
  • Create & name sessions, windows, and panes
  • Navigate between all panes with ‹ › swipe
  • Pairing-code authentication (6-digit, expires in 60s)
  • Biometric lock — always on once enabled (Face ID / fingerprint / PIN via WebAuthn)
  • Byobu status line on the phone
  • One-tap install to home screen (iOS & Android)
  • Send control characters (Ctrl-C, Ctrl-Z, …)
  • Push notifications on output match
  • Native Flutter app
  • Multi-machine dashboard
Install free

Pro — Native App

Coming
soon

A native Flutter app for iOS and Android that does what no browser ever can: stay connected in the background, push you when jobs finish, and live on your Lock Screen.

  • Everything in Free
  • Send control characters (Ctrl-C, Ctrl-Z, Ctrl-D, …)
  • Kill panes, windows, and sessions
  • Multi-machine dashboard — all your servers in one place
  • Background connection — session stays live when app is backgrounded
  • Push notifications — job complete, output match, or terminal bell
  • Live Activities — build progress on your iPhone Lock Screen & Dynamic Island
  • Home screen widget — session count and last command status at a glance
  • Biometric app lock — Face ID / Touch ID backed by Secure Enclave, with configurable idle timeout and session TTL
  • Full hardware keyboard — all Ctrl+key chords, no browser interception
  • Siri & Shortcuts — "Connect to dev server" via voice or Action Button
  • Apple Watch / WearOS — wrist alert when your job finishes
  • iPad split view, Stage Manager & external display support
  • iCloud / Google Drive sync for machine profiles
⭐ Star on GitHub

Frequently asked questions

Everything you need to know to get the most out of Trustmux.

What exactly is Trustmux?

Trustmux is a lightweight background daemon that runs on your workstation and exposes your tmux or Byobu sessions as a Progressive Web App (PWA) — accessible from any browser on your phone or tablet. It talks directly to tmux via libtmux, streams live output to your device, and lets you send keystrokes back. No SSH client needed, no VPN configuration beyond Tailscale.

Do I need Byobu, or will plain tmux work?

Plain tmux works great — Trustmux speaks to tmux directly. Byobu is completely optional. That said, if you already use Byobu, Trustmux has first-class support for Byobu sessions, profiles, and status lines, since it's built and maintained by the Byobu author.

On Ubuntu and Debian, Trustmux ships inside the byobu package, so installing Byobu is the easiest path. On macOS or other platforms, install via pip or Homebrew alongside whichever tmux setup you already have.

What is Tailscale and why is it required?

Tailscale creates a private WireGuard mesh between your devices — your workstation, your phone, your laptop — without opening any firewall ports. Trustmux binds to your Tailscale IP and uses tailscale serve to provide HTTPS, so your terminal is reachable from anywhere on your Tailnet and nowhere else.

Tailscale is free for personal use (up to 3 users, 100 devices). Install it on your workstation and your phone, sign in with the same account, and both devices appear on the same private network automatically — even across NAT, mobile data, and hotel Wi-Fi.

What tmux version do I need?

tmux 1.5 or newer. In practice, most modern Linux distributions ship tmux 3.x — check with tmux -V. macOS users can install a current tmux via brew install tmux.

How do I install the app on my phone?

Run trustmux pair on your workstation. It prints a short URL and a 6-digit code (valid for 60 seconds). Open the URL in your phone's browser and enter the code to pair.

Once paired, add it to your home screen for a full-screen, app-like experience: on iOS, tap the Share button then "Add to Home Screen." On Android, tap the browser menu then "Add to Home Screen" or "Install app." It will launch without browser chrome, just like a native app.

How do I navigate between sessions, windows, and panes?

Swipe left or right on the terminal view to move between panes and windows. A picker in the top bar shows your current session, window, and pane — tap it to jump directly to any other one. If you use Byobu, named windows and sessions appear by their Byobu names.

How do I send keystrokes and commands from my phone?

Tap the terminal view to focus it and bring up your phone keyboard. Type normally — every keystroke is forwarded to the active tmux pane in real time. An on-screen toolbar provides one-tap access to common keys that are awkward on mobile: Tab, Escape, arrow keys, and the tmux prefix (Ctrl-b by default, or F12 in Byobu).

The Pro tier (coming soon) adds full control-character support: Ctrl-C, Ctrl-Z, Ctrl-D, and others.

Can I use Trustmux when I'm traveling or away from home?

Yes — that's one of the main use cases. As long as both your workstation and your phone are connected to Tailscale, Trustmux works anywhere: on mobile data, on a conference Wi-Fi, anywhere in the world. Tailscale handles NAT traversal and roaming automatically, so there's nothing extra to configure.

Is my terminal data private and secure?

Yes. Your terminal output travels directly from your workstation to your phone over your Tailscale WireGuard tunnel — TLS encrypted, point to point. Nothing passes through a relay server or any Trustmux infrastructure. The pairing code expires in 60 seconds and is single-use. Long-lived tokens are stored locally in ~/.config/trustmux/ and never leave your machines.

How does pairing work, and how do I revoke access?

Run trustmux pair to generate a one-time 6-digit code valid for 60 seconds. When your phone enters the code, Trustmux issues a long-lived token stored on that device. To revoke all paired devices at once, run trustmux unpair — this invalidates every token. You can then re-pair any device you want to keep.

Why not just SSH from my phone?

SSH apps on phones work, but they're awkward: you need to manage keys, each connection starts a fresh shell, and if your connection drops you lose whatever was running. With Trustmux, you're looking at a persistent tmux session that keeps running on your workstation regardless of network interruptions. Pick it up from your phone exactly where you left off — running builds, long logs, ongoing processes — without any reconnection ceremony.

Trustmux also renders in a browser, so pinch-to-zoom, copy-paste, and accessibility features all work naturally on mobile.

The daemon stopped. How do I restart it?

Run trustmux start. Check its current status with trustmux status. If you ran trustmux enable, the daemon is registered to start automatically at login — so a reboot will also bring it back. To stop it manually, run trustmux stop.

How does Trustmux compare to Mosh?

Mosh is a roaming-aware replacement for SSH — it handles spotty mobile connections gracefully and predicts your keystrokes locally so the terminal feels snappy even on a high-latency link. It's great technology, but it's still a connection to a remote shell. If that connection breaks long enough, your session can diverge; and because Mosh itself provides no multiplexing, most people run Mosh into a tmux session on the server anyway to get persistence.

Trustmux is a different layer entirely. Rather than replacing SSH, it replaces the phone client. There is no SSH, no Mosh — your phone's browser attaches directly to a tmux session that is already running on your workstation, over your Tailscale WireGuard tunnel. Both approaches have prerequisites; they're just different ones:

  • What Mosh needs. mosh-server installed on each remote machine you connect to, plus UDP ports 60000–61000 open in the firewall. If you SSH to machines you don't control, that can be a real barrier.
  • What Trustmux needs. The trustmux daemon running on your workstation, and Tailscale installed on both your workstation and your phone. These live entirely on your own devices, but it's still real software to install and keep running.
  • Browser, not a terminal app. Trustmux renders in a PWA, so pinch-to-zoom, copy-paste, and your phone's accessibility features all work naturally. Mosh requires a dedicated terminal emulator app.
  • Session persistence is built in. Both approaches benefit from tmux underneath, but Trustmux is designed around that model from the start — you're always looking at the live state of a session that never stops.
  • Local echo vs. live output. Mosh's local prediction makes typing feel faster on laggy links. Trustmux streams real terminal output with no prediction; over a Tailscale tunnel this is typically fast enough that the difference is imperceptible.

If you love Mosh for SSH access to remote servers, keep using it — Trustmux doesn't replace that workflow. What Trustmux replaces is reaching for a Mosh or SSH client on your phone just to peek at a build running on your own workstation.

Security model

Point-to-point, hardened pairing, and 256-bit session tokens — no cloud required.

🔢

Brute-force-resistant pairing

The 6-digit pairing code expires after 3 minutes and is invalidated after three wrong guesses — regardless of how fast the guesses arrive. An attacker has a 0.0003% chance of success per pairing window. A new window requires the machine owner to run trustmux pair again.

🗝️

256-bit session tokens

After pairing, Trustmux issues a secrets.token_urlsafe(32) session token — 256 bits of cryptographically secure entropy. Validated with a constant-time comparison to prevent timing attacks. Computationally impossible to brute-force.

🌐

Minimal network exposure

In default mode the daemon binds only to your Tailscale IP (100.x.x.x) — unreachable from the public internet or other local-network devices. The pairing endpoint is never exposed unless you explicitly run trustmux start-direct.

🔐

TLS everywhere

Traffic between your workstation and phone is TLS-encrypted end to end via tailscale serve. In start-direct mode a self-signed certificate is generated automatically. In start-local mode the SSH tunnel provides encryption.

💾

Tokens stored locally, 0600

Session tokens live in ~/.config/trustmux/tokens.json with mode 0600 — readable only by you. They are delivered to the browser as HttpOnly, SameSite=Strict cookies and automatically expire after 90 days of inactivity.

🚫

Instant revocation

Run trustmux unpair to immediately invalidate all paired devices or remove a specific one. Revoked tokens are rejected on the next request — no waiting, no TTL drift.