trustmux
NEW Now available on Ubuntu PPA, PyPI, and Homebrew
Trustmux lets you monitor and interact with your tmux or Byobu sessions from any browser — privately, over your Tailscale network. No relay server. No cloud. Point to point. Your data is always private and TLS encrypted.
# First, launch tmux or byobu
$ byobu
$ trustmux start
Trustmux started.
$ trustmux enable
Trustmux enabled at login.
$ trustmux pair
Pairing code: 847-293 (expires in 60s)
Scan or visit: https://your-machine.tail1234.ts.net:7432
See it on your phone.
Five screens that show what Trustmux looks like as a PWA on Android.
Live terminal output
Stream real-time output from any tmux or Byobu pane. Full ANSI color rendering. Swipe up to scroll back through history.
The byobu status line at the bottom mirrors your workstation — distro, uptime, CPU, memory, load, and clock.
Pair in seconds
No SSH keys, no certificates, no configuration. Run trustmux pair on your workstation and enter the 6-digit code — that's it.
The code expires in 60 seconds and is single-use. Long-lived tokens are stored locally and never leave your devices.
Manage sessions from your phone
Tap + to create a new pane, window, or session. Use ‹ › in the header to step through all your live panes. Tap the pane name to rename it.
Biometric lock
Require fingerprint, face, or PIN to unlock when you return to the app — so your terminal is safe if someone picks up your phone. Once enabled, it stays on.
Uses WebAuthn platform authenticator. No biometric data ever leaves your device.
Terminal mode & text mode
Tap $_ to toggle into text mode — autocorrect and spellcheck turn on so you can type naturally for longer messages or AI prompts.
Tap Aa to go back to terminal mode with autocorrect and autocapitalize fully disabled.
Install
Pick your preferred package manager.
$ sudo add-apt-repository ppa:byobu/ppa
$ sudo apt update && sudo apt install byobu
$ byobu
$ trustmux start
Trustmux started.
$ trustmux enable
Trustmux enabled at login.
$ trustmux pair
Pairing code: 847-293 (expires in 60s)
Scan or visit: https://your-machine.tail1234.ts.net:7432
$ pip install trustmux
Successfully installed trustmux-7.0a7
$ tmux
$ trustmux start
Trustmux started.
$ trustmux enable
Trustmux enabled at login.
$ trustmux pair
Pairing code: 847-293 (expires in 60s)
Scan or visit: https://your-machine.tail1234.ts.net:7432
$ brew tap dustinkirkland/trustmux
$ brew install dustinkirkland/trustmux/trustmux
$ tmux
$ trustmux start
Trustmux started.
$ trustmux enable
Trustmux enabled at login.
$ trustmux pair
Pairing code: 847-293 (expires in 60s)
Scan or visit: https://your-machine.tail1234.ts.net:7432
Requires Tailscale for secure HTTPS transport and tmux ≥ 1.5. On Ubuntu and Debian, trustmux ships inside the byobu package — no separate trustmux package needed. Use pip or Homebrew if you want trustmux without byobu.
How it works
Three steps from install to your terminal on your phone.
Your workstation Your phone ┌──────────────────────────┐ ┌────────────────┐ │ tmux / Byobu sessions │ │ │ │ ↕ libtmux │ Tailscale │ Trustmux │ │ ┌──────────────────┐ │ WireGuard │ PWA (or app) │ │ │ trustmux daemon │◄───┼──── (TLS) ────►│ │ │ └──────────────────┘ │ │ browser or │ │ ~/.config/trustmux/ │ │ home screen │ │ tokens + pairing │ │ │ └──────────────────────────┘ └────────────────┘ ↑ your machine, your data, point to point — no cloud
Step 01
Install
Install via Ubuntu PPA, pip, or Homebrew. Trustmux runs as a lightweight background daemon alongside your existing Byobu or tmux setup. Coming soon to all distros that package Byobu.
Step 02
Enable & start
Run trustmux enable to start at login, then trustmux start. The daemon uses libtmux to communicate with tmux, binds to your Tailscale IP, and serves over HTTPS via tailscale serve.
Step 03
Pair your phone
Run trustmux pair to generate a 6-digit code. Open the URL on your phone, enter the code, and tap Add to Home Screen for a native app feel.
Nine problems every mobile terminal user knows.
We solved all nine — free, in the PWA, today.
| The pain | Status | How Trustmux fixes it |
|---|---|---|
| SSH session dies when network drops or phone backgrounds | ✓ SOLVED | Your tmux session keeps running on your workstation. The phone is a viewer, not a connection endpoint — reconnect in a tap. |
| SSH key management on phone is painful | ✓ SOLVED | Replaced entirely by a 6-digit pairing code. No keys to copy, no secrets to sync, no password manager. |
| NAT, firewalls, and dynamic IPs block access from anywhere | ✓ SOLVED | Tailscale handles NAT traversal automatically — works on mobile data, hotel Wi-Fi, and conference networks with no port forwarding. |
| App Store required, expensive subscriptions, abandoned apps | ✓ SOLVED | Free PWA. No App Store. No subscription. One tap to add to home screen on iOS and Android — works full-screen like a native app. |
| Copy-paste from a terminal on phone is broken | ✓ SOLVED | Browser-native copy-paste. Touch-select text the same as any webpage — no terminal drag-selection fighting you. |
| Font is too small; can't zoom without breaking layout | ✓ SOLVED | Pinch-to-zoom works natively in the browser. No terminal re-flow or layout breakage. |
| Scrollback requires tmux copy mode + phantom arrow keys | ✓ SOLVED | Swipe up with your thumb. It's a browser — scrollback works like any webpage. tmux copy mode never needed. |
| Autocorrect and autocapitalize corrupt terminal commands | ✓ SOLVED | The keyboard toggle disables autocorrect, autocapitalize, and spellcheck when you're typing into the terminal. |
| Swipe to navigate between sessions, windows, and panes | ✓ SOLVED | Swipe left/right to move between panes and windows. Tap the S:/W:/P: picker in the header to jump directly to any session, window, or pane by name. |
Everything you need, nothing you don't.
Trustmux is purpose-built for one job: your terminal, on your phone.
📱
Progressive Web App (PWA)
A PWA is a website that installs like a native app — one tap to add to your home screen on iOS or Android, no App Store, no review process, no download waiting. It launches full-screen, works offline for the UI shell, and updates silently in the background whenever you connect. Just a thin, fast wrapper around your mobile browser.
🔒
Private by design
Point to point over your Tailscale WireGuard network. No relay, no cloud, no third party. TLS encrypted end to end.
⌨️
Send keystrokes
Type commands, navigate panes, and interact with running processes directly from your phone keyboard.
🖥️
Live terminal output
Stream real-time output from any tmux pane. Swipe left and right to move between panes and windows.
🔑
Pairing-code auth
Secure pairing with a time-limited 6-digit code. No passwords to manage, no SSH keys to copy.
🐧
Byobu-native
Built by the Byobu maintainer. First-class support for Byobu sessions, profiles, and status lines.
Mobile App
Free for personal use. More power when you need it.
Free
Progressive Web App (PWA)
$0
Install in one tap — no App Store, no subscription. A full-featured terminal client that lives on your home screen.
- Live terminal output with full ANSI color rendering
- Send keystrokes & commands
- Create & name sessions, windows, and panes
- Navigate between all panes with ‹ › swipe
- Pairing-code authentication (6-digit, expires in 60s)
- Biometric lock — always on once enabled (Face ID / fingerprint / PIN via WebAuthn)
- Byobu status line on the phone
- One-tap install to home screen (iOS & Android)
- Send control characters (Ctrl-C, Ctrl-Z, …)
- Push notifications on output match
- Native Flutter app
- Multi-machine dashboard
Pro — Native App
Coming
soon
A native Flutter app for iOS and Android that does what no browser ever can: stay connected in the background, push you when jobs finish, and live on your Lock Screen.
- Everything in Free
- Send control characters (Ctrl-C, Ctrl-Z, Ctrl-D, …)
- Kill panes, windows, and sessions
- Multi-machine dashboard — all your servers in one place
- Background connection — session stays live when app is backgrounded
- Push notifications — job complete, output match, or terminal bell
- Live Activities — build progress on your iPhone Lock Screen & Dynamic Island
- Home screen widget — session count and last command status at a glance
- Biometric app lock — Face ID / Touch ID backed by Secure Enclave, with configurable idle timeout and session TTL
- Full hardware keyboard — all Ctrl+key chords, no browser interception
- Siri & Shortcuts — "Connect to dev server" via voice or Action Button
- Apple Watch / WearOS — wrist alert when your job finishes
- iPad split view, Stage Manager & external display support
- iCloud / Google Drive sync for machine profiles
Frequently asked questions
Everything you need to know to get the most out of Trustmux.
What exactly is Trustmux?
Trustmux is a lightweight background daemon that runs on your workstation and exposes your tmux or Byobu sessions as a Progressive Web App (PWA) — accessible from any browser on your phone or tablet. It talks directly to tmux via libtmux, streams live output to your device, and lets you send keystrokes back. No SSH client needed, no VPN configuration beyond Tailscale.
Do I need Byobu, or will plain tmux work?
Plain tmux works great — Trustmux speaks to tmux directly. Byobu is completely optional. That said, if you already use Byobu, Trustmux has first-class support for Byobu sessions, profiles, and status lines, since it's built and maintained by the Byobu author.
On Ubuntu and Debian, Trustmux ships inside the byobu package, so installing Byobu is the easiest path. On macOS or other platforms, install via pip or Homebrew alongside whichever tmux setup you already have.
What is Tailscale and why is it required?
Tailscale creates a private WireGuard mesh between your devices — your workstation, your phone, your laptop — without opening any firewall ports. Trustmux binds to your Tailscale IP and uses tailscale serve to provide HTTPS, so your terminal is reachable from anywhere on your Tailnet and nowhere else.
Tailscale is free for personal use (up to 3 users, 100 devices). Install it on your workstation and your phone, sign in with the same account, and both devices appear on the same private network automatically — even across NAT, mobile data, and hotel Wi-Fi.
What tmux version do I need?
tmux 1.5 or newer. In practice, most modern Linux distributions ship tmux 3.x — check with tmux -V. macOS users can install a current tmux via brew install tmux.
How do I install the app on my phone?
Run trustmux pair on your workstation. It prints a short URL and a 6-digit code (valid for 60 seconds). Open the URL in your phone's browser and enter the code to pair.
Once paired, add it to your home screen for a full-screen, app-like experience: on iOS, tap the Share button then "Add to Home Screen." On Android, tap the browser menu then "Add to Home Screen" or "Install app." It will launch without browser chrome, just like a native app.
How do I navigate between sessions, windows, and panes?
Swipe left or right on the terminal view to move between panes and windows. A picker in the top bar shows your current session, window, and pane — tap it to jump directly to any other one. If you use Byobu, named windows and sessions appear by their Byobu names.
How do I send keystrokes and commands from my phone?
Tap the terminal view to focus it and bring up your phone keyboard. Type normally — every keystroke is forwarded to the active tmux pane in real time. An on-screen toolbar provides one-tap access to common keys that are awkward on mobile: Tab, Escape, arrow keys, and the tmux prefix (Ctrl-b by default, or F12 in Byobu).
The Pro tier (coming soon) adds full control-character support: Ctrl-C, Ctrl-Z, Ctrl-D, and others.
Can I use Trustmux when I'm traveling or away from home?
Yes — that's one of the main use cases. As long as both your workstation and your phone are connected to Tailscale, Trustmux works anywhere: on mobile data, on a conference Wi-Fi, anywhere in the world. Tailscale handles NAT traversal and roaming automatically, so there's nothing extra to configure.
Is my terminal data private and secure?
Yes. Your terminal output travels directly from your workstation to your phone over your Tailscale WireGuard tunnel — TLS encrypted, point to point. Nothing passes through a relay server or any Trustmux infrastructure. The pairing code expires in 60 seconds and is single-use. Long-lived tokens are stored locally in ~/.config/trustmux/ and never leave your machines.
How does pairing work, and how do I revoke access?
Run trustmux pair to generate a one-time 6-digit code valid for 60 seconds. When your phone enters the code, Trustmux issues a long-lived token stored on that device. To revoke all paired devices at once, run trustmux unpair — this invalidates every token. You can then re-pair any device you want to keep.
Why not just SSH from my phone?
SSH apps on phones work, but they're awkward: you need to manage keys, each connection starts a fresh shell, and if your connection drops you lose whatever was running. With Trustmux, you're looking at a persistent tmux session that keeps running on your workstation regardless of network interruptions. Pick it up from your phone exactly where you left off — running builds, long logs, ongoing processes — without any reconnection ceremony.
Trustmux also renders in a browser, so pinch-to-zoom, copy-paste, and accessibility features all work naturally on mobile.
The daemon stopped. How do I restart it?
Run trustmux start. Check its current status with trustmux status. If you ran trustmux enable, the daemon is registered to start automatically at login — so a reboot will also bring it back. To stop it manually, run trustmux stop.
How does Trustmux compare to Mosh?
Mosh is a roaming-aware replacement for SSH — it handles spotty mobile connections gracefully and predicts your keystrokes locally so the terminal feels snappy even on a high-latency link. It's great technology, but it's still a connection to a remote shell. If that connection breaks long enough, your session can diverge; and because Mosh itself provides no multiplexing, most people run Mosh into a tmux session on the server anyway to get persistence.
Trustmux is a different layer entirely. Rather than replacing SSH, it replaces the phone client. There is no SSH, no Mosh — your phone's browser attaches directly to a tmux session that is already running on your workstation, over your Tailscale WireGuard tunnel. Both approaches have prerequisites; they're just different ones:
- What Mosh needs.
mosh-serverinstalled on each remote machine you connect to, plus UDP ports 60000–61000 open in the firewall. If you SSH to machines you don't control, that can be a real barrier. - What Trustmux needs. The
trustmuxdaemon running on your workstation, and Tailscale installed on both your workstation and your phone. These live entirely on your own devices, but it's still real software to install and keep running. - Browser, not a terminal app. Trustmux renders in a PWA, so pinch-to-zoom, copy-paste, and your phone's accessibility features all work naturally. Mosh requires a dedicated terminal emulator app.
- Session persistence is built in. Both approaches benefit from tmux underneath, but Trustmux is designed around that model from the start — you're always looking at the live state of a session that never stops.
- Local echo vs. live output. Mosh's local prediction makes typing feel faster on laggy links. Trustmux streams real terminal output with no prediction; over a Tailscale tunnel this is typically fast enough that the difference is imperceptible.
If you love Mosh for SSH access to remote servers, keep using it — Trustmux doesn't replace that workflow. What Trustmux replaces is reaching for a Mosh or SSH client on your phone just to peek at a build running on your own workstation.
Security model
Point-to-point, hardened pairing, and 256-bit session tokens — no cloud required.
🔢
Brute-force-resistant pairing
The 6-digit pairing code expires after 3 minutes and is invalidated after three wrong guesses — regardless of how fast the guesses arrive. An attacker has a 0.0003% chance of success per pairing window. A new window requires the machine owner to run trustmux pair again.
🗝️
256-bit session tokens
After pairing, Trustmux issues a secrets.token_urlsafe(32) session token — 256 bits of cryptographically secure entropy. Validated with a constant-time comparison to prevent timing attacks. Computationally impossible to brute-force.
🌐
Minimal network exposure
In default mode the daemon binds only to your Tailscale IP (100.x.x.x) — unreachable from the public internet or other local-network devices. The pairing endpoint is never exposed unless you explicitly run trustmux start-direct.
🔐
TLS everywhere
Traffic between your workstation and phone is TLS-encrypted end to end via tailscale serve. In start-direct mode a self-signed certificate is generated automatically. In start-local mode the SSH tunnel provides encryption.
💾
Tokens stored locally, 0600
Session tokens live in ~/.config/trustmux/tokens.json with mode 0600 — readable only by you. They are delivered to the browser as HttpOnly, SameSite=Strict cookies and automatically expire after 90 days of inactivity.
🚫
Instant revocation
Run trustmux unpair to immediately invalidate all paired devices or remove a specific one. Revoked tokens are rejected on the next request — no waiting, no TTL drift.