Get started

Setting up Trantor takes two pieces: a server that publishes encrypted DNS records for the domains it owns, and one or more clients that resolve those records and forge the TLS certificates locally. This guide walks through the minimum setup for both sides.

Trantor is currently under active development. The instructions below describe the intended installation flow — release binaries are arriving as the implementations stabilize.

Server side

The server runs as a one-shot CLI: trantor initializes the configuration, manages user passphrases, and publishes the encrypted DNS records. It does not stay resident — there is no daemon, no listening port.

Install the binary

# Linux / amd64
curl -L https://github.com/digicreon/trantor/releases/latest/download/trantor-linux-amd64 -o trantor
chmod +x trantor
sudo mv trantor /usr/local/bin/

Initialize a domain

Pick a domain you control and a DNS provider supported by libdns (Cloudflare, Route53, Gandi, Hetzner, OVH, DigitalOcean, and ~15 more). The init command writes the server-side configuration and generates the master passphrase.

sudo trantor init \
    --domain foo.bar.com \
    --provider cloudflare

Create a user passphrase

Each authorized user gets their own passphrase. The command prints the generated passphrase; share it with that user over a secure channel.

sudo trantor passphrase add \
    --domain foo.bar.com \
    --name "team-alpha"
# Passphrase generated: correct-horse-battery-staple

Publish to DNS

sudo trantor publish --domain foo.bar.com

That's the entire server lifecycle. The master passphrase rotates automatically every 90 days (or earlier if you revoke a user). Re-running publish updates all records.

Revoke a passphrase

sudo trantor passphrase revoke \
    --domain foo.bar.com \
    --name "team-alpha"

Revocation regenerates the master passphrase, re-encrypts the records for all remaining users, and deletes the revoked passphrase from DNS — atomically.
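The add / publish / revoke steps above imply a key hierarchy: each user's passphrase wraps a master key, the master key encrypts the published records, and removing a user only helps if the master key changes, because the departed user could still unwrap the old one. The Python model below, added for this guide and not Trantor's own code, walks that lifecycle end to end. Everything in it is an assumption about shape, not a description of Trantor's real format: the PBKDF2 iteration count, the record contents, the hex-group passphrases, and the `seal`/`unseal` pair, which is a standard-library stand-in for a real AEAD such as AES-GCM so the block runs without third-party packages.

```python
"""Model of the passphrase lifecycle this guide describes (illustrative only;
not Trantor's record format or cipher). Added example, not project code."""
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 100_000  # assumed value, not taken from Trantor


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Stretch a human passphrase into a 32-byte key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               KDF_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, serving as a PRF-based stream cipher."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for a real AEAD (use AES-GCM in practice): nonce || ct || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; a wrong key or an edited blob raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def can_open(key: bytes, blob: bytes) -> bool:
    """True if `key` authenticates and decrypts `blob`."""
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False


class DomainZone:
    """Server-side state for one domain plus the material it would publish to DNS."""

    def __init__(self, domain: str, records: dict):
        self.domain = domain
        self.master = secrets.token_bytes(32)   # the "master passphrase" material
        self.passphrases = {}                   # user name -> passphrase (never published)
        self.plain_records = dict(records)      # record name -> cleartext value
        self.published = {"users": {}, "records": {}}
        self.publish()

    def passphrase_add(self, name: str) -> str:
        """Generate a passphrase for `name` and wrap the current master key under it.
        Hex groups stand in for the word-list passphrases the real tool prints."""
        passphrase = "-".join(secrets.token_hex(3) for _ in range(4))
        self.passphrases[name] = passphrase
        self.publish()
        return passphrase

    def publish(self) -> None:
        """Encrypt every record under the master key and wrap that key per user."""
        self.published["records"] = {n: seal(self.master, v)
                                     for n, v in self.plain_records.items()}
        users = {}
        for name, passphrase in self.passphrases.items():
            salt = secrets.token_bytes(16)
            users[name] = (salt, seal(derive_kek(passphrase, salt), self.master))
        self.published["users"] = users

    def passphrase_revoke(self, name: str) -> None:
        """Drop the user, rotate the master key and republish as one step, so the
        departed user's copy of the old master key opens nothing published later."""
        del self.passphrases[name]
        self.master = secrets.token_bytes(32)
        self.publish()


def client_resolve(published: dict, user: str, passphrase: str, record: str) -> bytes:
    """Client side: unwrap the master key with the passphrase, then open one record."""
    salt, wrapped = published["users"][user]
    master = unseal(derive_kek(passphrase, salt), wrapped)
    return unseal(master, published["records"][record])
```

To exercise it, build a `DomainZone("foo.bar.com", {"foo.bar.com": b"..."})` with a constructed record, call `passphrase_add` for two users, keep a copy of the master key one of them can unwrap, then `passphrase_revoke` that user: the remaining user still resolves through `client_resolve`, while `can_open` with the retained old master key returns False against the republished records.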

Client side

The client is a system daemon that intercepts DNS queries for Trantor-managed domains, decrypts the records, forges the matching TLS certificate, and injects it into the OS trust store. Once running, browsers and other applications connect to https://yourdomain.com as if it were any other HTTPS site.

Linux

curl -L https://github.com/digicreon/trantor/releases/latest/download/terminus-linux-amd64 -o terminus
chmod +x terminus
sudo mv terminus /usr/local/bin/

sudo terminus start

Hooks into systemd-resolved or rewrites /etc/resolv.conf directly when the resolver isn't available. Certificates land in the system trust store under /usr/local/share/ca-certificates.
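Because the client writes a CA into the system trust store, the first thing to check after `terminus start` is what actually landed there. The helper below is an added audit script for this guide, not part of Terminus: it walks the directory named above, fingerprints every PEM certificate block with SHA-256, and marks each one against an allow-list of fingerprints you already trust (for example the value the client or GUI reports). The sample PEM block in the test is a constructed stand-in whose body is just base64 of `abc`; a real certificate body is far longer.

```python
"""Inventory the CA certificates present in the Linux trust directory the guide
names. Added audit helper for this guide, not Terminus code."""
import base64
import hashlib
import os

TRUST_DIR = "/usr/local/share/ca-certificates"  # directory named in the guide


def pem_fingerprints(pem_text: str) -> list:
    """Return the SHA-256 fingerprint (colon-separated upper-case hex) of every
    CERTIFICATE block in `pem_text`; other PEM block types are ignored."""
    fingerprints = []
    body = None
    for raw in pem_text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            body = []
        elif line == "-----END CERTIFICATE-----" and body is not None:
            der = base64.b64decode("".join(body))
            digest = hashlib.sha256(der).hexdigest().upper()
            fingerprints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
            body = None
        elif body is not None:
            body.append(line)
    return fingerprints


def classify(fingerprints: list, expected: set) -> list:
    """Pair each fingerprint with 'expected' (on the allow-list) or 'unexpected'."""
    return [(fp, "expected" if fp in expected else "unexpected") for fp in fingerprints]


def audit_trust_dir(directory: str, expected: set) -> dict:
    """Map every .crt/.pem file under `directory` to its classified fingerprints.
    A missing directory yields an empty report rather than an error."""
    report = {}
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            if not name.endswith((".crt", ".pem")):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="ascii", errors="replace") as fh:
                report[path] = classify(pem_fingerprints(fh.read()), expected)
    return report


if __name__ == "__main__":
    # Run on the real trust directory with an empty allow-list to see everything present.
    for path, entries in audit_trust_dir(TRUST_DIR, set()).items():
        for fp, status in entries:
            print(f"{status:10} {fp}  {path}")
```

Run it once before and once after `terminus start` and diff the output: the new fingerprint is the CA the client installed, and that value is what you put into the allow-list on every other machine so later runs flag anything unexpected.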

macOS

curl -L https://github.com/digicreon/trantor/releases/latest/download/terminus-darwin-arm64 -o terminus
chmod +x terminus
sudo mv terminus /usr/local/bin/

sudo terminus start

Adds an entry under /etc/resolver/ to capture per-domain DNS queries. Certificates are added to the user's Keychain with the appropriate trust policy.

Windows

Invoke-WebRequest `
    -Uri "https://github.com/digicreon/trantor/releases/latest/download/terminus-windows-amd64.exe" `
    -OutFile "terminus.exe"

.\terminus.exe start

Uses Windows NRPT (Name Resolution Policy Table) to intercept DNS, and adds certificates to the Windows Certificate Store under "Trusted Root Certification Authorities" for the current user.

Desktop GUI

terminus-gui is bundled with the desktop installers (Linux, Windows, macOS). It runs as a tray icon and exposes a panel to add/remove domains, paste passphrases, and inspect connection state. Most users won't need to edit any configuration file directly.

Mobile

Terminus iOS

Terminus iOS uses a Network Extension to provide on-device DNS interception and a per-domain certificate via a .mobileconfig profile. Distribution will be through the App Store once the app passes review.

Terminus Android

Terminus Android uses Android's VpnService to capture DNS, and installs a user-added CA certificate for the relevant domains. Distribution will be through Google Play.

First connection

Putting it all together — server publishes, client reloads, you open a browser:

# --- on the server ---
sudo trantor init --domain foo.bar.com --provider cloudflare
sudo trantor passphrase add --domain foo.bar.com --name "alice"
# Passphrase generated: correct-horse-battery-staple
sudo trantor publish --domain foo.bar.com

# --- on Alice's laptop ---
sudo terminus start
# Through the GUI, click "+ Add Domain"
#   Domain:     foo.bar.com
#   Passphrase: correct-horse-battery-staple
# Or edit the config file directly and reload:
sudo terminus reload

# --- in Alice's browser ---
# Visit https://foo.bar.com — connection established through Trantor.

Next steps

  • How it works — the protocol explained, with diagrams.
  • Documentation — full server and client reference, plus the protocol specification.
  • Releases — latest binaries for every platform.
  • Issues — bug reports and feature requests.