Use this option if you can securely distribute the AES key to each client.
It is somewhat similar to SSL mode with a self-signed certificate.
Xpra's AES encryption layer uses the python cryptography library to encrypt the network packets with AES-256 - Advanced Encryption Standard in CBC - Cipher Block Chaining, GCM - Galois/Counter Mode, CTR - Counter Mode or CFB - Cipher_feedback.
The encryption key can be stored in a keyfile or specified using the keydata socket option. If neither is present and an authentication module was used, the password will be used as key data.
The key data is stretched using PBKDF2(Password-Based Key Derivation Function 2).
The salts used are generated using Python's os.urandom() which is suitable for cryptographic use
Caveats:
- it is also possible to run in
AES-128orAES-192mode but this is not recommended - the HTML5 client currently does not support GCM mode: Xpra-org/xpra-html5#94
For step-by-step instructions on setting up AES, expand:
AES Usage Example
generate a key:
uuidgen > ./key.txt
start a server:
xpra start --start=xterm \
--bind-tcp=0.0.0.0:10000,encryption=AES,keyfile=key.txt
- client:
xpra attach "tcp://localhost:10000/?encryption=AES&keyfile=./key.txt"
AES encryption supports 3 different modes of operation: CBC, GCM ,CFB and CTR.
The client can specify the exact mode using: encryption=AES-GCM.
Specifying the key data
Instead of storing the encryption key in a file, it is also possible to inline the keydata value in the bind and attach strings:
keydata=0x...for hexadecimal encoded keyskeydata=base64:...for base64 encoded keyskeydata=...for plain text keys
One major disadvantage is that the key data may be leaked in the process list.
However, it may be easier in some cases to generate commands that do not require extra files to run.
This can also be used with .xpra session files, and those do not leak the data.
Debugging
To verify that your client connection is using AES, look for cipher=AES:
xpra info | grep cipher=
To enable debugging, use the -d crypto debug logging option.