Version 3 (modified by Antoine Martin, 7 days ago)


AES Encryption


Use this option if you can securely distribute the AES key to each client.
Xpra's AES encryption layer uses either the pycrypto or the cryptography Python library to:

  • encrypt the network packets with AES (Advanced Encryption Standard) CBC mode (Cipher-block chaining)
  • stretch the "passwords" with PBKDF2 (Password-Based Key Derivation Function 2)

The salts used are generated using Python's uuid.uuid4().


The encryption key to use must be specified with the "--encryption-keyfile=FILENAME" command line option. If it is not, xpra will fall back to the password from the authentication module in use, which may not be as safe.

The contents of this key are combined with salts to generate the secret used to initialize the AES cipher.


  • generate a key:
    uuidgen > ./key.txt
  • server:
    xpra start --start=xterm \
        --bind-tcp= \
        --tcp-encryption=AES --tcp-encryption-keyfile=key.txt
  • client:
    xpra attach tcp:$SERVERIP:10000 \
        --tcp-encryption=AES --tcp-encryption-keyfile=./key.txt

From version 4.1 onwards, this can be achieved with the more compact syntax:

xpra start --start=xterm --bind-tcp=,encryption=AES,keyfile=key.txt
xpra attach "tcp://localhost:10000/?encryption=AES&keyfile=./key.txt"

And the key data can be embedded in those strings using the syntax:

  • keydata=0x... for hexadecimal encoded keys
  • keydata=... for plain text keys
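
The two keydata encodings above and the key-plus-salt stretching described earlier, as an added example that is not xpra's own code. It uses Python's standard hashlib for PBKDF2; the iteration count, hash, key size, salt encoding and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import uuid

# Assumed parameters for illustration; the page does not state the values xpra uses.
ITERATIONS = 100_000
KEY_SIZE = 32          # bytes, i.e. an AES-256 key
HASH_NAME = "sha256"


def parse_keydata(value: str) -> bytes:
    """Decode a keydata= value: '0x...' is hexadecimal, anything else is plain text."""
    if value[:2].lower() == "0x":
        # In this example a plain text key that starts with "0x" is read as hex.
        return bytes.fromhex(value[2:])   # raises ValueError on malformed hex
    return value.encode("utf-8")


def new_salt() -> bytes:
    """Fresh salt from uuid.uuid4(), as the page describes (hex encoding is assumed)."""
    return uuid.uuid4().hex.encode("ascii")


def derive_secret(key_data: bytes, salt: bytes) -> bytes:
    """Stretch the key contents with PBKDF2 into the secret used to key the AES cipher."""
    if not key_data:
        raise ValueError("empty key data")
    return hashlib.pbkdf2_hmac(HASH_NAME, key_data, salt, ITERATIONS, dklen=KEY_SIZE)


def same_secret(a: bytes, b: bytes) -> bool:
    """Constant-time comparison of two derived secrets."""
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    # Constructed sample key, written in both keydata= encodings.
    plain = "constructed-sample-key"
    hexed = "0x" + plain.encode("utf-8").hex()
    salt = new_salt()
    server = derive_secret(parse_keydata(plain), salt)
    client = derive_secret(parse_keydata(hexed), salt)
    print("both encodings give the same secret:", same_secret(server, client))
    other = derive_secret(parse_keydata(plain), new_salt())
    print("a new salt gives a different secret:", not same_secret(server, other))
```

Because the derived secret depends on the salt, both ends only arrive at the same AES key when they share both the key contents and the salt for that connection.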