= AES =
[/wiki/Encryption Encryption]
[[BR]]

{{{#!div class="box"
== Introduction ==
Use this option if you can securely distribute the AES key to each client.
[[BR]]
Xpra's AES encryption layer uses either the [http://www.pycrypto.org/ pycrypto] or the [https://pypi.python.org/pypi/cryptography cryptography] python library to:
 * encrypt the network packets with [http://en.wikipedia.org/wiki/Advanced_Encryption_Standard AES] (`Advanced Encryption Standard`) in [http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher-block_chaining_.28CBC.29 CBC mode] (`Cipher-block chaining`)
 * stretch the "passwords" with [http://en.wikipedia.org/wiki/PBKDF2 PBKDF2] (`Password-Based Key Derivation Function 2`)
The salts used are generated using Python's [http://docs.python.org/2/library/uuid.html#uuid.uuid4 uuid.uuid4()].
}}}

{{{#!div class="box"
== Usage ==
The encryption key to use must be specified with the "{{{--encryption-keyfile=FILENAME}}}" command line option; otherwise it falls back to the password from the [/wiki/Authentication authentication module] in use, which may not be as safe.
The contents of this key are combined with salts to generate the secret used to initialize the AES cipher.
}}}

{{{#!div class="box"
== Example ==
 * generate a key:
{{{
uuidgen > ./key.txt
}}}
 * server:
{{{
xpra start --start=xterm \
    --bind-tcp=0.0.0.0:10000 \
    --tcp-encryption=AES --tcp-encryption-keyfile=key.txt
}}}
 * client:
{{{
xpra attach tcp:$SERVERIP:10000 \
    --tcp-encryption=AES --tcp-encryption-keyfile=./key.txt
}}}
----
With version 4.1 onwards this can be achieved with the more compact syntax:
{{{
xpra start --start=xterm --bind-tcp=0.0.0.0:10000,encryption=AES,keyfile=key.txt
}}}
{{{
xpra attach "tcp://localhost:10000/?encryption=AES&keyfile=./key.txt"
}}}
The key data can also be embedded in those strings using the syntax:
 * `keydata=0x...` for hexadecimal encoded keys
 * `keydata=...` for plain text keys
}}}

{{{#!div class="box"
== Debugging ==
To verify that your client connection is using AES, look for `cipher=AES`:
{{{
xpra info | grep cipher=
}}}
To enable debugging, use the `-d crypto` command line option.
}}}
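The Introduction and Usage sections above describe the key-stretching step: the key material (the key file written by `uuidgen`, or an inline `keydata=` value in either hexadecimal or plain-text form) is combined with a `uuid4()`-derived salt through PBKDF2 to produce the AES key. The following Python script is an added illustration of that step using only the standard library; it is not Xpra's own code. The iteration count, digest (`sha1`), 32-byte key length and the stripping of the key file's trailing newline are assumptions made for this example, not values taken from Xpra.

```python
# Added illustration of PBKDF2 key stretching with a uuid4-derived salt.
# Iteration count, digest and key length are assumptions for this example,
# not Xpra's actual parameters.
import hashlib
import uuid


def parse_keydata(keydata: str) -> bytes:
    """Convert a keydata= value into raw key bytes.

    "0x..." values are hexadecimal-encoded, anything else is plain text,
    mirroring the two syntaxes documented for the connection string.
    """
    if keydata.startswith(("0x", "0X")):
        return bytes.fromhex(keydata[2:])
    return keydata.encode("utf-8")


def read_keyfile_bytes(contents: bytes) -> bytes:
    """Normalise key-file contents (assumed behaviour for this example).

    `uuidgen > key.txt` leaves a trailing newline; stripping it on both
    sides keeps server and client from stretching different key material.
    """
    return contents.strip()


def new_salt() -> bytes:
    """Fresh 16-byte salt taken from uuid4(), as the page says Xpra does."""
    return uuid.uuid4().bytes


def stretch_key(key_material: bytes, salt: bytes,
                iterations: int = 1000, key_len: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA1 stretching of the key material with the given salt.

    Defaults are assumptions for this example; 32 bytes suits AES-256.
    """
    return hashlib.pbkdf2_hmac("sha1", key_material, salt, iterations, key_len)


def keys_agree(key_material: bytes, server_salt: bytes, client_salt: bytes) -> bool:
    """Both peers obtain the same AES key only when they stretch the same
    key material with the same salt; a salt mismatch yields unrelated keys."""
    return stretch_key(key_material, server_salt) == stretch_key(key_material, client_salt)


if __name__ == "__main__":
    # Constructed sample key file contents (what `uuidgen > key.txt` might produce).
    keyfile = b"2b2f3d64-7c1e-4a0a-9b44-0d3c1f9e7a10\n"
    key_material = read_keyfile_bytes(keyfile)
    salt = new_salt()
    print("derived key:", stretch_key(key_material, salt).hex())
    print("same salt on both sides:", keys_agree(key_material, salt, salt))
    print("different salts:", keys_agree(key_material, salt, new_salt()))
    # The same key can travel inline as keydata=0x... or as plain keydata=...
    assert parse_keydata("0x" + key_material.hex()) == parse_keydata(key_material.decode())
```

Running the script derives a key from the constructed key file, shows that both peers only agree on the AES key when they use the same salt, and checks that the hexadecimal and plain-text `keydata=` forms of the same key decode to identical bytes. `stretch_key` with `iterations=1` and `key_len=20` reproduces the published RFC 6070 PBKDF2-HMAC-SHA1 test vectors, which is a convenient way to confirm the derivation is standard before comparing it against another implementation.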