
Version 4 (modified by Antoine Martin, 7 years ago) (diff)


Encryption


Introduction

Access to Xpra's sessions over TCP (see network connection) can be protected using authentication modules, but those do not protect the network connection itself from man-in-the-middle attacks. For that, you need encryption.
Xpra's encryption layer uses the pycrypto library to:

  • encrypt the network packets with AES (Advanced Encryption Standard) CBC mode (Cipher-block chaining)
  • stretch the "passwords" with PBKDF2 (Password-Based Key Derivation Function 2)

The salts used are generated using Python's uuid.uuid4().

Setup

Prior to version 0.11, the encryption key used was derived directly from the "--password-file=FILENAME" command line option.

Starting with version 0.11, one can specify the encryption key to use with the "--encryption-keyfile=FILENAME" command line option, or fall back to the password from the authentication module in use.

The contents of this key are combined with salts to generate the secret used to initialize the AES cipher.
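The following is an added example, not code from xpra, showing the key-derivation part of the scheme described above and in the Introduction: key material read from the keyfile is combined with a uuid.uuid4() salt through PBKDF2 to produce the secret that would initialize the AES-CBC cipher, and plaintext is padded to the AES block size as CBC requires. It uses only the Python standard library, so the AES step itself (pycrypto) is not included. The PRF (HMAC-SHA1), the iteration count (1000), the 32-byte key length and PKCS#7 padding are assumptions, not values stated on this page.

```python
import hashlib
import uuid

# Assumed parameters (the wiki page does not state them): PBKDF2 with
# HMAC-SHA1 as the PRF, 1000 iterations, and a 32-byte output, i.e. an
# AES-256 key.  Change them to match the pycrypto defaults you run with.
KDF_HASH = "sha1"
KDF_ITERATIONS = 1000
KEY_SIZE = 32
AES_BLOCK_SIZE = 16


def new_salt() -> bytes:
    """Generate a salt the way the page describes: from uuid.uuid4().
    The hex form is used so the salt can travel in a text field."""
    return uuid.uuid4().hex.encode("ascii")


def read_keyfile(data: bytes) -> bytes:
    """Key material as read from --encryption-keyfile; editors usually
    leave a trailing newline, which must not become part of the key."""
    return data.strip()


def derive_key(key_material: bytes, salt: bytes) -> bytes:
    """Stretch the keyfile contents with PBKDF2 into the AES secret."""
    return hashlib.pbkdf2_hmac(KDF_HASH, key_material, salt,
                               KDF_ITERATIONS, dklen=KEY_SIZE)


def pkcs7_pad(data: bytes) -> bytes:
    """Pad to a multiple of the AES block size.  A plaintext that is
    already a multiple gets a full extra block, so unpadding is never
    ambiguous."""
    pad_len = AES_BLOCK_SIZE - (len(data) % AES_BLOCK_SIZE)
    return data + bytes([pad_len]) * pad_len


def pkcs7_unpad(data: bytes) -> bytes:
    """Strip PKCS#7 padding, rejecting malformed input instead of
    silently returning garbage."""
    if not data or len(data) % AES_BLOCK_SIZE:
        raise ValueError("length is not a multiple of the block size")
    pad_len = data[-1]
    if not 1 <= pad_len <= AES_BLOCK_SIZE:
        raise ValueError("bad padding length")
    if data[-pad_len:] != bytes([pad_len]) * pad_len:
        raise ValueError("bad padding bytes")
    return data[:-pad_len]


def session_secret(keyfile_bytes: bytes, salt: bytes) -> bytes:
    """Both ends of a connection run this with the same keyfile contents
    and the same exchanged salt, and so obtain the same AES key."""
    return derive_key(read_keyfile(keyfile_bytes), salt)


if __name__ == "__main__":
    # Constructed sample keyfile contents, as if read from disk.
    keyfile = b"correct horse battery staple\n"
    salt = new_salt()
    server_key = session_secret(keyfile, salt)
    client_key = session_secret(keyfile, salt)
    print("shared key:", server_key.hex(), server_key == client_key)
    # A fresh salt for the next session yields an unrelated key from the
    # same keyfile, which is the point of salting.
    print("differs with new salt:", session_secret(keyfile, new_salt()) != server_key)
    print("padded length:", len(pkcs7_pad(b"16-byte message!")))
```

The two checks worth keeping from this are the ones the block encodes as errors: strip the newline from the keyfile before deriving (otherwise a keyfile written with and without a trailing newline produces two different keys and the connection silently fails), and reject malformed padding rather than guessing at the plaintext length.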