
Commit 7b6982d

add more info on AES modes, keydata safety
1 parent 7cc5e49 commit 7b6982d

1 file changed

+5
-13
lines changed


docs/Network/AES.md

Lines changed: 5 additions & 13 deletions
@@ -10,7 +10,6 @@ The salts used are generated using Python's [os.urandom()](https://docs.python.o
1010
Caveats:
1111
* it is also possible to run in `AES-128` or `AES-192` mode but this is not recommended
1212
* the HTML5 client currently does not support GCM mode: https://github.com/Xpra-org/xpra-html5/issues/94
13-
* older servers and clients only support `CBC` mode
1413

1514
For step-by-step instructions on setting up AES, expand:
1615
<details>
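Review bot: Dropping the caveat "older servers and clients only support `CBC` mode" from this hunk removes the only statement telling readers which mode is safe to select when one peer is old; the remaining caveats (no `AES-128`/`AES-192` recommendation, no GCM in the HTML5 client) do not cover that case. Suggest keeping the line, or moving it into the "Modes" section as a note such as "* peers running older versions only support `CBC` mode" so the compatibility constraint stays next to the mode list.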
@@ -31,31 +30,24 @@ xpra attach "tcp://localhost:10000/?encryption=AES&keyfile=./key.txt"
3130
```
3231

3332
## Modes
34-
Starting with version 4.3, the client can specify the exact AES encryption mode to use: `encryption=AES-GCM`.
33+
AES encryption supports 3 different [modes of operation](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation): `CBC`, `GCM` ,`CFB` and `CTR`.
34+
35+
The client can specify the exact mode using: `encryption=AES-GCM`.
3536

36-
## Older syntax
37-
Prior to version 4.1, the encryption is configured globally, for all TCP sockets, using the following syntax:
38-
```
39-
xpra start --start=xterm \
40-
--bind-tcp=0.0.0.0:10000 \
41-
--tcp-encryption=AES --tcp-encryption-keyfile=key.txt
42-
```
43-
```
44-
xpra attach tcp://$HOST:10000 --tcp-encryption=AES --tcp-encryption-keyfile=./key.txt
45-
```
4637
</details>
4738

4839
<details>
4940
<summary>Specifying the key data</summary>
5041

5142
## keydata
52-
With newer versions, instead of using the `keyfile` option, it is also possible to inline the `keydata` value in the bind and attach strings:
43+
Instead of storing the encryption key in a file, it is also possible to inline the `keydata` value in the bind and attach strings:
5344
* `keydata=0x...` for hexadecimal encoded keys
5445
* `keydata=base64:...` for base64 encoded keys
5546
* `keydata=...` for plain text keys
5647

5748
One major disadvantage is that the key data may be leaked in the process list.\
5849
However, it may be easier in some cases to generate commands that do not require extra files to run.
50+
This can also be used with `.xpra` session files, and those do not leak the data.
5951
</details>
6052

6153
<details>
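Review bot: The new "Modes" sentence says "supports 3 different modes" but then names four (`CBC`, `GCM`, `CFB`, `CTR`), and the comma placement "`GCM` ,`CFB`" is off; suggest "supports four different [modes of operation](...): `CBC`, `GCM`, `CFB` and `CTR`." Further down, the added line "This can also be used with `.xpra` session files, and those do not leak the data." overstates the benefit: a session file avoids exposing `keydata` in the process list, but the key still sits in plaintext on disk, so it needs the same restrictive file permissions as a `keyfile`; phrase it as "those do not expose the key in the process list, but the file must be protected like a keyfile". Finally, this hunk removes both the "Starting with version 4.3" qualifier for `encryption=AES-GCM` and the whole "Older syntax" section for `--tcp-encryption`, and replaces "With newer versions" with "Instead of storing the encryption key in a file" in the keydata text; if dropping pre-4.1 documentation is intended, consider keeping a one-line version note so users on older releases know these options are unavailable to them.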
