[PR #16] [MERGED] add end-to-end encryption #39

Closed
opened 2026-03-03 01:21:21 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/cs01/termpair/pull/16
Author: @cs01
Created: 2/9/2020
Status: Merged
Merged: 2/9/2020
Merged by: @cs01

Base: master ← Head: cs01/e2ee


📝 Commits (1)

  • cb8bccf add end-to-end encryption

📊 Changes

15 files changed (+349 additions, -136 deletions)

View changed files

CHANGELOG.md (+8 -0)
📝 README.md (+21 -8)
docs/CHANGELOG.md (+1 -0)
📝 docs/contributing.md (+1 -1)
📝 mkdocs.yml (+1 -0)
📝 noxfile.py (+1 -0)
📝 setup.py (+3 -3)
termpair/encryption.py (+27 -0)
📝 termpair/frontend_src/package.json (+1 -0)
📝 termpair/frontend_src/public/index.html (+4 -1)
📝 termpair/frontend_src/src/App.js (+98 -65)
termpair/frontend_src/src/encryption.js (+88 -0)
📝 termpair/main.py (+15 -18)
📝 termpair/server.py (+8 -4)
📝 termpair/share.py (+72 -36)

📄 Description

This PR adds AES-GCM 128 bit end-to-end encryption for all terminal input and output such that the server and third parties cannot view the terminal data being transmitted (inspired by https://github.com/excalidraw/excalidraw/pull/642). Since termpair has a Python server and a JavaScript client, two crypto libraries had to be used.

When sharing the terminal, the cryptography library from PyPI was used (https://cryptography.io/en/latest/)

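  • A 128 bit key is generated. From what I've read (https://www.quora.com/Is-AES256-more-secure-than-AES128-Whats-the-different?share=1) it's secure, and has better performance (which is important in termpair) than using a 256 bit key.
  • The pty data is encrypted, and the iv is prepended, unencrypted (https://security.stackexchange.com/a/153056), to the encrypted pty data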
  • The iv+encrypted pty data is then base64 encoded and sent over websocket

In the browser the JavaScript library SubtleCrypto (https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto) was used, since it is built into browsers.

  • The window.crypto.subtle library is used, which is available only with secure origins (https://github.com/w3c/webcrypto/issues/28)
  • The AES key is encoded in base64 and added as a location hash in the url. The hash is not sent to the server on request.
  • A subtle crypto key object is then created by importing the raw key. Now the browser can encode/decode similar to the Python code.

fixes #15


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
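
The wire format described in this PR, as an added example that is not part of the original PR or termpair's code: both sides use the Web Crypto API so the frame layout (base64 of IV followed by ciphertext and tag) and the key-in-fragment handoff can be run end to end. The 12-byte IV, the `example.invalid` URL and all function names are assumptions made for the illustration.

```javascript
// Added example, not termpair's code. Assumptions: 12-byte random IV; frame is
// base64(iv || ciphertext+tag); the key sits base64-encoded in the URL fragment.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // older Node fallback
const IV_LEN = 12;  // assumed; the PR text does not give the IV size
const TAG_LEN = 16; // Web Crypto's default AES-GCM tag length (128 bits)
const toB64 = (bytes) => btoa(String.fromCharCode(...bytes));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Sharing side: generate a 128-bit key and a share URL that carries it.
async function newShare(baseUrl) {
  const key = await wc.subtle.generateKey({ name: "AES-GCM", length: 128 }, true, ["encrypt", "decrypt"]);
  const raw = new Uint8Array(await wc.subtle.exportKey("raw", key));
  return { key, url: `${baseUrl}#${toB64(raw)}` };
}

// Viewing side: import the raw key from the fragment as a non-extractable key.
async function keyFromUrl(url) {
  const raw = fromB64(new URL(url).hash.slice(1));
  if (raw.length !== 16) throw new Error("expected a 128-bit key");
  return wc.subtle.importKey("raw", raw, { name: "AES-GCM" }, false, ["encrypt", "decrypt"]);
}

// Encrypt one chunk of terminal data under a fresh IV and prepend that IV.
async function sealFrame(key, text) {
  const iv = wc.getRandomValues(new Uint8Array(IV_LEN));
  const ct = new Uint8Array(await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, new TextEncoder().encode(text)));
  const frame = new Uint8Array(IV_LEN + ct.length);
  frame.set(iv, 0);
  frame.set(ct, IV_LEN);
  return toB64(frame);
}

// Split IV from ciphertext and decrypt; rejects if the frame was modified.
async function openFrame(key, b64) {
  const frame = fromB64(b64);
  if (frame.length < IV_LEN + TAG_LEN) throw new Error("frame too short");
  const iv = frame.subarray(0, IV_LEN);
  return new TextDecoder().decode(await wc.subtle.decrypt({ name: "AES-GCM", iv }, key, frame.subarray(IV_LEN)));
}

// Round trip plus a tampered frame, on constructed sample data.
async function demo() {
  const { key, url } = await newShare("https://example.invalid/session");
  const viewerKey = await keyFromUrl(url);
  const a = await sealFrame(key, "ls -la\r\n");
  const b = await sealFrame(key, "ls -la\r\n");
  const bad = fromB64(a);
  bad[bad.length - 1] ^= 1; // flip one bit of the authentication tag
  const tamperRejected = await openFrame(viewerKey, toB64(bad)).then(() => false, () => true);
  return { plain: await openFrame(viewerKey, a), framesDiffer: a !== b, tamperRejected };
}
```

The same plaintext produces different frames because each one gets its own IV, which AES-GCM requires for every message under a given key. The modified frame is rejected at decryption because GCM authenticates the ciphertext.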
