What you get

Security you can read.

AES-256-GCM

Every byte of session traffic is sealed with authenticated AES-256-GCM the moment a shared password is set — on every machine.

LAN-only, no cloud

UDP discovery and TCP sessions stay on your local network. No relay, no server, no account, nothing phoning home.

Peer authentication

A peer with a mismatched password — or none — is rejected cleanly, before a single keystroke or byte of clipboard flows.

Hardened in Rust

betterkvm's input and crypto paths are written in Rust — no buffer overflows, no use-after-free. Security fixes ship regularly.

FAQ

Security & setup, in detail.

What exactly gets encrypted?

All TCP session traffic — keystrokes, mouse movement, clipboard contents, and file transfers — is sealed with AES-256-GCM once a password is set. UDP discovery packets carry only machine names, never input.

Where does the password come from?

From the password field in your config file, or the BETTERKVM_PASSWORD environment variable. It must match on every machine; a peer with a different secret is rejected.

Does betterkvm open ports to the internet?

No. It only speaks on your local network — UDP discovery plus TCP sessions on default ports 38765 / 38766. There is no cloud component and nothing is exposed externally.
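To check the LAN-only claim on a given machine, you can look at which addresses the two default ports are bound to. The following is an added example, not betterkvm's own code: it parses `ss -H -tuln` output and flags binds that depend on a firewall or router to stay local. The sample lines, the protocol-to-port pairing in them, and all function names are assumptions made for illustration.

```python
import ipaddress

# Default ports named on this page; adjust if your config overrides them.
BETTERKVM_PORTS = {38765, 38766}
# Address ranges treated as "local network" (RFC 1918, link-local, IPv6 ULA).
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]

# Constructed sample of `ss -H -tuln` output, not captured from a real host.
# Which protocol uses which port here is illustrative only.
SAMPLE_SS = """\
udp   UNCONN 0      0            0.0.0.0:38765      0.0.0.0:*
tcp   LISTEN 0      128     192.168.1.20:38766      0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      128             [::]:38766         [::]:*
tcp   LISTEN 0      128      203.0.113.7:38766      0.0.0.0:*
"""

def classify_bind(addr):
    """Return 'wildcard', 'loopback', 'lan' or 'public' for a bind address."""
    addr = addr.split("%", 1)[0].strip("[]")  # drop %iface and IPv6 brackets
    if addr == "*":
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "wildcard"
    if ip.is_loopback:
        return "loopback"
    return "lan" if any(ip in net for net in LAN_NETS) else "public"

def audit_listeners(ss_output, ports=BETTERKVM_PORTS):
    """Return (proto, address, port, scope) for sockets bound to the ports."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        host, _, port = fields[4].rpartition(":")  # 5th column: local addr:port
        if not port.isdigit() or int(port) not in ports:
            continue
        findings.append((fields[0], host, int(port), classify_bind(host)))
    return findings

def needs_firewall_review(findings):
    """Wildcard or public binds rely on the firewall/router to stay LAN-only."""
    return [f for f in findings if f[3] in ("wildcard", "public")]
```

On a real host, pass the output of `ss -H -tuln` to `audit_listeners` in place of the sample.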

Could someone else on my LAN take over my input?

With a password set, any peer that doesn't present the matching secret is rejected before input flows. Without a password, anyone on the LAN could connect — which is exactly why a password is strongly recommended.

What system permissions does it need?

On Linux: membership in the input group and access to /dev/uinput via the bundled udev rule. On macOS: Accessibility and Input Monitoring. It reads input from /dev/input (Linux) or CGEventTap (macOS) and injects through uinput (Linux) or CGEventPost (macOS).

Is there any telemetry or tracking?

None. No analytics, no phone-home, no account, no license check. The daemon talks only to peers you configure on your own network.

How do I rotate the shared password?

Change the password on every machine and restart the daemon. Peers still presenting the old secret are rejected cleanly, so a stale machine simply drops off until it's updated.