E2EE Terminal Transport

Security First

Terminal input and output are encrypted between the AFK CLI and your mobile app, so the relay does not receive terminal plaintext.

Terminal Plaintext Stays on Your Devices

Your terminal data is encrypted on your machine before transmission. Our relay sees routing metadata and encrypted payload bytes, not terminal plaintext. If the relay were compromised, terminal input and output would still be protected by the E2EE layer.

How It Works

1 Key Exchange

When your mobile app connects to a session, it performs an X25519 ECDH key exchange with the AFK CLI. This establishes a shared secret that only your devices know.

# AFK CLI generates ephemeral key pair
cli_private = X25519.generate()
cli_public = cli_private.public_key()

# Client generates ephemeral key pair
client_private = X25519.generate()
client_public = client_private.public_key()

# Each side combines its own private key with the other side's public key
# and arrives at the same shared secret
shared_secret = ECDH(cli_private, client_public)      # on the AFK CLI
shared_secret = ECDH(client_private, cli_public)      # on the mobile app

2 Encryption

All terminal data is encrypted using AES-256-GCM with the shared secret. Each message has a unique nonce to prevent replay attacks.

# AFK CLI encrypts terminal output
nonce = counter_to_nonce(message_counter++)
ciphertext = AES-256-GCM.encrypt(
    key=shared_secret,
    nonce=nonce,
    plaintext=terminal_output
)

# Send encrypted terminal payload through relay
send(nonce + ciphertext)   # relay sees ciphertext
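Steps 1 and 2 as one runnable Go program, an added example rather than AFK's own code (the AFK CLI's implementation is not published on this page). Both endpoints generate ephemeral X25519 keys, derive the same shared secret, and protect each terminal message with AES-256-GCM under a counter-derived nonce, with the relay standing in the middle as a mover of opaque bytes. Three details the pseudocode leaves implicit are filled in here and are this example's assumptions, not statements from the page: the raw ECDH output is hashed with SHA-256 before it is used as the AES key; the sender's role is written into the nonce prefix, because both directions share one key and a (key, nonce) pair must never repeat under GCM; and the receiver remembers the last accepted counter and refuses anything older, which is the check that turns a unique nonce into actual replay rejection. The role byte values, the wire layout (12-byte nonce followed by ciphertext and tag) and the sample terminal output are constructed. How the two peers verify that the public key they received really belongs to the other device is not covered by the page and is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	RoleCLI    byte = 0 // nonce prefix for CLI -> mobile app (value constructed for this example)
	RoleClient byte = 1 // nonce prefix for mobile app -> CLI
	nonceSize       = 12
)
var ErrReplay = errors.New("e2ee: counter not newer than the last accepted message")

// Peer is one endpoint of the channel: the AFK CLI or the mobile app.
type Peer struct {
	role    byte
	priv    *ecdh.PrivateKey // ephemeral X25519 key, never leaves this device
	aead    cipher.AEAD
	sendCtr uint64 // the page's message_counter: counter for the next message we send
	recvMin uint64 // lowest counter we still accept from the peer (replay window)
}

// PublicKey is the only key material that crosses the relay.
func (p *Peer) PublicKey() []byte { return p.priv.PublicKey().Bytes() }

// Establish finishes the ECDH exchange and sets up AES-256-GCM on the result.
func (p *Peer) Establish(peerPublic []byte) error {
	pub, err := ecdh.X25519().NewPublicKey(peerPublic)
	if err != nil {
		return err
	}
	secret, err := p.priv.ECDH(pub) // identical on both sides
	if err != nil {
		return err
	}
	key := sha256.Sum256(secret)      // hashing before use as the key is this example's choice
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	p.aead, err = cipher.NewGCM(block)
	return err
}

// Seal is counter_to_nonce + encrypt + send(nonce + ciphertext). The role byte
// keeps the two directions, which share one key, from reusing a (key, nonce) pair.
func (p *Peer) Seal(plaintext []byte) []byte {
	nonce := make([]byte, nonceSize)
	nonce[0] = p.role
	binary.BigEndian.PutUint64(nonce[4:], p.sendCtr)
	p.sendCtr++
	return p.aead.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
}

// Open rejects truncated, reflected and replayed messages before decrypting.
func (p *Peer) Open(msg []byte) ([]byte, error) {
	if len(msg) < nonceSize+p.aead.Overhead() || msg[0] == p.role {
		return nil, errors.New("e2ee: truncated message or our own direction byte")
	}
	nonce, ct := msg[:nonceSize], msg[nonceSize:]
	ctr := binary.BigEndian.Uint64(nonce[4:])
	if ctr < p.recvMin {
		return nil, ErrReplay
	}
	pt, err := p.aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, err // tag mismatch: altered in transit
	}
	p.recvMin = ctr + 1 // advance the window only after the tag has verified
	return pt, nil
}

// NewSession stands in for the relay: the only thing handed across is each side's public key.
func NewSession() (cli, app *Peer, err error) {
	cli, app = &Peer{role: RoleCLI}, &Peer{role: RoleClient}
	for _, p := range []*Peer{cli, app} {
		if p.priv, err = ecdh.X25519().GenerateKey(rand.Reader); err != nil {
			return nil, nil, err
		}
	}
	err = errors.Join(cli.Establish(app.PublicKey()), app.Establish(cli.PublicKey()))
	return cli, app, err
}

func main() {
	cli, app, err := NewSession()
	if err != nil {
		panic(err)
	}
	wire := cli.Seal([]byte("$ ls\nREADME.md\n")) // constructed terminal output
	pt, err := app.Open(wire)
	fmt.Printf("relay forwards %d bytes; app reads %q, err=%v\n", len(wire), pt, err)
	_, err = app.Open(wire)
	fmt.Println("same bytes delivered again:", err)
}
```

Running it prints the sealed length and the decrypted text, then the replay error for the same bytes delivered twice. Open advances recvMin only after the tag verifies, so a forged message carrying a high counter cannot push the window forward and cause later genuine messages to be dropped as replays.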

3 Server Role

Our server acts as an encrypted relay. It routes encrypted bytes between the AFK CLI and mobile app, but does not have the E2EE private keys needed to decrypt terminal payloads. The server handles:

  • Authentication (JWT tokens, magic links)
  • Session management (connect AFK CLI to clients)
  • Message routing (encrypted bytes only)

Defense in Depth

We don't rely on a single security layer. AFK uses multiple independent protections:

  • E2EE (End-to-End Encryption): X25519 + AES-256-GCM between AFK CLI and clients
  • JWT (Token Authentication): Short-lived JWTs with refresh tokens, magic link login
  • TLS (Transport Security): All connections use TLS 1.3 (HTTPS/WSS)
  • ISO (Session Isolation): Each user's sessions are cryptographically isolated