Built on cryptographic principles, not trust.

RemoteDesk uses end-to-end encryption, zero-knowledge proofs, and open-source auditing to ensure your remote sessions remain private.


End-to-End Encryption Architecture

Every RemoteDesk session is protected with AES-256-GCM under ephemeral keys. The signaling server never sees your screen, SDP offers, or ICE candidates; it only relays authenticated ciphertext that it cannot decrypt or modify without detection.

Key Generation

  1. Host generates an ephemeral ECDH keypair (P-256)
  2. Viewer generates an ephemeral ECDH keypair (P-256)
  3. Both sides exchange public keys, each carrying an HMAC-SHA256 tag keyed by the session password, so the relay cannot substitute its own key unnoticed
  4. Shared secret derived via ECDH
  5. Final AES-256 key derived via HKDF-SHA256
  6. A fresh keypair and session key for every session; nothing is reused

ENCRYPTION_FLOW:

  Host screen capture (1920x1080@60fps)
          │
          ▼
  H.264 encoding (adaptive bitrate)
          │
          ▼
  AES-256-GCM (authenticated encryption)
          │
          ▼
  [SIGNALING SERVER]  sees ciphertext only
          │
          ▼
  Viewer decryption (ephemeral session key)
          │
          ▼
  H.264 decode → display

ECDH Key Exchange Protocol

We use ECDH-P256 for forward secrecy and ephemeral key negotiation. Each session gets a unique key pair that's discarded after the session ends.

Why P-256?

  • NIST standardized: widely audited and trusted
  • Hardware acceleration: fast on modern CPUs
  • Not post-quantum: like every elliptic-curve scheme, P-256 would be broken by a large quantum computer; no such machine exists today, so ephemeral P-256 remains sound against classical attackers
  • Browser compatible: Web Crypto API support

Safety Numbers

Both parties see the same 6-word safety number for the session. Reading it aloud or comparing it over a separate channel confirms that the public key each side received is the one the other side sent; a mismatch means a relay substituted keys in transit.

Safety numbers: apple · zebra · blue · shark · piano · wonder

Forensic Audit Trail

Every action is logged with millisecond timestamps and authenticated with an HMAC-SHA256 tag. Support teams get a tamper-evident record of what happened, when, and by whom.

Events Captured

  • ✓ Session start/end with timestamps
  • ✓ Every mouse movement and click
  • ✓ Keystroke activity (not passwords)
  • ✓ File transfers (name, size, checksum)
  • ✓ Clipboard operations
  • ✓ Screen recording metadata
  • ✓ Privacy mask regions
  • ✓ Network metrics (latency, bitrate)

Export Formats

Audit trails can be exported as signed HTML (human-readable) or JSON (machine-parseable). HMAC-SHA256 tags over the export let an organization verify its integrity years later, provided the verification key is still available and was kept out of reach of anyone who could have edited the trail: HMAC is symmetric, so whoever holds the key can produce a valid tag.

Privacy Masking

For sensitive work (healthcare, finance, personal data), draw redaction boxes on your screen. Masking happens before encoding—the viewer never sees the sensitive content.

Masking Pipeline

  1. Draw regions: select sensitive areas on the host screen in real time
  2. Mask, then encode: masked regions are blackened or blurred in the raw frame before the H.264 encoder sees it
  3. Viewer sees only the masked view: the original pixels never leave the host
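The point of step 2 is ordering: redaction has to be applied to the raw capture, before encoding, so the encoder and everything downstream never receive the pixels. As an added example that is not RemoteDesk's code, here is that stage over a raw RGBA frame buffer in plain JavaScript; the frame size, pixel contents and regions are constructed, and regions are clamped to the frame because an unclamped rectangle dragged past the right edge would wrap into the next row and mask the wrong pixels.

```javascript
// Added example, not RemoteDesk's own code: blacken redaction rectangles in a
// raw RGBA frame before it is handed to the encoder. Frame size, pixel values
// and regions are constructed for illustration.

// Overwrite every pixel inside each region with `fill` (opaque black by default).
function maskFrame(frame, width, height, regions, fill = [0, 0, 0, 255]) {
  if (frame.length !== width * height * 4) throw new Error('frame size mismatch');
  for (const r of regions) {
    // Clamp to the frame: with a flat buffer, an x beyond `width` would index
    // into the next row, and a negative x into the previous one.
    const x0 = Math.max(0, Math.min(width, r.x));
    const y0 = Math.max(0, Math.min(height, r.y));
    const x1 = Math.max(0, Math.min(width, r.x + r.w));
    const y1 = Math.max(0, Math.min(height, r.y + r.h));
    for (let y = y0; y < y1; y++) {
      for (let x = x0; x < x1; x++) {
        const i = (y * width + x) * 4;
        frame[i] = fill[0];
        frame[i + 1] = fill[1];
        frame[i + 2] = fill[2];
        frame[i + 3] = fill[3];
      }
    }
  }
  return frame;
}

// Capture -> mask -> encode. The encoder stage is represented by the `masked`
// buffer it would receive; `original` is kept only so the difference can be checked.
function captureMaskEncode(width, height, regions) {
  const frame = new Uint8Array(width * height * 4);
  for (let i = 0; i < frame.length; i++) frame[i] = (i * 31 + 7) & 0xff;  // constructed pixels
  const original = Uint8Array.from(frame);
  maskFrame(frame, width, height, regions);
  return { original, masked: frame };
}

// Read one pixel as [r, g, b, a].
function pixel(frame, width, x, y) {
  const i = (y * width + x) * 4;
  return Array.from(frame.subarray(i, i + 4));
}
```

With an 8x8 frame and regions `{x:2,y:2,w:3,h:3}` and `{x:6,y:6,w:10,h:10}`, the pixels inside both boxes come out opaque black, the pixel at (5,2) just outside the first box is untouched, and the oversized second region is cut off at the frame edge instead of spilling into row 7's left-hand pixels.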

Privacy-First by Design

Compliance & Certifications

ISO 27001

Information Security Management System. Audited annually.

HIPAA

Business Associate Agreement (BAA) available. Healthcare-grade encryption.

GDPR

GDPR-compliant data processing. DPA included in Enterprise plans.

DPDP Act

India's Digital Personal Data Protection Act compliant.

SOC 2 Type II

Service Organization Control audit completed. Full report on request.

PCI DSS

Payment Card Industry Data Security Standard ready for merchants.

Security Disclosure Policy

We welcome responsible security research. If you find a vulnerability, please report it to security@remotedesk.app.

🏆 Bug Bounty

  • Critical: $10,000
  • High: $5,000
  • Medium: $1,000
  • Low: $100

Process

  1. Report privately (not public issues)
  2. We acknowledge within 24 hours
  3. 90-day fix window
  4. Joint disclosure with credit

Get the full Security Whitepaper (PDF)

26 pages of technical details, cryptographic proofs, and architecture diagrams.
