Encryption in paqet is configured as part of the KCP transport settings. Both client and server must use the same encryption algorithm and key.

Encryption Settings

transport.kcp.block (string, default: "aes")
Encryption algorithm to use for securing the connection.

transport.kcp.key (string, required)
Encryption key used to encrypt/decrypt traffic. Must be identical on both client and server.

Supported Encryption Algorithms

paqet supports the following encryption algorithms via the block parameter:
  • salsa20: Salsa20 stream cipher (fast, good for embedded systems)
  • blowfish: Blowfish block cipher
  • twofish: Twofish block cipher
  • cast5: CAST5 block cipher
  • 3des: Triple DES (legacy, not recommended)
  • tea: Tiny Encryption Algorithm
  • xtea: Extended TEA
  • sm4: Chinese national standard cipher
  • xor: Simple XOR cipher (weak, not recommended)
  • none: No encryption
  • null: No encryption
Using none, null, or xor provides little or no security. Only use these for testing or in trusted networks.

Generating Encryption Keys

Use the paqet secret command to generate a secure random key:
paqet secret
This will output a cryptographically secure random key that you can use in your configuration:
Generated secret key: 8x2Kp9mL3vQ7wN5R
The same key must be used in both the client and server configuration files for them to communicate.

Configuration Example

transport:
  protocol: "kcp"
  kcp:
    mode: "fast"
    block: "aes"  # Use AES encryption
    key: "8x2Kp9mL3vQ7wN5R"  # Must match on client and server

Using AES-GCM for Authenticated Encryption

transport:
  protocol: "kcp"
  kcp:
    mode: "fast"
    block: "aes-128-gcm"  # Authenticated encryption
    key: "8x2Kp9mL3vQ7wN5R"

Using Salsa20 for Performance

transport:
  protocol: "kcp"
  kcp:
    mode: "fast"
    block: "salsa20"  # Fast stream cipher
    key: "8x2Kp9mL3vQ7wN5R"

Disabling encryption exposes all traffic in plaintext. Only use this for testing or debugging.
transport:
  protocol: "kcp"
  kcp:
    mode: "fast"
    block: "none"  # No encryption
    key: ""  # Key not required when encryption is disabled

Key Requirements

Key Length
The encryption key can be any string, but longer keys are more secure. A minimum of 16 characters is recommended.

Key Matching
The encryption key must be identical on both client and server. Any mismatch will prevent connection establishment.

Key Security
  • Generate keys using paqet secret for cryptographic randomness
  • Never commit keys to version control
  • Rotate keys periodically for enhanced security
  • Use different keys for different deployments

Security Recommendations

Use Strong Encryption

Always use aes, aes-128-gcm, or salsa20 for production deployments.

Generate Random Keys

Use paqet secret to generate cryptographically secure random keys.

Protect Your Keys

Store configuration files securely and restrict file permissions.

Rotate Keys

Periodically change encryption keys for enhanced security.

Troubleshooting

Verify that:
  • The block parameter is identical on client and server
  • The key parameter is identical on client and server
  • There are no extra spaces or special characters in the key
  • The encryption algorithm is supported (check spelling)

You must provide a key when using any encryption algorithm except none or null:
transport:
  kcp:
    block: "aes"
    key: "your-secret-key-here"  # This is required

If encryption is causing performance bottlenecks:
  • Try salsa20 for faster encryption with good security
  • Use aes (hardware-accelerated on most modern CPUs)
  • Avoid 3des and blowfish (slower legacy algorithms)
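
The verification checklist and key requirements above can be run against a client and server config before deployment. The Python linter below is an added example, not part of paqet: its function names are hypothetical, its algorithm list is taken only from the names on this page, and it assumes block and key appear only under transport.kcp.

```python
import re

# Algorithm names taken from this page only; the real binary may accept others.
SUPPORTED = {"aes", "aes-128-gcm", "salsa20", "blowfish", "twofish", "cast5",
             "3des", "tea", "xtea", "sm4", "xor", "none", "null"}
NO_KEY = {"none", "null"}            # key not required for these
WEAK = NO_KEY | {"xor", "3des"}      # flagged "not recommended" on this page
# One-line `name: "value"  # comment` or `name: value  # comment`.
FIELD = re.compile(
    r'^[ \t]*(block|key)[ \t]*:[ \t]*(?:"([^"]*)"|([^#\n]*?))[ \t]*(?:#.*)?$', re.M)

def kcp_settings(text):
    """Extract block and key from config text; not a general YAML parser."""
    out = {"block": "aes", "key": ""}    # "aes" is the documented default
    for m in FIELD.finditer(text):
        quoted, bare = m.group(2), m.group(3)
        out[m.group(1)] = quoted if quoted is not None else bare
    return out

def lint(client_text, server_text):
    """Return findings for a client/server pair; key values are never echoed."""
    c, s = kcp_settings(client_text), kcp_settings(server_text)
    findings = []
    if c["block"] != s["block"]:
        findings.append("block differs between client and server")
    if c["key"] != s["key"]:
        findings.append("key differs between client and server")
    for side, cfg in (("client", c), ("server", s)):
        block, key = cfg["block"], cfg["key"]
        if block not in SUPPORTED:
            findings.append(f"{side}: unknown block {block!r} (check spelling)")
        elif block in WEAK:
            findings.append(f"{side}: block {block!r} is weak or unencrypted")
        if block not in NO_KEY:
            if not key:
                findings.append(f"{side}: key is required for block {block!r}")
            elif key != key.strip():
                findings.append(f"{side}: key has leading or trailing whitespace")
            elif len(key) < 16:
                findings.append(f"{side}: key is shorter than 16 characters")
    return findings

# Constructed sample configs; the key is a placeholder, not a real secret.
CLIENT = 'transport:\n  kcp:\n    block: "aes"\n    key: "EXAMPLE-KEY-0123456789"\n'
SERVER = CLIENT.replace('789"', '789 "')   # stray trailing space in the key

if __name__ == "__main__":
    print("\n".join(lint(CLIENT, SERVER)))
```

An empty list from lint() means the pair passed every check on the list.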
