Skip to content

Support ZMQ Curve for transport encryption#1515

Open
krassowski wants to merge 15 commits intoipython:mainfrom
krassowski:curve-encryption
Open

Support ZMQ Curve for transport encryption#1515
krassowski wants to merge 15 commits intoipython:mainfrom
krassowski:curve-encryption

Conversation

@krassowski
Copy link
Copy Markdown
Member

@krassowski krassowski commented May 6, 2026
edited
Loading

krassowski
krassowski commented May 6, 2026
View reviewed changes
Comment thread ipykernel/kernelapp.py Outdated
@krassowski krassowski mentioned this pull request May 6, 2026
Open
3 tasks
krassowski
krassowski commented May 6, 2026
View reviewed changes
Comment thread ipykernel/kernelapp.py Outdated
@krassowski krassowski mentioned this pull request May 7, 2026
Open
krassowski
krassowski commented May 7, 2026
View reviewed changes
Comment thread ipykernel/kernelapp.py
Comment on lines +363 to +369
self.log.warning(
"Kernel is running over TCP without encryption."
" All communication (including code and outputs) is sent in plain text"
" and is susceptible to eavesdropping."
" Use IPC transport or set IPKernelApp.enable_curve=True to enable"
" CurveZMQ encryption."
)
Copy link
Copy Markdown
Member Author

@krassowski krassowski May 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nbclient downstream tests are failing due to addition of this warning, see:

  E       AssertionError: assert '[IPKernelApp] WARNING | Kernel is running over TCP without encryption. All communication (including code and outputs) is sent in plain text and is susceptible to eavesdropping. Use IPC transport or set IPKernelApp.enable_curve=True to enable CurveZMQ encryption.\n[IPKernelApp] WARNING | Kernel is running over TCP without encryption. All communication (including code and outputs) is sent in plain text and is susceptible to eavesdropping. Use IPC transport or set IPKernelApp.enable_curve=True to enable CurveZMQ encryption.' == ''

I believe we should keep it and update nbclient tests, any objections?

Copy link
Copy Markdown
Member

@Carreau Carreau May 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 to fix nbclient.

Copy link
Copy Markdown
Member

@minrk minrk May 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, nbclient tests shouldn't fail if warnings are logged from another package, that's a problem in the test suite

Copy link
Copy Markdown
Member Author

@krassowski krassowski May 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I opened jupyter/nbclient#341

@Carreau Carreau self-requested a review May 7, 2026 10:20
Carreau
Carreau reviewed May 7, 2026
View reviewed changes
Comment thread ipykernel/heartbeat.py Outdated
Carreau
Carreau reviewed May 7, 2026
View reviewed changes
Comment thread ipykernel/heartbeat.py Outdated
Carreau
Carreau reviewed May 7, 2026
View reviewed changes
Comment thread ipykernel/kernelapp.py Outdated
).tag(config=True)

enable_curve = Bool(
bool(int(os.environ.get("JUPYTER_ENABLE_CURVE", "0"))),
Copy link
Copy Markdown
Member

@Carreau Carreau May 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't like the name it's non obvious, i think it's ok to have "curve" in inner variable names, maybe not in env-var and options. ; should we also trim(), the value of environ.get, or be stricter on it's format ?

Copy link
Copy Markdown
Member Author

@krassowski krassowski May 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree, I think we could hide "curve" here as an implementation detail; an argument for keeping it as-is would be alignment with ipyparallel (ipython/ipyparallel#553).

I think an obvious choice would be enable_transport_encryption?

Same change would need to follow in jupyter-server/jupyter_server#1638.

CC @minrk in case if you have an opinion here

Carreau
Carreau reviewed May 7, 2026
View reviewed changes
Comment thread tests/test_curve.py Outdated
@krassowski krassowski mentioned this pull request May 9, 2026
Open
@krassowski krassowski marked this pull request as ready for review May 9, 2026 08:20
krassowski
krassowski commented May 9, 2026
View reviewed changes
Comment thread pyproject.toml
"comm>=0.1.1",
"traitlets>=5.4.0",
"jupyter_client>=8.8.0",
"jupyter_client @ git+https://github.com/krassowski/jupyter_client.git@add-curve-encryption",
Copy link
Copy Markdown
Member Author

@krassowski krassowski May 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(needs reverting once jupyter-client PR is merged and released)

krassowski
krassowski commented May 9, 2026
View reviewed changes
Comment thread pyproject.toml
Comment on lines +74 to +75
[tool.hatch.metadata]
allow-direct-references = true
Copy link
Copy Markdown
Member Author

@krassowski krassowski May 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(this too)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@minrk minrk minrk left review comments

@Carreau Carreau Carreau left review comments

Assignees

No one assigned

Labels

feature

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@krassowski @minrk @Carreau