Use case · for VNC refugees

Encrypted remote desktop without VNC setup

Classic VNC often ships with no built-in transport encryption and needs per-server config. Scry is end-to-end encrypted (DTLS-SRTP) over WebRTC with zero per-server setup — on Mac, Windows, and the browser, with a 7-day free trial to start.

Get Scry — encrypted by default, no VNC setup

Mac · Windows · Linux · browser · 0.2.x public preview

If you've run classic VNC — TightVNC, UltraVNC, TigerVNC and friends — you know two things. First, it's lightweight, free, and deployed on millions of machines. Second, getting it secure and reachable is its own project: many classic VNC servers ship with no built-in transport encryption (you're expected to tunnel it over SSH yourself), plus per-server configuration, password legacy, and firewall/port wrangling for every machine.

If you searched encrypted remote desktop and you're a VNC refugee, this page is about removing both problems at once — honestly, including exactly how the end-to-end encryption works.

The two VNC problems Scry removes

  • 1. Transport encryption you don't have to bolt on

    Classic VNC like TightVNC ships without built-in encryption; securing it traditionally means setting up an SSH tunnel per connection. Scry's connection is end-to-end encrypted by default over WebRTC — DTLS/SRTP is part of the standard, not something you configure. There is no “now set up the SSH tunnel” step.

  • 2. No per-server setup

    With VNC you install and configure a server on every machine, manage passwords, and open ports. Scry uses a pairing code and one account. No port forwarding, no per-server config.

The encryption boundary — how it actually works

Scry's connection is end-to-end encrypted using WebRTC's standard DTLS-SRTP. That is a real, named, verifiable property and it's exactly the security gap classic VNC leaves open.

The encryption keys are negotiated directly between your two devices in the DTLS handshake — the host and the device you're viewing from. Our relay only exchanges connection details to get the two devices talking and, when a direct path isn't possible, forwards already-encrypted packets it cannot read. There is no server in the middle that decrypts your screen, your input, or your clipboard. Peer-to-peer, end to end.

What you give up vs classic VNC

Be clear-eyed: classic VNC is free, open-source, ultra-lightweight, and has decades of deployment behind it. Scry has none of that heritage. Scry does now ship a native Linux host (X11 today, Wayland landing in 0.3), but if you specifically want open-source you can audit and self-host, classic VNC (or an OSS tool built on it) is still the honest choice — not Scry.

Honest limits

  • Multi-monitor, audio, and file transfer are currently in preview at the 0.1.x stage; sessions stream one display at a time today.
  • Mobile still maturing — the iOS and Android apps are at the 0.1.x stage.
  • End-to-end encrypted (DTLS-SRTP), peer-to-peer (covered above).
  • Linux host is new — X11 today, Wayland landing in 0.3 (in test). If you need a deeply field-hardened Linux deployment, classic VNC or RealVNC is the honest pick.

Encrypted by default. No SSH tunnel. No per-server config.

Mac, Windows, and the browser. Pair with a code, one account, end-to-end encrypted (DTLS-SRTP) over WebRTC.

Get Scry

Related

Scry vs RealVNC

The honest side-by-side, including where RealVNC wins.

Remote desktop without port forwarding

No router config — and where homelab setups still beat us.

How Scry encrypts your screen

The full encryption story, and the honest boundary of what our relay can see.