Securing your VNC headless guest with simple passwords


The option of using a vncserver with your KVM virtual machine allows for running your virtual machine “headless”. Sometime ago I wrote a topic on how to run your KVM machine headless that can be found here but didn’t mention anything about securing your vncserver.

Securing your vncserver with basic passwords only involves using the password keyword argument to the vnc option when starting your KVM machine as follows:

qemu-system_x86_64 –hda windows –vnc :1,password –m 512 –monitor stdio
It is necessary to use the –monitor option when using vnc option in order to get access to the qemu monitor. After starting your machine with the above command, you will not be able to access it with vnc until you set a password. To set the vnc password, go into the qemu monitor window (specified using the –monitor option ) and type change vnc password as shown below.

(qemu) change vnc password
Password: ********
You will now be able to access your headless machine using any vnc client using password authentication. Personally I like tightvnc that can be found at and is free but you can use whichever client you want. The password option, along with more options for security, is documented at the official qemu page at Note that plain vnc password is not the strongest security option as explained on the qemu link above but if you want quick and dirty security, it is the quickest option. For stronger security, the recommended way is using certificates and tls for encryption but takes a little more configuration.

Leave a Reply

Your email address will not be published. Required fields are marked *