We present a general framework encompassing a number of continuous-variable quantum key distribution protocols, including standard one-way protocols, measurement-device-independent protocols as well as some two-way protocols, or any other continuous-variable protocol involving only a Gaussian modulation of coherent states and heterodyne detection. The main interest of this framework is that the corresponding protocols are all covariant with respect to the action of the unitary group U (n), implying that their security can be established thanks to a Gaussian de Finetti reduction. In particular, we give a composable security proof of two-way continuous-variable quantum key distribution against general attacks. We also prove that no active symmetrization procedure is required for these protocols, which would otherwise make them prohibitively costly to implement.Quantum key distribution (QKD) allows two distant parties, Alice and Bob with access to an untrusted quantum channel and an authenticated classical channel, to share a secret key which can later be used to encrypt classical messages. The remarkable property of QKD is that its security can be established in the informationtheoretic setting, without appealing to any computational assumptions. While the first protocols relied on a discrete encoding of information and required singlephoton detectors [1, 2], a new generation of protocols called "continuous-variable" (CV) encode the information on the quadratures of the quantized electromagnetic field, allowing coherent detection to advantageously replace single-photon detection [3]. There is, however, a price to pay for this simplified experimental setup and this is increased difficulty of establishing security proofs due to the fact that the finite-dimensional Hilbert space of discrete-variable QKD has to be replaced by an infinite-dimensional Fock space. Notably, the theoretical tools developed for analyzing discrete-variable protocols -de Finetti theorems [4][5][6], entropic uncertainty relations [7], entropy accumulation [8] -need not directly work in the CV setting.Fortunately, some of these proof techniques have been successfully adapted to continuous variables and two oneway CVQKD protocols are now established to be secure against general attacks. These are the no-switching protocol [9] where Alice sends coherent states with a Gaussian modulation and Bob performs heterodyne (or dualhomodyne) detection, and the BB84-inspired protocol of Ref. [10] where Alice sends squeezed states along one of the two quadratures and Bob performs homodyne detection. The security of the latter follows from a continuousvariable version of the entropic uncertainty principle [11] while that of the former protocol is established thanks to a recently developed Gaussian de Finetti theorem [12,13], [43].Establishing the security of two-way CVQKD, where Alice and Bob send quantum information back and forth through the channel, has been an outstanding goal in the field and partial progress was obtained in Refs [14][15][16][17][18][19][...