Islands

Security Architecture

A plain-language look at how we protect accounts, encrypt messages, and lock down infrastructure.

Account & Authentication

  • Passwords are hashed client-side with Argon2 before transmission.
  • TOTP-based two-factor authentication with 8 single-use backup codes.
  • Any single backup code can unlock your archive (per-code escrow recovery).
  • Multi-device sessions with per-device key bundles and crypto identities.
  • 15-minute access tokens with 7-day rotating refresh tokens (RS256 JWT).

Message Encryption

  • DMs: X3DH key agreement + Double Ratchet, same primitives as Signal Protocol.
  • Sealed sender: Server cannot determine who sent a DM.
  • Server channels: Sender Key envelopes for efficient group encryption.
  • Voice/video: Per-session random 256-bit key distributed via nacl.box.
  • At rest: AES-256-GCM encryption for stored messages and attachments.
  • Multi-device fan-out encrypts for all recipient devices + sender's other devices.

Transport & Infrastructure

  • TLS termination at Caddy edge with automatic Let's Encrypt certificates.
  • mTLS between all backend services with per-service client certificates and CA verification.
  • NATS event bus secured with mTLS (client cert + CA verify).
  • Redis transport secured with TLS and client certificates.
  • Metrics endpoints restricted to internal/loopback IPs in production.
  • WebSocket rate limiting: 30 msg/sec per connection, 16KB max message size.

Key Transparency & Trust

  • Verifiable key directory with witness-backed checkpoints.
  • Detects unauthorized key changes or key directory misbehavior.
  • Cryptographic audit trail for key state integrity.
  • Session recovery via automatic X3DH re-establishment on ratchet desync.

Metadata Minimization

  • DM participant IDs hashed after 24 hours of inactivity.
  • Timestamps coarsened to day-level for inactive conversations.
  • Audit logs TTL-expired after 90 days.
  • Used one-time prekeys purged after 7 days.
  • Device activity timestamps coarsened for inactive devices.

Scope & Transparency

  • This page is a user summary, not a formal threat model or audit report.
  • Operational metadata is required for routing, presence, and moderation.
  • The encryption design minimizes trust in the server, but does not eliminate all metadata.
  • Private Islands shift infrastructure trust entirely to the self-host operator.