Security Architecture

An overview of SecurQbit's RAM-only server design, tunnel lifecycle, key handling, and threat model — what the VPN protects against and what it does not.

This page describes how SecurQbit is built to be private and resilient: volatile server infrastructure, the lifecycle of a tunnel, how keys are handled, and an honest threat model of what a VPN can and cannot do.

Server architecture

SecurQbit runs a global network of servers on volatile, RAM-only storage.

  • No disk persistence. The system loads into memory; nothing about your session is written to a disk. A reboot or power-off wipes everything. See No-Logs & Privacy.
  • No activity logs. There is no stored history to leak, seize, or subpoena.
  • Ephemeral session state. Routing tables and session keys live only in memory for the connection's duration and are destroyed when it ends.
  • Minimal trust footprint. A compromised or confiscated server yields no past activity, because none was retained.

Tunnel lifecycle

  1. Establish. The client performs a forward-secret key exchange and brings up an AEAD-encrypted tunnel. See Encryption & Protocols.
  2. Obfuscate. The tunnel is wrapped to look like ordinary HTTPS so DPI can't fingerprint it. See Firewall Bypass & Obfuscation.
  3. Operate. Traffic is encrypted, authenticated per packet, and routed.
  4. Adapt. On network changes the client re-keys and re-establishes the tunnel before traffic resumes.
  5. Tear down. On disconnect, ephemeral keys and session state are discarded on both ends.

Key handling

  • Ephemeral keys are generated per session and never reused.
  • Forward secrecy ensures past sessions can't be decrypted even if a future key is exposed.
  • No key escrow. SecurQbit does not retain session keys after teardown — and with RAM-only servers, there's nowhere for them to persist.
  • Server identity is authenticated during the handshake to prevent man-in-the-middle attacks.

Threat model

A VPN is one layer of defense, not a magic cloak. Being clear about scope is part of good security.

What SecurQbit protects against

  • Local network snooping — your ISP, a hotel, an airport, or anyone on the same Wi-Fi cannot read your traffic or see which sites you visit.
  • DPI-based VPN blocking — obfuscation defeats deep packet inspection that throttles or blocks ordinary VPNs.
  • IP exposure — destinations see the server's IP, not yours.
  • Retroactive disclosure — no logs and RAM-only servers mean there is nothing to hand over after the fact.

What it does not protect against

  • Endpoint compromise. Malware, a keylogger, or a hostile app on your own device sees your activity before it ever enters the tunnel.
  • Account-level identification. If you log into a service, that service knows it's you regardless of the VPN.
  • Browser and device fingerprinting. Trackers can still fingerprint your browser; pair SecurQbit with privacy-respecting browser settings.
  • Phishing and social engineering. A VPN cannot stop you from entering credentials on a fake site.
  • Misconfigured exclusions. Apps you exclude via split tunneling are not protected.

Note: Strong privacy is layered. Use SecurQbit alongside good device hygiene, careful account practices, and a privacy-conscious browser.

Further reading