Security Architecture
An overview of SecurQbit's RAM-only server design, tunnel lifecycle, key handling, and threat model — what the VPN protects against and what it does not.
This page describes how SecurQbit is built to be private and resilient: volatile server infrastructure, the lifecycle of a tunnel, how keys are handled, and an honest threat model of what a VPN can and cannot do.
Server architecture
SecurQbit runs a global network of servers on volatile, RAM-only storage.
- No disk persistence. The system loads into memory; nothing about your session is written to a disk. A reboot or power-off wipes everything. See No-Logs & Privacy.
- No activity logs. There is no stored history to leak, seize, or subpoena.
- Ephemeral session state. Routing tables and session keys live only in memory for the connection's duration and are destroyed when it ends.
- Minimal trust footprint. A compromised or confiscated server yields no past activity, because none was retained.
Tunnel lifecycle
- Establish. The client performs a forward-secret key exchange and brings up an AEAD-encrypted tunnel. See Encryption & Protocols.
- Obfuscate. The tunnel is wrapped to look like ordinary HTTPS so DPI can't fingerprint it. See Firewall Bypass & Obfuscation.
- Operate. Traffic is encrypted, authenticated per packet, and routed.
- Adapt. On network changes the client re-keys and re-establishes the tunnel before traffic resumes.
- Tear down. On disconnect, ephemeral keys and session state are discarded on both ends.
Key handling
- Ephemeral keys are generated per session and never reused.
- Forward secrecy ensures past sessions can't be decrypted even if a future key is exposed.
- No key escrow. SecurQbit does not retain session keys after teardown — and with RAM-only servers, there's nowhere for them to persist.
- Server identity is authenticated during the handshake to prevent man-in-the-middle attacks.
Threat model
A VPN is one layer of defense, not a magic cloak. Being clear about scope is part of good security.
What SecurQbit protects against
- Local network snooping — your ISP, a hotel, an airport, or anyone on the same Wi-Fi cannot read your traffic or see which sites you visit.
- DPI-based VPN blocking — obfuscation defeats deep packet inspection that throttles or blocks ordinary VPNs.
- IP exposure — destinations see the server's IP, not yours.
- Retroactive disclosure — no logs and RAM-only servers mean there is nothing to hand over after the fact.
What it does not protect against
- Endpoint compromise. Malware, a keylogger, or a hostile app on your own device sees your activity before it ever enters the tunnel.
- Account-level identification. If you log into a service, that service knows it's you regardless of the VPN.
- Browser and device fingerprinting. Trackers can still fingerprint your browser; pair SecurQbit with privacy-respecting browser settings.
- Phishing and social engineering. A VPN cannot stop you from entering credentials on a fake site.
- Misconfigured exclusions. Apps you exclude via split tunneling are not protected.
Note: Strong privacy is layered. Use SecurQbit alongside good device hygiene, careful account practices, and a privacy-conscious browser.
Further reading
- Encryption & Protocols — the cryptographic primitives.
- No-Logs & Privacy — the data we deliberately don't keep.