# Security Architecture

This page describes how SecurQbit is built to be private and resilient: volatile server infrastructure, the lifecycle of a tunnel, how keys are handled, and an honest threat model of what a VPN can and cannot do.

## Server architecture

SecurQbit runs a global network of servers on **volatile, RAM-only storage**.

- **No disk persistence.** The system loads into memory; nothing about your session is written to a disk. A reboot or power-off wipes everything. See [No-Logs & Privacy](/no-logs-privacy).
- **No activity logs.** There is no stored history to leak, seize, or subpoena.
- **Ephemeral session state.** Routing tables and session keys live only in memory for the connection's duration and are destroyed when it ends.
- **Minimal trust footprint.** A compromised or confiscated server yields no past activity, because none was retained.

## Tunnel lifecycle

1. **Establish.** The client performs a forward-secret key exchange and brings up an AEAD-encrypted tunnel. See [Encryption & Protocols](/encryption).
2. **Obfuscate.** The tunnel is wrapped to look like ordinary HTTPS so DPI can't fingerprint it. See [Firewall Bypass & Obfuscation](/firewall-bypass).
3. **Operate.** Traffic is encrypted, authenticated per packet, and routed.
4. **Adapt.** On network changes the client re-keys and re-establishes the tunnel before traffic resumes.
5. **Tear down.** On disconnect, ephemeral keys and session state are discarded on both ends.

## Key handling

- **Ephemeral keys** are generated per session and never reused.
- **Forward secrecy** ensures past sessions can't be decrypted even if a future key is exposed.
- **No key escrow.** SecurQbit does not retain session keys after teardown — and with RAM-only servers, there's nowhere for them to persist.
- **Server identity** is authenticated during the handshake to prevent man-in-the-middle attacks.

## Threat model

A VPN is one layer of defense, not a magic cloak. Being clear about scope is part of good security.

### What SecurQbit protects against

- **Local network snooping** — your ISP, a hotel, an airport, or anyone on the same Wi-Fi cannot read your traffic or see which sites you visit.
- **DPI-based VPN blocking** — obfuscation defeats deep packet inspection that throttles or blocks ordinary VPNs.
- **IP exposure** — destinations see the server's IP, not yours.
- **Retroactive disclosure** — no logs and RAM-only servers mean there is nothing to hand over after the fact.

### What it does not protect against

- **Endpoint compromise.** Malware, a keylogger, or a hostile app on your own device sees your activity before it ever enters the tunnel.
- **Account-level identification.** If you log into a service, that service knows it's you regardless of the VPN.
- **Browser and device fingerprinting.** Trackers can still fingerprint your browser; pair SecurQbit with privacy-respecting browser settings.
- **Phishing and social engineering.** A VPN cannot stop you from entering credentials on a fake site.
- **Misconfigured exclusions.** Apps you exclude via [split tunneling](/split-tunneling) are not protected.

> **Note:** Strong privacy is layered. Use SecurQbit alongside good device hygiene, careful account practices, and a privacy-conscious browser.

## Further reading

- [Encryption & Protocols](/encryption) — the cryptographic primitives.
- [No-Logs & Privacy](/no-logs-privacy) — the data we deliberately don't keep.
