The Reliquary
VPN for the hackers and the truly paranoid.
We are a community-driven service for hackers and the truly paranoid who want to establish multiple peer-to-peer, end-to-end encrypted VPN tunnels between their devices, to facilitate secure communication between them no matter where they are located.
We only provide the encrypted transport between your devices; you bring everything else yourself.
+ Registration
See our guide.
+ Tech
To provide the encrypted transport we use sanctum, a fully privilege-separated VPN daemon. This daemon was designed from the ground up to separate all important assets using a multi-process approach.
This approach allows sanctum to strongly sandbox and isolate its different processes. Because of this, sanctum only runs on POSIX-based platforms such as OpenBSD, Linux and also macOS.
The sanctum daemon uses strong symmetric cryptography and has no support for public-key encryption at all, which gives strong post-quantum guarantees for the confidentiality and integrity of your traffic, provided you protect your secrets correctly.
A cryptographic description can be found in the sanctum repository under docs/crypto.md.
+ The Cathedral
We use the cathedral mode of sanctum to provide an authenticated relay and a key distribution point. The authenticated relay is used for peer discovery and will facilitate the peer-to-peer connections if possible.
As a key distribution point, the cathedral allows you to update the shared secrets for your devices. Note: these are always wrapped with your per-device unique KEK, and we never see the plaintext keys.
The reliquary provides multiple cathedrals for resilience in case of an outage or if cathedrals drop offline.
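Added illustration of the trust boundary described above (not the reliquary's or sanctum's own code; sanctum's real construction is documented in docs/crypto.md): a device wraps its shared secret under its per-device KEK before handing it to a cathedral, which stores only the wrapped blob and can reject nothing but unauthenticated data. The wrap is an encrypt-then-MAC stand-in built from HMAC-SHA256, and the Cathedral class, method names and key values are assumptions for the demo.

```python
# Model of a key distribution point that only ever holds KEK-wrapped secrets.
# The wrap construction is a stand-in for illustration, not sanctum's own.
import hashlib
import hmac
import os
from typing import Dict, Tuple

NONCE_LEN, TAG_LEN = 16, 32

def _subkeys(kek: bytes) -> Tuple[bytes, bytes]:
    # Derive separate encryption and MAC keys from the per-device KEK.
    return (hmac.new(kek, b"wrap-enc", hashlib.sha256).digest(),
            hmac.new(kek, b"wrap-mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode acting as a stand-in stream cipher.
    blocks = (length + 31) // 32
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def wrap(kek: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC the shared secret under the KEK; returns nonce || ct || tag."""
    enc_key, mac_key = _subkeys(kek)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong KEK or a tampered blob is rejected."""
    enc_key, mac_key = _subkeys(kek)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped secret failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

class Cathedral:
    """Key distribution point: stores wrapped blobs only, never a KEK or a plaintext key."""
    def __init__(self) -> None:
        self.store: Dict[str, bytes] = {}
    def update(self, device_id: str, wrapped: bytes) -> None:
        self.store[device_id] = wrapped
    def fetch(self, device_id: str) -> bytes:
        return self.store[device_id]
    def operator_view(self, device_id: str) -> Tuple[str, int]:
        # All the operator can observe: which device updated and how large the blob is.
        return device_id, len(self.store[device_id])
```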
+ The Reliquary
The API we provide (the reliquary) interacts with our cathedrals and lets you easily manage your devices and wrapped shared secrets using a handful of very simple shell scripts.
You may download the CLI tools here. Extract them somewhere and make sure that directory is in your $PATH.
+ Do you have access to my encrypted traffic?
Nope, the authenticated relay (cathedral) does not have the encryption keys needed to decrypt your traffic.
Here is what we can see:
Here is what we can read:
+ Can I host this myself?
Sanctum is fully open source and ISC licensed, so yes, you can set up something similar completely on your own.
+ Who runs this?
Reliquary is run by the creator of sanctum together with some Protokol0x41 hackers.
The reliquary was started so that he and his hacker buddies had an easier way of setting up and maintaining multiple sanctum tunnels between their devices.
+ Disclaimers
This is a community-driven service and comes with zero warranty. It may be shut down at any time without prior notice.
As a community-driven service we take no responsibility for any data transmitted over this service, as we cannot read or filter said data. By using this service you, the user, accept that the reliquary may not be used for illegal activities or to distribute illegal content, and that you and you alone are responsible for the data you transmit.
If one of your devices is behind a NAT type that prevents a peer-to-peer connection from being established, your traffic will instead be relayed over our cathedral (remember, we cannot read your traffic) and will be capped at 25 mbit/sec.
This cap can be increased, but only for people who contribute to the project. We are always looking for people who want to donate cathedrals.
+ Contact
You can mail us at help@reliquary.se, find us on Discord, or in #reliquary on Libera.