+ Getting started

Please refer to our guide on how to get an account and how to get your first two devices connected. Accounts are free, limited to 24-hours. If you like the service ask us to convert your 24-hours account into an indefinite one.

+ Technology

To provide the encrypted transport we use the fully privilege seperated VPN daemon called sanctum. This daemon was designed from the ground up to separate all important assets using a multi-process approach.

This approach allows sanctum to strongly sandbox and separate its different processes. Because of this, sanctum only runs on POSIX based platforms such as OpenBSD, Linux but also MacOS.

The sanctum daemon uses strong symmetrical cryptography and lacks any ability for the usage of public key encryption providing strong post-quantum guarantees for the confidentiality and integrity of your traffic, given you protect your secrets correctly.

A more detailed cryptographic description can be found in the sanctum repository inside of the docs/crypto.md file.

+ The Cathedrals

We use the cathedral mode of sanctum to provide an authenticated relay and a key distribution point. The authenticated relay is used for peer discovery and will facilitate the peer-to-peer connections if possible.

As a key distrubtion point, the cathedral allows you to update your shared secrets for your devices. Note: these are always wrapped with your per-device unique KEK and we do not see the plaintext keys.

The reliquary provides multiple cathedrals to provide resilience in the case of an outage or if cathedrals drop offline unexpectedly.

+ The Reliquary

The API we provide (the reliquary) interacts with our cathedrals and allows you to easily manage your devices and wrapped shared secrets using a handful of very simple shell scripts.

You may download the cli tools here. Extract these somewhere and make sure that directory exists in your $PATH.

+ Do you have access to my encrypted traffic?

No.

The authenticated relay (cathedral) does not have the encryption keys to be able to decrypt your traffic.

Here is a list what we can see (not read):

• Anything related to the ESP packets your devices are sending, unavoidable, the cathedral relays initial traffic or all traffic if one of your devices is behind symmetric NAT.
• Api requests made to the reliquary, unavoidable.

Here is what we can actually read:

• Requests sent to the reliquary API, unavoidable, we have to act on them.
• The sanctum cathedral update messages, unavoidable, these are used to authenticate your sanctum instance to the cathedral and to provide connectivity information (these do NOT carry traffic).
• Contents of mails you sent us, obviously. We will respond to disposable email addresses.

+ Can I just build this myself?

Sanctum is fully open source and ISC licensed, so yes you can build and setup something similar to this completely on your own.

+ Who runs this?

Reliquary is run by the creator of sanctum with the help of a few volunteers from across the globe.

The reliquary was started so that he and his Protokol0x41 hacker friends had an easier way of setting up and maintaining multiple sanctum tunnels between their devices.

+ Disclaimer

This is a free-of-charge, community driven service, with zero warranty. It may shutdown at any given point without any prior notice.

We take no responsibility for any data that is transmitted over this service as we cannot read nor filter said data. When using this service you as the user accept that reliquary may not be used for illegal activities or to distribute illegal content and that you and you alone are responsible for the data you are transmitting.

If one of your devices is behind a NAT type that prevents falling over to peer-to-peer, your traffic will instead be relayed over one of our cathedrals (remember, we cannot read your traffic) and will be capped at 25mbit/sec.

This cap can be increased but only for people who contribute to the project. We are always looking for people who want to donate cathedrals.

+ Contact

You can reach us at help@reliquary.se or find us on discord.