Security

Every layer of Sypher is designed with zero-trust principles. Here's how.

Encryption

Multi-layered encryption from transport to storage.

End-to-End Encryption (E2EE)

Direct messages use mandatory E2EE with X3DH (Extended Triple Diffie-Hellman) key agreement and AES-256-GCM symmetric encryption. Not even the server can read your DMs.

Channel Encryption

Optional per-channel E2EE for text and voice. Server admins can enforce encryption policies via ABAC.

Transport Security

All traffic flows through TLS 1.3 via Traefik with automatic certificate provisioning from Let's Encrypt. No unencrypted connections.

Data at Rest

PostgreSQL with volume encryption. Sensitive fields (tokens, keys) are additionally encrypted at the application layer.

Identity & Authentication

Device-bound identity with cryptographic verification.

EdDSA Signing

Each device generates a unique Ed25519 keypair. All tokens are signed with the server's signing key — no HMAC secrets.

Argon2id Hashing

Passwords are hashed with Argon2id — the winner of the Password Hashing Competition. Memory-hard and resistant to GPU attacks.

Device Binding

Install UUIDs and device fingerprints tie sessions to specific devices. Token revocation is instant and granular.

3-Layer Token Revocation

Revoke individual tokens, all tokens for a device, or all tokens for a user. Revocation propagates immediately.

Brute Force Protection

Per-user rate limiting and progressive lockout. Failed attempts are logged to the audit trail.

OS Keychain

Desktop clients store credentials in the OS keychain (Windows Credential Manager, Linux Secret Service).

ABAC Permissions

Attribute-Based Access Control — more powerful than roles, more precise than ACLs.

Deny-Wins Semantics

If any policy denies an action, it's denied — regardless of other grants. This prevents privilege escalation through policy stacking.

Scope Chains

Policies inherit through the hierarchy: Server → Category → Drawer → Channel. More specific scopes can override broader ones (except denies).
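The deny-wins and scope-chain rules described above, shown as an added Python example that is not Sypher's own code. The policy fields, the equality-based attribute matching, the scope identifiers and the default-deny fallback are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Scope levels from broadest to most specific, in the order the page lists them.
LEVELS = ("server", "category", "drawer", "channel")

@dataclass
class Policy:
    name: str
    level: str      # one of LEVELS
    scope_id: str   # constructed id of the scope this policy is attached to
    action: str
    effect: str     # "allow" or "deny"
    when: dict = field(default_factory=dict)  # required subject attributes

def evaluate(policies, chain, subject, action):
    """Return (decision, deciding_policy_name) for the channel at the end of chain.

    chain maps each level to the scope id on the path to the target channel.
    """
    matched = [
        p for p in policies
        if p.action == action
        and chain.get(p.level) == p.scope_id          # policy is on the scope path
        and all(subject.get(k) == v for k, v in p.when.items())
    ]
    # Deny-wins: one matching deny at any level decides, whatever else grants.
    denies = [p for p in matched if p.effect == "deny"]
    if denies:
        return "deny", min(denies, key=lambda p: LEVELS.index(p.level)).name
    # No deny matched: the most specific matching grant is reported as deciding.
    allows = [p for p in matched if p.effect == "allow"]
    if allows:
        return "allow", max(allows, key=lambda p: LEVELS.index(p.level)).name
    return "deny", None  # assumption: nothing matched means no access

# Constructed sample data (not taken from a real deployment).
CHAIN = {"server": "srv-1", "category": "cat-ops",
         "drawer": "drw-oncall", "channel": "chan-pager"}
POLICIES = [
    Policy("members-can-post", "server", "srv-1", "post", "allow", {"member": True}),
    Policy("muted-cannot-post", "server", "srv-1", "post", "deny", {"muted": True}),
    Policy("stacked-grant", "channel", "chan-pager", "post", "allow", {"muted": True}),
    Policy("oncall-can-pin", "channel", "chan-pager", "pin", "allow", {"role": "oncall"}),
    Policy("other-channel", "channel", "chan-other", "pin", "allow", {"member": True}),
]

if __name__ == "__main__":
    muted = {"member": True, "muted": True}
    print(evaluate(POLICIES, CHAIN, muted, "post"))  # channel grant cannot undo the server deny
```

The `stacked-grant` policy is the stacking case: a channel-level allow aimed at a muted user still loses to the server-level deny.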

Effects Pipelines

Beyond simple allow/deny, policies can attach effects — conditional visibility, rate limiting, content filtering, and more.

Federation Security

Server-to-server communication is authenticated with Ed25519 HTTP signatures. Trust is tiered — you control exactly which servers can interact with yours and at what level.

  • Ed25519 HTTP signature verification
  • Configurable trust tiers
  • Per-server allow/deny lists
  • Audit logging of all federated actions

Compliance

Sypher provides controls aligned with common compliance frameworks for organizations that need them.

  • AC-2: Account management controls
  • AC-17: Remote access controls
  • AU-2/AU-3: Comprehensive audit events
  • IA-2: Multi-factor authentication
  • SC-8: Transmission confidentiality (TLS)
  • SC-28: Data at rest protection
  • SI-7: Software integrity verification

Responsible Disclosure

Found a vulnerability? We take security reports seriously. Please disclose responsibly.

Reporting a Security Issue

Email security concerns to [email protected]. Include a clear description, reproduction steps, and impact assessment. We will acknowledge within 48 hours and aim to resolve critical issues within 7 days.

Please do not open public GitHub issues for security vulnerabilities.

Any individual found to be exploiting vulnerabilities in Sypher software or infrastructure — rather than disclosing them responsibly — will be subject to criminal prosecution and civil action to the fullest extent permitted by applicable law, including but not limited to the Computer Fraud and Abuse Act (18 U.S.C. § 1030).

As of this date, SyCom has not been compelled to disclose user data, surrender source code or program files, or modify its software at the direction of any government agency.