LifestyleMullvad: Diskless infrastructure in beta (System Transparency: stboot)

Mullvad: Diskless infrastructure in beta (System Transparency: stboot)

-

- Advertisment -

Diskless infrastructure using stboot (in beta) is now available on a pair of WireGuard servers in Sweden.

Today we are introducing our first VPN servers booted with our new bootloader – stboot. This marks the start of our long-running public-facing journey to make our VPN infrastructure transparent and user-auditable.

Diskless infrastructure for VPN servers

Today we announce an early beta release of a part of our System Transparency technology running on one VPN server in Gothenburg and one in Stockholm, Sweden. Both of these servers are listed in a “System Transparency [BETA]” city in our server list, viewable within our app as well as on our website.

You can find these servers by selecting: Switch Location → Sweden → System Transparency [BETA]

Make sure you are using the WireGuard protocol (applies to desktop app only).

- Advertisement -

This means that we now have two servers running entirely on RAM, without any disks in use.

What does “without any disks in use” mean?

  1. If the computer is powered off, moved or confiscated, there is no data to retrieve.
  2. We get the operational benefits of having fewer breakable parts. Disks are among the components that break often. Therefore, switching away from them makes our infrastructure more reliable.
  3. The operational tasks of setting up and upgrading package versions on servers become faster and easier.
  4. Running the system in RAM does not prevent the possibility of logging. It does however minimise the risk of accidentally storing something that can later be retrieved.

Where do you pull data from if you have no disks to store it on?

For these servers we make use of provisioning servers in order to download an “OS Package”. These provisioning servers have disks but they contain only the signed images and some base configuration data that our System Transparency (or stbooted) servers will use.

Our VPN servers launch the System Transparency bootloader (stboot) which downloads the OS package from a provisioning server and verifies that it originates from relevant Mullvad VPN staff by checking its signatures. If the OS package is valid, the OS is booted. The server then waits for an authorised member of staff to provision and deploy it for customer use.

By and large, these servers will be configured in a similar manner to our other WireGuard servers, except we use no disks, and RAM is the only location where data is kept.

- Advertisement -

Debug output stboot starting up

Debug output OS package signatures verified

What happens when the server is restarted?

At this point, the server would boot up, unaware about its past history due to using no disk. The process would be the same as in the previous step (download, verify, wait for authorisation).

In other words, we have amnesia for servers.

If this is the first of many steps, what happens next?

- Advertisement -

We get your feedback, if any, on how well it works!

We will continue to develop our provisioning and deployment process of stbooted VPN servers, starting with the ones providing WireGuard tunnels. We will start adding more servers in different locations as we get more comfortable and the projects’ moving parts become more mature.

End goal: Trustworthiness through transparency

We are continuously striving to strengthen the trustworthiness of all aspects of our service. This is why our VPN apps have been open source since we started over 12 years ago. Achieving transparency on the server side is a very different challenge, as merely open sourcing our server software is not enough. We want our users to be able to verify and audit what is currently running on the VPN server they are connected to. This is our end goal with System Transparency.

Note

During this beta, WireGuard keys will be wiped on each server restart. If you are using configuration files to connect to the servers you will need to download new ones each time this happens. This does not affect the Mullvad App.

Read more

NOW WITH OVER +8500 USERS. people can Join Knowasiak for free. Sign up on Knowasiak.com
Read More

- Advertisement -

2 Comments

  1. A bit tangential to the main post, but I'd to share a recent positive experience with Mullvad:

    I am a regular user of Mullvad and recently wanted to try a different VPN, that only provides Wireguard configs (i.e. no native app). I used the default setup.

    For some reason, my internet connection was flaky, and when it disconnected and reconnected, my traffic leaked.

    That never happened with Mullvad as the app comes with an "Always require VPN" option out of the box and it has always worked reliably.

You might also likeRELATED
Recommended to you

Compiling a Spin program correct into a native binary for Nintendo Swap

Hajime Hoshi2022-01-03 Right here's an English...

GeoWorks: The Other “Windows”

Hey all, Ernie here with a refreshed piece about...

India defuses its population bomb: Fertility falls to 2 childhood per girl

Back in the 1960s, India faced an exploding population, with a fertility rate of nearly six children per woman. When famine struck, U.S. President Lyndon B. Johnson initially refused to deliver food aid, citing the country’s high birth rate. In response, India’s Prime Minister Indira Gandhi dramatically expanded the first national family planning program in…
- Advertisement -

Billionaire Chamath Palihapitiya: ‘nobody cares’ about China’s Uyghur genocide

WASHINGTON – Billionaire investor Chamath Palihapitiya triggered a backlash on social media after saying during a recent episode of his podcast that "nobody cares" about the ongoing human rights abuses against the Uyghurs in China.During a 90-minute episode, Palihapitiya told co-host Jason Calacanis on their "All-In" podcast that he would be lying if he said that…

Show HN: Declarative Instrumentation for Python

Pyccolo is a library for declarative instrumentation in Python; i.e., it lets you specify the what of the instrumentation you wish to perform, and takes care of the how for you. It aims to be ergonomic, composable, and portable, by providing an intuitive interface, making it easy to layer multiple levels of instrumentation, and allowing…

Must read

Testing Phone-Sized Faraday Bags

2 December 2021, 5 AMTesting Phone-Sized Faraday Bags Reliable...

Predict civilization collapse with Python and World3 mannequin

The World3 model revisited in Python Install & Hello World3 How to tune your own simulation Licence How to cite PyWorld3 with Bibtex References & acknowledgment PyWorld3 is a Python implementation of the World3 model, as described in the book Dynamics of Growth in a Finite World. This version slightly differs from the previous one…
- Advertisement -