Latest release: sanctum 1.1.2

Privilege separation

Sanctum is the only ISC-licensed, free and open VPN software in the world designed from the ground up in a fully privilege-separated way.

Multi-process

Sanctum is built using a multi-process approach in which each process does only one thing. This allows for more fine-grained sandboxing of permissions and allowed system calls.

Packets flow between these processes in a well-defined manner, which makes it impossible to move a packet straight from the red side to the black side without passing through the encryption process, and vice versa.

Sandbox

Its unique privilege separation design, in combination with strong modern sandboxing, guarantees that all of its important assets are separated from processes that talk to the internet or handle non-cryptographic work.

Each process receives its own sandbox with only the system calls it requires to function and only access to the files it needs.

Packet flow

The processes share packets between each other in a well-defined way.

For incoming packets:

    purgatory-rx (black) -> confess (decryption) -> heaven-tx (red)

For outgoing packets:

    heaven-rx (red) -> bless (encrypt) -> purgatory-tx (black)

When the processes start, they remove any queues they do not need for operating, making sure only the correct processes have access to the queues they require.

Processes

Below is a list of all the processes that make up sanctum and their responsibilities. Which processes are active is determined by the mode sanctum runs in.

For example: pilgrim (the sender mode for one-way tunnels) does not have the heaven-tx or purgatory-rx processes active, meaning it is impossible for it to receive any packets.

Process Name   Description
bless          The process responsible for encrypting packets.
confess        The process responsible for decrypting packets.
chapel         The process responsible for deriving new TX/RX keys from a key.
heaven-rx      The process receiving packets on the inner interface.
heaven-tx      The process sending packets on the inner interface.
purgatory-rx   The process receiving packets on the outer interface.
purgatory-tx   The process sending packets on the outer interface.
pilgrim        The process handling TX keys when running in pilgrim mode (pilgrim is the sender mode for one-way tunnels).
shrine         The process handling RX keys when running in shrine mode (shrine is the receiver mode for one-way tunnels).
cathedral      The process handling discovery, relay and key distribution for connected peers.
liturgy        The process responsible for autodiscovery of peers in a cathedral.
bishop         The process responsible for configuring tunnels discovered by the liturgy process.
guardian       The process monitoring all other processes. It is responsible for setting MTU values and updating the sanctum uptime once every second. This uptime is used by other processes that need timestamps.
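The packet flow and the per-mode process list above can be checked as a small topology model; the following is an added illustration, not sanctum's own code. The queue names, the "tunnel" mode entry and the reachability check are assumptions made for this example; only the two flows and pilgrim's missing processes come from the page.

```python
# Constructed model of sanctum's queue topology (illustration, not sanctum's code).
# Queue names, the mode table beyond pilgrim and the reachability check are assumed.
from collections import deque

# Packet flow from the page: each adjacent pair is one queue whose only legitimate
# owners are its producer and its consumer process.
FLOWS = {
    "incoming": ["purgatory-rx", "confess", "heaven-tx"],
    "outgoing": ["heaven-rx", "bless", "purgatory-tx"],
}
RED = {"heaven-rx", "heaven-tx"}          # inner (plaintext) side
BLACK = {"purgatory-rx", "purgatory-tx"}  # outer (internet) side
CRYPTO = {"bless", "confess"}
# Processes inactive per mode: pilgrim's come from the page, "tunnel" is assumed.
MODE_DISABLED = {"tunnel": set(), "pilgrim": {"heaven-tx", "purgatory-rx"}}

def queues_for(mode):
    """Map queue name -> {producer, consumer} for the processes active in mode."""
    disabled = MODE_DISABLED[mode]
    return {f"{src}->{dst}": {src, dst}
            for chain in FLOWS.values()
            for src, dst in zip(chain, chain[1:])
            if src not in disabled and dst not in disabled}

def kept_queues(mode, process):
    """Queues a process still holds after dropping the ones it does not need."""
    return sorted(q for q, owners in queues_for(mode).items() if process in owners)

def reachable(mode, start, avoid=frozenset()):
    """Processes a packet can reach from start via kept queues, never via avoid."""
    edges = {}
    for q in queues_for(mode):
        src, dst = q.split("->")
        edges.setdefault(src, set()).add(dst)
    seen, todo = set(), deque([start])
    while todo:
        for nxt in edges.get(todo.popleft(), ()):
            if nxt not in seen and nxt not in avoid:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def crypto_bypass_possible(mode):
    """True if any red/black process reaches the other side without bless/confess."""
    active = (RED | BLACK) - MODE_DISABLED[mode]
    return any(reachable(mode, p, avoid=CRYPTO) & (BLACK if p in RED else RED)
               for p in active)

def can_receive(mode):
    """True if a packet from the outer interface can reach the inner interface."""
    return "heaven-tx" in reachable(mode, "purgatory-rx")
```

Adding a direct red-to-black queue to FLOWS makes crypto_bypass_possible report True, which is the kind of invariant a reviewer would want checked against the real queue setup.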