Traffic Analysis protection

Sanctum offers very strong traffic analysis protection, being able to mask all protocol meta-data on the wire, making packets look entirely like random data.

This feature is called shroud.

Shroud is off by default as it increases overhead and affects performance by about 45% as it has to shroud/unshroud each individual packet with additional unique per-packet masks.

While shroud on a normal tunnel setup does not offer many advantages, it is very useful in a cathedral setup as it becomes very tricky for anyone capturing traffic to deduce what devices belong to the same flock and who is talking to whom.