This page is for anyone who wants to understand the architecture behind Fenrir — how messages move, what the server sees, and what we have deliberately made impossible for ourselves to do.
Fenrir uses the Signal Protocol for end-to-end encryption — the same protocol used by Signal and trusted by security researchers worldwide. Every message is encrypted on the sender's device before it leaves. It is decrypted only on the recipient's device. The server handles an opaque ciphertext blob it cannot read.
The Double Ratchet algorithm means every message uses a different encryption key. Compromising one message does not compromise past or future messages. This property is called forward secrecy.
Protocol
Signal Protocol
Double Ratchet + X3DH. Industry standard. Independently audited.
Key Exchange
X3DH
Extended Triple Diffie-Hellman. Establishes encrypted sessions without the server seeing keys.
Forward Secrecy
Per-message keys
Each message encrypted with a unique key. Past messages stay safe even if a key is later compromised.
V2 — Planned
Triple Ratchet
PQXDH + SPQR. Post-quantum resistant. Matches Signal's current production posture. Ships when stable.
Standard encrypted messaging protects message content but still exposes metadata — who sent what to whom, and when. We're closing that gap with sealed sender: the sender's identity is encrypted inside the message payload using the recipient's identity key, so the server sees only the recipient and a timestamp — not the sender.
To be precise about where this stands: usernames are registered, and your account exists on our servers today. Sealed sender is the change that stops the server from linking a sender to a delivery at the moment a message arrives — it is the last piece closing out the current messaging-hardening phase, ahead of voice.
WHAT THE SERVER WILL STORE PER MESSAGE, ONCE THIS LANDS
An opaque ciphertext blob. A recipient identifier. A timestamp. Delivery status. No sender identity in the delivery record. That is the target, and it's what we hold ourselves to before calling this done.
Registration requires a username and password. Nothing else. No phone number, no email address, no external identity anchor of any kind. Your identity on Fenrir is your username — chosen at registration, permanent.
Passwords are hashed with bcrypt server-side. The plaintext password never leaves your device and is never stored anywhere. Account recovery is via a backup code generated locally at registration and shown once. If lost, the account cannot be recovered. This is the price of not requiring a phone number — we communicate it clearly.
Contact discovery is by username search only. We do not scan your contacts. We do not ask for your address book. There is no contact hashing. If you know someone's username, you can message them. If you do not, you cannot.
Fenrir runs on physical infrastructure owned and operated by AetherMind. No hyperscaler is in the data path. No AWS, no GCP, no Azure. The compute, storage, and networking are ours.
Today's build runs on a segmented, VLAN-based network — management traffic, VM traffic, and application traffic isolated from each other by design, default-deny between segments unless explicitly allowed. This is validated and reboot-persistent now. The full production topology — a dedicated perimeter firewall, redundant storage replication, and a fully isolated backup network — is architecture-locked and sequenced next; it is not yet the live topology.
Reaching this backend from outside our private network requires one external component: a relay, needed because our current connection sits behind CGNAT with no static public IP on-site. This relay is being brought online now, as this build phase closes. Design is locked: it will hold no user data and no encryption keys, and it will see only connection-level metadata — timing, and that a connection occurred — never content, which stays end-to-end encrypted regardless of transport. That disclosure holds permanently, not just until the relay is live: when a self-owned static IP replaces it, the relay itself goes away, but the same standard — no third party ever sees content — is what it's held to the entire time.
Traffic path — inbound (target design)
The relay sees only encrypted tunnel traffic plus connection metadata. TLS terminates at our reverse proxy. The application backend never receives a raw connection from the internet. This is the locked design being brought up now — it is labeled target design here, not a claim that it is already carrying live traffic.
Push notifications are delivered via a self-hosted UnifiedPush server. No Google FCM. No Apple APNs. No third-party service receives any information about your notification events. This works on standard Android and GrapheneOS.
Notification payloads carry zero content. They are a signal to your device to wake the app and fetch the message over the encrypted channel. The notification itself tells nothing to anyone who sees it.
The following are absent by design. This is not marketing language — these components do not exist in the architecture.
Advertising infrastructure
No ad network. No analytics pipeline. No data warehouse.
Third-party cloud
No AWS, GCP, Azure, or any hyperscaler in the data path.
SMS gateway
No OTP. No Twilio. No external identity verification of any kind.
Google FCM / Apple APNs
Push notifications are self-hosted. No third-party notification service.
Contact hashing
No phone book access. No contact matching. Username search only.
Behavioural profiling
No usage tracking. No session analytics. No profile building.
These are not features added later. This is how Fenrir was designed from day one.
Notify me when it's ready