Security

The cryptography and key handling behind vpn.golf, stated plainly.

Encryption

WireGuard fixes one modern cipher suite: Curve25519, ChaCha20-Poly1305, BLAKE2s. There are no weak options to misconfigure into.

Key handling

Each device generates its own key pair locally; we store only the public key. Revoking a device removes its key from the exit nodes.

Isolation

Control plane and exit nodes are separate systems on separate providers, limiting the blast radius of any single compromise.

Reporting a vulnerability

Email security@vpn.golf (see our security.txt). We welcome good-faith research.

Frequently asked questions

WireGuard's fixed modern suite: Curve25519 for key exchange, ChaCha20-Poly1305 for encryption, BLAKE2s for hashing. There are no weak options to misconfigure.

Email security@vpn.golf (see our security.txt). We welcome good-faith research and will coordinate disclosure.

Your private key stays on your device. We store only your public key, which is removed from the exit nodes when you revoke a device.

Security

Encryption

Key handling

Isolation

Reporting a vulnerability

Frequently asked questions

What encryption does vpn.golf use?

How do I report a security vulnerability?

Where are my keys stored?