Expanding diskless infrastructure to more locations (System Transparency: stboot)

1 August 2022  SYSTEM TRANSPARENCY

In January 2022 we announced the first pair of VPN servers booted with our stboot bootloader, both located in Sweden. That was the start of our long-running System Transparency project.

Now we announce a continuation of this project with even more servers added around the world, all running from RAM with no disks in use.

You can view all the servers running from RAM without any disks in use on our server page (https://mullvad.net/en/servers/). There is a “Running from” filter to select RAM or disk servers.

More diskless infrastructure for VPN servers

Today we announce the continuation of our System Transparency project with more servers spread around the world. All of the new servers are found within their respective cities in the server list, since our plan is to move all our VPN infrastructure to run on our stboot bootloader in future.

To find these servers, set the “Running from” toggle to RAM on our server page here: https://mullvad.net/servers

What about the [BETA] servers you had previously?

These are going to be moved and placed into their respective cities in due time. Please switch away from these servers and select a new server or location. We will have servers in Sweden running with stboot.

To recap about “no disks in use”

  1. If the computer is powered off, moved or confiscated, there is no data to retrieve. On servers running from disks, this is also the case as we encrypt all of them to secure their data. Regardless, there would still be no logs or customer information.
  2. We get the operational benefits of having fewer breakable parts. Disks are among the components that break often. Therefore, switching away from them makes our infrastructure more reliable.
  3. The operational tasks of setting up and upgrading package versions on servers become faster and easier.
  4. Running the system in RAM does not prevent the possibility of logging. It does, however, minimise the risk of accidentally storing something that can later be retrieved assuming the server has not been powered off.

What happens next?

We get your feedback, if any, on how well it works!

We will continue to add more and more servers in different locations running from RAM without any disks in use. We will also improve the deployment and configuration of these servers, and continue to include these servers as a prime focus in our next infrastructure audit.

Servers that are not running from RAM

We have detailed how we run our servers previously (https://mullvad.net/help/server-list/), explaining that:

“We encrypt all of our servers to secure their data. This means that no one can simply unplug a server, boot it up, and mount the disk in order to copy keys without first knowing the encryption passwords. Only relevant Mullvad staff have access to these.

In addition, the passwords, certificates, and private keys for the VPN tunnels are all unique for each server. In the unlikely event that any of these were to be extracted, only that particular individual server would be affected.”

The configuration of these servers has not changed, and we are continuing to encrypt the servers to secure their data.

Note

Servers running from both disk and RAM contain WireGuard private keys which we persist across controlled reboots. This means that WireGuard keys are no longer wiped on each server restart.

Configuration files that are generated from the accounts page can now be used to connect to these servers.

Read more

System Transparency is the future - https://mullvad.net/blog/2019/6/3/system-transparency-future/

Open Source Firmware is the future - https://mullvad.net/blog/2019/8/7/open-source-firmware-future/

System Transparency home page - https://www.system-transparency.org/

Our previous blog about where we came from: https://mullvad.net/blog/2022/1/12/diskless-infrastructure-beta-system-transparency-stboot/