The Reliquary


+ Introduction +

The Reliquary is a sanctum cathedral infrastructure that helps you establish post-quantum-secure, peer-to-peer, end-to-end encrypted sanctum tunnels between any of your POSIX devices, even if they are behind NAT.

The Reliquary provides an API that talks to our cathedrals and lets you manage your flocks and devices with a handful of very simple shell scripts.

Check out our getting started guide.
Download The Reliquary cli-tools.

This community service is free for use as long as you adhere to our strict nothing-illegal policy.

+ Technology +

Reliquary is built on sanctum, a daemon designed from the ground up with strong privilege separation and sandboxing.

The sanctum daemon uses modern cryptography for traffic encryption and features a hybridised key exchange that mixes a symmetric pre-shared secret, ECDH and ML-KEM-1024 together. Because the resulting key depends on all three inputs, your traffic's confidentiality and integrity hold as long as any one of them remains unbroken, which is what provides the post-quantum guarantee.

A more detailed cryptographic description can be found in the sanctum repository inside of the docs/crypto.md file.
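The hybrid idea above can be made concrete with a small key combiner. The block below is an added illustration and is not sanctum's or libkyrka's code; sanctum's real derivation is specified in docs/crypto.md and may differ in details. It assumes HKDF-SHA256 as the combiner, uses constructed stand-in bytes in place of real X25519 and ML-KEM-1024 outputs, and uses a made-up `info` label. The point it shows is that the derived traffic key stays secret for an attacker who has broken ECDH but lacks the pre-shared secret and the KEM secret, and that tampering with the public handshake transcript changes the key.

```python
"""Illustrative hybrid key combiner (added example, NOT sanctum's code).

Mixes three independent secrets into one traffic key with HKDF-SHA256:
  psk     - symmetric pre-shared secret (distributed via the cathedral)
  ecdh_ss - output of an ECDH exchange (e.g. X25519)
  kem_ss  - shared secret decapsulated from an ML-KEM-1024 ciphertext
A hybrid's property: the derived key stays secret as long as ANY one of the
three inputs is secret, so a future break of ECDH alone gains nothing.
The ECDH and KEM values used below are constructed stand-in bytes; no real
X25519 or ML-KEM is run here.
"""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_secrets(psk: bytes, ecdh_ss: bytes, kem_ss: bytes, transcript: bytes) -> bytes:
    """Derive a 32-byte traffic key from the three secrets and the handshake transcript.

    Each input is length-prefixed before concatenation so that two different
    (psk, ecdh_ss, kem_ss) triples can never produce the same IKM byte string.
    The transcript (the public handshake messages) is bound in as the HKDF salt,
    so a man-in-the-middle who alters a public value changes the key on one side.
    The info label is an assumption of this example, not a sanctum constant.
    """
    ikm = b"".join(len(part).to_bytes(2, "big") + part for part in (psk, ecdh_ss, kem_ss))
    prk = hkdf_extract(hashlib.sha256(transcript).digest(), ikm)
    return hkdf_expand(prk, b"example-hybrid-kex v1", 32)


def demo() -> dict:
    """Run the combiner for two honest peers, an ECDH-breaking attacker, and a tampered transcript."""
    # Constructed stand-ins; a real handshake would obtain these from X25519 and ML-KEM-1024.
    psk = bytes.fromhex("aa" * 32)
    ecdh_ss = bytes.fromhex("bb" * 32)
    kem_ss = bytes.fromhex("cc" * 32)
    transcript = b"peerA-pub||peerB-pub||kem-ciphertext"

    key_a = combine_secrets(psk, ecdh_ss, kem_ss, transcript)
    key_b = combine_secrets(psk, ecdh_ss, kem_ss, transcript)

    # Adversary model: a quantum attacker recovers ecdh_ss from the public keys and
    # sees the whole transcript, but holds neither the PSK nor the KEM shared secret.
    key_attacker = combine_secrets(bytes(32), ecdh_ss, bytes(32), transcript)

    # Tampered transcript: the same three secrets yield a different key.
    key_tampered = combine_secrets(psk, ecdh_ss, kem_ss, transcript + b"X")

    return {
        "peers_agree": key_a == key_b,
        "attacker_has_key": key_attacker == key_a,
        "tampered_transcript_matches": key_tampered == key_a,
        "key_len": len(key_a),
    }


if __name__ == "__main__":
    print(demo())
```

Running it prints `peers_agree: True`, `attacker_has_key: False` and `tampered_transcript_matches: False`. The length prefixes and the transcript-as-salt are the two details that are easy to get wrong in a home-grown combiner; a plain `sha256(psk + ecdh_ss + kem_ss)` would have neither property.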

You are not limited to sanctum: any libkyrka application can use this infrastructure. For example, the following sanctum-based applications work out of the box: tier6, confessions and gospel.

+ The Cathedrals +

We use the cathedral mode of sanctum to provide an authenticated relay and a key distribution point. The authenticated relay is used for peer discovery and brokers a direct peer-to-peer connection where possible.

As a key distribution point, the cathedrals allow you to update your shared secrets for your devices.

Important: These are always wrapped with your per-device unique KEK and we do not see the plaintext keys.

The Reliquary provides multiple cathedrals to provide resilience in the case of an outage or if cathedrals drop offline unexpectedly.

+ Do you have access to my traffic? +

No.

The cathedrals cannot inject into, modify or read any of the traffic relayed over them: that traffic is encrypted end to end and the cathedrals do not hold the keys needed to do so. You own those keys.

A cathedral is only involved for a few seconds while peer-to-peer discovery takes place, or it relays the still-encrypted traffic if no peer-to-peer connection is possible.

+ Can I just build this myself? +

Because sanctum is truly open and free software licensed under the ISC license, you can build something like this entirely yourself. In fact we encourage you to do so if you have the know-how.

You can find all code required to run reliquary.se on our github mirror here.

+ Who runs this? +

This community service is run by the creator of sanctum with the help of a few volunteers from across the globe. The Reliquary was started so that he and his protokol0x41 hacker friends could more easily set up tunnels between all their devices without having to use services like Tailscale or ZeroTier.

+ Terms And Conditions +

By using The Reliquary you agree to the following:

This is a free-of-charge, community-driven service with zero warranty. It may shut down at any given point without prior notice, or we may delete your account without giving notice.

We take no responsibility for any data transmitted over this service, as we can neither read nor filter that data. By using this service you accept that Reliquary may not be used for illegal activities or to distribute illegal content, and that you and you alone are responsible for the data you transmit.

You will not perform harmful actions that take The Reliquary offline or cause service disruptions.

If one of your devices is behind a NAT type that prevents a direct peer-to-peer connection, your traffic will instead be relayed over one of our cathedrals (remember, we cannot read your traffic) and will be capped at 25 Mbit/s.

+ Contact +

You can reach us at help@reliquary.se or find us on Discord.