Back to overview
Security

Provability over promises

VluxNet moves your data sovereignly and end-to-end encrypted — and makes every movement traceable with tamper-evident provenance. No third-party server, no Windows sharing as an entry point, a single hardened gateway to the outside. In an attack, that means: damage contained, central data survives, and it's provable what happened.

What the architecture delivers

Eight properties backed by our source code — not marketing claims.

No Windows file sharing as an entry point

VluxNet uses no SMB, RDP or Active Directory, but its own end-to-end protocol over TLS. The main spreading routes of classic ransomware are architecturally absent.

Chat end-to-end encrypted

AES-256-GCM between sender and recipient, a fresh random nonce per message, a separate key per conversation thread. Nobody in between reads along.

Tamper-evident audit log

Every security-relevant action lands in a hash-chained log (SHA-256). If an entry is altered after the fact, the chain breaks visibly — tampering is provable.

Encrypted, pinned LAN connections

Connections on the local network run over TLS 1.2/1.3 with certificate pinning and downgrade protection. Once trusted, always encrypted.

Real files don't sit around locally

Vlux Drive works with placeholder references — the actual file only comes from the server when opened, and is removed again afterwards. This reduces the attack surface at rest.

Fine-grained permissions per contact

You decide per folder and contact who may read, write or administer — based on a clear whitelist. Whoever isn't cleared doesn't get in.

A single hardened gateway to the outside

Remote access runs exclusively through Vlux Bastion: mutual TLS authentication (mTLS), an access whitelist and rate limiting. One controlled entrance instead of many open ports.

Incoming files are never opened automatically

Received files land in a quarantine folder per sender and are never executed on their own. They open only when you deliberately do so.

What we deliberately do NOT promise

A false security claim does more harm than a missing one. So here, openly, where the limits are.

We don't prevent attacks — we contain their damage.

VluxNet is not an antivirus solution and not ransomware protection. What we deliver: if something happens, your central data survives, the damage stays locally contained, and it's provably traceable what occurred.

At-rest encryption is software-bound, not hardware-secured.

Local data can be encrypted at rest (bound to your Windows profile). That is not TPM/HSM hardware protection — that's on the roadmap. Hardware-bound keys exist today only on Android.

Device onboarding runs via QR code.

New devices are enrolled via a QR-code procedure. We deliberately don't say "BLE-verified" or "eID" — those methods are not part of the current state.

Tamper-evident is the audit log — not the chat history.

The hash-chained log is genuinely append-only. The local chat history, by contrast, can be deleted — we make no immutability claim there.

Our position

We offer provability and containment — not invulnerability. Every strength on this page is backed by our source code. We only claim what we actually built.

Thank you.

The beta phase is starting now — with a fixed group of testers.

Beta running

Thank you to our beta testers

You're entering the beta with us while VluxNet is still young, and you're giving us your trust. You report bugs, shape features and help decide where the journey goes. That is exactly what makes the difference. From the heart: thank you.

Applications currently closed

The beta is running with a fixed group — we're not accepting further applications at this time. General availability is coming; then VluxNet will be open to everyone.

Urgent case?

If you need a secure solution right now, reach out anyway — we'll find a way.

Send urgent request