Sanctum introduction

Submitted by Style Pass, 2024-04-29 13:00:03

Sanctum is a small, reviewable, experimental and fully privilege-separated VPN daemon capable of transporting encrypted network traffic between two peers.

Sanctum is built using a multi-process approach in which each process does only one thing. This allows for more fine-grained sandboxing with respect to permissions and allowed system calls.

Several different processes exist, each performing only one task:

- bless - The encryption process.
- confess - The decryption process.
- chapel - The key exchange process.
- heaven-rx - The red side receiving process.
- heaven-tx - The red side transmitting process.
- purgatory-rx - The black side receiving process.
- purgatory-tx - The black side transmitting process.

Packets flow between these processes in a well-defined manner, making it impossible to move a packet straight from the red side to the black side without passing through the encryption process, and vice versa.

Traffic encryption
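To make that flow constraint checkable, here is an added example (not sanctum's own code) that models the process hand-offs as a directed graph and verifies that every red-to-black path passes bless and every black-to-red path passes confess. The process names are the page's; the edges between them and the helper names are assumptions.

```python
# Toy model of the sanctum process pipeline. Constructed example:
# the process names come from the page, the edges are assumed.
from collections import deque

# Assumed packet hand-offs. Red-side traffic enters at heaven-rx and
# must pass bless before purgatory-tx sends it on the black side;
# black-side traffic enters at purgatory-rx and must pass confess
# before heaven-tx. chapel handles keys only, so it carries no packets.
EDGES = {
    "heaven-rx": {"bless"},
    "bless": {"purgatory-tx"},
    "purgatory-tx": set(),
    "purgatory-rx": {"confess"},
    "confess": {"heaven-tx"},
    "heaven-tx": set(),
    "chapel": set(),
}

def reachable(edges, src, dst, avoid=frozenset()):
    """Breadth-first search: can a packet handed to `src` arrive at
    `dst` without ever being handed to a process in `avoid`?"""
    seen, queue = {src}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            return True
        for nxt in edges.get(cur, ()):
            if nxt not in seen and nxt not in avoid:
                seen.add(nxt)
                queue.append(nxt)
    return False

def mediated(edges, src, dst, via):
    """True when a path from src to dst exists and every such path
    passes through `via`."""
    return reachable(edges, src, dst) and not reachable(edges, src, dst, avoid={via})

def pipeline_is_sound(edges):
    """The property stated above: no red->black path skips encryption
    and no black->red path skips decryption."""
    return (mediated(edges, "heaven-rx", "purgatory-tx", "bless")
            and mediated(edges, "purgatory-rx", "heaven-tx", "confess"))

def with_shortcut(edges, src, dst):
    """Copy of `edges` with one extra hand-off, modelling a misrouted queue."""
    copy = {k: set(v) for k, v in edges.items()}
    copy.setdefault(src, set()).add(dst)
    return copy

if __name__ == "__main__":
    print("declared pipeline sound:", pipeline_is_sound(EDGES))
    print("with heaven-rx -> purgatory-tx shortcut:",
          pipeline_is_sound(with_shortcut(EDGES, "heaven-rx", "purgatory-tx")))
```

Running the same check against a topology with an extra hand-off shows how a single misrouted queue would break the red/black separation.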
