Security
Security Whitepaper
The Managed Sovereign Model — how ellul.ai proves trust instead of asking for it.
The Managed Sovereign Model
ℹCore Philosophy
Most platforms hold the keys to your kingdom. We actively throw them away.
Most hosting platforms store your credentials, manage your access, and ask you to trust that no employee, breach, or rogue process will ever abuse that power.
ellul.ai takes a fundamentally different approach. We handle the billing and the hardware. But the authority — the cryptographic proof of who you are and what you're allowed to do — lives exclusively on your VPS and your device. We are the caretaker, not the landlord. If we disappear tomorrow, your server keeps running. If we get breached tonight, your data stays untouched.
The Core Promise: Don't Trust Us. Trust the Math.
Traditional platforms require you to trust a chain of people: the ops team, the support staff, the database admin, the vendor's vendor. ellul.ai replaces human trust with cryptographic guarantees wherever possible.
Chain of Trust
| What | Trust the Vendor | Trust the Math |
|---|---|---|
| Billing & Payments | ✓ | |
| Initial Server Setup | ✓ | |
| DNS Routing | ✓ | |
| Your Identity | ✓ WebAuthn + PoP | |
| Command Integrity | ✓ HMAC SHA-256 | |
| Code Updates | ✓ GPG Signatures | |
| Data Access | ✓ Zero-Knowledge | |
| Command Execution | ✓ Proof of Possession | |
| Session Continuity | ✓ WebSocket PoP Challenges |
The left column is what every platform requires. The right column is what we moved out of our hands and into yours.
The Four Locks
ellul.ai's security architecture is built on four independent cryptographic guarantees. Each one eliminates an entire class of attack — not by making it harder, but by making it mathematically impossible.
Identity — WebAuthn + Continuous Proof of Possession
Tech
Non-extractable ECDSA P-256 keys in device secure enclave. PoP signatures over timestamp, method, path, body hash, and nonce on every request. WebSocket challenge-response every 5 minutes.
Benefit
Phishing is impossible. Session hijacking is impossible. Even if our database is breached, your server cannot be accessed.
The Problem: Traditional platforms authenticate you with passwords or session tokens stored in their database. If that database is breached, an attacker can impersonate you.
Our Solution: ellul.ai's Web Locked mode uses WebAuthn passkeys — the same technology behind Face ID and Touch ID. Your private key is generated inside your device's secure enclave and never leaves it (extractable: false).
Every request is signed by a Proof of Possession layer: a Service Worker intercepts all same-origin requests and adds ECDSA signatures over timestamp|method|path|bodyHash|nonce. The VPS independently verifies every signature.
For long-lived WebSocket connections (chat, terminal), the server issues PoP challenges every 5 minutes — random bytes that the browser must sign with its non-extractable key. Two consecutive failures terminate the connection. This provides SSH-equivalent continuous authentication.
- Phishing is impossible. WebAuthn is domain-bound — your passkey only works on the real ellul.ai domain.
- Session hijacking is impossible. Stolen cookies are worthless without the hardware key — the key cannot be extracted from the browser.
- A full platform breach cannot compromise your server. There is nothing in our database to steal.
- Long-lived connections are continuously authenticated. Unlike most web apps that authenticate once at connection time, we re-verify every 5 minutes.
Integrity — Deterministic Body Hashing
Tech
SHA-256 canonical body hash with recursive key sorting, embedded in PoP signature.
Benefit
The 'Bait and Switch' defense. It is mathematically impossible for anyone to modify your command between your browser and the server.
The Problem: Even with strong authentication, a man-in-the-middle (or a compromised platform) could alter the content of your request after you authenticate it. You confirm "restart my server" but the platform sends "delete my server."
Our Solution: Every sensitive request is bound to its payload using deterministic SHA-256 body hashing. The hash is computed over canonicalized JSON (recursively sorted keys) and embedded in the PoP signature. The VPS recomputes the hash independently — if a single parameter was changed by anyone, including us, the operation is rejected.
- TOCTOU protection. Parameters cannot change between confirmation and execution.
- Three-way integrity chain. During provisioning, the API hashes the cloud-init YAML, your browser independently computes the same hash, and the server verifies it on first boot. All three must agree.
Supply Chain — GPG-Verified Updates
Tech
Offline air-gapped GPG key. Fingerprint pinned as a build-time constant. Anti-rollback enforcement.
Benefit
We cannot push a backdoor to your server. Your VPS independently verifies every update against a public key that even we cannot change.
The Problem: If an attacker compromises a platform's CI/CD pipeline, they can push a backdoored update to every server — a single point of failure affecting all users simultaneously.
Our Solution: Your VPS independently verifies every update against a GPG signature created with an offline, air-gapped key. The verification happens on your server, not on our infrastructure.
| Check | What It Prevents |
|---|---|
| GPG Signature Verification | Unsigned or tampered releases |
| Fingerprint Pinning | Swapped GPG keyring (even by root attacker) |
| Anti-Rollback | Downgrade to vulnerable older versions |
| Tag Format Validation | Path traversal or injection via tag names |
✓Circular Dependency Defense
The GPG fingerprint is a build-time constant embedded in the daemon binary. An attacker would need to both compromise the GPG key and push a fraudulent GPG-signed update to change it — a circular dependency that makes the attack infeasible.
Containment — VPS-Served Interfaces
Tech
All UI served from the VPS binary. Nonce-based Content Security Policy. No external JavaScript dependencies. Session-pop.js injected at serve time.
Benefit
Even if the ellul.ai platform is fully compromised, an attacker cannot inject scripts into your server's interfaces. Your terminal, chat, and code browser are self-contained.
The Problem: Most web management interfaces load JavaScript from CDNs, platform servers, or third-party dependencies. If any of those sources are compromised, an attacker can inject malicious code into your management session.
Our Solution: Every interface on your VPS — terminal, chat (Vibe Mode), code browser — is a self-contained single-page application embedded in the VPS binary at build time. Zero external JavaScript. Zero CDN dependencies. The HTML is served directly by your VPS with a unique cryptographic nonce on every page load.
| Defense | What It Prevents |
|---|---|
| Nonce-based CSP | script-src 'nonce-...' — only scripts with the per-request nonce execute. Injected <script> tags are blocked. |
| No external JS | No CDN compromise vector. No supply chain risk from npm at runtime. |
| VPS-served HTML | The platform cannot modify what your browser receives. The binary on your VPS is the source of truth. |
frame-ancestors CSP | Prevents clickjacking by restricting who can embed the interfaces. |
form-action 'none' | Prevents form submission hijacking. |
✓The SSH Parallel
This mirrors how SSH works: the terminal client talks directly to the server binary. No intermediary can inject code into the session. Our web interfaces achieve the same property — the browser talks to VPS-served HTML that the platform cannot tamper with.
The "Bus Factor" — What If ellul.ai Disappears?
This is the question every developer should ask their hosting provider. Most can't give you a good answer. Here's ours.
ℹBreak Glass Protocol
Your server is a standard Linux VPS on Hetzner or DigitalOcean. ellul.ai is a management layer on top — not a proprietary container, not a locked-down image, not a walled garden.
If ellul.ai goes offline — whether from an outage, a shutdown, or the heat death of the universe:
Your server keeps running
All your applications, data, and configurations continue to operate. Nothing depends on our API for runtime functionality.
The daemon enters fail-safe mode
After 5 consecutive missed heartbeats, the State Enforcer enters Emergency Lockdown — closing external access as a precaution while the daemon stays alive and polls for recovery.
You SSH in and take over
Disable the agent, open SSH permanently, and your server is a standard Linux VPS. All your data, apps, and configs are intact.
Keep your server forever
Transfer billing to your own cloud provider account. ellul.ai is fully out of the picture.
# The full takeover — five minutes of work
sudo systemctl stop ellulai-enforcer
sudo systemctl disable ellulai-enforcer
sudo ufw allow 22/tcp
# Done. Standard Linux VPS.
✓We lock ourselves out, not you.
There is no kill switch, no remote wipe, no dead man's trigger. The worst case scenario for ellul.ai going away is five minutes of terminal commands.
Identity Pinning — The Anti-Takeover Defense
During initial provisioning, your user ID is written to an immutable lockfile on the VPS:
/etc/ellulai/owner.lock (chmod 400, chattr +i)
The chattr +i flag makes this file immutable at the filesystem level — not even root can modify or delete it without first removing the flag.
Every heartbeat, the State Enforcer checks whether the user ID reported by the API matches this lockfile.
✗Attack scenario: database takeover
An attacker compromises the database and runs UPDATE servers SET userId='hacker'. The next heartbeat detects the mismatch against owner.lock. Soft Lockdown activates instantly: JWT secret deleted, terminal killed, SSH closed. The attacker cannot issue commands despite "owning" the database record. When the database is corrected, the enforcer auto-recovers — no manual intervention, no support ticket.
Compliance & Privacy
Data Residency
ellul.ai supports strict region selection with EU-compliant datacenters:
| Region | Provider | Location | EU Residency |
|---|---|---|---|
| eu-central | Hetzner | Nuremberg, DE | Yes |
| eu-north | Hetzner | Helsinki, FI | Yes |
| eu-central (overflow) | DigitalOcean | Frankfurt, DE | Yes |
| eu-north (overflow) | DigitalOcean | Amsterdam, NL | Yes |
| us-east | Hetzner / DO | Ashburn / NYC | — |
| us-west | Hetzner / DO | Hillsboro / SFO | — |
| asia-pacific | Hetzner / DO | Singapore | — |
EU-region servers are provisioned exclusively in EU datacenters. Your data stays in the jurisdiction you choose.
Abuse Prevention — The Liability Straitjacket
⚠Blocked by default on every VPS
SMTP (25, 465, 587) — prevents spam relay. Mining pools (3333, 5555, 7777, 8888, 9999, 14433, 14444, 45560) — prevents cryptojacking. Outbound SYN flood — rate-limited to 100/s, preventing DDoS participation.
A clean IP means your legitimate services work reliably. Platforms that don't enforce these rules end up on blocklists — and so do you.
Encryption at Rest
All secrets stored in the ellul.ai database are encrypted with AES-256-GCM before storage. Initialization vectors are unique per record. Auth tags prevent tampering. Token hashes use SHA-256 with timing-safe comparison to prevent length oracle attacks.
The Audit Trail
Every security-relevant action is recorded in a hash-chained SQLite audit log. Each entry includes a SHA-256 hash of the previous entry, creating a tamper-evident append-only chain — if any entry is modified or deleted, the chain breaks and the tampering is detectable.
The system tracks 52 distinct event types across five categories:
| Category | Example Events |
|---|---|
| Authentication | Login, logout, failed auth attempts, PoP key binding |
| Server Operations | Create, delete, rebuild, rollback |
| Security Changes | Tier changes, passkey registration, SSH key management |
| Anomaly Detection | Replay attempts, nonce reuse, fingerprint mismatches |
| System Events | Lockdown triggers, recovery events, heartbeat failures |
Sensitive data (keys, tokens, credentials) is automatically redacted before logging. Destructive operations capture raw PoP signatures for hardware non-repudiation — cryptographic proof that the operation was authorized by the specific device.
Hostile Red Team Audit
The system has been subjected to adversarial testing covering four domains:
| Audit Domain | What Was Tested |
|---|---|
| Data Sovereignty | Can the platform access user data? Can a database breach expose server contents? |
| Credential Isolation | Does Web Locked mode remain safe under full platform compromise? |
| Localhost Bypass Prevention | Can internal services be reached by circumventing authentication layers? |
| Ghost Port Detection | Do disabled services leave residual open ports or listening sockets? |
ellul.ai vs. Traditional Platforms
| Traditional PaaS | Standard VPS | ellul.ai | |
|---|---|---|---|
| Who holds the keys? | The platform | You (manage everything) | You (we manage the rest) |
| Platform breach = your breach? | Yes | N/A | No (Web Locked mode) |
| Can the vendor read your data? | Usually yes | N/A | No |
| Can the vendor push code? | Yes | N/A | No (GPG verification) |
| Survive vendor shutdown? | No (proprietary runtime) | Yes | Yes (standard Linux VPS) |
| Command integrity? | No | N/A | Yes (HMAC body hashing) |
| Phishing-resistant auth? | Rarely | N/A | Yes (WebAuthn) |
| Continuous auth on connections? | No | Yes (SSH) | Yes (PoP challenges) |
| Setup complexity | Low | High | Low |
FAQ for Skeptics
You say you can't access my server. How do I know that's true?+
Because there's no mechanism to. In Web Locked mode, the only way in is with a WebAuthn passkey whose private component lives in your device's secure enclave — it cannot be exported. Every request requires a Proof of Possession signature from a non-extractable ECDSA key. We don't have a backdoor, an admin override, or an emergency access protocol. We architecturally cannot build one without breaking the GPG-signed update chain.
What if I lose my passkey device?+
During initial passkey registration, you receive 10 one-time recovery codes. Each is scrypt-hashed and can only be used once. If you lose your device and your recovery codes, you can access the underlying Hetzner or DigitalOcean VPS through the provider's emergency console. We intentionally limit our own recovery capabilities — because any recovery path we offer is a recovery path an attacker can exploit.
What stops a rogue ellul.ai employee from pushing a malicious update?+
GPG verification. Every update must be signed with an offline, air-gapped GPG key. The VPS verifies the signature and checks the fingerprint against a build-time constant. A rogue employee with full access to our infrastructure still cannot sign a release, because the signing key has never touched a networked machine.
How is this different from just renting a VPS myself?+
Three things: automated provisioning (your server is ready in minutes, not hours), managed security defaults (firewall rules, abuse prevention, hardened configs), and the tiered security model (WebAuthn, PoP signatures, body hashing, nonce-based CSP) that would take significant engineering effort to implement yourself. You get self-managed sovereignty without the self-managed overhead.
What data do you actually store about me?+
Your account info (email, OAuth tokens for login), server metadata (IP, region, plan, security tier), and encrypted secrets (SSH public keys, API tokens). We do not store: your server's contents, your terminal history, your application data, your SSH private keys, or your WebAuthn private keys.
Can you read my terminal sessions?+
In Standard mode, terminal traffic is proxied through our infrastructure — so theoretically, yes. In Web Locked mode, your terminal, chat, and code browser are self-contained SPAs served directly from your VPS binary, authenticated end-to-end with passkeys and PoP signatures. The platform never sees the traffic. If terminal privacy matters, enable Web Locked mode.
What happens to my data if I delete my account?+
Server deletion is handled at the cloud provider level. The VPS and all its data are destroyed. Your account data is deleted from our database. If you want to keep your server, disable the ellul.ai agent via SSH and transfer billing to your own provider account before deleting.
Has this been independently audited?+
The system has undergone internal adversarial testing (hostile red team audit) covering data sovereignty, credential isolation, localhost bypass prevention, and ghost port detection. We publish our security architecture transparently so you can audit the design yourself.