Security & Encryption
Garrison is private by default: self-hosted, no telemetry, and real end-to-end encryption for the channels that need it, built on the IETF MLS standard (RFC 9420).
End-to-end encryption (MLS)
Any channel can be marked encrypted. For those channels, messages are encrypted on your device and only ever reach the server as opaque ciphertext. The server stores and relays those bytes but can't read them; encryption and decryption happen entirely in the client, using a real MLS group per channel (OpenMLS, compiled to WebAssembly).
When members join or leave an encrypted channel, the group's keys are rotated so a removed member can't read new messages, and a new member can't read old ones.
What's encrypted: message bodies in channels marked encrypted. What isn't: normal (non-encrypted) channels, direct messages, and metadata such as who is in a server. Server-side search and translation skip encrypted channels by design, since the server can't read them; translation for those channels happens on-device.
Key backup & new devices
Because keys live on your device, Garrison offers a password-wrapped key backup under Settings → Encryption. Your keys are encrypted with a key derived from a passphrase (PBKDF2 + AES-GCM) before they're stored; the passphrase never leaves your device, so you can restore your encrypted history on a new device.
If you lose your devices and your backup passphrase, encrypted message history is gone; not even the server operator can recover it. That's the whole point of end-to-end encryption. Back up, and keep the passphrase safe. Anyone holding the backup blob can guess passphrases against it offline, so the backup is only as strong as the passphrase: use a long one.
Account security
- Passwords are hashed with argon2id and never stored or transmitted in the clear.
- Sessions use short-lived JWT access tokens plus rotating refresh tokens with theft/reuse detection: if a stolen refresh token is replayed, the whole token family is revoked and you're forced to sign back in.
- Two-factor authentication (TOTP) with an authenticator app, plus 10 one-time recovery codes. Enable it under Settings → Security.
- Changing your password revokes all other sessions.
Hardened transport
- Rate limiting on auth endpoints and on real-time messages (per-connection and per-IP).
- CSP and security headers, and a CORS origin allowlist (no wildcard).
- Access tokens are never put in URLs: the WebSocket authenticates with a first message, so tokens don't land in proxy logs.
- All database queries are parameterized; secrets come from the environment, never the codebase.
Privacy posture
Garrison is self-hosted with no telemetry. There's no analytics phone-home and no third-party data sharing; your community's data lives on the box you control. See Self-Hosting to run your own.