Security Model
Stealth implements a defense-in-depth approach, layering multiple protections to ensure your privacy and security. This document explains the technical security measures in place across all features.
Encryption Standards
Stealth uses industry-standard encryption throughout the application. Different features use encryption methods optimized for their specific purpose.
VPN Encryption
All VPN traffic is encrypted using the WireGuard protocol:
| Property | Value |
| --- | --- |
| Protocol | WireGuard - modern, audited VPN protocol |
| Cipher | ChaCha20-Poly1305 authenticated encryption |
| Key Exchange | Curve25519 elliptic curve Diffie-Hellman |
| Hashing | BLAKE2s for key derivation and hashing |
WireGuard provides excellent performance with strong security. The protocol has been formally verified and audited by cryptographers.
Stealth Vault Encryption
Your stored passwords and sensitive data in Stealth Vault are protected with:
| Property | Value |
| --- | --- |
| Algorithm | AES-256-CBC (Advanced Encryption Standard) |
| Key Derivation | PBKDF2-HMAC-SHA256 with 100,000 iterations |
| Storage | Encrypted locally - never transmitted to servers |
Your master password is never stored. It's used to derive the encryption key that unlocks your vault.
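The following is an added example, not Stealth's own code, showing how a vault record can be sealed with the parameters listed above without ever storing the master password. The record layout, the subkey labels and the HMAC-SHA256 integrity check are assumptions; CBC on its own does not detect modification, so the sketch verifies a MAC before decrypting.

```javascript
// Added example: an assumed vault record layout, not Stealth's actual format.
const nodeCrypto = require('node:crypto');

const ITERATIONS = 100000; // PBKDF2-HMAC-SHA256 count stated on the page

// Derive one 32-byte root key, then split it into independent subkeys.
// The labels and the HMAC are assumptions; the page names only CBC and PBKDF2.
function deriveKeys(masterPassword, salt) {
  const root = nodeCrypto.pbkdf2Sync(masterPassword, salt, ITERATIONS, 32, 'sha256');
  const sub = (label) => nodeCrypto.createHmac('sha256', root).update(label).digest();
  return { encKey: sub('vault-enc'), macKey: sub('vault-mac') };
}

// MAC covers everything an attacker with disk access could alter.
function macOver(macKey, { salt, iv, ct }) {
  return nodeCrypto.createHmac('sha256', macKey)
    .update(Buffer.concat([salt, iv, ct])).digest();
}

function sealVault(masterPassword, plaintext) {
  const salt = nodeCrypto.randomBytes(16); // stored beside the ciphertext
  const iv = nodeCrypto.randomBytes(16);   // fresh IV on every write
  const { encKey, macKey } = deriveKeys(masterPassword, salt);
  const cipher = nodeCrypto.createCipheriv('aes-256-cbc', encKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, ct, tag: macOver(macKey, { salt, iv, ct }) };
}

function openVault(masterPassword, record) {
  const { encKey, macKey } = deriveKeys(masterPassword, record.salt);
  const expected = macOver(macKey, record);
  // Verify first: a wrong password and a tampered file fail identically,
  // and the CBC padding is never examined on unauthenticated data.
  if (record.tag.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(record.tag, expected)) {
    return null;
  }
  const decipher = nodeCrypto.createDecipheriv('aes-256-cbc', encKey, record.iv);
  return Buffer.concat([decipher.update(record.ct), decipher.final()]).toString('utf8');
}

// Constructed sample data.
const sampleRecord = sealVault('correct horse battery staple', '{"site":"example.test"}');
console.log(openVault('correct horse battery staple', sampleRecord)); // the JSON string
console.log(openVault('wrong password', sampleRecord));               // null
```

Only the salt, IV, ciphertext and tag are written to disk; the master password and derived keys exist only in memory while the vault is open.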
Stealth Transfer Encryption
Files shared through Stealth Transfer use end-to-end encryption:
| Property | Value |
| --- | --- |
| Algorithm | AES-256-GCM (authenticated encryption) |
| Key Derivation | scrypt with strong parameters |
| Protection | Per-message IV and authentication tag |
Recipients receive a link containing the decryption key. Files are encrypted before upload and can only be decrypted by someone with the link.
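The following is an added example, not Stealth's own code, of encrypt-before-upload with the primitives listed above: scrypt, AES-256-GCM, a per-message IV and an authentication tag. The scrypt cost values, the `linkSecret` name and the upload record layout are assumptions, since the page does not specify them.

```javascript
// Added example: assumed parameters and record layout, not Stealth's format.
const nodeCrypto = require('node:crypto');

// Assumed scrypt cost; the page says only "strong parameters".
const SCRYPT = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// linkSecret stands for the secret carried in the recipient's link (hypothetical name).
function encryptForTransfer(linkSecret, fileBytes) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // per-message 96-bit IV, never reused
  const key = nodeCrypto.scryptSync(linkSecret, salt, 32, SCRYPT);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(salt); // bind the salt so it cannot be swapped unnoticed
  const ct = Buffer.concat([cipher.update(fileBytes), cipher.final()]);
  // Everything returned here is safe to upload; the key never leaves the client.
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

function decryptFromTransfer(linkSecret, { salt, iv, ct, tag }) {
  const key = nodeCrypto.scryptSync(linkSecret, salt, 32, SCRYPT);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(salt);
  decipher.setAuthTag(tag);
  try {
    // final() throws if the tag does not match, so no unauthenticated
    // plaintext is ever returned to the caller.
    return Buffer.concat([decipher.update(ct), decipher.final()]);
  } catch {
    return null; // wrong link secret or modified upload
  }
}

// Constructed sample data.
const sampleSecret = nodeCrypto.randomBytes(32).toString('hex');
const sampleUpload = encryptForTransfer(sampleSecret, Buffer.from('constructed file contents'));
console.log(decryptFromTransfer(sampleSecret, sampleUpload).toString()); // original bytes
console.log(decryptFromTransfer('not-the-link-secret', sampleUpload));   // null
```

Because the key travels in the link, anyone who obtains the link can decrypt the file, so the link deserves the same handling as the file itself.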
Network Security
Stealth protects your network connections at multiple levels.
DNS Protection
DNS queries can reveal your browsing habits. Stealth secures DNS through:
Secure DNS providers. Queries route through trusted providers like Cloudflare, Google, or Quad9 instead of your ISP.
DNS-over-HTTPS. Optional encrypted DNS queries prevent ISPs and networks from seeing what domains you access.
Leak prevention. System DNS never points to localhost resolvers that could leak queries.
VPN Kill Switch Behavior
Stealth Firewall provides kill switch functionality through "VPN Only" rules. Applications with this rule cannot access the internet unless the VPN is connected, preventing data leaks during connection drops.
Split Tunneling Security
When using split tunneling, excluded applications bypass the VPN by design. Stealth clearly indicates which applications are excluded and that their traffic is not encrypted through the VPN tunnel.
Data Handling
Stealth minimizes data collection and protects what must be stored.
Local Data
Data stored on your device is protected:
Credentials. VPN credentials and Vault passwords are encrypted before storage using AES-256.
Settings. Application settings are stored in your user profile with appropriate permissions.
No plaintext secrets. Sensitive data is never written to disk in plaintext.
Network Transmission
All network communication uses secure protocols:
HTTPS only. All API calls use HTTPS with certificate validation.
No sensitive data in URLs. Credentials and personal data are never included in URLs or query parameters.
Minimal data collection. Only essential data for service operation is transmitted.
Logging
Stealth prioritizes privacy in logging:
No activity logging. Browsing history, visited websites, and connection times are never logged.
Diagnostic logs. Technical logs contain no personal or browsing data.
User control. Bug reports let you review all information before submission.
Operational Security
Stealth follows security best practices in operation.
Least Privilege
The application runs with minimal required permissions. Administrative access is only requested when necessary for specific operations like:
- Installing VPN drivers
- Modifying system hosts file for Stealth Block
- Creating Windows Firewall rules
- Driver updates through Stealth Drivers
Reversible Changes
System modifications are designed to be reversible:
Hosts file. Stealth Block entries are clearly marked and can be removed cleanly.
System Restore. Stealth Drivers creates restore points before driver updates.
Settings reset. All settings can be reset to defaults.
Third-Party Integrations
Stealth integrates with established security tools.
WireGuard
The VPN uses WireGuard/WireSock, an industry-standard protocol with minimal attack surface. The implementation has been audited and is used by major VPN providers worldwide.
Cloudflare WARP
Optional WARP integration uses the official Cloudflare client, providing an additional layer of protection independent from the primary VPN tunnel.
Tor Network
Tor routing uses official Tor software for maximum anonymity. Traffic is encrypted and routed through multiple relays, independent of the VPN.
Threat Protection
Stealth protects against common network threats.
Man-in-the-Middle Attacks
VPN encryption prevents attackers on your network from intercepting traffic. DNS-over-HTTPS prevents DNS hijacking. All connections validate certificates.
DNS Leaks
System DNS is forced through encrypted channels. Split tunnel exclusions are explicitly configured. There's no fallback to ISP DNS servers.
IP Leaks
IPv6 is handled properly to prevent leaks. WebRTC leak protection is available for supported browsers. Split tunneling clearly indicates what bypasses the VPN.
Responsible Disclosure
If you discover a security vulnerability in Stealth:
- Do not publicly disclose the issue until it has been addressed
- Submit a support ticket marked as Security
- Include detailed reproduction steps
- We will acknowledge receipt and work to resolve the issue promptly
We take security reports seriously and appreciate responsible disclosure from our users and the security community.