Home of internet privacy

Introducing TrustedServer: Why ExpressVPN is making VPN-server hard drives obsolete

This post was originally published on April 17, 2019.

At ExpressVPN, we know users count on us to protect their privacy and security, and we take that responsibility seriously. That’s why we never collect any activity or connection logs and why we engineered our systems to ensure sensitive information never touches the hard drive. But now, we’re taking it one (huge) step further—we’re cutting the hard drive out of the picture entirely.

Hard drives represented security risks, so we asked: Why use them?

With our industry-first TrustedServer technology, our VPN servers run only on volatile memory (RAM), not on hard drives. Since RAM requires power to store data, this guarantees that all information on a server is wiped every time it is powered off and on again.

In contrast, the traditional and most common way of running servers relies very much on hard drives, which retain all data until they are erased and written over, a painstaking and error-prone process. This increases the risk that servers could inadvertently contain sensitive user information. If someone were to hack or seize the server, they could gain access to this data. Even worse, hackers who do find their way in might be able to install a backdoor that remains indefinitely.

As Bruce Schneier has said, “data is a toxic asset,” and “it continues to be toxic as long as it sits in a company’s computers and networks.”

ExpressVPN TrustedServer technology addresses those security threats by making sure that absolutely nothing—neither information nor intruders—can remain on a server when it is rebooted.

Traditional server administration also posed security risks, so we reimagined it

TrustedServer introduces another key innovation that ensures that all our VPN servers are running the same, most up-to-date software and configuration. Each time a server powers up, it loads the latest read-only image containing the entire software stack, operating system (OS) and all. This is similar to how the “Tails” operating system boots itself. In our case, the image is also cryptographically signed by ExpressVPN, and servers will not operate if that signature isn’t valid.

This gives us confidence that each and every one of our 3,000+ servers worldwide is running exactly the same code—with the right patches and configuration for optimum security and performance. The more software consistency there is across a network, the less likely that there are vulnerabilities or misconfigurations, and the more sure we can be that the software that we audit and test is actually what’s running on all servers.

In contrast, the traditional approach to server administration is to install the OS and software when the server is first set up, and then install updates and make configurations to that OS and software over time. It might be years until a server is wiped and the OS re-installed.

With traditional server administration, every incremental update that is applied one by one across thousands of servers is an opportunity for differences among them to arise, like tiny evolutionary mutations across generations. The more servers a company has, and the more time passes, the less confident that company can be that every single server is running the exact same code and configured the same way. As a result, a server that was set up years ago might be running software in an unexpected way that’s dangerously different from what the company’s engineers are testing or auditing today.

TrustedServer means that ExpressVPN is able to have a high level of confidence that we know exactly what’s running on each of our servers, and that the OS is effectively “reinstalled” with every single reboot—dramatically minimizing security risks.

See Destin Sandlin of popular YouTube channel Smarter Every Day explain the privacy and security benefits of TrustedServer in his own words:

Like containerization, but for the entire software stack

For those of you who are familiar with containerization, the idea of loading an image onto a server for easy and consistent deployment might sound familiar. The key difference here is that our TrustedServer technology enables the entire software stack—OS on up—to be included in this image. The image is loaded on boot and runs on bare metal; there’s no separate host OS, VM, hypervisor, or container engine that could be left unpatched, misconfigured, or vulnerable to hackers.

ExpressVPN developed this approach in-house, and we’re not aware of any other company (including those outside of the VPN industry) that’s doing this today. Other containers described as “bare-metal” typically still run on a host OS. We look forward to sharing more about how we’ve implemented it so that other companies and industries, along with the people they serve, can benefit.

Learn more about our TrustedServer technology

TrustedServer represents a major leap in protecting user privacy and security, and we’ll be sharing additional explainers, including more technical content, in the coming weeks. Stay tuned for more information about how this technology could fundamentally reshape how servers operate.