Abstract
This paper presents RamOnly, a novel VPN infrastructure design that operates exclusively in volatile memory (RAM), eliminating the possibility of data persistence. We describe the technical architecture, cryptographic implementations, and verification methods that enable true zero-knowledge VPN operation.
Our approach addresses fundamental limitations of traditional VPN services where data may be recovered from storage media through forensic analysis. By ensuring all operations occur in RAM with no disk I/O, we provide mathematical guarantees that user data cannot persist beyond active sessions.
1. Introduction
Virtual Private Networks (VPNs) have become essential tools for privacy and security. However, traditional VPN infrastructure faces a fundamental challenge: any data written to persistent storage can potentially be recovered, subpoenaed, or compromised.
RamOnly introduces a paradigm shift by eliminating persistent storage entirely. Our servers boot from read-only images and operate exclusively in volatile memory. This design ensures that when power is removed, all data—including session keys, routing tables, and connection metadata—is instantly and permanently destroyed.
2. System Architecture
The RamOnly architecture consists of three primary components:
- Boot Infrastructure: Read-only images served via PXE boot
- RAM-Only Nodes: Compute instances with no attached storage
- Ephemeral Key Management: Keys generated per-session, never persisted
Each component is designed with the principle of minimal data handling. No component writes to disk, and inter-component communication is encrypted with forward-secret keys that are rotated continuously.
3. RAM-Only Implementation
Our nodes are configured with the following constraints:
- No block devices mounted in read-write mode
- tmpfs for all temporary files, sized to available RAM
- Disabled swap partitions
- Kernel parameters preventing disk access
Hardware-level verification ensures no storage devices are physically connected. Our data center partners provide attestation that nodes have no disk controllers or NVMe/SATA interfaces installed.
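The constraints above can be checked from inside a node by reading the kernel's own mount, swap and block-device tables. The following is an added illustration, not RamOnly's tooling: it parses text in the formats of /proc/mounts, /proc/swaps and the entry names of /sys/block, and reports anything that could retain data across a power cycle. The allow-list of memory-resident filesystem types and the constructed sample tables are assumptions made for the example.

```python
"""Illustrative RAM-only node audit (added example, not RamOnly's code)."""
import os

# Filesystem types that are memory-resident or kernel pseudo-filesystems.
# Anything else is treated as disk-backed unless mounted read-only, since a
# read-only boot image (Section 2) cannot retain session data.
MEMORY_BACKED = {
    "tmpfs", "ramfs", "rootfs", "proc", "sysfs", "devtmpfs", "devpts",
    "cgroup", "cgroup2", "mqueue", "securityfs", "bpf",
}


def parse_mounts(mounts_text):
    """Yield (device, mountpoint, fstype, option set) from /proc/mounts-style text."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        dev, mnt, fstype, opts = fields[:4]
        yield dev, mnt, fstype, set(opts.split(","))


def mount_violations(mounts_text):
    """Return one message for every writable mount that is not memory-backed."""
    findings = []
    for dev, mnt, fstype, opts in parse_mounts(mounts_text):
        if fstype in MEMORY_BACKED or "ro" in opts:
            continue
        findings.append(f"{dev} on {mnt} ({fstype}) is mounted read-write")
    return findings


def swap_violations(swaps_text):
    """Return the path of every active swap area listed in /proc/swaps."""
    lines = swaps_text.splitlines()
    # The first line is the column header "Filename Type Size Used Priority".
    return [line.split()[0] for line in lines[1:] if line.strip()]


def block_device_violations(device_names):
    """Return /sys/block entries that are not RAM-backed.

    loop devices are accepted only because on a diskless node their backing
    file must itself live on tmpfs; ram/zram devices are memory by definition.
    """
    return [n for n in device_names if not n.startswith(("loop", "ram", "zram"))]


def audit_live():
    """Audit the running node by reading the real kernel interfaces."""
    with open("/proc/mounts") as f:
        findings = mount_violations(f.read())
    with open("/proc/swaps") as f:
        findings += [f"active swap on {p}" for p in swap_violations(f.read())]
    findings += [f"block device present: {n}"
                 for n in block_device_violations(os.listdir("/sys/block"))]
    return findings


# Constructed samples: one node that breaks the constraints, one that meets them.
SAMPLE_MOUNTS_BAD = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/loop0 /image squashfs ro,relatime 0 0
/dev/nvme0n1p2 /var/log ext4 rw,relatime 0 0
"""
SAMPLE_MOUNTS_GOOD = """\
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,size=8G 0 0
/dev/loop0 /image squashfs ro,relatime 0 0
"""
SAMPLE_SWAPS_BAD = """\
Filename Type Size Used Priority
/dev/sda2 partition 4194300 0 -2
"""
SAMPLE_SWAPS_GOOD = "Filename Type Size Used Priority\n"

if __name__ == "__main__":
    for finding in mount_violations(SAMPLE_MOUNTS_BAD):
        print("VIOLATION:", finding)
    for path in swap_violations(SAMPLE_SWAPS_BAD):
        print("VIOLATION: active swap on", path)
    print("clean node findings:",
          mount_violations(SAMPLE_MOUNTS_GOOD) + swap_violations(SAMPLE_SWAPS_GOOD))
```

Run as a script it reports on the constructed samples; `audit_live()` performs the same checks against the running kernel. Note that a check run from inside the node can only confirm what the kernel exposes, which is why Section 6 pairs it with third-party hardware inspection.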
4. Cryptographic Design
RamOnly implements the WireGuard protocol with the following cryptographic primitives:
- Key Exchange: Curve25519 ECDH
- Symmetric Encryption: ChaCha20-Poly1305
- Hashing: BLAKE2s
Session keys are derived using HKDF and exist only in RAM. Key rotation occurs every 2 minutes or 2^64 packets, whichever comes first.
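The following added example (not RamOnly's implementation) walks through the session key lifecycle this section describes using only the Python standard library: an X25519 exchange as specified in RFC 7748, HKDF keyed with HMAC-BLAKE2s deriving a send and a receive key for each side, and a rotation check against the 2-minute and 2^64-packet thresholds. The salt and info strings are placeholder values chosen for the example, the ladder is not constant-time, and WireGuard's real Noise handshake derives its transport keys through a longer chain than the single HKDF call shown here.

```python
"""Illustrative WireGuard-style session key lifecycle (added example, not RamOnly's code)."""
import hashlib
import hmac
import os

P = 2**255 - 19
A24 = 121665                 # (486662 - 2) / 4, the Curve25519 ladder constant
BASEPOINT = (9).to_bytes(32, "little")

REKEY_AFTER_SECONDS = 120    # "every 2 minutes"
REKEY_AFTER_PACKETS = 2**64  # figure stated in this paper (WireGuard's REKEY_AFTER_MESSAGES is 2**60)


def _clamp(private_key: bytes) -> int:
    """Clamp a 32-byte scalar as RFC 7748 section 5 requires."""
    k = bytearray(private_key)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(private_key: bytes, peer_u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5. The swaps branch on secret
    bits, which is acceptable for a worked example but not for a server."""
    k = _clamp(private_key)
    u = bytearray(peer_u)
    u[31] &= 127                       # mask the unused top bit of the u-coordinate
    x1 = int.from_bytes(u, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_blake2s(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF instantiated with HMAC-BLAKE2s."""
    prk = hmac.new(salt, ikm, hashlib.blake2s).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.blake2s).digest()
        okm += block
        counter += 1
    return okm[:length]


class Session:
    """Per-session ChaCha20-Poly1305 keys held in bytearrays so they can be
    overwritten; Python cannot guarantee no other copies exist, so the wipe is
    best-effort and a real node needs deterministic zeroization."""

    def __init__(self, shared_secret: bytes, created_at: float, initiator: bool):
        okm = hkdf_blake2s(shared_secret, b"ramonly-example-salt", b"session", 64)
        # The initiator sends with the first half; the responder mirrors the roles.
        self.send_key = bytearray(okm[:32] if initiator else okm[32:])
        self.recv_key = bytearray(okm[32:] if initiator else okm[:32])
        self.created_at = created_at
        self.packets_sent = 0

    def needs_rekey(self, now: float) -> bool:
        return (now - self.created_at >= REKEY_AFTER_SECONDS
                or self.packets_sent >= REKEY_AFTER_PACKETS)

    def destroy(self) -> None:
        for buf in (self.send_key, self.recv_key):
            buf[:] = bytes(len(buf))


def establish(own_private: bytes, peer_public: bytes, now: float, initiator: bool = True) -> Session:
    return Session(x25519(own_private, peer_public), now, initiator)


if __name__ == "__main__":
    a_priv, b_priv = os.urandom(32), os.urandom(32)
    a_pub, b_pub = x25519(a_priv, BASEPOINT), x25519(b_priv, BASEPOINT)
    init, resp = establish(a_priv, b_pub, 0.0), establish(b_priv, a_pub, 0.0, initiator=False)
    print("keys agree:", init.send_key == resp.recv_key and init.recv_key == resp.send_key)
    print("rekey due after 120 s:", init.needs_rekey(REKEY_AFTER_SECONDS))
    init.destroy(); resp.destroy()
```

The time threshold is checked against a caller-supplied clock so the policy can be tested deterministically; on a node it would be driven by a monotonic clock, never wall time, so that clock adjustments cannot extend a session's key lifetime.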
5. Threat Model
RamOnly protects against:
- Forensic analysis of server storage (no storage exists)
- Legal requests for historical data (data doesn't persist)
- Data center compromise with physical access (cold boot mitigated by memory encryption)
- Network-level surveillance (end-to-end encryption)
We explicitly do not protect against:
- Compromise of user's endpoint device
- Active MITM with compromised certificates
- Nation-state adversaries with real-time network tap and unlimited resources
6. Verification Methods
Users and auditors can verify our claims through:
- Hardware Audits: Third-party inspection of server configurations
- Network Analysis: Monitoring for disk I/O patterns (none exist)
- Open Source: Client applications are fully open source
- Reproducible Builds: Verify binary integrity
7. Conclusion
RamOnly demonstrates that true zero-knowledge VPN operation is achievable through careful architectural design. By eliminating persistent storage at every layer, we provide guarantees that exceed policy-based "no-log" claims.
Future work includes hardware security module integration for RAM encryption and distributed key generation protocols to further reduce trust requirements.