VPN provider Mullvad
announced today that it has completed the migration to a disk-less VPN infrastructure. The migration to servers that operate fully in RAM strengthens user privacy further and it also improves reliability and management of VPN servers.
Mullvad
started the migration in early 2022 with two test WireGuard servers. The company created a special bootloader, stboot, for the purpose and continues to use a custom Linux kernel that is a heavily slimmed down version of the mainline branch.
The server itself has a size of less than 200 megabytes before deployment, according to Mullvad. The company had four major goals when it announced the move to a disk-less VPN infrastructure:
- If a computer that runs a VPN server is moved, confiscated or powered off, no data can be retrieved.
- Minimize the risk of storing logs that may reveal information at a later point.
- Removing disks from systems makes the servers less prone to hardware failures due to fewer breakable parts.
- Setting up and upgrading servers and packages is faster and easier.
The disk-less servers use provisioning servers to download the operating system and boot from it. Mullvad states that the provisioning servers host just the signed disk images and "some base configuration data".
When a VPN server boots, it launches the bootloader stboot, which is configured to download and verify the OS package from the provisioning server. The operating system will be booted only in RAM if the downloaded image passes verification. The server "waits" then for staff members to provision and deploy it for customer user.
disk-less is a big leap forward well done Mullvad....
