Encryption

Your files are encrypted on your device by Restic before any data leaves your network. Restic uses authenticated encryption with AES-256 in counter mode and Poly1305 for integrity. The encryption key is derived from your repository password using scrypt — a memory-hard KDF designed to resist GPU and ASIC attacks.

We never see, store, or transmit your encryption key. We see ciphertext only. If you lose your password, your data is unrecoverable — including by us. That's not a bug; that's the contract.

Transport

All data in transit travels over SFTP (SSH File Transfer Protocol) using OpenSSH. Each vault has a unique SSH host key (no shared host keys across customers). Connections are authenticated with username + password generated at provision time and shown in the portal once.

Even if the SFTP connection were intercepted, all transferred data is already Restic-encrypted ciphertext. The SFTP layer is defense in depth, not the primary boundary.

Storage isolation

Every customer gets a dedicated ZFS dataset on our storage pool. Datasets are isolated at the filesystem level — they cannot read each other's data, share inodes, or escape their boundaries. Each vault runs in its own LXC container with a chrooted SFTP user that cannot navigate above its dataset.

ZFS provides end-to-end data integrity via cryptographic checksums on every block read and write. If a disk silently corrupts a sector, ZFS detects it on the next read and (with the right pool topology) self-heals from redundancy. Your backup target won't quietly rot.

What we log

• SFTP connection metadata (timestamp, source IP, vault ID, bytes transferred). Retained 30 days.
• Portal authentication events (login, logout, password change). Retained 90 days.
• Stripe billing events (charges, subscription changes). Retained per Stripe and tax-record requirements.
• Application errors (anonymized stack traces, no customer data). Retained 14 days.

We do not log file names, file paths, snapshot contents, restore content, or anything that could reveal what's inside your vault. Restic's wire protocol doesn't expose that information to us, and we've made no effort to derive it.

Threat model

The system is designed against three threat classes:

• External attacker compromising ServerCrate infrastructure: Attacker gets ciphertext blobs and connection metadata. Cannot decrypt without your repository password.
• Insider threat (operator-side): Same as external. We have no key access. Logs do not contain decryptable data.
• Legal demand or warrant: We can hand over what we have — ciphertext blobs and connection metadata. We cannot hand over decrypted data because we don't have it.

The system is not designed against an attacker who has compromised your machine and exfiltrated your repository password. That's a separate boundary — your endpoint security is your responsibility. We recommend storing your Restic password in a hardware-backed password manager.

Infrastructure

Storage runs on owned hardware in a US Tier-3 colocation facility with redundant power and network. Public network reach is provided by an upstream BGP partner with a leased IPv4 /24, ensuring our customer-facing endpoints don't depend on a single transit provider's reachability.

Operating systems are Debian 12 stable on Proxmox VE host nodes. ZFS is the OpenZFS upstream. All systems are CrowdSec-enrolled with nftables-based bouncing for IP-level abuse mitigation.

For business customers requiring detailed infrastructure information for compliance reviews (SOC 2, HIPAA, GDPR DPIAs), contact us and we'll walk through the specifics under NDA.

Account security

• Password hashing: Argon2id with conservative parameters.
• Two-factor authentication (TOTP): available on every account, optional but strongly recommended.
• Session management: HTTPOnly cookies, separate CSRF token, IP and user-agent change detection.
• Rate limiting: Per-account and per-IP, applied to login, password reset, and chat endpoints.
• Email verification required before vault provisioning.

Incident response

In the event of a confirmed security incident affecting customer data or service availability, we commit to:

• Public disclosure within 72 hours of confirmation, on our status page
• Direct email to all affected customers, including specifics of what was accessed and what was not
• A post-incident report within 14 days describing root cause, response timeline, and mitigations
• Cooperation with affected customers' compliance and legal teams as needed

Responsible disclosure

Security researchers: please email security@servercrate.net with findings. We aim to acknowledge within 48 hours and provide a remediation timeline within 7 days.

We don't yet operate a formal bounty program — we're a small operation — but verified vulnerability reports get public credit (with consent), free Pro plan time, and our genuine thanks. Please don't run automated scanners against production.

What you should do

• Save your Restic repository password in a real password manager (1Password, Bitwarden, KeePassXC). Not in a text file.
• Enable TOTP on your portal account.
• Test a restore at least once. An untested backup is a hope, not a backup.
• Set up restic check on a schedule to verify repository integrity from your end.
• Use a dedicated SSH key for unattended Restic backups, separate from your interactive admin key.