Security Overview

NetBird provides an end-to-end encrypted VPN designed with the NSA's Commercial Solutions for Classified (CSfC) program in mind. It applies two independent layers of encryption to traffic crossing any network, including the public internet, which makes it suitable for protecting highly sensitive traffic.

Double VPN Architecture

At its core, NetBird establishes a double VPN — two nested encryption layers, each using independent key management, independent cryptographic algorithms, and independent protocol implementations.

Application traffic
    │
    ▼
┌──────────────────────────────────────────────────┐
│  Inner Layer: AES-256-GCM WireGuard (aes0)       │
│  Keys: DSKE-managed PSKs via security hubs       │
│  Protocol: Noise_IKpsk2_25519_AESGCM_BLAKE2s     │
└──────────────────────────────────────────────────┘
    │
    ▼
┌──────────────────────────────────────────────────┐
│  Outer Layer: ChaCha20-Poly1305 WireGuard (wg0)  │
│  Keys: Standard WireGuard Diffie-Hellman         │
│  Protocol: Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s │
└──────────────────────────────────────────────────┘
    │
    ▼
Network (internet, LAN, etc.)

Even if one encryption layer is compromised, whether through a cryptographic break, an implementation flaw, or a key compromise, the other layer continues to protect the traffic independently: an attacker who strips the outer tunnel is left holding inner-layer ciphertext, and one who holds only the inner key cannot reach the inner packet through the outer tunnel.

Why Two Layers?

The CSfC Multi-Site Connectivity capability package requires two independent layers of encryption to protect classified traffic traversing untrusted networks. NetBird's double VPN architecture satisfies this requirement by design:

Requirement                            Implementation
-------------------------------------  -----------------------------------------------------------
Two independent encryption layers      WireGuard (ChaCha20-Poly1305) + AES WireGuard (AES-256-GCM)
Independent key management per layer   WireGuard DH key exchange + DSKE threshold key exchange
CNSA-compliant algorithms              AES-256-GCM (inner layer)
No single point of key compromise      DSKE splits keys across multiple security hubs
Continuous key rotation                Automatic 120-second PSK rotation via DSKE

Note that the CNSA row covers the data encryption only: the Curve25519 key agreement used by both Noise handshakes is not a CNSA suite algorithm.

How It Works

  1. Peers connect via the standard WireGuard tunnel (wg0), establishing ChaCha20-Poly1305 encryption
  2. A second WireGuard interface (aes0) is created automatically, using AES-256-GCM encryption
  3. DSKE (Distributed Symmetric Key Exchange) generates shared secrets by splitting them across multiple security hubs using threshold cryptography
  4. Application traffic is routed through the AES tunnel, which itself runs inside the WireGuard tunnel — double encryption
  5. Keys rotate automatically every 120 seconds, with zero traffic interruption
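To make the layering and failure semantics of the five steps above concrete, here is an added example in Go. It is not NetBird's code: two nested AEAD layers, each with its own independent key and counter nonce, wrapping a packet inner-first and unwrapping outer-first. Both layers use AES-256-GCM from the Go standard library, which ships no ChaCha20-Poly1305, so the outer layer here stands in for wg0 only in its position and key, not its cipher. The wg0/aes0 names, the 8-byte counter header and the sample payload are assumptions, and there is no handshake, key distribution or rotation. What it shows is that an attacker holding only the outer key recovers inner-layer ciphertext, one holding only the inner key is stopped at the outer layer, and any modification on the wire is rejected before the inner layer is reached.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Tunnel is one encryption layer: an AEAD under its own independent key plus
// a send counter. As in WireGuard the nonce is a counter, so a key has to be
// retired long before the counter could repeat; periodic rekeying does that.
type Tunnel struct {
	Name    string
	aead    cipher.AEAD
	counter uint64
}

// NewTunnel builds a layer from a 32-byte key (AES-256-GCM).
func NewTunnel(name string, key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{Name: name, aead: aead}, nil
}

// Seal emits counter || AEAD(nonce=counter, plaintext, aad=counter). The
// counter travels in the clear like a transport header but is authenticated,
// so a modified header fails to open.
func (t *Tunnel) Seal(plaintext []byte) []byte {
	nonce := make([]byte, t.aead.NonceSize()) // 12 bytes; counter in the low 8
	binary.LittleEndian.PutUint64(nonce[4:], t.counter)
	t.counter++
	hdr := make([]byte, 8)
	copy(hdr, nonce[4:])
	return append(hdr, t.aead.Seal(nil, nonce, plaintext, hdr)...)
}

// Open reverses Seal and fails closed on any change to header or body.
func (t *Tunnel) Open(packet []byte) ([]byte, error) {
	if len(packet) < 8+t.aead.Overhead() {
		return nil, fmt.Errorf("%s: packet too short", t.Name)
	}
	nonce := make([]byte, t.aead.NonceSize())
	copy(nonce[4:], packet[:8])
	pt, err := t.aead.Open(nil, nonce, packet[8:], packet[:8])
	if err != nil {
		return nil, fmt.Errorf("%s: %w", t.Name, err)
	}
	return pt, nil
}

// Send wraps application data in the inner (aes0) layer first, then in the
// outer (wg0) layer, so only outer-layer ciphertext reaches the network.
// Each layer adds 8 bytes of counter and a 16-byte tag, 48 bytes in total.
func Send(inner, outer *Tunnel, app []byte) []byte {
	return outer.Seal(inner.Seal(app))
}

// Receive peels the layers in reverse order; the outer layer rejects first.
func Receive(inner, outer *Tunnel, wire []byte) ([]byte, error) {
	innerPkt, err := outer.Open(wire)
	if err != nil {
		return nil, err
	}
	return inner.Open(innerPkt)
}

func main() {
	innerKey, outerKey := make([]byte, 32), make([]byte, 32)
	rand.Read(innerKey) // in NetBird's design the inner PSK would come from DSKE
	rand.Read(outerKey)
	txIn, _ := NewTunnel("aes0", innerKey)
	txOut, _ := NewTunnel("wg0", outerKey)
	rxIn, _ := NewTunnel("aes0", innerKey)
	rxOut, _ := NewTunnel("wg0", outerKey)

	app := []byte("GET /internal/report HTTP/1.1") // constructed sample payload
	wire := Send(txIn, txOut, app)
	got, err := Receive(rxIn, rxOut, wire)
	fmt.Printf("round trip: ok=%v err=%v overhead=%d bytes\n", bytes.Equal(got, app), err, len(wire)-len(app))

	// Outer key alone peels wg0 but is left holding aes0 ciphertext.
	onlyOuter, _ := NewTunnel("wg0", outerKey)
	innerPkt, err := onlyOuter.Open(wire)
	fmt.Printf("outer key only: err=%v plaintext exposed=%v\n", err, bytes.Contains(innerPkt, app))

	// Inner key alone cannot get through the outer layer at all.
	onlyInner, _ := NewTunnel("aes0", innerKey)
	_, err = onlyInner.Open(wire)
	fmt.Printf("inner key only: err=%v\n", err)
}
```

The 48 bytes of per-packet overhead is the cost of nesting that a deployment has to absorb in the inner interface's MTU; real WireGuard framing adds its own headers on top of the figure shown here.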

Key Components

AES WireGuard Tunnel

A second WireGuard interface (aes0) that uses AES-256-GCM instead of ChaCha20-Poly1305. Traffic routed through aes0 is encrypted twice — once by the AES tunnel and again by the standard WireGuard tunnel underneath.

Learn more about the Double VPN →

DSKE (Distributed Symmetric Key Exchange)

An automated key management system that generates pre-shared keys using threshold cryptography across multiple independent security hubs. No single hub can reconstruct or compromise the keys.

Learn more about DSKE →

Security Hubs

Independent servers that participate in key generation using Shamir secret sharing. Each key is split into shares distributed across the hubs, and at least two shares are required to reconstruct it, so no single hub holds enough to recover a key on its own.
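The threshold key splitting in step 3 of How It Works, in DSKE, and across the security hubs described above rests on Shamir secret sharing. The following Go example is added here and is not NetBird's or DSKE's implementation: it splits a 32-byte key byte by byte over GF(2^8) (the AES field) into one share per hub and recombines it from any threshold-sized subset, while a subset one share short produces output unrelated to the key. The field polynomial, the hub indices, and the 2-of-3 and 3-of-5 policies are assumptions; the transport to hubs, hub authentication and PSRD are out of scope.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
)

// Share is one hub's portion of a split key: hub index x (1..255, never 0,
// because f(0) is the secret itself) and one evaluation f(x) per secret byte.
type Share struct {
	X uint8
	Y []byte
}

// gfMul multiplies in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1.
func gfMul(a, b uint8) uint8 {
	var p uint8
	for ; b != 0; b >>= 1 {
		if b&1 != 0 {
			p ^= a
		}
		a = a<<1 ^ (0x1b & -(a >> 7)) // xtime: shift, reduce if the top bit was set
	}
	return p
}

// gfInv returns a^-1 = a^254 for non-zero a; 0x53 maps to 0xca as in the AES S-box.
func gfInv(a uint8) uint8 {
	r, base := uint8(1), a
	for e := 254; e > 0; e >>= 1 {
		if e&1 != 0 {
			r = gfMul(r, base)
		}
		base = gfMul(base, base)
	}
	return r
}

// Split makes n shares such that any threshold of them recover secret and fewer
// reveal nothing: each byte is the constant term of a fresh random polynomial of
// degree threshold-1, evaluated at every hub's x.
func Split(secret []byte, n, threshold int) ([]Share, error) {
	if threshold < 2 || threshold > n || n > 255 {
		return nil, errors.New("need 2 <= threshold <= n <= 255")
	}
	shares := make([]Share, n)
	for i := range shares {
		shares[i] = Share{X: uint8(i + 1), Y: make([]byte, len(secret))}
	}
	coef := make([]byte, threshold-1) // c1..c_{t-1}; c0 is the secret byte
	for k, s := range secret {
		if _, err := rand.Read(coef); err != nil {
			return nil, err
		}
		for i := range shares {
			x, y := shares[i].X, uint8(0)
			for j := len(coef) - 1; j >= 0; j-- { // Horner: (..(c_{t-1} x + c_{t-2}) x ..) x + s
				y = gfMul(y, x) ^ coef[j]
			}
			shares[i].Y[k] = gfMul(y, x) ^ s
		}
	}
	return shares, nil
}

// Combine recovers f(0) by Lagrange interpolation. Hand it at least threshold
// distinct shares; with fewer, the polynomial is underdetermined and the output
// is unrelated to the secret rather than partially right.
func Combine(shares []Share) ([]byte, error) {
	seen := map[uint8]bool{}
	for _, s := range shares {
		if s.X == 0 || seen[s.X] || len(s.Y) != len(shares[0].Y) {
			return nil, errors.New("shares need distinct non-zero x and equal length")
		}
		seen[s.X] = true
	}
	out := make([]byte, len(shares[0].Y))
	for k := range out {
		for i, si := range shares {
			num, den := uint8(1), uint8(1) // l_i(0) = prod_{j!=i} x_j/(x_j - x_i); minus is XOR
			for j, sj := range shares {
				if i != j {
					num, den = gfMul(num, sj.X), gfMul(den, sj.X^si.X)
				}
			}
			out[k] ^= gfMul(si.Y[k], gfMul(num, gfInv(den)))
		}
	}
	return out, nil
}

func main() {
	psk := make([]byte, 32) // stands in for a 32-byte WireGuard pre-shared key
	rand.Read(psk)
	hubs, _ := Split(psk, 3, 2) // three hubs, any two suffice
	got, _ := Combine([]Share{hubs[0], hubs[2]})
	strict, _ := Split(psk, 5, 3)  // stricter 3-of-5 policy
	short, _ := Combine(strict[:2]) // one hub short: output is unrelated to psk
	fmt.Println("2 of 3 hubs:", bytes.Equal(got, psk), " 2 of 5 under 3-of-5:", bytes.Equal(short, psk))
}
```

Because every byte uses an independent random polynomial, a hub that hoards shares below the threshold learns nothing about any byte of the key, which is the property behind the "no single hub can reconstruct" statement above.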

Learn more about Security Hubs →

PSRD (Pre-Shared Random Data)

One-time-use entropy provisioned from security hubs to clients, consumed during key generation and recovery operations.

Learn more about PSRD Management →

CSfC Alignment

NetBird's architecture is designed with the CSfC Multi-Site Connectivity capability package in mind. For a detailed requirement-by-requirement mapping, see the CSfC Alignment page.

Built on NetBird Open-Source

NetBird's security features build on top of the NetBird open-source project, a WireGuard-based mesh VPN with centralized management. The upstream project provides the peer-to-peer connectivity, NAT traversal, access control, and management infrastructure that NetBird extends with its double VPN architecture.