Security Posture

What we defend.
What we don't.

Honest security documentation. What FGSP protects, what it doesn't, and why the architecture makes those guarantees real.

FGSP is built around one property: structural inability to comply. Not "we won't hand over your data" — the operator genuinely cannot. There are no decryption keys on any server. There is no mapping between users and their data. When a subpoena arrives, the honest answer is "we have uniform noise and no keys." That is not a policy. That is the architecture.

This is the same legal posture used by Signal, Mullvad VPN, and ProtonMail — companies that have survived legal pressure from multiple jurisdictions precisely because the architecture did not allow compliance. FGSP is in the same family.

Drive seizure
Law enforcement, customs, a hostile employer — anyone who obtains physical possession of the storage drive. The drive is pre-filled with AES-256 encrypted noise. Without the user's two keys, panels are indistinguishable from surrounding noise. There is no forensic starting point. The drive cannot be proven to contain data.
Operator compulsion
A subpoena, national security letter, or other legal instrument served on the FGSP operator demanding user identification or data decryption. The operator holds no Shape Keys, no Coordinates, no mapping between payments and storage bulbs. The operator can be fully compelled and still produce nothing useful — because the architecture genuinely doesn't allow useful disclosure.
Operator infrastructure compromise
A full compromise of operator infrastructure — root access, database access, wire traffic monitoring. Same property: the operator's systems never hold the cryptographic material needed to recover a file. A compromised operator yields encrypted noise and an opaque token ledger. Neither contains user-recoverable material.
Network-level observers
An adversary monitoring traffic between a user and their storage. All connections are Tor v3 hidden services with client authorization. An external observer sees onion-routed traffic. No relay sees both the user and the destination. The user's IP is not logged and not knowable to the operator.
Account-to-data linkage
There are no accounts. FGSP uses a token-as-customer model — payment yields an opaque cryptographic token, the token provisions a storage bulb, no identity persists across the boundary. The operator cannot link a payment to a specific bulb, and cannot link a bulb to a user identity.

These are not bugs. They are honest limits that every user should understand before relying on this system for high-stakes material.

Endpoint compromise
If your device is compromised at the time you access FGSP — malware, a keylogger, a remote access tool — the attacker reads plaintext directly. FGSP protects data at rest and in transit. It does not protect your local environment.
Coercion of you personally
If you are compelled to hand over your Shape Key and Coordinate under threat or legal order, the data is recoverable by whoever receives those credentials. FGSP's structural-inability defense protects the operator. It does not protect a user who is forced to comply.
Loss of both keys with no Drive A
If you lose your Shape Key and Coordinate, and have no Drive A and no backup, access is permanently gone. There is no recovery path. No operator override. No "forgot my password." This is the architecture. Read the best practices guide.
Metadata exposure via payment
Fiat payments via Stripe create a payment record at Stripe, not at FGSP. Stripe can be subpoenaed independently. If payment-level privacy matters, use the Monero path — no name, no email, no payment record at any party that can be compelled.

The barriers don't add — they multiply. An attacker must defeat every single one. Failing at any step is total failure for that file.

Panels are cryptographically indistinguishable from noise
AES-256 indistinguishability. Without the bitmask, a forensic tool cannot distinguish data panels from surrounding noise. Cryptographically negligible probability of success.
The fractal walker cannot be replayed without both keys
The navigation path through the noise field requires both the Shape Key and the Coordinate. Equivalent to guessing either key directly.
The .meta packet cannot be decrypted without the Shape Key
File metadata — the navigation log, panel locations, shred order — is encrypted with a Shape Key-derived session key. Without the Shape Key, the meta is junk binary with no proof of what it is.
Panel order is jumbled
Even if panels are located, their assembly order is cryptographically shuffled. Reversing the jumble requires the Shape Key. Approximately 1 in 10^65,000 odds for a typical file.
File ciphertext is independently encrypted
The file itself is AES-256-GCM encrypted. Defeating every prior barrier still leaves the file ciphertext, and a single brute-force key guess succeeds with probability 2^-256.
The operator structurally cannot supply either barrier
No Shape Keys, no Coordinates, no .meta files, no user-to-bulb mapping. There is nothing to produce. An attacker who wants both keys must get them from the user — not from the operator.
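The first barrier above rests on a property a practitioner can check on a seized-drive image: encrypted panels must not stand out from the surrounding noise under the statistical triage tests forensic tools run first. The script below is an added illustration, not FGSP's code; it computes byte entropy and a chi-square statistic over three constructed regions (plaintext, ciphertext, fresh random noise) and shows that plaintext is flagged immediately while ciphertext and noise are indistinguishable. The cipher used is a SHA-256 counter-mode keystream standing in for AES-256 so the example runs without third-party libraries; the key, the sample text and the 7.9 / 400 thresholds are all assumptions made for the demonstration.

```python
import hashlib
import math
import os
from collections import Counter

SAMPLE_SIZE = 64 * 1024

# Constructed sample plaintext: the kind of content a panel holds before encryption.
PLAINTEXT = (b"Quarterly report: revenue grew 12 percent; see attached spreadsheet. " * 1000)[:SAMPLE_SIZE]

# Constructed demo key. In FGSP this would be derived from user-held key material;
# here it is a fixed placeholder so the run is reproducible.
DEMO_KEY = hashlib.sha256(b"demo-shape-key-placeholder").digest()


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; a uniform byte stream approaches 8.0."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic against a uniform distribution over the 256 byte values.
    With 255 degrees of freedom, random input of this size scores around 255."""
    counts = Counter(data)
    expected = len(data) / 256
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256-CTR: XOR with a SHA-256 counter-mode keystream.
    ASSUMPTION: this hash-based stream only replaces AES so the example has no
    dependencies; it is not a production cipher. Applying it twice decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def looks_like_noise(data: bytes, min_entropy: float = 7.9, max_chi: float = 400.0) -> bool:
    """Triage heuristic of the sort a forensic tool applies to drive regions.
    Ciphertext passes it exactly as random filler does; plaintext does not."""
    return byte_entropy(data) > min_entropy and chi_square(data) < max_chi


def compare_regions() -> dict:
    """Run both statistics over plaintext, ciphertext and fresh random noise."""
    regions = {
        "plaintext": PLAINTEXT,
        "ciphertext": keystream_encrypt(DEMO_KEY, PLAINTEXT),
        "noise": os.urandom(SAMPLE_SIZE),
    }
    return {
        name: {"entropy": byte_entropy(d), "chi_square": chi_square(d), "noise_like": looks_like_noise(d)}
        for name, d in regions.items()
    }


if __name__ == "__main__":
    for name, stats in compare_regions().items():
        print(f"{name:10s} entropy={stats['entropy']:.3f} "
              f"chi2={stats['chi_square']:.1f} noise_like={stats['noise_like']}")
```

These statistics are a necessary check, not the guarantee itself: they confirm that nothing on the drive is visibly structured (an unencrypted header or length field would fail them), while the "cannot be proven to contain data" claim ultimately rests on the cipher's indistinguishability, which no byte-frequency test can verify.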

No identification capability, ever
Documented, audited, and public. There is no admin override. No "let me check our database" exists at any layer.
Zero user-identifying logs
Logging policy is "log nothing user-identifying." Audited by external parties before launch. No IP logs, no session logs, no payment-to-bulb mapping.
Warrant canary — published quarterly
If a secret order arrives that cannot be disclosed, the canary disappears. Users see the absence and act accordingly. Modeled on Reddit and Apple's historical canaries.
Transparency report — published annually
Aggregate counts of demands received, broken out by type. Modeled on Signal's public subpoena responses — the answer is typically "we had nothing to hand over."

These are companies and services that have maintained structural inability to comply with broad identity demands — openly, profitably, legally.

Signal
Multiple subpoenas. Public responses. The answer every time: "We have routing data and registration timestamps. That's all we retain." Zero user content produced.
Mullvad VPN
Swedish police raid. No logs. Account numbers instead of emails. Zero user-identifying data produced. The architecture was the defense.
ProtonMail
Swiss and EU legal pressure. Encryption-by-default. Survived repeated attempts to force user disclosure across multiple jurisdictions.
IVPN
Same model as Mullvad. No account email required. No logs. The product is architecturally incapable of producing user data.

FGSP is in the same architectural family. The legal posture is mature, the precedents are real, and the playbook is established.