Security
Baseguard's security architecture and principles
Security is foundational to Baseguard. All traffic is encrypted end-to-end, every device is cryptographically authenticated, and access is controlled through tag-based network rules.
Encryption
Two encryption layers protect your traffic:
| Layer | Protocol | Purpose |
|---|---|---|
| Data Plane | WireGuard | P2P and relay traffic encryption |
| Control Plane | NCP over Noise IK | Signaling and coordination |
WireGuard
WireGuard encrypts all mesh traffic between nodes. It uses Curve25519 for key exchange, ChaCha20-Poly1305 for symmetric encryption, and BLAKE2s for hashing. Session keys are renegotiated every 2 minutes, providing perfect forward secrecy: compromise of a current session key does not expose traffic protected by earlier keys.
For protocol details, see the WireGuard whitepaper.
Node Control Protocol (NCP)
The NCP runs over the Noise Protocol Framework using the IK handshake pattern, which provides both encryption and mutual authentication: the initiator already knows the responder's static public key, and both sides prove possession of their static keys during the handshake. Like WireGuard, it uses Curve25519 for key exchange, ChaCha20-Poly1305 for symmetric encryption, and BLAKE2s for hashing.
For Noise protocol details, see the Noise Protocol specification.
End-to-End Encryption
Even when traffic routes through relay servers, encryption is maintained. The relay forwards encrypted WireGuard packets between nodes — it cannot read, modify, or inject packets.
The control plane never sees your data plane traffic. It knows which devices are connected and distributes node information and ACLs, but it never has WireGuard keys.
Zero Trust
Baseguard implements Zero Trust Network Access (ZTNA) — no device or connection is implicitly trusted. Every access request is authenticated and authorized through tag-based ACLs. New organizations start with a default "allow all" rule for ease of setup, but this should be replaced with specific rules for production environments.
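The difference between the default "allow all" rule and a production rule set is easiest to see in a default-deny evaluator. The following Go program is an added example written for this page; it is not Baseguard's code, and the rule shape (source tags, destination tags, port list with `*` wildcards and `lo-hi` ranges) is an assumption made here, not Baseguard's ACL syntax. Device names and tags are constructed sample data.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Device is a mesh node and the tags assigned to it (constructed sample data).
type Device struct {
	Name string
	Tags []string
}

// Rule permits traffic from any device carrying one of the Src tags to any device
// carrying one of the Dst tags, on the listed ports. "*" is a wildcard; a port spec
// may be a single port ("22") or a range ("8000-8100"). This rule shape is an
// assumption for the example, not Baseguard's ACL syntax.
type Rule struct {
	Src   []string
	Dst   []string
	Ports []string
}

// AllowAll is the default a new organization starts with: every device reaches every port.
var AllowAll = []Rule{{Src: []string{"*"}, Dst: []string{"*"}, Ports: []string{"*"}}}

// Production replaces it with explicit least-privilege grants; anything not listed is denied.
var Production = []Rule{
	{Src: []string{"web"}, Dst: []string{"db"}, Ports: []string{"5432"}},
	{Src: []string{"admin"}, Dst: []string{"*"}, Ports: []string{"22"}},
	{Src: []string{"admin"}, Dst: []string{"web"}, Ports: []string{"8000-8100"}},
}

// hasAnyTag reports whether the device carries at least one of the wanted tags.
func hasAnyTag(d Device, wants []string) bool {
	for _, w := range wants {
		if w == "*" {
			return true
		}
		for _, t := range d.Tags {
			if t == w {
				return true
			}
		}
	}
	return false
}

// portMatches reports whether port falls inside any of the port specs.
func portMatches(port int, specs []string) bool {
	for _, s := range specs {
		if s == "*" {
			return true
		}
		lo, hi, isRange := strings.Cut(s, "-")
		if !isRange {
			hi = lo
		}
		l, err1 := strconv.Atoi(lo)
		h, err2 := strconv.Atoi(hi)
		if err1 == nil && err2 == nil && port >= l && port <= h {
			return true
		}
	}
	return false
}

// Allowed is default-deny: a connection passes only when some rule explicitly matches
// the source tags, the destination tags, and the destination port. Direction matters:
// a web -> db grant says nothing about db -> web.
func Allowed(rules []Rule, src, dst Device, port int) bool {
	for _, r := range rules {
		if hasAnyTag(src, r.Src) && hasAnyTag(dst, r.Dst) && portMatches(port, r.Ports) {
			return true
		}
	}
	return false
}

func main() {
	web := Device{"web-1", []string{"web"}}
	db := Device{"db-1", []string{"db"}}
	laptop := Device{"laptop-1", []string{"admin"}}
	cases := []struct {
		src, dst Device
		port     int
	}{{web, db, 5432}, {web, db, 22}, {laptop, db, 22}, {laptop, db, 5432}, {db, web, 5432}, {laptop, web, 8050}}
	for _, c := range cases {
		fmt.Printf("%s -> %s:%d  allow-all=%v  production=%v\n", c.src.Name, c.dst.Name, c.port,
			Allowed(AllowAll, c.src, c.dst, c.port), Allowed(Production, c.src, c.dst, c.port))
	}
}
```

Running it shows that under `AllowAll` every row is permitted, while under `Production` only the three explicit grants pass; the reverse direction (db to web) and unlisted ports are denied without needing a deny rule, which is the point of starting from default-deny.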
Key Management
All private keys are generated on the device itself and never leave it. See Key Management for details.
| Key | Purpose | Lifetime |
|---|---|---|
| Device Key | Identifies the device, used for NCP authentication | Permanent |
| Node Key | WireGuard P2P encryption | Periodically rotated |
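The two-key split in the table, and the forward-secrecy claim in the WireGuard section, can be modelled in a few dozen lines. The Go program below is an added example, not Baseguard's or WireGuard's code: a device generates both keys locally with X25519 from the standard library's `crypto/ecdh`, publishes only their public halves in an `Advertisement` (the only thing a control plane in this model ever sees), derives a session key with a peer from the node key, and rotates the node key while the device key stays fixed. The HMAC-SHA-256 step standing in for the Noise key derivation, the `Advertisement` type and the "example-session-key" label are simplifications assumed for this example; the real protocols use the Noise handshake with BLAKE2s as described above.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Device holds the two keys from the table. Both are generated on the device and the
// private halves never leave this struct (hypothetical model, not Baseguard's code).
type Device struct {
	Name      string
	deviceKey *ecdh.PrivateKey // permanent identity key
	nodeKey   *ecdh.PrivateKey // rotated; each epoch gets a fresh scalar
	epoch     int
}

// NewDevice creates the permanent device key and the first node key locally.
func NewDevice(name string) (*Device, error) {
	id, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	d := &Device{Name: name, deviceKey: id}
	return d, d.RotateNodeKey()
}

// RotateNodeKey replaces the node key and discards the old private scalar, so a
// session key from an earlier epoch cannot be recomputed from what remains on the device.
func (d *Device) RotateNodeKey() error {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	d.nodeKey = k
	d.epoch++
	return nil
}

// Advertisement is everything a control plane learns about a device: public keys only.
// It carries nothing from which the WireGuard-style session key could be derived.
type Advertisement struct {
	Name      string
	DevicePub []byte
	NodePub   []byte
	Epoch     int
}

// Advertise exports the public halves for distribution to peers.
func (d *Device) Advertise() Advertisement {
	return Advertisement{
		Name:      d.Name,
		DevicePub: d.deviceKey.PublicKey().Bytes(),
		NodePub:   d.nodeKey.PublicKey().Bytes(),
		Epoch:     d.epoch,
	}
}

// SessionKey derives the symmetric key this device shares with a peer from its own
// private node key and the peer's advertised public node key. The HMAC step is a
// simplified stand-in for the Noise key-derivation chain.
func (d *Device) SessionKey(peer Advertisement) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer.NodePub)
	if err != nil {
		return nil, err
	}
	shared, err := d.nodeKey.ECDH(pub)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, []byte("example-session-key")) // label assumed for this example
	mac.Write(shared)
	return mac.Sum(nil), nil
}

func main() {
	a, _ := NewDevice("laptop")
	b, _ := NewDevice("server")
	ka, _ := a.SessionKey(b.Advertise())
	kb, _ := b.SessionKey(a.Advertise())
	fmt.Printf("epoch %d: laptop=%s server=%s\n", a.epoch, hex.EncodeToString(ka[:8]), hex.EncodeToString(kb[:8]))
	_ = a.RotateNodeKey()
	ka2, _ := a.SessionKey(b.Advertise())
	fmt.Printf("epoch %d: laptop=%s (identity unchanged: %v)\n", a.epoch,
		hex.EncodeToString(ka2[:8]), hex.EncodeToString(a.Advertise().DevicePub[:8]) == hex.EncodeToString(a.Advertise().DevicePub[:8]))
}
```

Two properties are worth checking when reading the output: both peers compute the same session key from each other's advertisements, and after one side rotates its node key the session key changes while `DevicePub` (the permanent identity) does not. Nothing in an `Advertisement` lets the party that stores it derive either key, which is the separation the "control plane never has WireGuard keys" statement describes.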
Best Practices
- Enable node approval for production networks
- Use specific ACLs instead of allow-all rules
- Review audit logs regularly
- Rotate API keys periodically
- Keep client software updated
See Also
- Architecture — System design and authentication flow
- Access Control — Tags and network rules
- Networking — P2P and relay connections
- Audit Logs — Activity monitoring