End-to-End Encryption Security

P2P connections in NFLTR use AES-256 encryption with per-session key derivation. The server facilitates the handshake but never sees the plaintext data — your transfers are private end-to-end.


How E2EE Works in NFLTR

When two agents establish a P2P connection, they perform a multi-step handshake using the NFLTR server as a signaling channel. Once the handshake completes, all data flows directly between the agents — encrypted and authenticated.

Handshake diagram (figure):

  Agent A (Sender): generate ephemeral key, HMAC authentication, derive session AES key, AES-256 encrypted data stream, STUN NAT traversal
  NFLTR Server: signaling only, relays handshake messages, cannot decrypt data, no data passes through after handshake
  Agent B (Receiver): generate ephemeral key, HMAC verification, derive session AES key, AES-256 decrypted data received, STUN NAT traversal
  Agent A to Agent B: direct P2P (encrypted)

Encryption Details

🔐 AES-256-GCM

All P2P data is encrypted using AES-256 in GCM mode — authenticated encryption that detects tampering.

🔑 Per-Session Keys

A fresh encryption key is derived for every session. Compromising one session doesn't affect past or future transfers.

🤝 HMAC Mutual Auth

Both parties authenticate via HMAC before any data flows. Prevents man-in-the-middle attacks during handshake.

🌐 STUN NAT Traversal

Connections bypass the server entirely after handshake. STUN-assisted NAT traversal works across LAN, CGNAT, and hairpin NAT.

🚫 Zero Server Knowledge

The server only relays handshake messages. It never has access to the session key or plaintext data.

📁 File Integrity

File transfers include SHA-256 checksums verified by the receiver. Any corruption is detected and rejected.

What's Encrypted

Trust Model

NFLTR uses a trust-the-server-for-signaling-only model:

  1. Both agents must authenticate to the server (API key / fleet token / mTLS)
  2. The server relays the handshake (key exchange + HMAC auth) between agents
  3. After the handshake, a direct P2P connection is established
  4. All subsequent data flows directly between agents, encrypted with AES-256
  5. The server cannot decrypt the data even if it wanted to
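
A sketch of the HMAC check in step 2, added here as an illustration and not NFLTR's own code: the receiving agent accepts a relayed ephemeral public key only if its HMAC tag verifies and it is bound to the expected sender and session. Assumptions, since the page does not specify them: the HMAC key is a secret the two agents share and the server never holds, the message layout is as commented, and the names `make_hello` and `verify_hello` are hypothetical.

```python
import hashlib
import hmac
import os

TAG_LEN = 32   # HMAC-SHA256 tag size
SID_LEN = 16   # assumed session-id size
PUB_LEN = 32   # assumed ephemeral public key size


def make_hello(secret: bytes, sid: bytes, role: bytes, eph_pub: bytes) -> bytes:
    """Assumed layout: role(1) || session_id(16) || eph_pub(32) || tag(32)."""
    body = role + sid + eph_pub
    return body + hmac.new(secret, body, hashlib.sha256).digest()


def verify_hello(secret: bytes, sid: bytes, expected_role: bytes, msg: bytes):
    """Return the peer's ephemeral public key, or None if the message is rejected."""
    if len(msg) != 1 + SID_LEN + PUB_LEN + TAG_LEN:
        return None
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None   # altered in transit, or tagged without the shared secret
    if body[:1] != expected_role or body[1:1 + SID_LEN] != sid:
        return None   # our own message reflected back, or one from another session
    return body[1 + SID_LEN:]


def demo() -> dict:
    secret = os.urandom(32)   # constructed: held by both agents, never by the server
    sid, a_pub = os.urandom(SID_LEN), os.urandom(PUB_LEN)   # constructed sample values
    hello_a = make_hello(secret, sid, b"A", a_pub)
    # A relay that swaps in a different key but has to reuse the old tag.
    swapped = hello_a[:1 + SID_LEN] + os.urandom(PUB_LEN) + hello_a[-TAG_LEN:]
    return {
        "relayed unchanged": verify_hello(secret, sid, b"A", hello_a) == a_pub,
        "key swapped by relay": verify_hello(secret, sid, b"A", swapped) is not None,
        "reflected back to A": verify_hello(secret, sid, b"B", hello_a) is not None,
        "replayed in new session": verify_hello(secret, os.urandom(SID_LEN), b"A", hello_a) is not None,
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the unchanged message is accepted; the key exchange and session key derivation that would consume the accepted public key are left out of this example.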

💡 Transport encryption + E2EE

Regular tunnels (HTTP, TCP) use TLS for transport encryption between agent and server. P2P features add a second layer of E2EE where data never passes through the server at all.

Private by design

AES-256 encryption, per-session keys, zero server knowledge. Your data stays yours.
