Capabilities and trust model

Security capabilities, professional features, and governance guarantees.

Bastet is designed to operate across different trust and regulatory environments without ever relying on hidden mechanisms.

Its capabilities are organized into clearly defined operational models.


Core capabilities (open architecture)

These capabilities are available in all Bastet deployments.

Security and privacy

  • End-to-end encryption of messages and calls
  • Cryptographic identities independent of phone numbers or email
  • Device-level encryption
  • Hidden contacts and conversations
  • Multi-device identity management and revocation

Network architecture

  • Peer-to-peer relay network
  • Self-hosted relay servers
  • Jurisdiction-aware server chaining
  • No central metadata aggregation

Communication

  • Secure messaging
  • Encrypted audio and video communication

These capabilities ensure that no relay server can read message content, regardless of where it is hosted.


Professional capabilities (enterprise and agency deployments)

Professional capabilities are designed for managed organizational environments where identity and access control are required, without compromising content confidentiality.

Identity and access integration

  • LDAP-based user authentication
  • LDAP-based user discovery
  • Server-managed user identification keys
  • Isolated professional and private profiles on the same device

Security guarantees

For communications routed through organization-managed servers:

  • Users may be identified by the server
  • Message content remains end-to-end encrypted
  • Servers cannot decrypt messages or calls

This model supports:

  • Internal accountability
  • User lifecycle management
  • Compliance with organizational access policies

It does so without introducing content surveillance.


Extended Professional capabilities (regulated environments)

Certain organizations — such as military, defense, or regulated critical infrastructure — operate under legal or regulatory obligations that require controlled access to internal communications.

Extended Professional capabilities are designed to meet these requirements without silently weakening user security.

Controlled server-side decryption

  • Server-side encryption key management
  • Decryption applies only to conversations routed through organization-managed servers
  • Private and external communications remain fully end-to-end encrypted

Explicit user awareness

  • A permanent visual warning is displayed in any conversation where server-side content access is possible
  • Users are never misled about inspection capabilities

Profile isolation

  • Full cryptographic isolation between:
    • Professional profile (regulated)
    • Private profile (fully end-to-end encrypted)

This ensures:

  • Legal compliance for organizations
  • Preserved privacy for users outside regulated scopes
  • Clear, enforceable trust boundaries

Non-negotiable guarantees

Bastet enforces the following principles across all deployment models:

  • No hidden interception
  • No silent downgrade of encryption
  • No misleading user interface
  • No removal of inspection warnings

Any deployment that allows content access is:

  • Technically explicit
  • Visibly signaled to users
  • Cryptographically isolated

Source code and trust

Open Source components

The Bastet Core architecture is Open Source and fully auditable.

However, because Open Source software can be modified by third parties, users are strongly advised to use only official Bastet builds.

Modified builds may:

  • Remove security warnings
  • Alter cryptographic behavior
  • Introduce surveillance mechanisms

Professional editions

Bastet Professional and Extended Professional editions are not Open Source.

This is a deliberate security decision.

It prevents:

  • Malicious organizations from distributing altered clients
  • Hidden interception presented as compliant deployments
  • Users being deceived about inspection capabilities

Only officially signed builds guarantee:

  • Enforcement of warning mechanisms
  • Correct isolation between profiles
  • Accurate representation of server capabilities

Organizational branding

Organizations may receive custom-branded builds.

However:

  • Security indicators cannot be removed
  • Inspection warnings cannot be hidden or altered
  • Extended Professional features cannot be disguised as Professional

Trust for users is a core design objective, not a policy choice.