
We’re adding full-disk encryption to harden our servers against MITM attacks

Posted on April 30th, 2019 in Service Updates.


UPDATE: As of February 2020, we have applied full-disk encryption to all ProtonVPN servers.

Attacks from nation states may not be part of your threat model, but they are part of ours. We’re happy to announce an important security upgrade that will help mitigate certain resource-intensive attacks that can come from unfriendly governments in the countries where we have exit servers, such as Russia. With full disk encryption, ProtonVPN will be safer from sophisticated man-in-the-middle attacks.

Why disk encryption is important

When you connect to ProtonVPN, you are establishing an encrypted tunnel between your device and one of our servers around the world. While this prevents surveillance on your local network and at the level of your Internet service provider, it theoretically gives ProtonVPN the ability to see your activity. (This is why it’s crucial to use a trustworthy VPN.) ProtonVPN does not keep logs of your activity, so there is virtually no information about our users saved on our servers that could be divulged to governments in the countries where we operate.

Nonetheless, our servers are still an attractive target. One way for an attacker to compromise a VPN would be to seize the VPN server, steal the server certificate, and redirect users’ traffic to servers they control. A server certificate is the cryptographic version of an ID badge. It tells your device that the server is trustworthy and it’s safe to establish an encrypted connection. With a stolen server certificate, the attackers could trick your device into sending them your data.

This is not an easy attack to pull off, but a government could do it. As we expand our VPN service to even more countries, including high-risk countries, we are taking precautions to ensure ProtonVPN users can continue to browse safely. This includes disk encryption, which secures all the configurations and software contained in each exit server (including server certificates). That way, even if a server is compromised, the attackers will not be able to access the configurations, software, or certificates stored on it.
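The argument above, as an added example that is not ProtonVPN's code or setup: a passphrase-encrypted key file stands in for an encrypted disk, and a signed random challenge stands in for the VPN handshake. The file names, the passphrase and the `proves_identity` and `report` helpers are constructed for illustration.

```shell
#!/bin/sh
# Added illustration. A passphrase-encrypted key file stands in for an
# encrypted disk; names and the passphrase are constructed, not ProtonVPN's.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Server identity: a private key, and the public half that clients trust.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
    -out "$WORK/server.key" 2>/dev/null
openssl pkey -in "$WORK/server.key" -pubout -out "$WORK/server.pub"

# The same key as it would sit on an encrypted disk. The passphrase is
# assumed to be held away from the machine.
openssl pkey -in "$WORK/server.key" -aes-256-cbc \
    -passout pass:kept-off-the-server -out "$WORK/server.key.enc"

# Client-side check: issue a fresh random challenge and accept the peer
# only if its signature verifies against the trusted public key.
#   $1 = key file recovered from the disk
#   $2 = passphrase known to the disk holder (ignored for a plaintext key)
proves_identity() {
    challenge="$WORK/challenge.bin"
    sig="$WORK/sig.bin"
    openssl rand -out "$challenge" 32
    openssl dgst -sha256 -sign "$1" -passin "pass:$2" \
        -out "$sig" "$challenge" 2>/dev/null || return 1
    openssl dgst -sha256 -verify "$WORK/server.pub" \
        -signature "$sig" "$challenge" >/dev/null 2>&1
}

report() {  # $1 = label, remaining args = proves_identity arguments
    label=$1; shift
    if proves_identity "$@"; then
        echo "$label: peer accepted"
    else
        echo "$label: peer rejected"
    fi
}

report "seized disk, key in plaintext    " "$WORK/server.key" "guess"
report "seized disk, key encrypted       " "$WORK/server.key.enc" "guess"
report "operator with the real passphrase" "$WORK/server.key.enc" "kept-off-the-server"
```

The stand-in models only a disk examined while it is powered off or locked; once a disk is unlocked and the VPN service is running, the key is held in memory.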

What this means for you

Disk encryption won’t change anything about your ProtonVPN experience. All users will benefit from this security upgrade without any action required.

During the transition to disk encryption, there will be some temporary outages as we reboot each exit server in turn. The majority of users won’t notice any downtime. If you do, simply switch to a different VPN server. You can also enable the kill switch (if supported on your device) so that even if your VPN connection drops, your device is blocked from sending unencrypted traffic over the network. Full disk encryption is already active on ProtonVPN’s Russia servers, and we will be rolling out this upgrade across our entire fleet of servers.

If you have any questions about disk encryption in ProtonVPN, feel free to join the conversation on Reddit, Twitter, or Mastodon.

Best Regards,
The ProtonVPN Team

Ben Wolford is a writer at Proton. A journalist for many years, Ben joined Proton to help lead the fight for data privacy.


  1. DMW

    Who had the encryption keys or passwords to boot the servers and in which country are they kept?

  2. Ben Wolford

    This information is stored securely in Switzerland.

  3. user

    Hi! Until June 2020, which servers have full disk encryption? For example, do Argentina’s servers and Brazil’s servers have full disk encryption? Thanks!!

  4. Roxana Zega


    All our servers have full disk encryption. Thanks

  5. freemoon

    Any update available?


  6. Mount

    Can’t the government still get your public IP from the ISP and run their own server, making users connect to it whether or not the configuration matches? How can an unmatched configuration keep users from connecting to it?

  7. mmr

    Great idea. But what about RAM? The government can read RAM and see certificates, private keys, etc. Your servers are in a datacenter that can be monitored by the government.

  8. Why highlight Russia?

    Interested in why ProtonVPN references Russia in an obvious reference to alleged hacking in the west, but not equally serious ‘hacking’ more politely referred to as ‘surveillance’ by the west?
    Given extensive spying in the west, are the UK, US, AU, CA, and NZ too on the list of privacy unfriendly countries?

  9. clouder

    Very good for protecting our privacy. Thank you.

  10. ML

    1. Are you talking about physical access to the server?
    2. In order to redirect you to a different server, wouldn’t the attacker also need to take control over the DNS server you are using?
    3. When you are talking about disk encryption, do you mean the one which is included in Linux servers or an external tool?

  11. ProtonVPN Admin

    Hello! The attack scenario would be, there is a “network problem” in Russia. After the “problem”, the server comes back online, but it’s actually a different server, run by the government, which users unwittingly connect to because it has the same IP and everything. Obviously, we would detect the attack and remove the servers from our DNS and API, but it can still impact some users who connect via OpenVPN or to the server IP directly or have DNS cached.

  12. Jonathan A

    Very nice. I may have to reconsider the VPN service I’m using.
