Why use RAM-less VPN servers?

Why Proton VPN doesn’t use RAM-only VPN servers

Some VPN services use RAM-only VPN servers, which they promote as being more secure than traditional servers that use hard drives. At Proton VPN, we do not doubt that RAM-only servers can offer VPN services some legitimate operational advantages, but we disagree with how they’re often portrayed (especially by third-party VPN review and comparison sites) as providing additional security over using full disk encryption on hard drives. 

In this article, we’ll explain why.

What is a RAM-only VPN server?

Computers (including VPN servers, but also your laptop and smartphone) usually use two types of storage:

RAM

Random access memory  (RAM) is temporary storage. It acts as the computer’s short-term memory, enabling quick access to data and applications actively being used or processed by the central processing unit (CPU). The more RAM a computer has, the quicker it can multitask and perform complex operations. RAM is often referred to simply as “memory”.

RAM is volatile, meaning it loses all stored information when the power is turned off. Unlike storage devices such as hard drives, which retain data even when the computer is powered down, RAM requires a continuous power supply to maintain its data.

Hard drives

Hard drives come in two main types — hard disk drives (HDDs) and solid-state drives (SSDs), and provide persistent storage. In other words, data stored on hard drives doesn’t disappear when you turn off the power. Hard drives are therefore essential for storing your operating system, applications, files, and other data between computer sessions. 

Hard drive storage is much cheaper than RAM but also slower (especially “spinning rust” HDDs), so when a computer needs to perform a task, it looks up the information stored on the hard drive and loads it to temporary RAM for speedy processing.  

RAM-only servers

As the name suggests, RAM-only servers dispense with hard drives, relying on RAM only. This means that no data is stored on the computer when the power is turned off. When a server is powered down and up again, it’s booted from a read-only image (such as one stored on a write-protected DVD disk). 

Advocates of RAM-only VPN servers argue this makes them more secure. If the VPN servers are seized, the argument goes, the adversary won’t have access to hard disks containing user data. However, at Proton VPN, we believe this notion doesn’t stand up to rigorous scrutiny.

Why Proton doesn’t use RAM-only servers

1. RAM can be just as easily accessed as hard disks if the computer is on

The first thing to note is that the claimed security benefits of RAM-only servers only apply if the server is turned off. If an adversary gains access to a running machine — whether by physically seizing it or by some covert means — they can gain full access to all data stored on the server, regardless of the nature of the storage medium it used. 

For the record, this also applies to hard disks that use full-disk encryption (see below). The disks are decrypted when the server is turned on, so anyone with administrative access to the system when it’s operational can access all data stored on it. This means hard disks using full-disk encryption are neither more nor less secure than RAM-only servers in this situation.

2. Full-disk encryption achieves the same end

Any competent VPN company will use full-disk encryption(new window) on its hard drives, which encrypts all the data on a drive, including the operating system, applications, system files, and temporary files that might contain sensitive information. This ensures that no data on the disk can be accessed without proper authorization.

Learn more about how Proton VPN protects all our servers with full-disk encryption(new window)

The data is decrypted during the boot-up process, and when the system is powered off, all data on the disk remains encrypted, making it inaccessible without the encryption key.

Proton VPN secures all our server disks with the Linux Unified Key Setup(new window) (LUKS) encryption specification, using an AES-256 cipher and encryption keys that are long enough to resist any practical brute force attack. And crucially, encryption keys are stored off-site (not on the server) so that incidents such as this(new window) can’t happen with Proton VPN’s servers. 

Learn more about AES encryption(new window)

The result is that seizing our servers when powered off will yield no more information than seizing RAM-only servers. 

3. A good VPN service has no logs worth seizing anyway 

A reputable VPN service should never log anything that might compromise its customers’ privacy. That way, even if authorities seized its servers or an adversary accessed its storage, they would find nothing useful, anyway.

At Proton VPN, we commission annual third-party audits to verify our strict no-logs policy. And unlike many other VPN companies, we publish these audits in full, so you can have confidence that when we say we keep no logs, we mean it. 

Learn more about our third-party no-logs audits(new window)

4. Location, location, location

Another important factor in ensuring that data doesn’t fall into the wrong hands is their legal jurisdiction. Servers in restrictive and authoritarian countries are more vulnerable to seizure than in countries with respect for their citizens’ privacy and the rule of law.

To address this issue, Proton VPN uses Smart Routing to offer servers in countries we might not otherwise be able to due to possible censorship and interference. Instead of running servers physically inside those countries, we use servers that are, in reality, located in safe countries.

These Smart Routing servers behave just like the other servers on the Proton VPN network do. They are also run on our own bare metal servers, so they are equally secure.

Learn more about Smart Routing(new window)

For those with very high privacy requirements, we offer Secure Core. This double-VPN solution routes connections through two VPN servers, the first of which is always located in a country with strong privacy laws: Iceland, Switzerland, or Sweden. 

Learn more about Secure Core

And, of course, Proton VPN itself is headquartered in Switzerland, a neutral country with some of the strongest data privacy laws in the world. The Swiss legal code also protects us from any obligation to start logging our community’s VPN connections.

Learn more about Swiss legal protections(new window)

So why use RAM servers?

There are reputable VPN services that offer RAM-only VPN servers, and we have confidence they have good operational reasons for doing so. For example, this setup allows you to boot all servers from a single image, allowing for a high degree of consistency between server instances. 

At Proton VPN, we’ve opted to emphasize different operational advantages by using hard disks with full-disk encryption. For example, hard disks allow us to:

  • Securely store system logs (which contain no personal information) locally. These help us quickly and efficiently investigate issues with our servers or network.
  • Easily release new features, as we can simply update our servers rather than needing to reboot them all with a new image.
  • More conveniently and accurately run diagnostic and performance tests on our servers, as RAM is not shared between system files and other data.

So, there are operational tradeoffs no matter what option a VPN service chooses. However, we strongly believe that RAM-only VPN servers offer no privacy or security advantages over robust full-disk encryption. 

Final thoughts — what really protects your privacy

Much more effective real-world measures for maintaining your privacy are:

Needless to say, at Proton VPN we implement all these measures in the fullest possible ways, so you can be confident that what you get up to online is your business — and yours alone. 

Related articles

What we've been up to, and what's next
en
Here are the main things Proton VPN delivered this spring and summer and the exciting changes that lie ahead on our product roadmap this winter.
Proton VPN for Windows ARM
en
  • Proton VPN news
We’re pleased to announce a new Proton VPN app with native support for Windows devices that use the ARM chipset.
What is doxing and is doxing illegal
en
We look at what doxing is, who does it (and why), and at how to protect yourself from doxing .
Stream securely on tvOS with Proton VPN
en
With the Proton VPN Apple TV app, you can easily and securely watch your favorite content on your big-screen TV no matter where you are.
Illustrated laptop devices representing a network with a shield and a lock in the center of the screen
en
Cybercriminals will take any opportunity to gain unauthorized access to your servers. Learn how you can stop them.
Proton for Business now offers MDM support, more dedicated servers, and gateway monitoring.
en
Proton for Business now offers MDM support, more dedicated servers, and gateway monitoring.