Perfect forward secrecy is achieved by creating a unique set of encryption keys for each Proton VPN session. This is done by generating new keys each time you connect to one of our VPN servers using secret numbers and robust mathematical procedures. This means that if your private key for one session is compromised, it cannot be used to decrypt any past (or future) browsing sessions.
Perfect forward secrecy with Proton VPN
Future-proof your security with perfect forward secrecy (PFS). Proton VPN keeps your browsing history secure even if an encryption key is compromised in the future.
- Secure each VPN session with unique encryption keys
- Protect all VPN sessions with PFS by default
- Add an extra layer of security to your VPN encryption
What is perfect forward secrecy?
Perfect forward secrecy refers to how an encryption algorithm generates encryption keys and ensures that a unique set of keys are used for each VPN session. These keys are used to encrypt your VPN connection so that no one can monitor your activity. We only use VPN protocols and encryption that support perfect forward secrecy.
How does PFS work?
We exclusively use encryption and VPN protocols that support perfect forward secrecy. Each time you connect to Proton VPN, we generate a new encryption key, to provide you with a more secure VPN connection.
Protect past activity
By never re-using old encryption keys, we ensure that your traffic cannot be captured and decrypted later if an encryption key from a future VPN session is somehow compromised.
Perfect forward secrecy gives you improved security. In contrast, if all browsing data is encrypted with a single private key, that key can be stolen and used to access all your past activity. With PFS, all your activities stay private, even if there is a leak.
Advanced privacy from Proton VPN
Secure Core VPN
Our Secure Core network is made up of physical servers that we own, located in countries with very strong privacy laws. We route your connection through a second VPN server for extra security. You can connect to our Secure Core network with a Proton VPN Plus plan.
DNS leak protection
We prevent DNS leaks that can expose your browsing history by encrypting your DNS requests in our VPN tunnel and resolving them using our own DNS servers. When you are connected to Proton VPN, nobody can access your DNS requests.
Private sign up
When you sign up for a Proton VPN account, you don’t need to provide us with any identifying information before connecting, just an email address. Once you sign in(new window) you can start browsing securely with just one click.
How Proton VPN protects you online
Based in Switzerland
We’re based in Switzerland, which has very strict privacy laws and is free from EU and US mass surveillance practices.
Proton is supported by the European Commission and recommended by the UN as a way to bypass censorship.
Free and available to everyone who uses Proton VPN, our unique VPN Accelerator technology can improve speeds by over 400%.
We’ve made all our apps open source, so anyone can inspect their code. We have also published the audit reports from independent security experts on our website.
If you unexpectedly lose connection to your Proton VPN server, our kill switch will ensure your unique IP address is kept private.
We operate a strict no-logs policy, so we cannot be forced to share any information about your online activity with anyone.
Secure VPN protocols
The VPN protocols we use are known to be secure — IKEv2, OpenVPN, and WireGuard. We don’t use less secure protocols, even if they are less costly to operate.
All our servers are protected by full-disk encryption, meaning that even if our servers were physically seized, it would not be possible to intercept user traffic.
Download a fast and secure VPN
- High-speed servers
- Unique VPN Accelerator technology
- Strict no-logs policy
- Secure Core VPN
- NetShield Ad-blocker
Frequently Asked Questions
If a hacker managed to get hold of one of the keys for a single session that used perfect forward secrecy, they could only use it to access data from that specific session, while the data in the rest of your sessions would remain safe (since different unique keys were used to encrypt and protect them). It also means that your session key will remain secure even if your VPN’s private key was exposed.
All Proton VPN connections are protected by perfect forward secrecy.
By using any of the Proton VPN apps, you will automatically be protected by perfect forward secrecy, as we only use encryption that supports it. Get Proton VPN to start browsing with perfect forward secrecy, you don’t need to take any additional steps.
We use the OpenVPN, IKEv2, and WireGuard VPN protocols, which are known to be secure. We don’t support any VPN connections using PPTP or L2TP/IPSec (even though they are often cheaper and easier to run), as they do not meet our security standards. This is true for both free and paid Proton VPN plans.