Skip to content

Carrier

Carrier is private messaging built directly into HomeDock OS. It lets one instance talk to another with messages that are end-to-end encrypted and digitally signed — and it does it without a middleman. There is no central relay, no HomeDock OS server holding your queues, no third party that ever sees a single byte of your conversation. Every message travels point-to-point, straight from your instance to your contact’s, sealed and authenticated the whole way.

Carrier turns two HomeDock OS instances into a direct, private channel. You exchange a small identity file once, verify a fingerprint, and from then on you can message each other — encrypted, signed, and delivered machine-to-machine over your own network or the open internet.

  • End-to-end encrypted: only the recipient’s instance can open a message. Not us, not your ISP, not anyone sitting on the wire.
  • Cryptographically signed: every message is signed by the sender’s identity key, so the recipient knows exactly who it came from and that it wasn’t altered.
  • Truly peer-to-peer: delivery is a direct connection from your instance to theirs. No relay server, no store-and-forward cloud, no queues on our side.
  • Self-hosted identity: your keys are generated and kept on your instance, treated like an SSH key. They never leave the box.

Why There’s No Relay (and Why That Matters)

Section titled “Why There’s No Relay (and Why That Matters)”

Most “encrypted” messengers still route your traffic through their servers. Even when the content is encrypted, that central point sees the metadata: who talks to whom, when, how often, from where. It’s a queue, a log, and a single point of failure — and a single point of subpoena.

Carrier removes it entirely.

  • No central HomeDock OS server processes your queues, your envelopes, or your delivery. The delivery worker on your instance POSTs the sealed envelope directly to your contact’s public inbox.
  • No message queues on our infrastructure. The outbox lives on your machine; the inbox lives on theirs. We are never a hop.
  • No metadata harvest. Because we’re not in the path, there is no relay log of your social graph to leak, sell, or hand over.
  • Nothing in the middle to compel. As lawmakers across Europe debate mandating message scanning at the platform level, architecture beats promises: Carrier has no relay to scan and no server-side metadata to retain or hand over. There is simply no central point where scanning or interception could be inserted.
  • No single point of failure. If HomeDock OS’s own servers went dark tomorrow, Carrier would keep delivering — it never depended on them.

PGP was designed in the early 1990s, and it shows. Carrier deliberately does not use GPG/PGP — not for lack of familiarity, but because the modern alternative is simply better on every axis that matters.

  • Forward secrecy PGP doesn’t have. With PGP, one long-term key encrypts everything. If that private key ever leaks, every message you’ve ever received can be decrypted retroactively. Carrier generates a fresh ephemeral key for every single message — compromising your long-term key does not unlock past captured traffic.
  • No keyservers, no web of trust theatre. PGP’s trust model is famously painful: keyservers, expiry, revocation, signing parties. Carrier verifies identity with a single short fingerprint you confirm out-of-band, once. Clean and human.
  • One modern ciphersuite, zero negotiation. PGP’s flexibility is its weakness — decades of packet formats, optional algorithms, and downgrade attacks. Carrier has exactly one fixed, modern ciphersuite. Nothing to negotiate means nothing to downgrade.
  • Context-bound authentication. Carrier signs the whole envelope and binds its metadata (message ID, recipient, timestamp) into the encryption itself as authenticated data — and always verifies the signature before attempting to decrypt. PGP signatures float free of that context.
  • No giant external binary. GPG is a large, legacy dependency with a long history of parsing vulnerabilities. Carrier is built entirely on cryptography (pyca) — already a core HomeDock OS dependency, audited, and cross-platform. Zero new dependencies.

Carrier is built on the exact same cryptographic primitives that Signal and WireGuard are built on — the modern, battle-tested “Curve25519 family” that has become the de-facto standard for serious secure communication:

Primitive Role Also used by
X25519 Key agreement (ECDH) Signal, WireGuard
Ed25519 Digital signatures Signal, SSH, TLS 1.3
ChaCha20-Poly1305 Authenticated encryption (AEAD) WireGuard, TLS 1.3
HKDF-SHA256 Key derivation Signal, WireGuard, TLS 1.3

Every Carrier message uses a fresh ephemeral X25519 keypair, a shared secret derived through HKDF-SHA256, and one-shot ChaCha20-Poly1305 encryption — the same sealed-box construction that libsodium popularised and that WireGuard’s handshake is founded on. The identity that signs your messages is an Ed25519 key, exactly like the ones securing SSH and modern TLS.

In other words: the cryptographic core is the same grade. When you send a Carrier message, it’s protected by the same math that protects a WireGuard tunnel or a Signal message.

On first use, Carrier generates a persistent identity for your instance: an Ed25519 signing key and an X25519 encryption key. It’s stored on your machine with the same posture as an SSH private key (locked down, owner-only) and never leaves it. From those keys, Carrier derives a short, human-comparable fingerprint.

2. You Exchange a Contact File — Out of Band

Section titled “2. You Exchange a Contact File — Out of Band”

To add a contact, you exchange a tiny .hdc identity file through whatever channel you already trust (in person, a signed email, a secure chat). It carries your public keys, your fingerprint, and your instance’s reachable addresses — signed by your identity so nobody can tamper with the addresses in transit and redirect your messages.

Both sides then compare the fingerprint out-of-band. Once it matches, the contact is verified — this is the one human step, and it’s what makes the whole channel trustworthy.

When you send a message, Carrier:

  1. Generates a brand-new ephemeral key just for this message.
  2. Derives a unique encryption key via X25519 + HKDF-SHA256.
  3. Encrypts the text with ChaCha20-Poly1305, binding the message’s metadata (ID, recipient, timestamp) into the ciphertext as authenticated data.
  4. Signs the whole envelope with your Ed25519 identity key.

The recipient’s instance does the reverse — but verifies your signature first, and only then decrypts. A bad signature never reaches the decryption step.

Your instance’s delivery worker takes the sealed envelope and POSTs it straight to your contact’s instance — no relay, no queue on our side. It tries your contact’s known addresses (local network first, then internet), learns the working route, and follows them across IP or port changes via signed address updates. A slow or offline peer never blocks delivery to anyone else, and failed sends retry automatically.

  • Verify-before-decrypt on every inbound envelope — signatures are checked before any decryption is attempted.
  • Anti-replay window: envelopes with a timestamp too far from now are rejected, and address updates use a monotonic version counter so an old one can never override a newer one.
  • Tamper-proof addresses: the address list is signed by the identity, so it can’t be swapped in the out-of-band channel to hijack delivery.
  • Owner-only key storage: identity keys are written with restrictive permissions, treated like an SSH key.
  • Block & tombstone: silence any sender permanently; their traffic is dropped without ever telling them.
  • Self-contained: all Carrier state lives in its own private data directory, isolated from the rest of the system.

Carrier ships today as a focused, rock-solid encrypted text channel between instances — the hardest part (the secure transport) done right, first. That foundation is deliberately built to carry more.

As Enterprise and team adoption grows, we’ll expand Carrier’s capabilities — richer message types and collaboration features layered on top of the exact same peer-to-peer, encrypted, signed transport. The security model doesn’t change as it grows; it’s the bedrock everything else is built on.

Carrier is an Enterprise module and activates automatically with a valid commercial license. Contact support@homedock.cloud for licensing information.
  • Signatures: Ed25519 (identity signing key)
  • Key agreement: X25519 ECDH, with a fresh ephemeral keypair per message
  • Key derivation: HKDF-SHA256
  • Encryption: ChaCha20-Poly1305 (AEAD), one-shot per message, with metadata bound as authenticated data
  • Identity fingerprint: SHA-256 over the public keys, rendered as a short human-comparable string, verified out-of-band
  • Trust model: trust-on-first-use with out-of-band fingerprint verification — no keyservers, no web of trust
  • Transport: direct instance-to-instance HTTP POST to the peer’s public inbox — no central relay
  • Dependencies: built entirely on cryptography (pyca), already core to HomeDock OS — zero new dependencies, no PGP, no PyNaCl