Security Architecture

How Semafore handles keys, sessions, encryption, and rotation.

Security architecture reference pages for Semafore.

What plaintext-blind means and how the trust model works.

X25519, Ed25519, AES-256-GCM, HKDF, and HMAC-SHA256.

Dual identity key contract, key bundles, and per-device keys.

X3DH walkthrough, first-message headers, and multi-device fan-out.

Double Ratchet, dr_v1 wire format, and forward secrecy.

Organisation-wide announcements, offline delivery, and plaintext-blind relay.

SPK rotation triggers, procedure, and why it matters.