Security & privacy

Even we can't see your photos.

Your photos and files are encrypted on your phone or computer before they ever leave it. Not a setting you turn on — the only way Harbor works. This page explains what that means in plain language, and how to report a security issue if you find one.

Questions people actually ask

The short, honest answers — no marketing gloss.

Can Harbor (the company) see my photos or files?

No. Everything is encrypted on your own device with a key that's generated and kept on your devices. Your home server stores and verifies ciphertext — it never holds anything that can decrypt it, and neither do we.

What about the network in between — the relay that connects my phone to home?

It's zero-knowledge. The relay (Headscale/DERP, embedded in your box) only ever sees WireGuard-encrypted packets. It has no keys and can't read what passes through it — its job is routing, not reading.

Where do the encryption keys actually live?

On your devices, and only your devices. Each phone or computer you pair gets its own key, wrapped with X25519 so it can be shared within your household without ever transiting our servers in the clear.

What if I lose my phone, or the box itself?

A recovery phrase (the same BIP-39 word-list format used by crypto wallets) restores your keys and data byte-for-byte on a new device. Lost a phone? Revoke it from another paired device in one tap so it can't sync anymore.

What encryption do you actually use?

Standard, widely reviewed primitives — not anything custom: XChaCha20-Poly1305 for encrypting files and photos, Argon2id for deriving keys from your passphrase, X25519 for sharing keys between your devices, Ed25519 for signing releases and licenses, and WireGuard for the network transport. Same building blocks used by Signal, WireGuard itself, and most security-focused software.

Has Harbor been independently audited?

Not yet, and we'd rather say that plainly than imply otherwise. What exists today: a written cryptographic specification, a reference implementation, and a byte-for-byte test suite that proves every implementation of our crypto agrees with that spec. We're actively working toward publishing that verification path for outside researchers, and toward a paid third-party design review once the product is generating revenue. Until then, this page and our vulnerability disclosure policy are the honest state of where we are.

Is Harbor open source?

No — the product is closed source today. That's a deliberate, revisitable choice, not a way of hiding anything about the cryptography itself: the design is documented in the specification referenced above, built entirely from published, standard primitives.

What happens to my data if Lighthouse (the company) shuts down?

It's already sitting on hardware you own, in your home, encrypted with keys only your devices hold. It was never in a corporate cloud that could vanish with the company — Harbor's job is to get out of the way of your own data.

Who can see what

Our internal trust-boundary reference, restated in the open.

Trusted with your plaintext

  • Your phone or computer — holds your keys; the origin and destination of everything you store.

Never trusted with your plaintext

  • Your home server — stores ciphertext only, for both files and photos.
  • The relay (Headscale/DERP) — zero-knowledge; sees only encrypted packets.
  • Our control plane (billing/licensing) — handles account and payment metadata only, via our merchant of record; never your file or photo data.
  • The network / your ISP — everything in transit is already WireGuard-encrypted.

Vulnerability disclosure policy

We invite scrutiny. If you find a security issue, we want to hear about it before anyone else does — and we won't come after you for good-faith research that follows this policy.

In scope

  • harbor.lighthouse.computer and its waitlist / onboarding backend
  • The Harbor client and server software, on hardware you own or control
  • The cryptographic design described in our specification

Out of scope / not okay

  • Accessing, modifying, or exfiltrating another person's account, box, or data
  • Denial-of-service testing, spam, or automated volume scanning
  • Social engineering of our users, pilots, or anyone else
  • Physical attacks against hardware you don't own

Report privately to: security@lighthouse.computer

We'll acknowledge reports within a few business days and keep you posted as we work on a fix. Please give us a reasonable window — 90 days is our target — before any public disclosure. Credit is always welcome and offered; we don't run a paid bounty program yet. Machine-readable policy: /.well-known/security.txt.