Secure Channel  ·  Signal Protocol  ·  Your Infrastructure

The Gold Standard of Encryption.
On Your Own Servers.

OneFirewall Secure Channel brings the proven Signal open-source protocol to your enterprise — hosted entirely within your own infrastructure. End-to-end encrypted messaging, voice, and video calls with zero data touching third-party servers. The encryption that protects journalists, governments, and security researchers — now running on your hardware, under your control.

Signal Protocol  ·  Self-Hosted  ·  E2E Encrypted  ·  CTI Integrated  ·  Zero Third-Party Exposure

Built on the Signal Protocol — the Most Audited Encryption in the World

The Signal Protocol is open-source, peer-reviewed, and the cryptographic standard trusted by more than a billion people. We did not reinvent the wheel — we brought it inside your perimeter.

// Signal Protocol — Open Source

Why This Encryption Standard?

The Signal Protocol, originally developed by Open Whisper Systems and now maintained by the Signal Foundation, is the most widely deployed and most closely scrutinised end-to-end encryption protocol in existence. It powers Signal, WhatsApp, and Google Messages, and it has been formally analysed by academic cryptographers, including the 2017 formal security analysis by researchers at the University of Oxford, Queensland University of Technology and McMaster University, and by subsequent independent work.

It combines the Double Ratchet algorithm, Extended Triple Diffie-Hellman (X3DH) key agreement, and Curve25519 elliptic-curve cryptography to give every message forward secrecy and break-in recovery. Forward secrecy means that a key compromised today cannot decrypt messages that were already exchanged; break-in recovery (also called post-compromise security) means that once the next Diffie-Hellman ratchet step runs, an attacker who captured a device's session state is locked out of the messages that follow.

OneFirewall Secure Channel implements this protocol directly — the same cryptographic primitives, the same security properties — but the infrastructure is yours. No Signal Foundation servers. No WhatsApp servers. No metadata harvesting. Your data stays in your data centre.

Double Ratchet  ·  X3DH Key Agreement  ·  Curve25519  ·  AES-256-GCM  ·  HMAC-SHA256  ·  Forward Secrecy  ·  Break-in Recovery
  • 🔑
    Keys generated on-device, never transmitted
    Every user's private key is generated locally and never leaves their device. The server distributes public keys but never sees private material.
  • 🔄
    Per-message key rotation via Double Ratchet
    Every message is encrypted with a unique message key derived from a ratcheting chain. A compromised message key reveals that one message only: it cannot be used to decrypt earlier messages, and the next Diffie-Hellman ratchet step replaces the chain so that later messages stay out of reach as well.
  • 👁️
    Zero-knowledge server architecture
    The Secure Channel server routes and queues encrypted blobs. It sees only the routing metadata it needs to deliver them (sender and recipient identifiers, timestamp, payload size) and has no ability to decrypt message content or media files.
  • 📋
    Full open-source auditability
    The cryptographic core is open source. Your security team, or an external auditor, can inspect and verify every component of the encryption implementation — unlike proprietary solutions.
  • 🛡️
    Integrated with Alliance threat intelligence
    Secure Channel runs inside the OneFirewall security perimeter, with real-time IOC blocking applied to the communication infrastructure itself.

Why Consumer Apps Are Not Enterprise-Grade

Teams default to WhatsApp, Slack, or Teams because they are convenient. Each one is a corporate espionage risk hiding in plain sight.

💬 WhatsApp / WhatsApp Business

Metadata Harvested by Meta

  • Content is end-to-end encrypted, but metadata (who, when, how often) flows to Meta
  • Business account data is shared with Meta's advertising infrastructure
  • The phone number is the identity, tying communication to personal devices
  • Cloud backups to Google Drive or iCloud are not end-to-end encrypted unless each user opts into encrypted backups
💼 Microsoft Teams

All Data on Microsoft Servers

  • Messages, files, and recordings are stored in Microsoft data centres
  • Microsoft can access content under legal orders
  • Chat messages are not end-to-end encrypted; Microsoft holds the keys
  • Content is processed by Microsoft's own compliance and indexing systems
🟣 Slack

Full Content Accessible to Salesforce

  • Slack (a Salesforce company) can read all messages and files by design
  • No E2E encryption: server-side encryption only, with keys held by Slack
  • Message history is retained on Slack's servers for as long as the workspace's retention settings allow, indefinitely by default
  • Third-party app integrations can access channel data
🔵 Signal (consumer app)

Signal Foundation Servers

  • The protocol is excellent, but the infrastructure is the Signal Foundation's
  • Registration requires a phone number, and the user directory lives on Signal's servers, outside your control
  • Not suitable for air-gapped or classified environments
  • No enterprise management, policy enforcement, or audit logging
🧠

OneFirewall Secure Channel: All the Cryptography. None of the Third Parties.

Secure Channel gives you the same Signal Protocol cryptography trusted by governments and journalists, but the entire stack runs on your infrastructure. No metadata leaves your perimeter. No private keys exist anywhere except on your users' devices. No vendor has access to your communications. And because it runs inside the OneFirewall perimeter, every connection is protected by real-time Alliance threat intelligence.

Everything Your Team Needs. Nothing They Shouldn't Have.

A complete secure communication suite — messaging, voice, video, and files — all end-to-end encrypted on your own infrastructure.

💬

End-to-End Encrypted Messaging

Individual and group messaging with full E2E encryption. Every message, every attachment, encrypted with per-message keys before it leaves the sender's device. The server routes ciphertext — nothing more.

📞

Encrypted Voice Calls

Crystal-clear VoIP calls with SRTP encryption negotiated via the Signal Protocol handshake. Call metadata — who called whom, when — stays entirely within your infrastructure. No PSTN exposure.

🎥

Encrypted Video Conferencing

Secure group video calls with no third-party relays. Video streams are encrypted end-to-end and routed through your own servers. Suitable for board meetings, incident response, and classified briefings.

📁

Secure File Transfer

Documents, images, and binary files transferred with the same E2E encryption as messages. Files are chunked, encrypted, and reconstructed only on the recipient's device. Nothing is stored in plaintext on the server.
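As an added example (not OneFirewall's code, and not a description of Secure Channel's actual file format), the Go program below shows one way to chunk, encrypt and reassemble a file with the AES-256-CBC + HMAC-SHA256 combination the specification panel lists for media: each chunk is encrypted under a fresh IV, then authenticated with an encrypt-then-MAC tag that also covers the chunk's index and the total chunk count, so the recipient rejects chunks that were reordered, duplicated, dropped or altered in storage instead of silently splicing them together. The wire layout, the 40-byte chunk size, the fixed demo keys and the sample document are all constructed for the demo; in a real client the per-file keys and the chunk count would travel to the recipient inside an end-to-end encrypted message, which is also why the example does not try to detect the loss of every chunk.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Chunk format: index(4) || total(4) || IV(16) || AES-256-CBC ciphertext || HMAC-SHA256 tag(32).
// The tag covers everything before it, so index and total are authenticated as well.
const (
	chunkSize = 40 // tiny so the demo yields several chunks; real clients use far larger ones
	hdrLen    = 8 + aes.BlockSize
)

// FileKeys are 32-byte per-file keys; a client would send them to the recipient inside an E2E message.
type FileKeys struct{ Enc, Mac []byte }

func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...) // copy: never write into the caller's buffer
}
func unpad(b []byte) ([]byte, error) { // caller guarantees len(b) >= aes.BlockSize
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad padding") // reachable only after a valid MAC, so no padding oracle
	}
	return b[:len(b)-n], nil
}

// EncryptFile splits data into chunks and applies encrypt-then-MAC to each one.
func EncryptFile(k FileKeys, data []byte) [][]byte {
	block, _ := aes.NewCipher(k.Enc) // 32-byte key by contract, so this cannot fail
	total := (len(data) + chunkSize - 1) / chunkSize
	chunks := make([][]byte, 0, total)
	for i := 0; i < total; i++ {
		end := (i + 1) * chunkSize
		if end > len(data) {
			end = len(data)
		}
		out := make([]byte, hdrLen)
		binary.BigEndian.PutUint32(out[0:], uint32(i))
		binary.BigEndian.PutUint32(out[4:], uint32(total))
		rand.Read(out[8:]) // fresh IV per chunk; crypto/rand.Read crashes rather than fail silently
		ct := pad(data[i*chunkSize : end])
		cipher.NewCBCEncrypter(block, out[8:]).CryptBlocks(ct, ct) // in place on the padded copy
		out = append(out, ct...)
		mac := hmac.New(sha256.New, k.Mac)
		mac.Write(out)
		chunks = append(chunks, mac.Sum(out))
	}
	return chunks
}

// DecryptFile checks tag, position and count of every chunk before returning plaintext,
// so a reordered, duplicated, dropped or modified chunk is rejected rather than spliced in.
func DecryptFile(k FileKeys, chunks [][]byte) ([]byte, error) {
	block, _ := aes.NewCipher(k.Enc)
	var out []byte
	for i, c := range chunks {
		body := len(c) - sha256.Size
		if body < hdrLen+aes.BlockSize || (body-hdrLen)%aes.BlockSize != 0 {
			return nil, fmt.Errorf("chunk %d: malformed length %d", i, len(c))
		}
		mac := hmac.New(sha256.New, k.Mac)
		mac.Write(c[:body])
		if !hmac.Equal(mac.Sum(nil), c[body:]) {
			return nil, fmt.Errorf("chunk %d: MAC mismatch", i)
		}
		idx, total := binary.BigEndian.Uint32(c[0:]), binary.BigEndian.Uint32(c[4:])
		if int(idx) != i || int(total) != len(chunks) {
			return nil, fmt.Errorf("chunk %d: header says %d of %d, but %d chunks present", i, idx, total, len(chunks))
		}
		pt := make([]byte, body-hdrLen)
		cipher.NewCBCDecrypter(block, c[8:hdrLen]).CryptBlocks(pt, c[hdrLen:body])
		p, err := unpad(pt)
		if err != nil {
			return nil, fmt.Errorf("chunk %d: %w", i, err)
		}
		out = append(out, p...)
	}
	return out, nil
}

func main() {
	k := FileKeys{bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 32)} // constructed demo keys
	doc := []byte("CONFIDENTIAL incident timeline: 09:12 alert, 09:30 containment, 10:05 eradication, 11:40 clear.")
	chunks := EncryptFile(k, doc)
	pt, err := DecryptFile(k, chunks)
	fmt.Println(len(chunks), "chunks, intact:", bytes.Equal(pt, doc), err)
	_, err = DecryptFile(k, [][]byte{chunks[1], chunks[0], chunks[2]})
	fmt.Println("after swapping two chunks:", err)
}
```

The order of checks in DecryptFile is deliberate: the MAC is verified before the header fields are trusted and before any decryption or padding check runs, which is what makes the CBC padding check safe against padding-oracle probing.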

🏢

Enterprise Directory Integration

Connect to your existing LDAP or Active Directory. Users onboard with corporate identities — no personal phone numbers required. Group membership and channel access controlled by your IT team.

🔐

Self-Destructing Messages

Configure per-conversation message expiry timers. Messages automatically delete from all devices after the defined window — enforcing data minimisation policies without relying on user compliance.

📋

Compliance Audit Logging

Metadata audit logs — connection events, delivery receipts, group changes — stored locally in your SIEM. Message content remains encrypted and unreadable even to administrators. Meet NIS2, DORA, and ISO 27001 requirements.

🛡️

Alliance Threat Intelligence Integration

Secure Channel runs inside the OneFirewall perimeter. All connections to the communication server are governed by real-time IOC blocking — malicious IPs are denied before they reach your communication infrastructure.

📱

Cross-Platform Clients

Native clients for Android, iOS, Windows, macOS, and Linux. All platforms use the same Signal Protocol implementation. Linked devices share the same account with independent key material on each device.

How Secure Channel Works

A zero-knowledge server architecture — your infrastructure routes messages it cannot read.

1

Deployment on Your Infrastructure

Secure Channel server is deployed on your on-premises hardware, private cloud, or air-gapped environment. OneFirewall provides the deployment package and initial configuration. Your team retains full administrative control — OneFirewall never has remote access to your server.

2

Key Generation and Identity Registration

When a user registers, the client generates a long-term identity key pair, a signed pre-key (its public half signed with the identity key so that recipients can verify it), and a batch of one-time pre-keys, all entirely on the device. Only public keys and the pre-key signature are uploaded to your Secure Channel server. Private keys never leave the user's device under any circumstance.

3

Session Establishment — X3DH Handshake

Before the first message, the sender fetches the recipient's public pre-key bundle and performs an Extended Triple Diffie-Hellman (X3DH) key agreement with it, combining a fresh ephemeral key with both parties' identity keys so that each side is authenticated. This establishes a shared secret known only to the two devices. The server participates only as a key distributor, handing out each one-time pre-key at most once, and never learns the shared secret.

4

Message Encryption — Double Ratchet

Every outgoing message is encrypted with a unique symmetric key derived from the Double Ratchet state. Each message advances the sending chain, so the key used for message N cannot decrypt message N-1 or N+1, and each reply advances the Diffie-Hellman ratchet, replacing the chain keys entirely. Only the resulting ciphertext is sent to the server for routing.

5

Server Routes — Never Reads

Your Secure Channel server receives the encrypted payload, looks up the recipient's registered device endpoints, and forwards the ciphertext. The server sees: timestamp, sender identifier, recipient identifier, and payload size. It cannot see content, attachments, or call audio/video at any point.

6

Alliance Perimeter Protection

The WCF agent running on your network applies OneFirewall's real-time IOC feed to all connections reaching the Secure Channel server. Known malicious IP addresses, C2 endpoints, and suspicious actors are blocked at the perimeter before they can attempt any connection to your communication infrastructure.
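The following is an added, runnable Go example illustrating steps 2 through 5 above and the per-message key isolation claimed in the feature list; it is not OneFirewall's code and makes no claim about how Secure Channel's own implementation is structured. It uses only the Go standard library: X25519 from crypto/ecdh for the four X3DH Diffie-Hellman operations, HMAC-SHA256 for the X3DH key derivation and for the Double Ratchet symmetric chain (with the 0x01/0x02 constants from the Double Ratchet specification), and AES-256-GCM for message encryption as the specification panel lists. Two simplifications are assumptions made for brevity: the signed pre-key's signature is not carried or verified (real X3DH requires that check before any DH is performed), and only the symmetric ratchet is shown, so the example demonstrates forward secrecy between messages but not the Diffie-Hellman ratchet that provides break-in recovery. The HKDF info string and the two sample messages are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Bundle is everything the server holds for a user: public keys only. Real X3DH
// also carries the identity key's signature over SPK (XEdDSA); omitted here.
type Bundle struct{ IK, SPK, OPK *ecdh.PublicKey }

func gen() *ecdh.PrivateKey { return must(ecdh.X25519().GenerateKey(rand.Reader)) }

// hm is HMAC-SHA256 over the concatenation of data.
func hm(key []byte, data ...[]byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(bytes.Join(data, nil))
	return h.Sum(nil)
}

// deriveSK is X3DH's KDF for X25519, HKDF-SHA256(0xFF*32 || DH1 || DH2 || DH3 || DH4),
// written out as an extract with zero salt followed by one 32-byte expand block.
func deriveSK(dhs ...[]byte) []byte {
	ikm := append(bytes.Repeat([]byte{0xFF}, 32), bytes.Join(dhs, nil)...)
	return hm(hm(make([]byte, 32), ikm), []byte("SecureChannel X3DH demo"), []byte{1})
}

// Alice: identity key plus a fresh ephemeral key against Bob's published bundle.
func x3dhInitiator(ikA, ekA *ecdh.PrivateKey, b Bundle) []byte {
	return deriveSK(must(ikA.ECDH(b.SPK)), must(ekA.ECDH(b.IK)), must(ekA.ECDH(b.SPK)), must(ekA.ECDH(b.OPK)))
}

// Bob: the same four DH values from his private keys and Alice's public keys.
func x3dhResponder(ikB, spkB, opkB *ecdh.PrivateKey, ikA, ekA *ecdh.PublicKey) []byte {
	return deriveSK(must(spkB.ECDH(ikA)), must(ikB.ECDH(ekA)), must(spkB.ECDH(ekA)), must(opkB.ECDH(ekA)))
}

// chainStep is the Double Ratchet symmetric ratchet (spec constants 0x02, 0x01):
// the chain key only moves forward and each message key is used exactly once.
func chainStep(ck []byte) (nextCK, mk []byte) { return hm(ck, []byte{2}), hm(ck, []byte{1}) }
func gcm(mk []byte) cipher.AEAD            { return must(cipher.NewGCM(must(aes.NewCipher(mk)))) }

// seal is AES-256-GCM with a random nonce prepended; ad binds both identity keys.
func seal(mk, plaintext, ad []byte) []byte {
	g := gcm(mk)
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return append(nonce, g.Seal(nil, nonce, plaintext, ad)...)
}

// open returns an error on a wrong key, a tampered byte or a mismatched ad.
func open(mk, msg, ad []byte) ([]byte, error) {
	g := gcm(mk)
	if len(msg) < g.NonceSize() {
		return nil, fmt.Errorf("message too short: %d bytes", len(msg))
	}
	return g.Open(nil, msg[:g.NonceSize()], msg[g.NonceSize():], ad)
}

// Demo walks steps 2-5: on-device key generation, X3DH, two ratcheted messages and a server
// that only sees ciphertext. It returns Bob's plaintexts, whether both sides derived the same
// X3DH secret, and whether message 1's key opens message 2 (it must not).
func Demo() (recovered []string, secretsAgree, crossKeyOpens bool) {
	ikB, spkB, opkB := gen(), gen(), gen()                                // Bob's device
	bundle := Bundle{ikB.PublicKey(), spkB.PublicKey(), opkB.PublicKey()} // uploaded to the server
	ikA, ekA := gen(), gen()                                              // Alice's device
	skA := x3dhInitiator(ikA, ekA, bundle)
	skB := x3dhResponder(ikB, spkB, opkB, ikA.PublicKey(), ekA.PublicKey())
	ad := append(ikA.PublicKey().Bytes(), ikB.PublicKey().Bytes()...) // AD = IK_A || IK_B
	ckA, ckB := skA, skB
	var wire, keys [][]byte // wire is all the routing server ever sees
	for _, m := range []string{"IR bridge opens at 14:00", "IOC list attached"} {
		var mk []byte
		ckA, mk = chainStep(ckA)
		wire, keys = append(wire, seal(mk, []byte(m), ad)), append(keys, mk)
	}
	for _, c := range wire {
		var mk []byte
		ckB, mk = chainStep(ckB)
		recovered = append(recovered, string(must(open(mk, c, ad))))
	}
	_, err := open(keys[0], wire[1], ad) // message 1's key against message 2
	return recovered, bytes.Equal(skA, skB), err == nil
}

func main() {
	r, agree, cross := Demo()
	fmt.Printf("bob decrypted %q; X3DH agreed: %v; msg1 key opens msg2: %v\n", r, agree, cross)
}
```

Everything the server would see in this exchange is the Bundle (public keys) and the wire slice (nonce plus ciphertext); the shared secret, chain keys and message keys exist only inside Demo's two "devices".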

secure-channel — encryption specification
# OneFirewall Secure Channel — Cryptographic Stack

key_agreement:
  algorithm:   X3DH (Extended Triple Diffie-Hellman)
  curve:        Curve25519
  # Provides asynchronous session establishment and forward secrecy

session_encryption:
  algorithm:   Double Ratchet (Signal Protocol)
  cipher:       AES-256-GCM
  mac:          HMAC-SHA256
  key_rotation: per-message   # unique key every message

forward_secrecy:      ✓ guaranteed   # past msgs safe if key compromised
break_in_recovery:    ✓ guaranteed   # future msgs safe after compromise

media_encryption:
  files:        AES-256-CBC + HMAC-SHA256
  voice_video:  SRTP / DTLS-SRTP

server_knowledge:
  message_content:   NONE   # zero-knowledge architecture
  media_content:     NONE   # encrypted before upload
  private_keys:      NONE   # never leave client devices
  routing_metadata:  minimal # timestamp, sender and recipient IDs, payload size

infrastructure:       YOUR DATA CENTRE   # 100% on-premises
third_party_access:   NONE

Secure Channel vs. Alternatives

How does a self-hosted Signal-protocol platform compare to what most enterprises currently use?

Capability                               | WhatsApp / Slack / Teams (consumer & collaboration apps) | Signal (consumer app, Signal Foundation servers) | OneFirewall Secure Channel
-----------------------------------------|----------------------------------------------------------|--------------------------------------------------|---------------------------
End-to-end encryption                    | Partial (WhatsApp: yes; Slack/Teams: none)               | Full E2E                                         | Full E2E, Signal Protocol
Data on your own servers                 | Vendor cloud only                                        | Signal Foundation servers                        | 100% your infrastructure
Metadata privacy (who contacts whom)     | Harvested by vendor                                      | Minimised but not zero                           | Stays entirely on-prem
Per-message key rotation                 | WhatsApp: Double Ratchet; Slack/Teams: session keys only | Double Ratchet                                   | Double Ratchet
Forward secrecy                          | WhatsApp: yes; Slack/Teams: no                           | Yes                                              | Yes
Enterprise directory (LDAP / AD)         | Teams only (limited)                                     | Phone number only                                | Full LDAP / AD integration
Admin audit logging (metadata only)      | Vendor-controlled                                        | None                                             | Full metadata log, on-prem
Vendor can read your messages            | Yes (Slack, Teams)                                       | Cannot                                           | Cannot (zero-knowledge)
Air-gap / offline deployment             | Requires internet                                        | Requires internet                                | Supported
Compliance (NIS2, DORA, ISO 27001)       | Partial evidence only                                    | Not enterprise-grade                             | Full on-prem audit trail
Alliance threat intelligence integration | None                                                     | None                                             | Real-time IOC protection
Encrypted voice & video                  | Partial E2E                                              | E2E                                              | E2E, SRTP, on-prem relay

Who Needs Secure Channel

Any organisation where a leaked conversation has consequences beyond a GDPR fine.

⚖️

Legal & Executive Teams

M&A communications, board discussions, litigation strategy, and executive decisions require communications that cannot be obtained from a vendor's servers, because nothing is held there. Secure Channel gives legal privilege a technical backstop.

🏛️

Government & Public Sector

Classified and sensitive communications require infrastructure under sovereign control. Secure Channel can be deployed in air-gapped environments with no external network dependency — meeting classified data handling requirements.

🔒

Security Operations & Incident Response

SOC and IR teams need an out-of-band channel that an active attacker cannot intercept or monitor. Secure Channel runs on your own perimeter and shares no infrastructure with corporate email or Slack, so a compromise of those systems does not give the attacker a seat in the response channel.

🏦

Financial Services

Trading desks, risk committees, and regulatory affairs teams operate under NIS2, DORA, and FCA communication record-keeping rules. Secure Channel provides the encryption and the compliance audit trail — without sending data to Slack or Microsoft.

💊

Healthcare & Pharmaceuticals

Patient data, clinical trial results, and drug development communications require GDPR-compliant infrastructure where no third party holds the keys. Secure Channel ensures data stays within your regulatory boundary.

🌍

International Operations in High-Risk Regions

Teams operating in regions with government surveillance or data localisation laws need communication infrastructure that cannot be compelled from a foreign cloud provider. Self-hosted Secure Channel keeps your communications under your jurisdiction.

// Your conversations. Your servers. Your keys.

Bring Signal-Level Encryption
Inside Your Perimeter

Talk to the OneFirewall team about deploying Secure Channel in your environment. On-premises, private cloud, or air-gapped — we configure it to fit your infrastructure and compliance requirements.