Security Model
Zero employs a defense-in-depth security architecture combining multiple isolation layers, encryption, and access controls.
Security Principles
- Zero Trust: Never trust, always verify
- Defense in Depth: Multiple security layers
- Least Privilege: Minimal required permissions
- Separation of Duties: Isolated work/personal environments
Isolation Layers
Process Isolation
Work profile runs in an isolated container with:
- Separate PID namespace (invisible personal processes)
- Separate mount namespace (isolated filesystem)
- Separate user namespace (unprivileged containers)
- cgroups v2 resource limits
Network Isolation
- Dedicated network namespace
- All traffic routes through WireGuard VPN
- Firewall blocks unauthorized connections
- Split tunneling available (if policy allows)
Storage Isolation
- Encrypted container for work data
- No access to personal files
- Temporary files encrypted in memory
GUI Isolation
- Separate X11/Wayland session via Xpra
- No clipboard sharing (unless policy allows)
- Screenshot prevention
- Visual boundary indicators
Security Architecture
┌─────────────────────────────────────────────────────────┐
│ Host System │
│ ┌─────────────────────┐ ┌─────────────────────────┐ │
│ │ Personal Profile │ │ Work Profile │ │
│ │ ┌───────────────┐ │ │ ┌─────────────────┐ │ │
│ │ │ Personal Apps │ │ │ │ Work Apps │ │ │
│ │ └───────────────┘ │ │ │ (LXC Container)│ │ │
│ │ ┌───────────────┐ │ │ └────────┬────────┘ │ │
│ │ │ Personal Data │ │ │ │ │ │
│ │ └───────────────┘ │ │ ┌────────▼────────┐ │ │
│ │ │ │ │ Encrypted Volume│ │ │
│ │ │ │ │ (LUKS) │ │ │
│ │ │ │ └─────────────────┘ │ │
│ └─────────────────────┘ │ │ │ │
│ │ │ ┌────────▼────────┐ │ │
│ │ │ │ WireGuard VPN │ │ │
│ │ │ └────────┬────────┘ │ │
└───────────┼───────────────┴───────────┼────────────┴───┘
│ │
Personal Traffic Work Traffic
(Direct to Internet) (via VPN Tunnel)Threat Model
In-Scope Threats
| Threat | Mitigation |
|---|---|
| Data leakage via clipboard | Clipboard isolation, DLP policies |
| Malware in personal apps | Process/network isolation |
| Data exfiltration via USB | USB device blocking |
| Screenshot/screen recording | Screenshot prevention APIs |
| Network interception | WireGuard VPN, certificate pinning |
| Lost/stolen device | Remote wipe, encryption at rest |
Out-of-Scope Threats
- Kernel-level exploits (requires OS patching)
- Hardware attacks (cold boot, evil maid)
- Malicious privileged users
Authentication
- SSO Integration: SAML, OIDC, OAuth 2.0
- MFA: TOTP, FIDO2/WebAuthn, Push
- Certificate-based: Client certificates
- Conditional Access: Device compliance checks
Data Protection
- At Rest: AES-256-XTS (LUKS)
- In Transit: TLS 1.3, WireGuard
- Key Management: Per-device keys, secure key derivation
Security Auditing
All security-relevant events are logged:
- Authentication attempts
- Policy changes
- DLP violations
- Administrative actions
- Device enrollment/unenrollment