
Mixnet - WireGuard + VeraCrypt for your safest audit

A dedicated WireGuard VPN lane for audit participants — built to move vectors, not raw data.
PROTOCOL: WireGuard · CAPSULE: VeraCrypt · DATA: Vectors & Hashes · SESSION: One per client
Secure Audit Channel · WireGuard Overlay · Vector-Only Telemetry
Design goal: maximum operational safety via strict minimization
Mixnet is a per-client WireGuard network provisioned on request for audit participants. It carries only vectorized, pre-masked telemetry between your perimeter and the ISMS-Asia Risk Math correlator.

No direct access to your production systems, no raw logs leaving your environment, and no unnecessary knowledge about what exactly was extracted.
mixnet_channel.v1
APAC · audit transport layer
Purpose: create an auditable, minimal-scope lane for audit evidence exchange without moving raw, identifiable data.
Principle: “If we don’t receive raw values, we can’t accidentally leak raw values.”
Output: vectors, hashes, structural labels, pseudonyms — suitable for correlation, not re-identification.
mixnet$ transport = wireguard · capsule = veracrypt · payload = vector telemetry
mixnet$ session = one-per-client · previous sessions disabled via key rotation
mixnet$ operators see pseudonyms · only auditor + authorized client lead can map them
If you have lost access, email contact@isms-asia.com with subject: Maxnet access renewal.

Step-by-step: how the protocol works
1. Client-side capture
Connectors reduce to hashes, vectors, metadata
Your environment runs a small set of custom connectors (per scope) that talk to approved systems (IAM, CI/CD, cloud logs, ticketing, asset inventory, etc.). Connectors reduce data to hashes, vectors, structural metadata, and reference labels. Raw values stay inside your perimeter.
  • Masking happens before anything reaches the VPN.
  • Deterministic pseudonyms enable repeatable correlation across time.
  • Connectors can run in read-only mode and be audited.
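The masking step described above, as an added example (not ISMS-Asia's connector code): a keyed HMAC yields deterministic pseudonyms, while the label-to-meaning mapping stays with the key holder. The field names, key, normalization and 16-character truncation are assumptions made for illustration.

```python
import hashlib
import hmac

def pseudonym(key: bytes, domain: str, value: str) -> str:
    """Keyed, deterministic label: same key and input always give the same pseudonym."""
    # Domain separation: "alice" as a user and "alice" as a resource get different labels.
    # Lower-casing/stripping is an assumed normalization so repeated runs agree.
    msg = domain.encode() + b"\x00" + value.strip().lower().encode()
    # Truncation to 16 hex characters is an assumption made for readability.
    return "p_" + hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def mask_event(key: bytes, event: dict, mapping: dict) -> dict:
    """Reduce one raw connector event to the form allowed to leave the perimeter."""
    masked = {"kind": event["kind"]}           # structural label, kept as-is
    for field in ("user", "resource"):         # identifying fields, replaced
        label = pseudonym(key, field, event[field])
        mapping[label] = event[field]          # held by the key holder, never transmitted
        masked[field] = label
    return masked

def unkeyed_label(value: str) -> str:
    """Plain hash, shown only for contrast: anyone can recompute it from a guessed value."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()[:16]

# Constructed sample data (not from any real system); the key is a placeholder.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
RAW_EVENTS = [
    {"kind": "iam.login", "user": "alice@example.com", "resource": "vpn-gw-1"},
    {"kind": "ci.deploy", "user": "Alice@example.com ", "resource": "payments-api"},
]

def run_demo():
    mapping = {}
    masked = [mask_event(KEY, e, mapping) for e in RAW_EVENTS]
    return masked, mapping

if __name__ == "__main__":
    masked, mapping = run_demo()
    for m in masked:
        print(m)                               # what would cross the tunnel
    print(len(mapping), "mapping entries stay on the client audit terminal")
```

Both events resolve to the same user pseudonym, which is what makes correlation across time repeatable; without the key, a label cannot be recomputed from a guessed identifier the way the unkeyed hash can.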
2. “Vector Router” normalization
A hardened edge device aggregates into one stream
A hardened edge device (physical or dedicated VM) aggregates connector output into a single vector stream. This creates a clean boundary: everything leaving the client environment is already shaped into a non-raw format.
Important
Operational staff should not see the “business meaning” of pseudonyms. This reduces insider risk and makes accidental disclosure structurally harder.
3. Mixnet tunnel
WireGuard overlay, per engagement
Mixnet is a dedicated WireGuard overlay network created per engagement. It carries only the normalized vector stream (and optionally a sealed “audit capsule”).
diagram$ Connectors → Vector Router → WireGuard → RiskMath Correlator
diagram$ optional: sealed capsule (VeraCrypt) for evidence artifacts
4. Correlation & review
Vectors feed Risk Math for signals and consistency
The ISMS-Asia Risk Math correlator analyzes vector telemetry to infer:
  • control effectiveness signals (e.g., IAM hygiene, CI/CD provenance, secrets exposure patterns)
  • risk clusters and weak links across systems
  • evidence consistency for audit readiness
Mapping from pseudonyms back to business meaning is performed only by: (a) the auditor and (b) the authorized client audit lead (key holder).
* All client meetings are by appointment only. Delivery is primarily on-site or remote.
Quickstart (client side)
Step 1 — Receive approval marker
Mixnet access is issued based on an approved audit package (the APPROVED marker). Each engagement creates a separate session.
If you were not explicitly approved, do not attempt to connect. Ask your internal audit lead.
Step 2 — Install clients
Install WireGuard and VeraCrypt on the authorized workstation (client audit terminal).
Keep the audit terminal separated from day-to-day browsing. Treat it as a security boundary.
Step 3 — Import WireGuard profile
Import the provided .conf profile into WireGuard. The profile is unique to your engagement and will be rotated on renewal.
wg$ import profile → activate tunnel → verify handshake
Step 4 — Mount the audit capsule
If your scope includes evidence artifacts, mount the engagement capsule (VeraCrypt). Capsule keys are exchanged out-of-band and ratified per engagement.
Capsule is optional. Vector telemetry can flow independently via Mixnet.
Step 5 — Run the connector pack
Use the provided connector pack (or your internal integration pipeline) to emit masked vector telemetry to the Mixnet endpoint.
client$ connectors start → vector router aggregates → push to correlator
Verification checklist
  • WireGuard shows latest handshake within the expected interval.
  • Only vector endpoints are reachable over Mixnet (no broad network access).
  • Capsule (if used) is mounted and write-protected by your procedure.
  • Audit terminal uses your physical key (no shared accounts).
If anything looks off, stop and contact the auditor before proceeding.
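The first two checklist items can be checked mechanically. This added example (not part of the Mixnet tooling) parses the tab-separated output of `wg show <interface> dump` and reports stale handshakes and AllowedIPs outside an allow-list; the 10.77.0.0/24 range, the 180-second threshold and the sample dump are assumptions, so take the real values from your engagement profile.

```python
import ipaddress
import time

def check_wg_dump(dump: str, allowed_nets, now=None, max_age=180):
    """Return findings for `wg show <iface> dump` output (one peer per line, tab-separated)."""
    now = int(time.time()) if now is None else now
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    for line in lines[1:]:                      # line 0 describes the interface itself
        pub, _psk, _endpoint, ips, handshake = line.split("\t")[:5]
        peer = pub[:8]                          # short prefix is enough to identify the peer
        hs = int(handshake)                     # 0 means the peer has never completed one
        if hs == 0:
            findings.append(f"{peer}: no handshake yet")
        elif now - hs > max_age:
            findings.append(f"{peer}: handshake stale ({now - hs}s)")
        for cidr in ([] if ips == "(none)" else ips.split(",")):
            net = ipaddress.ip_network(cidr, strict=False)
            # A route is acceptable only if it sits inside an allow-listed network.
            if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                findings.append(f"{peer}: AllowedIPs {net} is outside the allow-list")
    return findings

# Constructed sample dump; keys, addresses and counters are placeholders.
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join([
    "\t".join(["(hidden)", "IFACEPUBKEY0000", "51820", "off"]),
    "\t".join(["PEERAAAA0000", "(none)", "192.0.2.10:51820", "10.77.0.1/32",
               str(NOW - 42), "1024", "2048", "25"]),
    "\t".join(["PEERBBBB0000", "(none)", "192.0.2.11:51820", "0.0.0.0/0",
               "0", "0", "0", "off"]),
])

if __name__ == "__main__":
    for finding in check_wg_dump(SAMPLE_DUMP, ["10.77.0.0/24"], now=NOW):
        print(finding)
```

An empty result means every peer has a recent handshake and routes only to allow-listed ranges; a peer carrying 0.0.0.0/0 is the "broad network access" case the checklist rules out.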
Client downloads
Mixnet uses standard, auditable tooling. Download clients from official sources whenever possible. If your engagement includes a connector pack or a sealed capsule template, you will receive a private link.
VeraCrypt
Optional sealed capsule for evidence artifacts. Used when scope requires file-based artifacts.
Connector pack
A scoped set of integrations used to emit masked vectors from approved systems. (Provided per engagement; not a public download.)
Delivery note
You will receive: connector-pack.zip, a checksum, and a short execution guide. Activation requires your internal key holder.
Support & renewal
Mixnet sessions are rotated. Previous sessions become inactive after renewal.
mail$ subject: Maxnet access renewal
mail$ to: contact@isms-asia.com
If your organization requires a change-control ticket, include the ticket ID in the email body.
Access model (two terminals, two keys)
Auditor terminal
  • Single dedicated workstation.
  • Access controlled by a physical key (hardware token) + session material.
  • Holds correlation tooling and the ability to interpret vectors.
Auditor terminal does not need direct access to your systems—only to the Mixnet vector stream.
Client audit terminal
  • Operated by the authorized person from your company (audit lead / key holder).
  • Single physical key, not shared.
  • Owns the mapping between pseudonyms and business meaning.
This is intentional separation of duties: operational staff can assist without being able to disclose meaning.
Why pseudonyms matter
Mixnet is designed so that the “transport layer” can operate safely without knowing what it carries. Even internal helpers see only reference labels and vectors.
“We can’t leak what we never received.”
Session lifecycle
  • Issued per engagement.
  • Rotated on renewal.
  • Previous sessions invalidated.
  • Strict endpoint allow-list (no broad network reachability).
If your policy requires explicit revocation steps, we can provide a revocation proof statement.
Troubleshooting
WireGuard checks
linux$ sudo wg
linux$ ip a (look for wg interface)
win$ WireGuard UI → Handshake timestamp
If handshake never appears, check time sync, firewall, and endpoint correctness.
Common issues
  • Wrong profile (using an old session) → request renewal.
  • DNS leakage policies → ensure audit terminal uses your approved resolver profile.
  • Corporate proxy interference → WireGuard should bypass HTTP proxy layers.
  • Key holder absent → do not proceed (separation of duties is part of the model).
Support & renewal
Support contact
Email: contact@isms-asia.com
Required email subject for renewal: Maxnet access renewal
Include: your client name, engagement ID (if present), and a short description of the problem.
Need Mixnet provisioned for your audit scope?
We issue one session per client, keep endpoints minimal, and rotate keys on renewal. If you require a dedicated deployment model, we can adapt the provisioner to your change-control requirements.