Panic Mode
Cryptographic self-destruct. Irreversible by design.
What Panic Mode Does
Panic mode is RVNT's emergency data destruction system. When activated, it performs a multi-stage cryptographic wipe that destroys all sensitive data on the device. After panic mode completes, a forensic examiner will find an application with no data -- no messages, no contacts, no keys, no history. The cryptographic material required to reconstruct any of this data no longer exists on any device, anywhere.
Panic mode is irreversible. There is no undo, no recovery, no backup that survives. The private keys that could decrypt your message history are destroyed at the hardware level (Secure Enclave invalidation). This is permanent. Do not activate panic mode unless you mean it.
Activation Methods
Panic mode can be triggered through multiple methods, depending on configuration:
| Method | Description | Latency |
|---|---|---|
| Duress PIN | Enter the duress PIN at the lock screen. App appears to unlock normally while destroying data. | ~2-5 seconds |
| Hardware Button | Press power button 5 times rapidly (iOS/Android). Configurable button sequence on desktop. | ~2-5 seconds |
| Remote Signal | Send a signed wipe command from another trusted device or via a pre-configured webhook. | ~5-15 seconds (network dependent) |
| Lockout Threshold | Automatic trigger after N failed PIN attempts (configurable, default: disabled). | Immediate |
| Dead Man's Switch | If you do not check in within a configured interval (e.g., 72 hours), panic mode activates automatically. | On timer expiry |
Destruction Sequence
Panic mode executes the following stages in order. Each stage is designed to be as fast as possible while being thorough enough to resist forensic recovery.
Stage 1: Secure Enclave Key Invalidation (~100ms)
Platform: Apple Silicon (macOS/iOS)
1. Delete all Keychain items tagged with RVNT service identifier
2. Invalidate Secure Enclave private keys:
- SecKeyDelete(identityKey)
- SecKeyDelete(storageKey)
- SecKeyDelete(biometricKey)
3. The Secure Enclave permanently destroys the key material
4. This is HARDWARE-LEVEL destruction -- the keys cannot be
recovered even with physical access to the chip
Platform: Android (StrongBox/TEE)
1. KeyStore.deleteEntry(identityKey)
2. KeyStore.deleteEntry(storageKey)
3. Hardware-backed keys are invalidated in the TEE
Platform: Desktop (without hardware security module)
1. Delete all credential store entries
2. Overwrite key files with random data
3. (Less secure than hardware-backed destruction) Why Secure Enclave first: The Secure Enclave invalidation is the most critical step because it is hardware-backed and irreversible. Even if subsequent stages are interrupted (device powered off, app killed), the identity keys are already gone at the hardware level. Without these keys, the SQLCipher database is unreadable.
Stage 2: SQLCipher Database Destruction (~500ms-2s)
1. Open database with current key (if available)
2. Execute: PRAGMA secure_delete = ON;
3. Execute: DELETE FROM messages;
4. Execute: DELETE FROM contacts;
5. Execute: DELETE FROM sessions; // Ratchet state
6. Execute: DELETE FROM prekeys;
7. Execute: DELETE FROM skipped_keys;
8. Execute: VACUUM; // Reclaim space, overwrite deleted pages
9. Close database
10. Three-pass overwrite of database file:
Pass 1: Write 0x00 (all zeros)
Pass 2: Write 0xFF (all ones)
Pass 3: Write cryptographic random bytes
11. fsync() to flush to disk
12. Delete the file
13. fsync() parent directoryStage 3: DoD 5220.22-M Overwrite of Key Material (~200ms)
Files targeted:
- Identity key files
- Session state files
- Prekey storage
- Any temporary key material
- Salt files
For each file:
Pass 1: Overwrite with 0x00 (all zeros)
Pass 2: Overwrite with 0xFF (all ones)
Pass 3: Overwrite with cryptographic random data
Verification: Read back and verify each pass
fsync() after each pass
Delete file
fsync() parent directory
DoD 5220.22-M is a US Department of Defense standard for media
sanitization. While modern SSDs may retain data in wear-leveling
blocks, the combination of Secure Enclave invalidation + database
VACUUM + file overwrite makes recovery extremely difficult.Stage 4: Keychain / Credential Store Wipe (~100ms)
Delete all Keychain/credential store entries:
- Database encryption key
- Argon2id salt
- Biometric access keys
- Push notification tokens
- Tor circuit credentials
- Any stored session tokens
Each entry is individually deleted using platform APIs:
macOS/iOS: SecItemDelete(query)
Android: KeyStore.deleteEntry(alias)
Linux: Secret Service API delete
Windows: Credential Manager deleteStage 5: Media Cache Wipe (~500ms-5s)
1. Enumerate all files in RVNT media cache directory
2. For each file:
a. Overwrite with random data (single pass, speed priority)
b. Delete file
3. Enumerate all thumbnail cache files
4. Overwrite and delete each
5. Clear any system-level caches:
- URLCache (iOS/macOS)
- WebView cache (if applicable)
- Temporary directory
6. fsync() all parent directoriesStage 6: State Reset (~100ms)
1. Reset application to first-launch state
2. If duress mode:
a. Load decoy database (if configured)
b. Present decoy conversation list
c. App appears normal to observer
3. If explicit panic:
a. Present clean first-launch screen
b. "Welcome to RVNT" setup flowWhat Is Recoverable After Panic Mode
| Data | Recoverable? | Explanation |
|---|---|---|
| Identity keys (Secure Enclave) | No | Hardware-level destruction. Keys cease to exist at the silicon level. |
| Identity keys (software-only) | Unlikely | 3-pass overwrite. SSD wear leveling may retain fragments, but keys are 32 bytes and recovery is impractical without knowing the exact block locations. |
| Database content | No (practical) | Even if database file fragments survive on SSD, the encryption key (Secure Enclave) is gone. AES-256 encrypted data without the key is indistinguishable from random noise. |
| Message plaintext | No | Messages were stored in SQLCipher. Database key is destroyed. Double Ratchet session keys are destroyed. |
| Contact list | No | Stored in the encrypted database. Same protection as messages. |
| Media files | Unlikely | Overwritten + deleted. SSD wear leveling may retain fragments of large files. However, media files were individually encrypted with per-file keys that are now destroyed. |
| App installation | Yes | The RVNT application binary remains installed. Only data is destroyed. |
| Username | Yes (server) | The username-to-public-key mapping on the identity server remains. However, the private key is destroyed, so the identity cannot be used. |
SSD Considerations
Modern solid-state drives use wear leveling and garbage collection, which means overwritten data may persist in unmapped blocks. RVNT's defense against this is layered:
- Encryption key destruction: Even if ciphertext persists on SSD, the decryption key is gone (Secure Enclave). The ciphertext is useless.
- File overwrite: The operating system's write path goes through the FTL (Flash Translation Layer). The overwritten data replaces the logical sector mapping.
- TRIM: RVNT issues TRIM/discard hints to the SSD after deletion, which allows the drive to garbage-collect the physical blocks.
No software wipe is 100% against physical forensics on SSDs. If your adversary has the resources to desolder NAND chips and read raw flash, some data fragments may be recoverable. However, without the encryption keys (Secure Enclave destroyed), recovered fragments are encrypted ciphertext with no path to decryption. This is why the Secure Enclave invalidation in Stage 1 is the most critical step.
Remote Wipe
Remote wipe command format:
{
"action": "panic",
"timestamp": 1712745600,
"device_id": "target_device_public_key_hash",
"signature": "Ed25519_signature_of_above_fields"
}
The command must be signed by a pre-authorized key (configured
during setup). The signature is verified before execution.
An unsigned or incorrectly signed command is silently dropped.
Delivery methods:
1. Push notification (APNs/FCM) -- fastest, requires network
2. Peer-to-peer via mesh -- works without internet
3. Webhook endpoint -- for integration with external systemsDead Man's Switch
Configuration:
Interval: 24h / 48h / 72h / 7d / 30d (user-configurable)
Check-in: Open the app and authenticate with real PIN
Failure: Panic mode activates automatically
Implementation:
- Timer stored in Secure Enclave (tamper-resistant)
- Timer runs even if app is not open (background scheduled task)
- Check-in resets the timer to full interval
- Duress PIN does NOT count as a check-in (it triggers panic)
- If device is powered off for longer than the interval,
panic mode triggers on next bootFurther Reading
- PIN & Duress Mode -- PIN system and duress PIN configuration
- Threat Model -- Physical device seizure analysis