2025

ExpressVPN Uses AWS Nitro Enclaves to Strengthen Privacy for Thousands of VPN Users

Learn how ExpressVPN, a virtual private network provider, strengthens user privacy protection by using AWS Nitro Enclaves.

Overview

ExpressVPN, a virtual private network provider, wanted to enhance security for subscribers who use dedicated IP (DIP) addresses. The goal was to prevent both external and internal parties from associating specific DIP addresses with individual users to mitigate potential tracking risks.

ExpressVPN was already using Amazon Web Services (AWS) for its infrastructure, including Amazon Elastic Compute Cloud (Amazon EC2), which provides secure and resizable compute capacity for virtually any workload. The ExpressVPN team built its DIP solution using AWS Nitro Enclaves to create isolated compute environments to further protect and securely process highly sensitive data. ExpressVPN’s solution helps allocate DIP addresses privately in a secure runtime environment, improving user information security by masking users’ identities along with their browsing activity.

About ExpressVPN

ExpressVPN offers a virtual private network, password manager, and ad blocker through its app, which is available in 17 languages for all major operating systems. It serves millions of subscribers in 105+ countries through its worldwide network of VPN servers.

Opportunity | Using AWS Nitro Enclaves to Build a Security Solution for ExpressVPN

ExpressVPN is a virtual private network that uses advanced custom protocols for security. “We have a very strong privacy focus, and we take things above and beyond,” says Peter Membrey, chief research officer at ExpressVPN.

VPNs help protect user identities online by changing users’ IP addresses, making it difficult to identify and locate a user, which is especially useful on public wireless networks. VPNs typically rotate IP addresses to prevent tracking, or provide anonymization by having many users share the same outgoing IP address. However, some users require a static IP or DIP address, particularly when accessing networks behind firewalls that only allow traffic from specific, pre-approved addresses. A DIP address gives the user a consistent source address, which simplifies access to such restricted networks and to high-security services, such as banking websites, that treat a change of IP address as a reason to re-authenticate.

However, traditional DIP integrations come with inherent privacy challenges. Without the layer of anonymization, a DIP address can be used to identify and track a user’s activity. Implementing robust security measures to overcome these challenges often leads to complex user interfaces that nontechnical users might find daunting or might not be able to configure correctly. Improper design or implementation can then compromise user privacy.

ExpressVPN faced the task of architecting a user-friendly solution that would preserve customer anonymity by obscuring the correlation between users and their respective DIP addresses while still upholding rigorous security standards. The company initially considered using tokens for DIP address purchases, but it needed a more comprehensive solution. Given its strong privacy focus, ExpressVPN wanted to create a solution where privacy safeguards were built into the architecture, making sure that not even the system administrators could access confidential user information, all while delivering a frictionless customer journey. These requirements led ExpressVPN to explore AWS services to incorporate enhanced security into its solution. The team delved into AWS Nitro Enclaves as the foundation for its enhanced privacy solution.

Solution | Securing Thousands of Users Daily on ExpressVPN

The cryptographic architecture and features of AWS Nitro Enclaves aligned with ExpressVPN’s security requirements. AWS Nitro Enclaves offers an isolated, hardened, and highly constrained environment to host security-critical applications. Furthermore, it uses cryptographic attestation to establish each enclave’s identity and build trust with an external service. “The implementation of AWS Nitro Enclaves is really well thought out,” says Membrey. “If we had to design this system ourselves, this is how we would do it.”

With a security-first mindset, the ExpressVPN team designed its solution so that user information stays protected even while the system undergoes third-party audits for regulatory compliance. The team established attested and encrypted channels between ExpressVPN applications and AWS Nitro Enclaves so that only authorized applications could access a user’s DIP address. Cryptographic attestation makes this checkable: an enclave’s attestation document carries the measurements (PCRs) of the image it booted from, so a relying party can confirm that the enclave is running exactly the reviewed build before exchanging keys with it. Combined with the enclave’s lack of persistent storage, interactive access, and external networking (it communicates only over a local vsock with its parent instance), this gave the team a deployment process in which the code running in AWS Nitro Enclaves was known to be the legitimate build and could neither write logs nor send data outside the enclave (see figure 1. System architecture and enclave deployment process).
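The attested, encrypted channel described above, as an added example in Go. This is not ExpressVPN’s code and not the AWS Nitro Enclaves SDK: a real attestation document is CBOR inside a COSE_Sign1 structure signed by the AWS Nitro attestation PKI and carries PCR0 through PCR8 plus optional public_key, user_data and nonce fields, and a relying party verifies the certificate chain up to the published AWS root. The model below keeps only PCR0, the enclave’s public key and the nonce, serializes them as JSON, and signs with a locally generated ECDSA key standing in for the PKI; the PCR0 values, the allowlist, the message and the names Enclave, Attest, VerifyAndDeriveKey and Handshake are all constructed for the example. The relying-party checks are the part worth copying: signature first, then nonce freshness, then PCR0 against the allowlist, and only then key agreement with the key the document carries.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// AttestationDoc stands in for a Nitro attestation document (really CBOR in a
// COSE_Sign1 signed by the AWS Nitro attestation PKI); only the checked fields are modelled.
type AttestationDoc struct {
	PCR0      string `json:"pcr0"`       // measurement of the enclave image file (constructed)
	PublicKey []byte `json:"public_key"` // enclave's ephemeral ECDH public key
	Nonce     []byte `json:"nonce"`      // relying party's nonce, proves freshness
}

type SignedDoc struct{ Doc, Sig []byte }

// Enclave models the code inside the enclave; a modelled PKI key plays the Nitro Security Module.
type Enclave struct {
	priv *ecdh.PrivateKey
	pcr0 string
	pki  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Attest binds the enclave's public key and the caller's nonce to its measurement.
func (e *Enclave) Attest(nonce []byte) SignedDoc {
	raw := must(json.Marshal(AttestationDoc{e.pcr0, e.priv.PublicKey().Bytes(), nonce}))
	h := sha256.Sum256(raw)
	return SignedDoc{raw, must(ecdsa.SignASN1(rand.Reader, e.pki, h[:]))}
}

// kdf derives the channel key from the ECDH shared secret; a deployment would use HKDF with a label.
func kdf(priv *ecdh.PrivateKey, peer []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(peer)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:], nil
}

// VerifyAndDeriveKey is the relying party's gate: signature against the attestation root,
// nonce freshness, PCR0 against the reviewed image, and only then key agreement.
func VerifyAndDeriveKey(sd SignedDoc, root *ecdsa.PublicKey, nonce []byte,
	allowedPCR0 map[string]bool, priv *ecdh.PrivateKey) ([]byte, error) {
	h := sha256.Sum256(sd.Doc)
	if !ecdsa.VerifyASN1(root, h[:], sd.Sig) {
		return nil, errors.New("attestation signature does not verify")
	}
	var doc AttestationDoc
	if err := json.Unmarshal(sd.Doc, &doc); err != nil {
		return nil, err
	}
	if string(doc.Nonce) != string(nonce) {
		return nil, errors.New("nonce mismatch: stale or replayed attestation")
	}
	if !allowedPCR0[doc.PCR0] {
		return nil, errors.New("PCR0 is not an approved enclave image: " + doc.PCR0)
	}
	return kdf(priv, doc.PublicKey)
}

// Handshake runs the exchange against an enclave measuring pcr0 and returns what the
// enclave decrypted, so a rejected image surfaces as an error.
func Handshake(pcr0 string, allowedPCR0 map[string]bool, msg []byte) ([]byte, error) {
	enc := &Enclave{must(ecdh.P256().GenerateKey(rand.Reader)), pcr0,
		must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
	cli := must(ecdh.P256().GenerateKey(rand.Reader))
	nonce := make([]byte, 32)
	must(rand.Read(nonce))
	key, err := VerifyAndDeriveKey(enc.Attest(nonce), &enc.pki.PublicKey, nonce, allowedPCR0, cli)
	if err != nil {
		return nil, err
	}
	// Client seals msg under the channel key; the enclave derives the same key from the
	// client's public key, which travels alongside the ciphertext.
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	iv := make([]byte, gcm.NonceSize())
	must(rand.Read(iv))
	ct := gcm.Seal(nil, iv, msg, nil)
	encKey := must(kdf(enc.priv, cli.PublicKey().Bytes()))
	return must(cipher.NewGCM(must(aes.NewCipher(encKey)))).Open(nil, iv, ct, nil)
}
```

Calling `Handshake("a1b2c3", map[string]bool{"a1b2c3": true}, msg)` returns msg, while the same call with an enclave whose PCR0 is not in the allowlist fails before any key is derived. That ordering is the point: the client never encrypts to a key it has not first tied to an approved measurement.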

Deployed in 6 months, the solution serves thousands of ExpressVPN customers daily. The process works as follows: when a customer purchases or renews a DIP address license on ExpressVPN, they receive a blinded token, containing no user-associable information, that reserves an IP address. An application running inside an AWS Nitro Enclave converts the reserved IP address into an encrypted token, which is delivered to the user’s application through an encrypted channel.

The fully encrypted system prevents token interception and helps users connect to ExpressVPN servers while proving legitimate DIP address ownership. Because tokens contain no user information, DIP addresses cannot be associated with specific customers, maintaining privacy and security under the AWS Shared Responsibility Model. “Most VPNs provide DIP addresses with different levels of privacy, but privacy and anonymity sometimes come at the cost of the user experience,” says Membrey. “Our solution is unique because it is super convenient to use in ExpressVPN applications. We’ve designed a robust workflow with all the privacy and security measures that we wanted to provide to our users.”
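One standard construction for a purchase token that carries no user-associable information is a blind signature: the client blinds the token before the licensing service signs it, so the service, which knows who paid, cannot recognise the token when it is later redeemed. The page does not say which construction ExpressVPN uses; what follows is an added example of the textbook RSA (Chaum) form in Go, not ExpressVPN’s code. The key size, the token string and the names Issuer, Blind, Unblind, Verify and RoundTrip are chosen for this example. A deployment would use RFC 9474 (RSA-PSS blind signatures) rather than raw RSA over a SHA-256 hash, and the redemption side would record spent tokens to stop reuse.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"math/big"
)

// Issuer is the licensing service. It signs whatever blinded value it is handed,
// so it certifies a token without ever seeing it.
type Issuer struct{ key *rsa.PrivateKey }

func NewIssuer(bits int) (*Issuer, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	return &Issuer{key}, err
}

func (i *Issuer) PublicKey() *rsa.PublicKey { return &i.key.PublicKey }

// Sign computes blinded^d mod N, the only step that touches the private key.
func (i *Issuer) Sign(blinded *big.Int) *big.Int {
	return new(big.Int).Exp(blinded, i.key.D, i.key.N)
}

// hashToInt maps the token bytes into Z_N; both sides recompute it deterministically.
func hashToInt(token []byte) *big.Int {
	h := sha256.Sum256(token)
	return new(big.Int).SetBytes(h[:])
}

// Blind picks a random r invertible mod N and returns H(token)*r^e mod N together
// with r^-1, which the client keeps to itself for unblinding.
func Blind(pub *rsa.PublicKey, token []byte) (blinded, rInv *big.Int, err error) {
	e := big.NewInt(int64(pub.E))
	for {
		var r *big.Int
		if r, err = rand.Int(rand.Reader, pub.N); err != nil {
			return nil, nil, err
		}
		if rInv = new(big.Int).ModInverse(r, pub.N); rInv == nil {
			continue // r was 0 or shared a factor with N; draw again
		}
		blinded = new(big.Int).Exp(r, e, pub.N)
		blinded.Mul(blinded, hashToInt(token)).Mod(blinded, pub.N)
		return blinded, rInv, nil
	}
}

// Unblind strips r: (H(m) r^e)^d r^-1 = H(m)^d mod N, a plain RSA signature on H(m).
func Unblind(pub *rsa.PublicKey, blindSig, rInv *big.Int) *big.Int {
	s := new(big.Int).Mul(blindSig, rInv)
	return s.Mod(s, pub.N)
}

// Verify is the redemption check: accept any token with s^e == H(token) mod N,
// without knowing which purchase produced it.
func Verify(pub *rsa.PublicKey, token []byte, sig *big.Int) bool {
	e := big.NewInt(int64(pub.E))
	return new(big.Int).Exp(sig, e, pub.N).Cmp(hashToInt(token)) == 0
}

// RoundTrip runs purchase, signing and redemption, and also reports whether the
// value the issuer signed equals H(token), i.e. whether blinding failed to hide it.
func RoundTrip(bits int, token []byte) (valid, issuerSawToken bool, err error) {
	iss, err := NewIssuer(bits)
	if err != nil {
		return false, false, err
	}
	pub := iss.PublicKey()
	blinded, rInv, err := Blind(pub, token)
	if err != nil {
		return false, false, err
	}
	sig := Unblind(pub, iss.Sign(blinded), rInv)
	return Verify(pub, token, sig), blinded.Cmp(hashToInt(token)) == 0, nil
}
```

`RoundTrip(2048, []byte("dip-reservation-7f3a"))` returns valid=true and issuerSawToken=false: the redeemed signature verifies, yet the value the issuer actually signed bears no relation to H(token), which is why the purchase record and the redeemed token cannot be linked by the issuer.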

Using AWS, ExpressVPN could automate security and use a cost-effective and resource-efficient design approach. It would have been more expensive and time-consuming to build the physical infrastructure and cryptographic system from scratch while handling development and integration. “It would be very complicated to create this solution without the hosted architecture on AWS,” says Timo Beyel, chief architect at ExpressVPN. “AWS has a strong reputation that makes it a widely accepted choice as a certificate authority for cryptographic signatures—something that would otherwise be hard to establish for such a solution.”

Outcome | Building Stronger Security Using AWS Services

Creating this solution strengthened ExpressVPN’s position as an innovation leader. “We proved to customers that we strive to provide excellent experience and technology in VPNs,” says Beyel. Building on this success, ExpressVPN plans to develop additional solutions using AWS Nitro Enclaves, exploring artificial intelligence and machine learning use cases.

ExpressVPN will continue to drive innovation through its collaboration with the AWS team, focusing particularly on confidential computing, user privacy, and security. “AWS services power most of our backend infrastructure, fulfilling all our security expectations,” says Beyel.

Figure 1.

System architecture and enclave deployment process
