Postern Labs
MAINNET BETA. Unaudited · relaxed k=4 regime (trivially forgeable) · k=8 hardening reverted, re-activating with a difficulty fix · very few nodes, 51%-attackable · not a security · for evaluation — not to protect real secrets yet. Full disclaimer →

Postern Labs · public beta

Privacy & security products, sold the honest way.

Postern Labs builds owned, rebranded privacy and security products — a secrets vault, post-quantum file drop, a messenger, passkeys, metadata scrub, a panic lock, a wallet, voice tools, an app store, and a reproducible OS — on top of an ownerless, post-quantum protocol it does not own. You pay Postern for protection, support, and provable integrity — never for a coin.

The part most launch pages hide

This is a beta launch, and we say exactly what that means.

Honest status — read before anything else

  • Everything here is pre-production. The Rust product cores are built and test-verified. The OS images have started to exist: the x86_64 node and desktop ISOs are built, hosted, and release-signed — both paired with a committed QEMU x86_64 boot harness (first boot pending on the Linux+Nix box) (node → the Postern OS shell; desktop → the GNOME/GDM login), with a physical-hardware boot still pending; the mobile image (aarch64, PinePhone / Mobile NixOS) is now built, hosted, and release-signed, but not yet boot-tested on any platform — it has not been booted on QEMU aarch64 or on hardware, so it is the least-proven of the three. The UIs and cloud/enterprise editions remain designs and reference prototypes. Hosting a signed image is not attestation, and QEMU-validated is not hardware-tested — we don't claim otherwise. Each item is labelled with its exact status wherever it appears.
  • The underlying protocol now runs a mainnet beta — a designation, not a security claim. The relaxed regime (k=4) currently applies — work is trivially forgeable. The k=8 security hardening of the Module-SIS gate was activated at block 213,000 but reverted: it multiplied mining difficulty ~4096x and the current solo / low hashrate could not find blocks, so the chain stalled. k=8 will re-activate together with a matched difficulty reduction (so block time stays ~30s); until then, no security is claimed. Security is cumulative SHAKE-256 hashcash work (the gate is a structural filter), and the network is nascent: very few nodes, low hashrate → 51%-attackable. It is unaudited — a third-party audit is contracted but not done yet, and the concrete-security analysis and IACR ePrint are still outstanding.
  • The coin is not a security and not an asset. No token sale, no listing effort, no market-making, no price. Disclosed in full: a 17% founder premine (10-year cliff, 40-year vest), structurally passive.
  • Do not use any of this to protect real secrets yet. It is a public beta for evaluation, feedback, and reproduction of our claims.

Every claim on this site is audit-gated: if a thing isn't true yet, we phrase it as the plan. The full text lives on the disclaimer page.

The model

Owned products ⟂ ownerless protocol.

Think Bitcoin and the businesses built around it. The base protocol — Bloch-SIS-PoW, a post-quantum, pure-PoW BlockDAG — is a neutral commons: no owner, no foundation, no official site, no token sale. It is software plus a documented RPC/API surface, and nothing more. Anyone runs it; anyone builds on it.

Postern Labs is one builder among many on that neutral base — a company, with products it owns and a name deliberately rebranded away from “Bloch”. It sells the BlackBerry thing: protection, support, and integrity you can verify, on permissive Linux.

Postern Labs — owned products, rebranded

Vault · Courier · Messenger · Keys · Hygiene · Panic Lock · Seal Companion · Wallet · Postern OS · the apps — permissively licensed, sold for the protection.

│ consumes the protocol via its public RPC / API — nothing privileged │
Bloch-SIS-PoW — ownerless protocol

SHAKE-256 hashcash PoW (Module-SIS gate) · Falcon‖ML-DSA · GhostDAG-Q · the coin. No owner, no curator, no official site or explorer. Just the protocol.

This distinction matters enough that it has its own page.

The suite

A tour of what's in the workshop.

The Rust cores below are built and test-verified; the front-ends are reference prototypes; everything is unaudited. Honest labels on every card — the full catalog is on the products page.

A recent round of implementation work moved several of these from prose to code — a real Argon2id KDF in the SDK, a license-revocation (CRL) endpoint, the Megolm end-to-end-encryption messaging core, Tor transport, and feature-gated TDX / SEV-SNP attestation verification. This is first-implementation, not hardening of something that already existed. Each is still labelled with exactly how far it actually runs (some only against offline test fixtures), and all of it remains unaudited.

Postern Vault

A secrets / password vault, sealed at rest with the one canonical seal (XChaCha20-Poly1305 + Argon2id).

core: built · tests pass unaudited

Postern Courier

Serverless person-to-person file drop: ML-KEM-1024 payload seal, now with sender authentication (a post-quantum SignedDrop) and anti-replay. The ephemeral Tor onion transport stays off by default.

core: built · tests pass unaudited

Postern Messenger

Megolm-based end-to-end messaging core, via vodozemac (Apache-2.0). Note: a public disclosure in February 2026 concerns the Olm/vodozemac cryptography this core depends on; Postern has not independently assessed its impact on this product yet.

core: built · tests pass unaudited

Panic Lock

A panic button that instantly re-locks and destroys nothing.

core: built · tests pass unaudited

Postern Keys

A passkey / FIDO2 credential core for the permissive-license world.

core: built · tests pass unaudited

Postern Hygiene

Scrubs the document metadata nobody fixes — OOXML, ODF, JPEG.

core: built · tests pass unaudited

Seal Companion

The attestation verifier: self-audit and peer-verify, so you check our claims instead of trusting them.

core: built · tests pass unaudited

Postern Wallet

Post-quantum hybrid wallet (Falcon‖ML-DSA), diversified addresses, on-device key vault — on the unaudited, 51%-attackable mainnet beta; the coins carry no value claim.

core: built · tests pass reference prototype unaudited

Porog — Android container

The door between two worlds (a proposed name, pending trademark clearance; the porog / threshold of the Izbushka tale): a hardened, self-enrolled managed-profile workspace on stock Android — StrongBox key-attestation skeleton + host-side DPC/consent logic with a real, growing test suite. POC: strong host-side logic, high test counts — but nothing has ever booted an Android managed-profile container with this code; the on-device wrapper does not exist. Prototype logic, unproven on-device. Even wired up it is a key-attested device, not a measured-boot workspace; hardened, not anonymous; a rooted host defeats it. Never “Postern OS”.

host logic: built + tested (real test suites) · unproven on-device — no Android container ever booted unaudited

NoporIS — the bridge

The bridge between two worlds (the Kalinov crossing): a dual-persona layer that joins your personal side and a second, Google-Play-enabled persona on one device. The Google side is honestly the less-private side (it phones home to Google) — NoporIS sells separation, not privacy, and respects Google/Android licenses (no GMS redistribution, no Play-Integrity circumvention). POC: the host-side bridge/gate/consent logic is real and heavily tested — but nothing has ever booted a working dual-persona Android setup with this code; the on-device wrapper does not exist. Prototype logic, unproven on-device. Name pending trademark clearance.

host logic: built + tested (real test suites) · unproven on-device — no Android container ever booted unaudited

Sloboda — the outsiders' quarter

The settlement outside the fortress walls (a proposed name, pending trademark clearance) — the fourth folklore name after Postern the gate, Porog the threshold and NoporIS the crossing, and honestly the tier where data leaves the sealed base. The non-attestable escape hatch: a full Android/AOSP userland meant to run in an LXC container on the GNU/Linux host (built on Waydroid), for the Android apps the native ports can't run. POC: the host-side gate/consent logic is real and heavily tested — but nothing has ever booted an Android container with this code; the on-device wrapper does not exist. Prototype logic, unproven on-device. Bounded honestly: never Postern-Seal-covered, Play-Integrity STRONG fails by design, a rooted host defeats it — keep real secrets out. Never “Postern OS”.

name proposed · pending trademark clearance host logic: built + tested (real test suites) · unproven on-device — no Android container ever booted unaudited

For the deep read, engineers and auditors can pull the Technical Whitepaper (PDF) ↓ and the Audit-Readiness Dossier (PDF) ↓ — code-derived, every UNAUDITED / not-booted marker intact. Neither is an audit.

Technical documentation (PDF). The Postern Systems ↓ — a broad technical description of every Postern subsystem (measured boot, Seal attestation, the license spine, Consiglio, Ezekiel 1, Gramota, Cloud/Chiostro, the SDK, vault apps, comms, phone-as-signer, and the bridge apps), down to real struct/field names, cryptographic parameters, and protocol flows — forward-looking and unaudited.

About · the founder

Tiago Tenório (“TT”) — Founder & CEO.

Tiago Tenório (TT) is the founder and CEO of Postern Labs. He comes from Brazil's payments and fintech sector — a Visa prepaid/third-party ISO agent (2018–2020); founder of the AG47 office and a member of C6 Bank's Conexão C6 program, operating across São Paulo, Goiás, the Federal District, Alagoas and Paraná (2020–2021); a national distribution partner in First Data Corporation's Ignite program for acquiring products and services (2020–2021); PMO lead on a cards project at Havan (2021–2022); and Commercial Director at Avalon Capital, an asset manager (2022). In 2026 he founded Postern Labs to build privacy-first, post-quantum software — and the ownerless Bloch-SIS-PoW protocol its products build on, in which he holds no privileged role beyond a fully disclosed, structurally passive 17% founder premine.

The companies named above state his prior roles only — none of them endorses, backs, funds, or is affiliated with Postern Labs or Bloch-SIS-PoW.

Tiago B. de A. Tenório on LinkedIn — an outbound link; this site still loads nothing external and makes no network requests of its own.

Standing commitments

What we will never do.

  • Never sell you the coin. No token sale, no listing effort, no “ecosystem fund”, no yield marketing. Postern's revenue story never touches the token.
  • Never overclaim to the people who'd pay for it with their safety. No product here says “100% private”; every app carries an honest privacy panel.
  • Never embed copyleft, never close the source. MIT / Apache-2.0; the free build is always buildable from source.
  • Never ship a security claim before its audit. Claims for the protocol and for the products are separate, and each is audit-gated.
  • No covert surveillance, no tracking — including this website, which makes zero network calls.