Glacier is a secure collaboration and device protection platform. The Glacier app provides teams a secure, anonymous, and obfuscated method to communicate over text, voice, and video.
Can I trust Glacier?
The Glacier project was launched in 2015 by a group of engineers and developers with backgrounds from the National Security Agency (NSA) to solve major mobility pain points we experienced firsthand in the government.
Our colleagues across the globe needed a secure method to communicate, and because we weren’t satisfied with the free and commercial solutions, we built one ourselves. Since then we’ve provided secure communication solutions to Fortune 50 companies, nonprofits, government, and high-net-worth individuals.
Our brilliant team has been together for nearly 15 years creating cutting-edge software to tackle some of the United States Government’s most unique problems. We’ve researched and developed innovative tools to solve complex security issues with today’s latest consumer technology and created strong relationships with leading mobile device and software manufacturers.
Glacier is a US-based company and 100% privately owned and funded. Read more about our team.
How is Glacier different from other secure messengers?
It comes down to what makes the most sense for your team or organization. Glacier is tailored towards securing teams’ communications, contacts, and devices rather than connecting individuals. Glacier will never ask for your phone number or access to your address book. Glacier will never notify your contacts you’re using Glacier. There are no ads, no affiliate marketers, and no tracking.
What encryption does Glacier use?
Glacier leverages the OMEMO (OMEMO Multi-End Message and Object Encryption) protocol, an adaptation of the Signal Protocol.
It uses a Double Ratchet algorithm to establish secure sessions between every combination of devices for you and your contact(s). The Double Ratchet algorithm uses Curve25519, AES-256, and HMAC-SHA256. These sessions are then used to communicate secure keys to all devices. Glacier generates a new key for every message, and that key is used to encrypt your message with AES-GCM.
Video and call media is encrypted end-to-end (E2E) using WebRTC security protocols. Each participant negotiates a separate DTLS/SRTP connection to every other participant. All media published to the call is sent over these secure connections, and is encrypted only at the sender and decrypted only at the receiver.
Does Glacier offer confidentiality and forward secrecy?
Each message sent is encrypted with a fresh, randomly generated encryption key. No user other than the sender and receiver is able to read the contents. If key material is compromised, previous and future messages are not vulnerable.
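The symmetric-key half of a Double Ratchet, which is where the protection of previous messages comes from, shown as an added example (not Glacier's or any OMEMO library's code). The HMAC-SHA256 constants follow the Signal Double Ratchet specification's recommendation; `Chain`, `NewChain`, `KeyFor`, `maxSkip` and the seed are names and values chosen here, and the Curve25519 (DH) ratchet that protects future messages is not implemented.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

const maxSkip = 1000 // cap on parked keys, as MAX_SKIP in the Double Ratchet spec

// kdf is the spec's recommended KDF_CK: HMAC-SHA256 keyed with the chain key
// over a one-byte constant (0x01 = message key, 0x02 = next chain key).
func kdf(ck []byte, label byte) []byte {
	m := hmac.New(sha256.New, ck)
	m.Write([]byte{label})
	return m.Sum(nil)
}

// Chain is one direction of a session. It holds the current chain key and the
// keys of messages skipped by out-of-order delivery, never an older chain key.
type Chain struct {
	ck      []byte
	next    int
	skipped map[int][]byte
}

// NewChain seeds a chain; a real session takes the seed from the DH ratchet.
func NewChain(seed []byte) *Chain {
	return &Chain{ck: seed, skipped: map[int][]byte{}}
}

// KeyFor returns the key for message n exactly once, ratcheting forward as far
// as needed. A replayed n, or one more than maxSkip ahead, yields ok == false.
func (c *Chain) KeyFor(n int) (key []byte, ok bool) {
	for c.next <= n && n-c.next <= maxSkip {
		c.skipped[c.next] = kdf(c.ck, 0x01)
		c.ck = kdf(c.ck, 0x02) // the previous chain key is overwritten
		c.next++
	}
	key, ok = c.skipped[n]
	delete(c.skipped, n)
	return key, ok
}

func main() {
	rx := NewChain([]byte("constructed demo seed")) // constructed value
	_, first := rx.KeyFor(2)                        // message 2 arrives before 0 and 1
	_, replay := rx.KeyFor(2)
	fmt.Println(first, replay, len(rx.skipped)) // true false 2
}
```

Once a message key has been handed out and the chain key overwritten, the stored state no longer contains anything that decrypts that message.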
How does Glacier embrace Zero Trust?
Glacier has specifically designed its platform for zero trust. Glacier's core infrastructure acts as a transport service for end-to-end encrypted communications. Once messages are delivered they are deleted. Additionally, servers are encrypted at rest with keys generated by Amazon Web Services KMS. KMS uses hardware security modules (HSMs) that have been validated under FIPS 140-2, or are in the process of being validated, to generate and protect keys.
Does Glacier offer message ephemerality?
Yes, messages can be configured to expire. After expiration, the message will be permanently deleted from both the sender's and the receiver's device(s). Read more here.
How do I verify a contact or device?
There are two levels of verification that take place on Glacier. First, Glacier's platform is not designed to be the flat, open model that is common with most secure messengers. Each organization is provided its own secure enclave, which users have to be invited to join. Second, you will be presented with a Glacier ID for each of your contacts' devices. This can be easily verified in person or over another secure channel.
Have the Glacier apps been audited?
The Glacier apps have been evaluated against the National Information Assurance Partnership (NIAP) protection profile (PP) security criteria by Apcerto, a mobile development and security platform using application vetting technology built around machine learning Bayesian algorithms. The full report can be viewed here.
OMEMO is an open standard based on a Double Ratchet which can be freely used and implemented by anyone. The protocol has been audited by a third party and can be viewed here.
How do I perform a backup?
Currently, there is no way to back up chat history. Once you log out or uninstall the app, message history will be lost.
How is file transfer and pinning secured?
File sharing and file pinning allow users and organizations to upload documents that are only accessible to users within that group.
Uploaded files that are “pinned” to a room don’t expire and can be listed and retrieved by the group occupants. The files are encrypted by the server during upload. While browsing the attachments, the client receives the key material necessary to decrypt them.
To retrieve the list of attachments, the client queries the list of files attached to a given room by sending an IQ-get to the group. The server responds with an IQ-result that contains the attachments, each with url, cipher, key, iv, and tag attributes. The url attribute points to the HTTPS URL of the encrypted file, the cipher attribute is hard-coded to AES-256-GCM, and the remaining three attributes contain the key material required to decrypt the downloaded file. During the upload process, the file is encrypted using AES-256-GCM before it is stored.
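The client-side step described above, as an added example (not Glacier's code): it reads the five attributes from one attachment element and performs the authenticated AES-256-GCM decryption of the downloaded body. The `attachment` element name, the hex encoding of `key`, `iv` and `tag`, the URL and the function names are assumptions; the sample key material is the public GCM specification test case 14 (all-zero key and IV), whose plaintext is 16 zero bytes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"encoding/xml"
	"fmt"
)

// Attachment holds the five attributes the FAQ lists. The element name and hex
// encoding of key, iv and tag are assumptions; the page does not specify them.
type Attachment struct {
	URL    string `xml:"url,attr"`
	Cipher string `xml:"cipher,attr"`
	Key    string `xml:"key,attr"`
	IV     string `xml:"iv,attr"`
	Tag    string `xml:"tag,attr"`
}

// Constructed sample: key, iv and tag are the public GCM spec test case 14.
const sample = `<attachment url="https://files.example.invalid/a1" cipher="AES-256-GCM"
 key="0000000000000000000000000000000000000000000000000000000000000000"
 iv="000000000000000000000000" tag="d0d1c8a799996bf0265b98b5d48ab919"/>`
// ParseAttachment decodes one attachment element taken from an IQ-result.
func ParseAttachment(elem string) (a Attachment, err error) {
	err = xml.Unmarshal([]byte(elem), &a)
	return a, err
}

// Decrypt verifies the GCM tag and fails closed on tampering or bad key material.
func (a Attachment) Decrypt(body []byte) ([]byte, error) {
	key, e1 := hex.DecodeString(a.Key)
	iv, e2 := hex.DecodeString(a.IV)
	tag, e3 := hex.DecodeString(a.Tag)
	if a.Cipher != "AES-256-GCM" || e1 != nil || e2 != nil || e3 != nil ||
		len(key) != 32 || len(iv) != 12 || len(tag) != 16 {
		return nil, fmt.Errorf("attachment %s: bad cipher or key material", a.URL)
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length checked above
	gcm, _ := cipher.NewGCM(block)
	// Go's Open wants ciphertext||tag; the stanza carries the tag separately.
	return gcm.Open(nil, iv, append(append([]byte{}, body...), tag...), nil)
}

func main() {
	a, _ := ParseAttachment(sample)
	body, _ := hex.DecodeString("cea7403d4d606b6e074ec5d3baf39d18") // "downloaded" file
	fmt.Println(a.Decrypt(body))
}
```

Because the key, IV and tag arrive in the same stanza as the URL, the tag check only shows that the stored file matches what the server described; it does not protect the file from the server itself.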
How does Glacier protect its users?
Glacier does not require a mobile number or email address. The organization admin can simply create accounts on behalf of their users.
Glacier does not collect any data from the user, such as location, contacts, or message history.
Glacier launches a cloud-based "tenant" for each organization. This tenant is private and makes no correlation with the organization or Glacier.
When Glacier Core VPN is enabled, users route device traffic through an encrypted and temporary cloud-based redirector that is unique for each tenant.
Is my IP address exposed when using Glacier?
Glacier uses a client/server architecture. Your IP address is never exposed to your contacts. When Glacier Core (VPN) is enabled, your IP address is removed prior to accessing Glacier's servers.
How do push notifications work?
For Android, Glacier leverages background polling and Google's Firebase Cloud Messaging. For iOS, Glacier leverages Apple Push Notification Service (APNS) to notify a user of a new message. A push notification allows Glacier to temporarily connect in the background and decrypt the message. Google and Apple never have access to message content.
Chat, Calls, Video & VPN.
Where are Glacier messages stored?
Messages sent on Glacier are end-to-end encrypted. When a user is offline, messages are stored encrypted on Glacier servers until the user connects. Once messages are delivered they are deleted from the server.
What are Glacier usernames?
Each user has a unique Glacier username that is used for authentication. After authentication, a user can set their display name. This allows organizations to create generic usernames and have the end users decide what they appear as on the network.
Does Glacier support voice and video chat?
Yes, Glacier supports end-to-end encrypted voice and video calls. Currently there is a limit of 5 participants.
What are Invite Only and Open Groups?
Invite-only groups are end-to-end encrypted and can support up to 15 users. Open groups are designed to support a large number of users. Messages in Open groups are only encrypted in transit. Currently, Open groups are available for Enterprise users only.
What are Glacier teams?
Within Glacier, users cannot manually add contacts. Contacts are assigned to users through Teams within the Management Console.
For example, an organization may not want everyone to see each other in their contact list. An admin could create Teams (e.g. Sales, Marketing, Engineering). Users are only able to see contacts that are on the same team. Users can be a member of multiple teams.
What is Glacier Dial? How do I make external calls?
Glacier Dial is our app designed for secure external calling. It can replace your Android or iPhone's native phone app. Glacier Dial gives users a virtual phone number, voicemail, call forwarding, and conferences.
Glacier Dial does not currently support SMS messages.
How does Glacier Dial protect my call history?
You can disable call history in the app by tapping the eye icon in the Call History section.
What is Glacier Core?
Glacier Core is a VPN client that leverages Glacier's moving network to provide data security, obfuscation, and privacy for all apps on your device. Glacier uses the OpenVPN protocol for Android and IPsec for iOS.