6.3 Security

Tinc got its name from “TINC,” short for There Is No Cabal; the alleged Cabal was/is an organisation that was said to keep an eye on the entire Internet. As this is exactly what you don’t want, we named the tinc project after TINC.

But in order to be “immune” to eavesdropping, you’ll have to encrypt your data. Because tinc is a Secure VPN (SVPN) daemon, it does exactly that: encrypt. Tinc by default uses blowfish encryption with 128 bit keys in CBC mode, 32 bit sequence numbers and 4 byte long message authentication codes to make sure eavesdroppers cannot get and cannot change any information at all from the packets they can intercept. The encryption algorithm and message authentication algorithm can be changed in the configuration. The length of the message authentication codes is also adjustable. The length of the key for the encryption algorithm is always the default length used by LibreSSL/OpenSSL.