Start9 Embassy Review: The Sovereign OS and the Logic of Total Isolation

Sovereign Audit: This logic was last verified in March 2026. Service isolation: Cryptographic boundary confirmed. P2P networking: Pure Tor/Clearnet hybrid.

Affiliate disclosure: Some links in this article are affiliate links. If you buy through them we may earn a commission at no extra cost to you — it never changes what we recommend or how we rank it. Read our full affiliate disclosure.

You send the message and feel safe, because the little padlock told you it was encrypted. Then a thought lands at the edge of your attention, the one you keep swatting away: the words are locked, sure — but who knows you sent them? Who knows the time, the frequency, the shape of who you talk to most? That part isn’t on your phone. It’s sitting on a server in a building you’ll never see, owned by a company that decides, not you, who gets to read the pattern of your life.

The short version: Encryption hides the contents of a message, but the metadata — who, when, how often, from where — still lives on someone else’s server, and that’s the part that maps your whole social graph. Start9 Embassy is a hardened Linux operating system that runs on a small dedicated server you own, hosting your own Matrix chat, password vault, and other services. Each service is cryptographically isolated, everything routes through Tor by default, and there’s no central company for a warrant to compel. It isn’t plug-and-play and it asks for basic technical comfort, but it removes the platform risk of cloud apps entirely. For cross-border-sized privacy stakes — activists, small teams, anyone done renting their own data — it’s the most serious self-hosting option there is.

Why encrypted messaging alone isn’t enough: the metadata you can’t hide

You’ve been told Signal or another encrypted app protects your privacy. That’s half true, and the missing half is the half that matters.

The message body may be locked tight. But the metadata — who you’re talking to, when, how often, from where — still has to live somewhere, and that somewhere is a server you don’t own. The owner of that server, or a government holding a warrant, can read your entire social graph and communication rhythm without ever decrypting a single word. They don’t need the message. The pattern is the message.

Slack admins can read your DMs. WhatsApp can see exactly when you’re online. Discord knows every server you’ve ever joined. None of this is malice by default — they simply have the technical ability, and an ability that exists is an ability that can be misused by a bad actor, a competitor, a subpoena, or a future owner with worse intentions. The leak was never the encryption. It was the address: your data living on hardware someone else controls.

The villain: it’s not the app, it’s the location of the server

Here’s the reframe most privacy advice never reaches. You keep shopping for a more private app — a better messenger, a stricter setting, a no-logs promise. But you’re solving the wrong layer. As long as the server lives in someone else’s data centre, you are trusting a stranger’s policy, a stranger’s lawyers, and a stranger’s future change of heart. A promise is not a property right.

Start9 Embassy moves the server itself onto hardware sitting in your physical space. That’s the whole turn: privacy stops being a feature you’re granted and becomes a boundary you own. The question changes from “do I trust this company?” to “do I control this box?” — and the second question has an answer you can hold in your hands.

How Start9 works: the isolation model

Start9 runs on a dedicated mini-server (the Embassy One or Embassy Pro) and operates on three core principles.

  • Service isolation: Each app — Matrix, Vaultwarden, a Bitcoin node — runs in its own sandboxed container. One service getting hacked doesn’t expose the others; they can’t see each other’s data or processes.
  • Tor by default: Every service gets its own unique .onion address. You don’t connect over a regular public IP — you reach it through Tor, which routes the connection through multiple relays. ISPs, network monitors, and casual scanners can’t even see that you’re running services.
  • Cryptographic credentials: Services don’t lean on human-managed passwords. Start9 generates cryptographic material automatically, so there’s no weak, reused, guessable password standing between an attacker and your vault.

The result is concrete: only machines you explicitly add can reach your services. Your ISP doesn’t know you’re running a server. Your neighbours can’t scan for it. Government requests go nowhere, because there is no central company to compel — the only door is the one you hold the key to.

The communications stack: Matrix plus Vaultwarden

Start9’s killer app is hosting your own Matrix homeserver. Matrix is the open protocol behind Element, a Slack-style chat that’s actually private. Run your own homeserver on Start9 and the trade-offs flip in your favour:

  • You’re not tied to a phone number or email, unlike Signal or Telegram.
  • You control the end-to-end encryption keys.
  • You own the social graph — your contact list isn’t mined for advertising or sold to data brokers.
  • You can federate with other Matrix servers or run in complete isolation.

Pair Matrix with Vaultwarden, a self-hosted password manager, and you have a complete communications-and-secrets infrastructure. Your passwords, two-factor codes, and secure notes stay encrypted on your own hardware. You can even share credentials with teammates through your Vaultwarden instance without trusting the servers of Bitwarden or 1Password. The data never leaves a box you can physically unplug.

What happens if your server loses power?

The most legitimate worry about self-hosted infrastructure is resilience, so name it plainly. Start9 handles power loss three ways:

  • Auto-recovering Tor addresses on reboot — your .onion addresses don’t change when the device restarts, so nothing you’ve shared breaks.
  • Persistent service state — when power returns, Matrix, Vaultwarden, and the rest come back online automatically.
  • Encrypted backups — the entire system state can be backed up to an external SSD, encrypted at rest.

You’re not hand-recovering a database or redeploying containers at midnight. Power returns, the device comes up, services are live. For most operators that’s enough. For anything you’d call critical, you add a UPS battery and redundant external backups — and that honest ceiling is exactly why you should know it before you commit, not after.
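The stable .onion addresses described in this section follow from the Tor v3 address format: the hostname is a deterministic encoding of the service's ed25519 public key, so it stays the same for as long as the key survives on disk. The sketch below is an added example, not Start9's code; it builds and validates an address per Tor's rend-spec-v3, and `SAMPLE_PUBKEY` is a constructed stand-in rather than a real service key.

```python
import base64
import hashlib

ONION_VERSION = b"\x03"  # version byte for v3 onion services

# Constructed 32-byte stand-in for an ed25519 public key (not a real service).
SAMPLE_PUBKEY = bytes(range(32))

def _checksum(pubkey: bytes) -> bytes:
    # rend-spec-v3: first 2 bytes of SHA3-256(".onion checksum" || pubkey || version)
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]

def onion_address(pubkey: bytes) -> str:
    """Encode a 32-byte public key as a v3 .onion hostname (56 chars + '.onion')."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + ONION_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"

def is_valid_onion(host: str) -> bool:
    """True only for a well-formed v3 address whose checksum matches its key.

    Checks the encoding only; it does not verify that the key is a valid
    curve point or that the service is reachable.
    """
    label, sep, tld = host.lower().rpartition(".")
    if sep != "." or tld != "onion" or len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # characters outside the base32 alphabet
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == ONION_VERSION and checksum == _checksum(pubkey)

if __name__ == "__main__":
    addr = onion_address(SAMPLE_PUBKEY)
    print(addr, is_valid_onion(addr))
```

Running the check on an address before adding it to a client catches typos and truncated copies, because a single changed character breaks the checksum or version byte.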

The technical architecture: what’s actually running

Service containers: Each application — Matrix Synapse, Vaultwarden, Bitcoin Core — runs in its own Docker container with minimal permissions. One service cannot touch another’s filesystem or network interface. This is container hardening, baked in rather than bolted on.

Networking layer: Start9 uses Tor hidden services for all external communication. Instead of exposing services on a public IP, each gets a unique .onion address. Your ISP sees Tor traffic and nothing more — they don’t know what’s on the other end. Stealth is the default, not a setting you have to remember.

Storage layer: Start9 uses ZFS, a filesystem that detects silent data corruption. If a bit flips on disk — a cosmic ray, a failing SATA cable, aging hardware — ZFS catches it, so your backups stay cryptographically verified instead of quietly rotting.

Identity layer: Every service has its own root key, separate from your system key. Compromise of one service doesn’t cascade into the others. This is cryptographic isolation at the filesystem level, not a security policy you’re trusted to follow.
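The isolation properties claimed in this section can be checked on any Docker host from `docker inspect` output. The audit below is an added example, not Start9's code or configuration: the container names, paths and records are constructed, and only the field names (`HostConfig.Privileged`, `NetworkMode`, `PidMode`, `CapAdd`, `Binds`) come from Docker's inspect format.

```python
from collections import defaultdict

# Constructed records: the subset of `docker inspect` output this audit reads.
CONTAINERS = [
    {"Name": "/matrix", "HostConfig": {
        "Privileged": False, "NetworkMode": "matrix_net", "PidMode": "",
        "CapAdd": None, "Binds": ["/data/matrix:/data"]}},
    {"Name": "/vaultwarden", "HostConfig": {
        "Privileged": False, "NetworkMode": "vault_net", "PidMode": "",
        "CapAdd": None, "Binds": ["/data/vault:/data"]}},
    {"Name": "/misconfigured", "HostConfig": {
        "Privileged": True, "NetworkMode": "host", "PidMode": "host",
        "CapAdd": ["SYS_ADMIN"],
        "Binds": ["/data/vault:/mnt/vault:ro",
                  "/var/run/docker.sock:/var/run/docker.sock"]}},
]

def audit(containers):
    """Return {container name: [isolation findings]} for containers with any."""
    findings = defaultdict(list)
    mounts = defaultdict(set)  # host path -> names of containers mounting it
    for c in containers:
        name, hc = c["Name"].lstrip("/"), c["HostConfig"]
        if hc.get("Privileged"):
            findings[name].append("privileged")
        if hc.get("NetworkMode") == "host":
            findings[name].append("host network namespace")
        if hc.get("PidMode") == "host":
            findings[name].append("host PID namespace")
        for cap in hc.get("CapAdd") or []:
            findings[name].append(f"added capability {cap}")
        for bind in hc.get("Binds") or []:
            src = bind.split(":")[0]  # host side of "src:dst[:mode]"
            if src.endswith("docker.sock"):
                findings[name].append("Docker socket mounted")
            mounts[src].add(name)
    # A host path mounted into more than one container breaks filesystem isolation.
    for src, names in mounts.items():
        if len(names) > 1:
            for n in sorted(names):
                findings[n].append(f"host path {src} shared with {sorted(names - {n})}")
    return dict(findings)

if __name__ == "__main__":
    for name, issues in audit(CONTAINERS).items():
        print(name, issues)
```

On a live host the same function can be fed the parsed JSON from `docker inspect $(docker ps -q)`.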

Getting started: the sovereign hosting checklist

1. Acquire hardware. Buy a Start9 Embassy One (entry-level, fanless) or Embassy Pro (more storage, faster CPU). They ship with EmbassyOS preloaded. Plug into power and Ethernet. You are not building a server from scratch.

2. Initialise the system. Open the web interface, set a root password, and let it initialise. The UI walks you through the basics. You won’t touch a terminal unless you want to.

3. Install your stack. From the Start9 app store, install:

  • Matrix (Synapse): your messaging homeserver — pair with Element for a Slack-like interface.
  • Vaultwarden: your private password vault.
  • Bitcoin Core (optional): run your own full node for financial sovereignty.
  • Mastodon (optional): your own microblogging instance, federated or fully isolated.

4. Back up to an external SSD. Plug in a dedicated USB SSD. Start9 encrypts and syncs your entire system state on a schedule. That’s your continuity guarantee. The first real win takes an afternoon — and the first service you stand up is the moment the abstraction becomes yours.

Limitations and real risks

The honest version of this review names what could bite you, because a recommendation that hides its failure modes isn’t a recommendation, it’s a sales pitch.

Technical competency: Start9 is far friendlier than raw Linux hosting, but it isn’t consumer-grade. You need basic comfort with networking ideas (port forwarding, DNS, Tor), a willingness to read documentation, and patience to troubleshoot. If you’ve genuinely never opened a terminal, expect a real learning curve.

Uptime dependency: Your services exist only while your device is online. You can’t reach Matrix from your phone if the hardware is unplugged in your closet. Most operators run it 24/7 on standby power.

Physical security: The device is itself a physical risk surface. Someone with access to your home who steals or tampers with it could try to extract keys or plant harmful software. Start9 offers tamper detection — it flags if the case has been opened — but this isn’t military-grade, and you should treat it as one layer, not the whole defence.

Scaling: Start9 is comfortable for 1–50 users. Past 100 concurrent users you’d be optimising hardware, managing load, and possibly running distributed infrastructure. It’s built for personal and small-team sovereignty, not enterprise scale.

Start9 vs. other self-hosting options

| Option | Learning curve | Isolation | Tor by default | Best for |
|---|---|---|---|---|
| Start9 Embassy | Moderate | Excellent (containers + keys) | Yes | Personal sovereignty, small teams |
| Umbrel | Easy | Good (basic containers) | No | Bitcoin nodes, simple apps |
| Proxmox + bare metal | High | Excellent (VMs) | No (your config) | Advanced operators, multiple VMs |
| VPS (Linode, Hetzner) | Moderate–High | None (shared host) | No (your config) | Public-facing apps, not sovereignty |

Start9’s real advantage is that it bakes isolation and Tor in as defaults. You don’t configure your way to security — it arrives with the system. Umbrel is simpler but less hardened. A VPS removes the sovereignty advantage entirely: it’s someone else’s hardware, and someone else’s hardware is government-accessible by definition.

Frequently asked questions

Can I access my Start9 services from outside my home?

Yes. Each service has a unique .onion address, reachable from anywhere using Tor Browser or a Tor client. You can also set up a reverse proxy to publish services over clearnet if you need non-Tor access, though that reduces privacy. Start9 gives you both options.

What if I forget my password?

Root-password recovery requires physical access to the device and a reset via the hardware console. There’s no “forgot password” email recovery, because there’s no cloud backend to send it from. Keep your password secure, or be ready to restore from a backup.

Can I run Start9 on my own computer instead of buying the hardware?

Technically yes — EmbassyOS runs on most x86-64 Linux systems. But you’d lose the convenience and the tamper-evident packaging. Running it on a laptop you also browse on isn’t recommended, because it mixes threat models. A dedicated device creates a clean security boundary.

Is Tor slow?

Tor adds latency — expect 100–500ms of extra delay. For messaging and vault access, that’s imperceptible. For video calls or real-time collaboration, it’s noticeable but usable. If speed is critical for a given service, you can run it over clearnet, accepting the privacy trade-off.

What if the Start9 company shuts down?

EmbassyOS is open-source. You can keep running your installed version indefinitely. You’d stop getting new updates from the official store, but the core system works without them. Your data isn’t locked in proprietary formats — it’s standard Docker containers, ZFS filesystems, and open protocols like Matrix. Portability is built in, which means the company’s survival isn’t a single point of failure for you.

The core case for Start9

Leaning on centralised platforms in an age of AI-driven metadata analysis and mass surveillance turns your entire communication graph into one fragile point of failure. A hardened personal embassy removes that risk by changing where the data lives — from a stranger’s data centre to a box on your shelf.

Start9 makes that move accessible. You’re not writing Docker configs by hand or debugging networking at 2am. You’re opening a web UI and deploying sovereignty.

If you care about who knows when you’re online, who holds your passwords, or whether your team’s conversations are quietly mined for insight, the answer isn’t a better promise from a bigger company. It’s a smaller box you actually own. You can read the hardware specs and order direct from start9.com. The shift it represents is bigger than the device: you stop being a tenant of your own conversations and become the landlord. Un-hacked isn’t a product you buy — it’s the moment you stop renting the server your life runs on.

Related reading: The Sovereign Operating System: The Unified Logic and the Audit of the Total Human Machine, Docker Hardening: The Zero-Trust Container Protocol and the Logic of Infrastructure Sovereignty, Umbrel Home Review, and Proton Pass vs. Bitwarden.

Ranveersingh Ramnauth · Founder & Editor, The Unhacked

Ranveersingh Ramnauth is the founder and editor of The Unhacked, an independent publication on digital sovereignty — privacy, self-custody, health, and money. The Unhacked publishes disclosure-first, independently-tested guidance and never lets a commercial link change a verdict. More about our methodology →
