Decentralized. Anonymous. Yours.
No servers. No accounts. No phone number.
Encrypted messaging over the Tor network — peer to peer.
🐧 Linux only · Python ≥ 3.12 · Android in development
What is Legion
Legion is a messaging application with no company behind it, no server storing your data, and no business model built on your information. Your messages go directly to the person you're writing to — through Tor, end-to-end encrypted — and nowhere else.
When you write to someone, that message is for them. Not for an algorithm, not for a data warehouse, not for anyone but the person you addressed it to.
Most apps store your conversations on someone's server. That is a target: something that can be hacked, leaked, or accessed without your knowledge. Legion removes the server entirely.
With most apps, privacy is a toggle you configure or a policy that can change. In Legion, it is not a feature — it is the structure.
Freedom of expression is a right. What you do with it is a matter of your own conscience — not something to be pre-approved, filtered, or recorded by a system that has decided you are a suspect before you have said a word. A private conversation should not need to justify itself.
Interface
End-to-end encrypted conversation with delivery status, TTL picker and burn-after-reading toggle.
Group chats with peer-to-peer delivery, member management and automatic key rotation.
Settings panel: identity, contact card QR code, message expiry and the panic button.
Features
X25519 + XSalsa20-Poly1305 via libsodium. Group chats use a shared SecretBox key. Plaintext never touches disk.
Every node is a .onion address derived from your Ed25519 key. Your IP is invisible to everyone, always.
Peer-to-peer delivery to every member. Automatic key rotation when a member is removed. Files and images supported.
Images are re-encoded by Pillow before sending — GPS, EXIF, camera model and all metadata permanently stripped.
Messages delete themselves from both devices. The burn flag is inside the encrypted payload — invisible in transit.
One tap destroys all local data instantly: identity, messages, contacts, groups. Followed by a VACUUM pass — no forensic recovery.
How it works
An Ed25519 keypair is generated locally. Your private key never leaves your device — encrypted with Argon2id at rest.
Your node registers a v3 Hidden Service. Your .onion address is derived from your key — it never changes and never reveals your IP.
Messages travel peer-to-peer through Tor. No middleman. Encrypted on your device, decrypted only on theirs.
Security
Legion underwent a complete white-box penetration test conducted by Claude — an AI model developed by Anthropic — with full access to every line of source code. Every component was systematically reviewed: cryptographic implementation, protocol logic, API surface, GUI input handling, file sanitization, and subprocess isolation.
The project author directed the entire audit process — defining scope, verifying findings, making the final call on every fix, and ensuring each decision aligned with Legion's security model. Two medium-severity vulnerabilities were found and fixed before release. All findings are public in SEC_AUDIT.md. Rejected design decisions are documented in DECISIONS.md.
| Component | Primitive |
| --- | --- |
| Key generation | Ed25519 — libsodium CSPRNG |
| Private key at rest | Argon2id + XSalsa20-Poly1305 |
| Message encryption | X25519 + XSalsa20-Poly1305 |
| Group encryption | XSalsa20-Poly1305 SecretBox |
| Signatures | Ed25519 |
| Image sanitization | Pillow re-encode |
All via libsodium (PyNaCl). Zero custom algorithms.
Vision
Legion is the work of a single developer driven by a straightforward conviction: privacy is not a privilege — it is a right. In a world where communication infrastructure is increasingly centralised, surveilled, and vulnerable to pressure from governments and corporations, the answer is not a better app on someone else's server. The answer is no server at all.
The project was built with deliberate simplicity: every architectural decision was made to be understandable, auditable, and justifiable. No black boxes. No clever tricks. No dependencies that haven't been carefully evaluated. The goal was not to build the most feature-rich messenger — it was to build the most trustworthy one.
Legion was developed in close collaboration with Claude, an AI model by Anthropic. Every feature — from the cryptographic architecture to the panic button, from burn-after-reading to the security audit — was implemented through a dialogue between human vision and AI execution.
This is not a disclaimer. It is a statement of intent: Legion is a demonstration that responsible AI collaboration, with a human firmly in control of every decision, can produce software that is safer, more consistent, and more thoroughly considered than either could achieve alone.
All intellectual property, all architectural decisions, and all responsibility for the project belong to its human author. AI was — and remains — a tool.
Install
Supports Arch / EndeavourOS / Manjaro · Debian / Ubuntu / Mint · Fedora / RHEL / Rocky Linux
$ git clone https://github.com/n3ur0-f4ll/legion.git
$ cd legion
$ bash install.sh
The installer creates a ./legion launcher and a desktop entry.
Your password cannot be recovered. If you forget it, your identity is permanently inaccessible — by design. Write it down and keep it somewhere safe.
Requires Python ≥ 3.12 · Linux only · Manual installation →
Because there is no central server, your device connects directly to your contact's device through Tor. If they are offline when you send, Legion keeps the message in a local queue and retries every 10 seconds — for as long as the app is running.
Once you close Legion, retries pause. The message is saved locally — delivery resumes automatically when you reopen the app.
A relay node is in development — an optional self-hosted server that keeps messages moving 24/7 without ever seeing their content. Coming in a future release.
Legion has no user directory, no phone numbers, no usernames. To message someone you must exchange contact cards — small signed JSON files containing your public key and .onion address. Both sides must add each other before messages can flow.
The card is cryptographically signed with your private key. It cannot be forged. Legion verifies the signature before accepting any contact.
API reference, database schema, cryptographic internals, security model, architecture decisions.
Development
Legion is a living project. Here is what has been delivered, what is being worked on now, and what is planned.
Legion is a one-person project. Progress is steady but not rushed — correctness and security take priority over release speed.