Bitmask is lovingly created by the LEAP Encryption Access Project and currently runs on Android, Linux, MacOS and Windows. We plan to have an iOS client in the future if we find funding for it (suggestions welcome!). Select your operating system, and follow the install instructions.
Bitmask’s full stack is open source, this includes the applications and server side components. The code for all desktop apps is here and for the Android app here. And, unlike most VPNs, all server side components are also open source and can be viewed here.
F-Droid is an alternative app store for open-source and privacy-aware Android apps. You can search for “Bitmask” on F-droid or use the link below.
Go to F-DroidYou can search for “Bitmask” in the Google Play store or use the link below. If you want to see the latest features and bug fixes and would like to contribute to Bitmask by testing the app, you can get the beta version from the Google Play Store. The beta version will be less stable, only sign up to use this if you plan on contributing feedback as a beta tester.
Advanced users with special needs can download the Bitmask app directly from our servers at leap.se. You will need to enable the option Settings > Security > Unknown Sources in your Android system settings for this method to work. If you would like to manually verify the download instructions are below.
Download Stable VersionThe two latest Ubuntu LTS versions are supported. Please install from the LEAP ppa using:
sudo add-apt-repository ppa: coming soon.
sudo apt update
sudo apt install bitmask
Unfortunately the Snap package is currently out of support. Please don’t install Bitmask from the Snap store, as it is an out of date version. We plan to have this available in 2025. Community support on this has and continues to be very useful!
Currently there is no packaging for Bitmask. We plan to have this available in 2025. Community support on this has and continues to be very useful!
Use link below to downloaded “Bitmask-installer-
Use link below to downloaded “Bitmask-installer-
DNS leaks: We believe there is no DNS or IP leaks in RiseupVPN on windows, but it is not very well battle tested. Unlike Mac or linux, there is no killswitch on Windows yet. We will remedy this in 2025, if you find any kind of leaks we are very interested in hearing about it.
Installation of Android and Mac apps will have their signatures verified automatically. However, we provide signatures for these files if you wish to verify them manually. Instructions below. Instructions below.
All the files have been signed with the “LEAP archive signing key”. The first step is to import this key into your local keyring. These instructions will use gpg, a free implementation of OpenPGP that works on Mac, Windows, and Linux.
The easiest way to get the LEAP archive signing key is to just download it from the bitmask.net website and import into your keyring:
wget -O- dl.bitmask.net/apt.key | gpg --import
You should see output that looks like this:
gpg: key 0x1E34A1828E207901: public key "LEAP archive signing key <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0 valid: 4 signed: 7 trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: depth: 1 valid: 7 signed: 22 trust: 6-, 1q, 0n, 0m, 0f, 0u
Alternately, you can import the LEAP archive signing key by fetching from a keyserver:
gpg --recv-key 1E453B2CE87BEE2F7DFE99661E34A1828E207901
If you want to make the keyserver connection use TLS, you can use the sks-keyserver pool. To use this keyserver pool, you will need to download the sks-keyservers.net CA and save it somewhere on your machine. Additionally, you can verify the certificate’s finger print.
Once you have downloaded the SKS keyserver pool CA, the recv-key command looks like this:
gpg --keyserver hkps://pool.sks-keyservers.net --keyserver-options 'ca-cert-file=sks-keyservers.netCA.pem' --recv-key 1E453B2CE87BEE2F7DFE99661E34A1828E207901
Assuming you saved the CA certificate to the file sks-keyservers.netCA.pem. For more information, see this OpenPGP best practices page.
There is absolutely no guarantee that the key just imported with recv-key is the one you just requested. To confirm, you need to manually check the fingerprint:
gpg --fingerprint 1E453B2CE87BEE2F7DFE99661E34A1828E207901
Which should produce output like so:
pub 4096R/0x1E34A1828E207901 2013-02-06 [expires: 2015-02-07]
Key fingerprint = 1E45 3B2C E87B EE2F 7DFE 9966 1E34 A182 8E20 7901
uid [ undef ] LEAP archive signing key <[email protected]>
The signature file for each download has the same name as the file but with .asc appended.
For a listing of the available signature files, see:
All Android files
All Linux files
All Mac files
All Windows files
Make sure you put the signature file and the download you want to authenticate in the same directory, and that they have the same name (other than the .asc suffix for the signature file).
Now, just run this command:
gpg --verify FILE.asc
Where FILE is the name of the download you want to authenticate.
You should see some output like so:
gpg: Signature made Mon 15 Sep 2014 07:49:07 AM PD
gpg: using RSA key 0x1E34A1828E207901
gpg: Good signature from "LEAP archive signing key <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1E45 3B2C E87B EE2F 7DFE 9966 1E34 A182 8E20 7901
If you have trusted one of the keys that has signed the LEAP key, then you will not see the warning.
If you do not see the text – Good signature from “LEAP archive signing key [email protected]” then something is wrong and you should not run the application you downloaded.