We ported a complete Matrix homeserver to Cloudflare Workers — delivering encrypted messaging at the edge with automatic post-quantum cryptography.
# Research: Building a Serverless, Post-Quantum Matrix Homeserver
## Metadata
- Authors: Nick Kuntz
- Institution: Cloudflare
- Publication: The Cloudflare Blog
- Date: January 27, 2026 (Inferred from post date)
## Abstract
This research demonstrates the feasibility of porting a complete Matrix homeserver, initially built in Rust, to run entirely on Cloudflare Workers. The objective was to eliminate the substantial operational burden associated with running traditional Matrix servers (e.g., provisioning VPS, managing databases like PostgreSQL and Redis) while leveraging the edge network for lower latency and inherent security hardening, all while integrating default post-quantum cryptography readiness.
## Research Objective
The core objective was to determine if the operational tax—the complexity, cost, and administrative overhead of running a stateful Matrix homeserver—could be eliminated by migrating it to a serverless, edge-based architecture. A secondary objective was to integrate post-quantum cryptography protection by default into this deployment model.
## Methodology
### Approach
The team ported the logic of an existing Rust-based Matrix homeserver, **Tuwunel**, to the Cloudflare Workers runtime. This involved recompiling the Rust core logic into WebAssembly (Wasm) and adapting storage mechanisms to fit Cloudflare's primitives.
### Dataset/Environment
The system was tested as a production deployment scenario, handling real encrypted communications, including state resolution, event authorization, and cryptographic verification flow as defined by the Matrix protocol. The environment studied was the Cloudflare Workers runtime, utilizing Durable Objects for state management.
### Tools & Technologies
* **Base Application:** Tuwunel (a Rust-based Matrix homeserver).
* **Runtime Bridging:** `workers-rs` crate.
* **Compute Platform:** Cloudflare Workers.
* **State Management:** Cloudflare Durable Objects (to provide necessary strong consistency and atomicity).
* **Compilation Target:** WebAssembly (Wasm).
* **Security Feature:** Built-in Post-Quantum Cryptography protection (implied via Cloudflare's infrastructure modernization).
## Key Findings
### Primary Results
1. A complete Matrix homeserver can be successfully executed within the constraints and primitives of the Cloudflare Workers ecosystem.
2. The serverless deployment drastically reduces administrative overhead; deployment is reduced to `wrangler deploy`, eliminating the need for VPS provisioning, database management (PostgreSQL/Redis), TLS renewal, and manual load balancing setup.
3. The architecture results in usage-based costs, meaning low-traffic servers cost near zero when idle, contrasting sharply with the fixed costs of traditional VPS hosting.
4. Latency for global users is significantly reduced because Workers execute geographically closer to the end-user (e.g., in 300+ global locations).
### Supporting Evidence
* The core Matrix protocol logic (state resolution, event authorization, cryptographic verification) translated directly because Rust code compiles effectively to Wasm.
* The shift replaced traditional state management (PostgreSQL/Redis) with **Durable Objects**, which provide the strong consistency that Matrix state resolution requires at the edge.
### Novel Contributions
* Demonstrating the viability of porting complex, stateful distributed systems like Matrix homeservers to modern serverless edge runtimes (Workers/Durable Objects).
* Providing a Matrix deployment model that inherently includes advanced security features (DDoS protection, WAF, IP reputation filtering) as baseline infrastructure, abstracting significant hardening effort away from the developer.
* Automatically equipping the deployment with post-quantum cryptographic protection by leveraging Cloudflare's underlying infrastructure upgrades.
## Technical Details
The critical technical hurdle addressed was storage. Traditional Matrix relies on SQL databases for persistence and strong consistency. The solution mapped this requirement onto **Cloudflare Durable Objects (DOs)**. DOs provide the necessary strong consistency and transactional atomicity required for the Matrix state machine resolution, while maintaining the distributed nature of the edge environment. The reliance on Rust compiling to Wasm allowed the existing protocol logic to be reused with minimal adaptation to the runtime interface, bridged by `workers-rs`.
## Practical Implications
### For Security Practitioners
This approach significantly shifts cryptographic readiness and infrastructure security from a developer responsibility to a platform guarantee. Security practitioners can deploy secure systems without dedicating staff time to patching operating systems, managing firewalls, or manually updating TLS libraries to keep pace with newer standards such as post-quantum cryptography.
### For Defenders
The implementation offers automatic, robust defense-in-depth: DDoS mitigation, rate limiting, WAF rules, and IP reputation filtering are inherent to the platform, shielding the application logic from the majority of common attack vectors.
### For Researchers
This work provides a template for migrating other stateful, distributed consensus protocols (beyond Matrix) onto edge computing platforms, validating Durable Objects as a viable building block for complex, strongly consistent serverless applications.
## Limitations
The primary limitation acknowledged is the dependency on the specific primitives offered by the Cloudflare ecosystem (Workers and Durable Objects). While this provides benefits, it locks the deployment to that vendor's roadmap and structure. The performance characteristics are contingent on the overhead introduced by the Wasm runtime and the abstraction layer provided by DOs compared to highly optimized native deployments.
## Comparison to Prior Work
Prior Matrix deployments required substantial operational investment (VPS, database tuning, Redis). This research directly confronts that burden by offering a solution with zero operational overhead. Unlike typical small-scale Matrix deployments that rely on embedded databases or simpler persistent storage, this work successfully implemented the requirements of a *complete* homeserver, including the demanding state resolution logic, using advanced primitives like Durable Objects rather than simpler key-value stores (like KV).
## Real-world Applications
* **Low-Traffic Communities:** Ideal for small organizations or personal servers where maintaining a dedicated server is not feasible.
* **Global Incident Response:** Deploying communication infrastructure quickly with low latency across disparate geographic locations.
* **Privacy-Focused Deployments:** Utilizing the default PQC readiness for long-term protection of stored communication history.
## Future Work
The source code is open-sourced, suggesting future work will involve community contributions based on this foundation. Potential future directions include optimizing Wasm execution within the Workers runtime for even lower latency and stress-testing the durability guarantees of Durable Objects under the extremely high messages-per-second loads characteristic of enterprise chat.