Encryption

Important: Back-end metadata balancing traffic is not encrypted. You should account for this during your internal security acceptance process.

The Vault v2 platform supports different encryption methods for objects stored within the system, depending on the organisation's specific security non-functional requirements. These are described below.

For more information see: Amazon S3 User Guide: Protecting data using encryption.

Methodology: Server-Side Encryption

Description: Facilitates the encryption of data at its destination, by the application or service that receives it.

Vault v2 encrypts data at the object level, writing it to disks within the cluster. The data is decrypted when it is accessed. As long as the requester is authenticated and has the necessary permissions, there is no difference in the way encrypted and unencrypted objects are accessed.

When using Server-Side Encryption with CCL Managed Keys (SSE), each object is encrypted with a unique key. As an additional safeguard, the system encrypts the key itself with a master key that is regularly rotated. Vault v2 server-side encryption uses the 256-bit Advanced Encryption Standard (AES-256) to encrypt data residing within the platform.

Methodology: Server-Side Encryption with Client Keys

Description: Facilitates the protection of data at rest. The provision of customer-supplied encryption keys (SSE-C) allows control in accordance with the organisation's internal security policies. Using an encryption key provided as part of the request, Vault v2 manages both the encryption, as it writes to disks, and the decryption, when an application accesses objects. There is no need to maintain code to perform the data encryption and decryption. The organisation only needs to manage the encryption keys.

Vault v2 doesn't store the encryption keys. Instead, it stores a randomly salted HMAC value of the encryption key to validate future requests. The salted HMAC value cannot be used to derive the value of the encryption key, or to decrypt the contents of the encrypted object. This means that if the encryption key is lost, the object is also lost.

By extension, CCL has no ability to decrypt client objects where they are encrypted using the platform's SSE-C functionality.
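The following Python model, added here as an illustration and not Vault v2 or CCL code, shows the key-handling behaviour the two methodologies above describe: for SSE with managed keys, a unique data key per object wrapped under a master key, with master-key rotation rewrapping the data keys rather than re-encrypting the objects; for SSE-C, a client-supplied key that is never stored, only a randomly salted HMAC of it, so that the wrong key is rejected and a lost key leaves the object unrecoverable. Python's standard library has no AES, so the cipher used here is a hypothetical stand-in (HMAC-SHA256 in counter mode as a keystream, no authentication tag); the platform itself uses AES-256, and only the key-management logic is what the example is meant to show. The class and function names are assumptions made for this example.

```python
"""Model of Vault v2's two server-side encryption modes (added illustration, not platform code)."""
import hashlib
import hmac
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Hypothetical stand-in cipher: XOR data with an HMAC-SHA256 counter-mode keystream.
    Stands in for AES-256 because the standard library has no AES; symmetric, so it
    both encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh nonce per encryption, stored in front of the ciphertext
    return nonce + _keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:16], blob[16:])


class ManagedKeyStore:
    """SSE with managed keys: one random data key per object, wrapped by a rotating master key."""

    def __init__(self) -> None:
        self.master_keys = {0: os.urandom(32)}  # version -> master key
        self.current = 0
        self.objects = {}  # name -> (master version, wrapped data key, object ciphertext)

    def put(self, name: str, plaintext: bytes) -> None:
        data_key = os.urandom(32)  # unique key for this object
        wrapped = encrypt(self.master_keys[self.current], data_key)
        self.objects[name] = (self.current, wrapped, encrypt(data_key, plaintext))

    def get(self, name: str) -> bytes:
        version, wrapped, ciphertext = self.objects[name]
        data_key = decrypt(self.master_keys[version], wrapped)
        return decrypt(data_key, ciphertext)

    def rotate_master_key(self) -> None:
        """Rewrap every data key under a new master key; object ciphertext is left untouched."""
        self.current += 1
        self.master_keys[self.current] = os.urandom(32)
        for name, (version, wrapped, ciphertext) in list(self.objects.items()):
            data_key = decrypt(self.master_keys[version], wrapped)
            rewrapped = encrypt(self.master_keys[self.current], data_key)
            self.objects[name] = (self.current, rewrapped, ciphertext)
        # Nothing references the old master keys any more, so retire them.
        for version in [v for v in self.master_keys if v != self.current]:
            del self.master_keys[version]


class ClientKeyStore:
    """SSE-C: the client sends the key with each request; only a salted HMAC of it is stored."""

    def __init__(self) -> None:
        self.objects = {}  # name -> (salt, HMAC of client key, object ciphertext)

    def put(self, name: str, client_key: bytes, plaintext: bytes) -> None:
        salt = os.urandom(16)
        key_hmac = hmac.new(salt, client_key, hashlib.sha256).digest()
        self.objects[name] = (salt, key_hmac, encrypt(client_key, plaintext))
        # client_key itself is deliberately not retained anywhere in the store.

    def get(self, name: str, client_key: bytes) -> bytes:
        salt, key_hmac, ciphertext = self.objects[name]
        candidate = hmac.new(salt, client_key, hashlib.sha256).digest()
        if not hmac.compare_digest(candidate, key_hmac):
            # The stored HMAC only lets the service reject a mismatched key; it cannot
            # recover the key or the object, so a lost key means a lost object.
            raise PermissionError("supplied key does not match the key used at upload")
        return decrypt(client_key, ciphertext)


if __name__ == "__main__":
    managed = ManagedKeyStore()
    managed.put("report.pdf", b"quarterly numbers")  # constructed sample object
    managed.rotate_master_key()
    print(managed.get("report.pdf"))

    client = ClientKeyStore()
    key = os.urandom(32)
    client.put("secret.txt", key, b"hello")
    print(client.get("secret.txt", key))
```

Two points worth checking against your own deployment: after rotation, `ManagedKeyStore.objects` still holds the original ciphertext (only the wrapped key changed), and `ClientKeyStore.objects` never contains the client key, so there is nothing for the service operator to hand over even under compulsion, which is the property the SSE-C paragraph above relies on.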
