Rolling out encryption at rest

We take great care to select highly secure datacenter locations which feature security measures such as double entry man-trap doors, recorded CCTV, proximity card and biometric access controls, individually locking cabinets and segregated secure loading bays and staging areas. It really would be quite a feat to break in and steal a hard drive or SSD.

That being said, data security is a very hot topic these days, and we are frequently asked about measures we can offer to help protect our customers’ vital data. One topic that comes up frequently is encryption at rest.

Encryption at rest means that data is encrypted before being written to physical media, such as hard drives or SSDs. This is as opposed to encryption in transit, which covers the encryption of data while it is being transmitted from server to server or client to server.

Encryption in transit is commonly provided by protocols such as TLS (HTTPS, IMAPS, SMTPS, etc.) and SSH.

Encryption at rest, on the other hand, requires a method of encrypting and decrypting data on the fly as it is written to and read from storage systems. If you have a Mac laptop or desktop, you might already be using encryption at rest through FileVault.

Linux has an equivalent solution called Linux Unified Key Setup, or LUKS for short.

For many years we have used LUKS on security-sensitive virtual machines for storing specific data such as secure databases. There is a small performance overhead (about 4.8% in our tests) and some extra configuration involved in setting it up, but otherwise, once it’s running, it is completely transparent.

Now, as of November 2018, we have begun to implement encryption at rest as standard on all new physical server deployments.

This means all of the services we provide will be fully encrypted at rest as standard. When we provision new virtual machines, the virtual hard drive will be stored on an encrypted RAID array.

We won’t be immediately rolling out encryption at rest to existing servers as it’s not a simple job, so it will take a few years before all our servers have it enabled.

Practically this means two things:

  1. In the extremely unlikely event that someone pulled off the herculean effort of physically breaking in and stealing one of our servers, your data would be totally scrambled and unreadable to the thief.
  2. If someone asks you if your data is encrypted at rest (and yes, in our experience it does happen!) then you can confidently tell them it is. Just check in with support@anu.net first to make sure your data is on one of our new servers that has it enabled!