Rolling out encryption at rest

We take great care to select highly secure datacenter locations which feature security measures such as double entry man-trap doors, recorded CCTV, proximity card and biometric access controls, individually locking cabinets and segregated secure loading bays and staging areas. It really would be quite a feat to break in and steal a hard drive or SSD.

That being said, data security is a very hot topic these days, and we are frequently asked about measures we can offer to help protect our customers’ vital data. One topic that comes up frequently is encryption at rest.

Encryption at rest means that data is encrypted before being written to physical media, such as hard drives or SSDs. This is as opposed to encryption in transit, which covers the encryption of data while being transmitted from server to server or client to server.

Encryption in transit is commonly provided by protocols such as TLS (HTTPS, IMAPS, SMTPS, etc.) and SSH.

Encryption at rest, on the other hand, requires a method of encrypting and decrypting data on the fly as it is written to and read from storage systems. If you have a Mac laptop or desktop, you might already be using encryption at rest through FileVault.

Linux has an equivalent solution called Linux Unified Key Setup or LUKS for short.

For many years we have used LUKS on security-sensitive virtual machines for storing specific data such as secure databases. There is a small performance overhead (about 4.8% in our tests) and some extra configuration involved in setting it up, but once it’s running it is completely transparent.

Now, as of November 2018, we have begun to implement encryption at rest as standard on all new physical server deployments.

This means all of the services we provide will be fully encrypted at rest as standard. When we provision new virtual machines, the virtual hard drive will be stored on an encrypted RAID array.

We won’t be immediately rolling out encryption at rest to existing servers as it’s not a simple job, so it will take a few years before all our servers have it enabled.

Practically this means two things:

  1. In the extremely unlikely event that someone pulled off the herculean effort of physically breaking in and stealing one of our servers, your data would be totally scrambled and unreadable by the thief.
  2. If someone asks you if your data is encrypted at rest (and yes, in our experience it does happen!) then you can confidently tell them it is. Just check in with support@anu.net first to make sure your data is on one of our new servers that has it enabled!

Announcing Hybrid Storage

We are happy to announce that we are now able to offer a new type of storage in our Amsterdam 2 (ams2) datacenter: Hybrid Storage. This is a clever mix of Standard Storage, powered by enterprise SATA drives, and a fast SSD-based cache. The result is a significant boost in write performance and lower latency for access to regularly used files.

Hybrid Storage is ideally suited for servers that require a large amount of storage space and high performance but where only a small subset of the stored data is frequently accessed.

Examples include email servers and file servers (e.g. ownCloud). Typically users want easy access to all their data but only work with a small subset on a daily basis. This active data is automatically cached on the SSD for fast access. Non-cached data is transparently read directly from the spinning RAID array.

The SSD cache is automatically managed by the underlying block storage layer on our Xen servers, and no special configuration is required on the customer server. This makes our Hybrid Storage a simple and cost-effective solution.

We have capacity available. If you are interested in testing, purchasing or migrating to a Hybrid Storage-based Virtual Server, contact us on support@anu.net today!