Subsystems Isolation
Our devices incorporate sophisticated enclosure management and data path isolation that allows for complete separation between the enclosure, the OS, and the applications that they run. Inside the devices, the server, the disks, and the self-protection and tracking systems are each enclosed within separate protective cases and are both physically and electronically separated, while the data paths are also isolated from electric and electronic transmissions.
TPM-2 Module
The Trusted Platform Module (ISO/IEC 11889) ensures that the boot process starts from a trusted combination of hardware and software, and continues until the operating system has fully booted and applications are running. TPM works by storing protected key information in a tamper-proof chip that includes a unique Endorsement Key baked into the silicon at manufacture (like a digital fingerprint) to authenticate host system hardware. A dedicated cryptographic microprocessor processes key data and verifies the integrity of low-level system assets like boot files and system firmware. If a change is detected, TPM prevents the compromised files or software from loading, halting attacks before they can even start.
AES 256-bit encryption
Advanced Encryption Standard (AES) is one of the most secure encryption algorithms available today. It is publicly accessible and it is the cipher which the NSA uses for securing documents with "top secret" classification. A direct brute-force attack on AES-256 would require 2^256 guesses and would not complete before the end of the universe.
Depending on the OS and applications you will use, our devices may also support Intel® AES New Instructions (Intel® AES-NI), a set of CPU instructions that enable fast and secure data encryption and decryption, as well as many more security features that a Xeon Server can provide.
Your OS of choice, SED Drives
With a full-fledged server, you are provided with the power of choice. Whether it is Windows Server, Ubuntu Server, or RHEL, you can choose the OS that fits your needs and meets your security criteria, and you can utilize both TPM-2 and AES-256 encryption. Additionally, Self-Encrypted Drives (SED) can be installed to double the security, so that one AES-256 instance runs on the OS and a second runs on each of the SED disks.
Mission-based Unlock Module
Depending on the model and the Traceability features installed, our Location Time PIN (LTP) triple-factor device unlocking mechanism can be enabled. When a device is to be used for data transport, a mission is pre-loaded with predefined LTPs. When a device is locked with LTPs, three factors must be met to unlock:
1. Location: a predefined geofenced area of operation that the device should be in when unlocking is performed.
2. Time: a predefined time window in which unlocking is allowed.
3. PIN: an 8-digit PIN code that the operator has to enter.
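The three-factor check described above, as an added sketch that is not the vendor's code or SDK. The `Mission` record, its field names, the circular geofence and the PBKDF2 PIN storage are assumptions made for illustration.

```python
import hashlib
import hmac
import math
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Mission:                      # hypothetical record, one per pre-loaded LTP
    lat: float                      # geofence centre, degrees
    lon: float
    radius_m: float                 # assumed circular geofence
    not_before: datetime            # unlock window (UTC)
    not_after: datetime
    salt: bytes
    pin_hash: bytes                 # PBKDF2 of the PIN, never the PIN itself

def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def distance_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in metres (haversine)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6_371_000 * math.asin(math.sqrt(a))

def may_unlock(m: Mission, lat: float, lon: float, now: datetime, pin: str) -> bool:
    # Assumes lat/lon and now come from sources the device itself trusts.
    # Evaluate all three factors before combining them, so the result
    # (and its timing) does not reveal which factor failed.
    in_area = distance_m(m.lat, m.lon, lat, lon) <= m.radius_m
    in_window = m.not_before <= now <= m.not_after
    well_formed = len(pin) == 8 and pin.isascii() and pin.isdigit()
    pin_ok = hmac.compare_digest(hash_pin(pin, m.salt), m.pin_hash)
    return in_area and in_window and well_formed and pin_ok

# Constructed sample mission; coordinates, window and PIN are made up.
SALT = bytes(range(16))
MISSION = Mission(
    lat=52.0, lon=4.0, radius_m=500.0,
    not_before=datetime(2030, 1, 1, 8, 0, tzinfo=timezone.utc),
    not_after=datetime(2030, 1, 1, 18, 0, tzinfo=timezone.utc),
    salt=SALT, pin_hash=hash_pin("40219377", SALT),
)
NOON = datetime(2030, 1, 1, 12, 0, tzinfo=timezone.utc)
```

A real deployment would also rate-limit or lock out repeated failures, since an 8-digit PIN has only 10^8 possible values.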
Private unlock PIN
We offer a USB connection to our enclosure control system together with an SDK and sample code, so that our clients can build a custom application that sends characters to the sunlight-readable OLED display on the front panel and receives keystrokes from the 4 front-panel buttons. This makes it possible to create a simple and easy-to-use menu that allows local operation of the device without specialized equipment. Our clients have used this capability to allow a user to set an IP for a web interface, or to show the available capacity of the system.
ZFS
ZFS is the most secure and versatile file system available today. ZFS ensures that data is always consistent on the disk using copy-on-write. When data is changed it is not overwritten — it is always written to a new block and check-summed before pointers to the data are changed. The old data may be retained, creating snapshots of the file system through time as changes are made. File writes using ZFS are transactional — either everything or nothing is written to disk. The file system uses a 256-bit checksum stored as metadata separate from the data it relates to when it writes to disk. Unlike a simple disk block checksum, this can detect phantom writes, misdirected reads and writes, DMA parity errors, driver bugs and accidental overwrites, as well as "bit rot". ZFS also checks each piece of data with its corresponding checksum to verify its integrity, detects any silent data corruption, and corrects any errors it encounters where possible. All our devices are ZFS enabled.