Subsystems Isolation

Our devices incorporate sophisticated enclosure management and data path isolation that allows for complete separation between the enclosure, the OS, and the applications that it runs. Inside the devices the Server, the disks and the self-protection and tracking systems, all enclosed within separate protective cases, are all both physically and electronically separated, while the data-paths are also isolated from the electric and electronic transmissions.



TPM-2 Module

The Trusted Platform Module (ISO/IEC 11889) ensures that the boot process starts from a trusted combination of hardware and software, and continues until the operating system has fully booted and applications are running. TPM works by storing protected key information in a tamper-proof chip that includes a unique Endorsement Key baked into the silicon at manufacture (like a digital fingerprint) to authenticate host system hardware. A dedicated cryptographic microprocessor processes key data and verifies the integrity of low-level system assets like boot files and system firmware. If a change is detected, TPM prevents the compromised files or software from loading, halting attacks before they can start.


AES 256-bit encryption

Advanced Encryption Standard (AES) is one of the most secure encryption algorithms available today. It is publicly accessible and it is the cipher which the NSA uses for securing documents with the classification "top secret". A direct brute-force attack on AES256 would require 2^256 guesses and would not complete before the end of the universe.
Depending on thw OS and applications you will use, our devices may also comply with the Intel® AES New Instructions (Intel® AES-NI), a set of CPU core orders that enable fast and secure data encryption and decryption as well as many more security features that a Xeon Server can provide.

AcroNAS Data Migration OS, SED Drives

Our AcroNAS data migration NAS OS (to be available in Q1/2019) can also be used as a simple yet powerful solution, utilizing both TPM-2 and AES-256 encryption. Additionally, Self-Encrypted Drives (SED) can be installed for doubling the security, so as one AES-256 instance to run on the OS and a second to run on each one of the SED disks.


Mission-based Unlock Module

Depending on the model and the Traceability features installed, our Location Time PIN (LTP) triple factor device unlocking mechanism can be enabled. A device when it is going to be used for a data transport mission is pre-loaded with predefined LTPs. When a device is locked with LTPs, to unlock it, three factors must be met:

1. (Location) a predefined geofenced area of operation that the device should be in when unlocking is performed. 2. (Time) on predefined time window in which unlocking is performed. 3. (PIN) with an 8 digit PIN code that the operator has to enter.

Private unlock PIN

We offer a USB connection to our enclosure control system with an SDK and sample code to build a custom application that will be able to send characters in the front panel sunlight readable O-LED display and also receive key strokes from the 4 buttons of the front panel to create a simple and easy-to-use menu that will allow the local operation of the device without specialized equipment. Our clients have used this capability to allow a user to set an IP for a web interface, or to show the available capacity of the system.


ZFS

ZFS is the most secure and versatile file system available today. ZFS ensures that data is always consistent on the disk using copy-on-write. When data is changed it is not overwritten — it is always written to a new block and check-summed before pointers to the data are changed. The old data may be retained, creating snapshots of the file system through time as changes are made. File writes using ZFS are transactional — either everything or nothing is written to disk. The file system uses a 256-bit checksum stored as metadata separate from the data it relates to when it writes to disk. Unlike a simple disk block checksum, this can detect phantom writes, misdirected reads and writes, DMA parity errors, driver bugs and accidental overwrites as well as "bit rot“. ZFS also checks each piece of data with its corresponding checksum to verify its integrity, detects any silent data corruption, and corrects any errors it encounters where possible. All our devices are ZFS enabled.