Lyve Cloud Documentation

Secure Features

From the first bits of data transmitted over the wire to the exabytes of data stored on disk, Lyve Cloud’s comprehensive data protection assures the confidentiality and integrity of your data throughout its life cycle. This starts with secure communication through transport layer security (TLS), continues through authentication and integrity validation in the API protocol, as well as robust envelope encryption of the object storage with secure key management, and ends with cryptographically secure erasure processes. In this section, we’ll dive deeper into these and other security features of the Lyve Cloud service.

Transport Security

The Lyve Cloud service enforces standard TLS 1.2 with 256-bit advanced encryption standard (AES) in Galois/Counter Mode (GCM), otherwise known as AES-256-GCM, to establish secure communications with the customer. As an authenticated encryption mode, GCM provides proven security for the symmetric-key cipher and is widely adopted for its performance. Because Seagate is Federal Information Processing Standards (FIPS) 140-2/3 certified, this choice aligns directly with the Lyve Cloud focus on security and performance.

Authentication, Authorization, and Data Integrity

Authentication, authorization, and data integrity are handled in every transaction with the Lyve Cloud API through the authorization header. The authorization header contains both the account’s access key and a cryptographic signature. By validating the account access key and verifying the signature—which contains a checksum of the data chunk—the Lyve Cloud API can ensure the validity and integrity of the request before processing it further.

Envelope Encryption and Key Management

A key security feature of Lyve Cloud is that all data is encrypted before it’s stored, regardless of whether it’s encrypted at the source. There is no option to dial back the protection. Two options for server-side encryption are supported:

  • Server-side encryption with client-provided key (SSE-C)

  • Server-side encryption with a key generated by the Lyve Cloud key management system (KMS) (SSE-S3)

In both SSE-C and SSE-S3, the key used for object encryption—the object encryption key (OEK)—is uniquely generated using a cryptographically secure pseudo-random number generator (CSPRNG). The OEK is never stored in clear text; rather, it’s stored in encrypted form as part of the object metadata. The OEK is encrypted by the key encrypting key (KEK), which is generated by a key-derivation algorithm using either the client-provided key (SSE-C) or Lyve Cloud KMS key (SSE-S3) and other object-specific metadata. The cryptographic primitive used for all the object encryption operations is AES-256-GCM.
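The envelope scheme above, worked through for the SSE-C path as an added Go example (this is illustrative code, not Lyve Cloud's implementation): a per-object OEK from the CSPRNG, the body sealed under it with AES-256-GCM, and the OEK stored only after being wrapped under a KEK derived from the customer key plus object-specific metadata. The KDF (HMAC-SHA256 over bucket and object key), the AAD binding, and the names `deriveKEK`, `seal`, `PutObject`, `GetObject` and `StoredObject` are assumptions for the example; for SSE-S3 the KMS key would take the place of the customer key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// What is stored: body ciphertext plus metadata holding the OEK only in wrapped form.
type StoredObject struct{ Ciphertext, DataNonce, WrappedOEK, WrapNonce []byte }
// Assumed KDF (page says only "a key-derivation algorithm"): HMAC-SHA256 keyed by the SSE-C key over object metadata.
func deriveKEK(customerKey []byte, bucket, objectKey string) []byte {
	mac := hmac.New(sha256.New, customerKey)
	mac.Write([]byte("kek-v1\x00" + bucket + "\x00" + objectKey))
	return mac.Sum(nil) // 32 bytes: an AES-256 key
}

// AES-256-GCM is the single primitive used for both the body and the key wrap.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // every key here is 32 bytes
	if err != nil { panic(err) }
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}
func seal(key, plaintext, aad []byte) (nonce, ct []byte) {
	aead := newGCM(key)
	nonce = make([]byte, aead.NonceSize()) // fresh random nonce per seal
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	return nonce, aead.Seal(nil, nonce, plaintext, aad)
}
// PutObject: fresh OEK from the CSPRNG, body sealed under it, OEK sealed under the KEK.
func PutObject(customerKey []byte, bucket, objectKey string, body []byte) *StoredObject {
	oek := make([]byte, 32)
	if _, err := rand.Read(oek); err != nil { panic(err) }
	aad := []byte(bucket + "/" + objectKey) // binds both ciphertexts to this object
	dn, ct := seal(oek, body, aad)
	wn, wrapped := seal(deriveKEK(customerKey, bucket, objectKey), oek, aad)
	return &StoredObject{ct, dn, wrapped, wn}
}

// GetObject re-derives the KEK and unwraps the OEK before touching the body, so a wrong key or tampered metadata fails early.
func GetObject(customerKey []byte, bucket, objectKey string, obj *StoredObject) ([]byte, error) {
	aad := []byte(bucket + "/" + objectKey)
	oek, err := newGCM(deriveKEK(customerKey, bucket, objectKey)).Open(nil, obj.WrapNonce, obj.WrappedOEK, aad)
	if err != nil { return nil, err }
	return newGCM(oek).Open(nil, obj.DataNonce, obj.Ciphertext, aad)
}
```

Note that the clear-text OEK exists only inside `PutObject` and `GetObject`; what persists is the wrapped copy, so losing or rotating the customer key affects only the unwrap step, not the stored body.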