Lyve Cloud Documentation

Secure Features

Data security and privacy begin from the moment customers log in to the Lyve Cloud portal. This is where users create user accounts and manage their S3 buckets and storage-as-a-service subscription with two-factor identification. When creating an S3 bucket, users can enable object immutability and object versioning, which will make objects immutable for a fixed amount of time. To access S3 buckets, customers can create bucket permissions for write- or read-only access. Further, they can create service accounts and select corresponding access permissions. This service account will have its own secret access key, and its credentials will grant access for the application targeting the customer’s S3 bucket. Customers can also turn on audit logs per S3 bucket to keep records of their S3 bucket access and usage. From start to finish, all aspects of the Lyve Cloud portal are user-friendly and easily navigable. Customers can rest assured knowing data in flight and at rest is fully encrypted. They can also breathe easy knowing their data integrity is validated to meet compliance and data privacy requirements. Within the Lyve Cloud portal, customers can have clear visibility into Lyve Cloud S3 storage usage. As such, it’s imperative that all Lyve Cloud login, user console access, and service account credentials be stored in a safe and secure location.


From the first bits of data transmitted over the wire to the exabytes of data stored on disk, Lyve Cloud’s comprehensive data protection assures the confidentiality and integrity of your data throughout its life cycle. This starts with secure communication through transport layer security (TLS), continues through authentication and integrity validation in the API protocol, as well as robust envelope encryption of the object storage with secure key management, and ends with cryptographically secure erasure processes. In this section, we’ll dive deeper into these and other security features of the Lyve Cloud service.

Transport Security

The Lyve Cloud service enforces standard TLS 1.2 with 256-bit advanced encryption standard (AES) in Galois/Counter Mode (GCM), otherwise known as AES-256-GCM, to establish secure communications to the customer. As an authenticated encryption algorithm, GCM offers the proven security of a symmetric-key cipher and is widely adopted for its performance.

Authentication, Authorization, and Data Integrity

Authentication, authorization, and data integrity are handled in every transaction with the Lyve Cloud API through the authorization header. The authorization header contains both the account’s access key and a cryptographic signature. By validating the account access key and verifying the signature—which contains a checksum of the data chunk—the Lyve Cloud API can ensure the validity and integrity of the request before processing it further.

Envelope Encryption and Key Management

A key security feature of Lyve Cloud is that all data is encrypted before it’s stored, regardless of whether it’s encrypted at the source. There is no option to dial back the protection. Two options for server-side encryption are supported:

  • Server-side encryption with client-provided key (SSE-C)

  • Server-side encryption with a key generated by the Lyve Cloud key management system (KMS) (SSE-S3)

In both SSE-C and SSE-S3, the key used for object encryption—the object encryption key (OEK)—is uniquely generated using a cryptographically secure pseudo-random number generator (CSPRNG). The OEK is never stored in clear text; rather, it’s stored in encrypted form as part of the object metadata. The OEK is encrypted by the key encrypting key (KEK), which is generated by a key-derivation algorithm using either the client-provided key (SSE-C) or Lyve Cloud KMS key (SSE-S3) and other object-specific metadata. The cryptographic primitive used for all the object encryption operations is AES-256-GCM.
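The OEK/KEK wrapping described above, as an added sketch that is not Lyve Cloud's code. The key-derivation step (HMAC-SHA256 over the object path) and all function names are assumptions, since the page names neither the algorithm nor which object metadata it uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// kekAEAD derives the per-object KEK and returns AES-256-GCM keyed with it. The KDF is
// an assumption (HMAC-SHA256 over the object path); the page does not name the real one.
func kekAEAD(master []byte, objectPath string) (cipher.AEAD, error) {
	m := hmac.New(sha256.New, master) // master: client key (SSE-C) or KMS key (SSE-S3)
	m.Write([]byte(objectPath))
	b, err := aes.NewCipher(m.Sum(nil)) // 32-byte KEK selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// NewWrappedOEK draws a fresh OEK from the CSPRNG and returns it with its KEK-encrypted
// form (nonce || ciphertext || tag), the only form that would be kept in object metadata.
func NewWrappedOEK(master []byte, objectPath string) (oek, wrapped []byte, err error) {
	g, err := kekAEAD(master, objectPath)
	if err != nil {
		return nil, nil, err
	}
	buf := make([]byte, 32+g.NonceSize()) // OEK, then a random GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	oek, nonce := buf[:32], buf[32:]
	return oek, g.Seal(nonce, nonce, oek, nil), nil
}

// UnwrapOEK re-derives the KEK; GCM rejects a wrong key, another object's path or tampering.
func UnwrapOEK(master []byte, objectPath string, wrapped []byte) ([]byte, error) {
	g, err := kekAEAD(master, objectPath)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(wrapped) < n {
		return nil, errors.New("wrapped OEK shorter than nonce")
	}
	return g.Open(nil, wrapped[:n], wrapped[n:], nil)
}
```

Because the KEK depends on object-specific input, a wrapped OEK copied into another object's metadata fails to decrypt even though the client or KMS key is the same.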