Data protection at rest

ESCUDO-CLOUD aims to improve data security in cloud storage platforms such as Openstack Swift. One important aspect of data security is data-at-rest protection, meaning that the data is encrypted before being written to persistent storage media. This aspect is complementary to data-in-transit protection, where the data is encrypted while it travels over a network. In data-at-rest protection, the customer’s plaintext data is encrypted in the data center of the cloud provider, who therefore in principle has access to the plaintext data. The access to the plaintext data is, however, restricted to those systems in the data center that handle the encryption, while the actual storage systems only deal with encrypted data. Besides minimizing the exposure of plaintext data, this also protects the data in case, for instance, storage media such as hard disks are replaced and discarded.


data at rest protection

A hierarchical key-management scheme.



The architecture of the data-at-rest protection in Openstack Swift is based on a hierarchical key-management scheme as shown in the figure above. A single master key is used to wrap several lower-level keys, such as one key per user account, which can each be used to wrap multiple keys corresponding to different types of data, and so on. The actual object data is then encrypted with the keys at the lowest level of the hierarchy. One main advantage of a key hierarchy is that it allows for selective key-rotation, meaning that any key in the hierarchy can be updated without re-encrypting lots of data. Apart from providing enterprise cloud customers with strong protection for their cryptographic keys, the scheme also has a secondary use in ensuring the proper deletion of files. We all know that traces of data remain even when we empty the virtual trash bin, but this is not acceptable for highly sensitive or personal data. Cloud providers need to offer this assurance and guarantee it – we call this novel feature secure deletion.


data at rest protection

If only erasing data was that easy.


The technology developed in ESCUDO-CLOUD has been contributed to the open-source project Openstack Swift. The initial version of encryption of object data at rest was released as part of version 2.9.0 of Swift. The key management work has continued with functionality to integrate the key management with an OpenStack Barbican key management server for managing the master key. Furthermore, the design for more comprehensive, hierarchical key management for Swift has been reviewed by the Swift community and presented at the Barcelona OpenStack Summit.

Related Publications