XCrypt for PostgreSQL Database
Zettaset
Encrypt volumes or partitions on virtual machines, cloud and bare metal servers running PostgreSQL
Overview
Zettaset XCrypt Full Disk is a partition-level encryption solution that encrypts data with AES using 256-bit keys (AES-256) and is built for the throughput that bulk encryption and distributed environments require.
XCrypt Full Disk encrypts entire partitions below the UNIX file system layer. A partition is unlocked by authenticating to a key server and retrieving its key; the file system on it is then mounted and becomes available. While it is mounted, every user with sufficient UNIX file system permissions can read and write the plaintext, and users without those permissions cannot access the decrypted data. The encryption therefore protects data at rest (a stolen or re-provisioned disk, a detached cloud volume, a raw snapshot), not data on a running host: a compromised OS account, root, or the PostgreSQL server process itself sees plaintext through the normal file system path, so file system permissions and PostgreSQL's own access controls remain the only barriers once the volume is unlocked.
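The practical consequence of the model above is that an operator auditing a PostgreSQL host needs to know two things about the data directory: whether the file system it lives on is served through an encrypted block device, and whether that device is currently unlocked (if it is still locked, the path silently falls through to the parent file system, usually the unencrypted root, and a database started at that moment writes plaintext there). The script below is an added example, not Zettaset's code and not the XCrypt command line; it assumes the encrypted partition appears to the Linux kernel as a dm-crypt mapping (lsblk type `crypt` on top of a `crypto_LUKS` partition), which is an assumption about the mechanism rather than something this page states, and the lsblk output embedded in it is constructed.

```python
"""Audit whether a PostgreSQL data directory is backed by an unlocked
block-encrypted partition, using `lsblk --json` output.

Added example, not Zettaset's code. It assumes the encrypted partition shows
up to the kernel as a dm-crypt mapping (lsblk TYPE "crypt") on top of a
partition with FSTYPE "crypto_LUKS"; that is an assumption about the
mechanism, not something the product page states.
"""
import json
import os
import subprocess
import sys

# Constructed sample of `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT`:
# sda1 is a plain root file system, sdb1 is an unlocked encrypted partition
# mounted as the PostgreSQL data directory, sdc1 is encrypted but still locked.
SAMPLE_LSBLK = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/"}
     ]},
    {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sdb1", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
        "children": [
          {"name": "pgdata", "type": "crypt", "fstype": "xfs", "mountpoint": "/var/lib/pgsql"}
        ]}
     ]},
    {"name": "sdc", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sdc1", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null}
     ]}
  ]
}
"""


def load_lsblk(text):
    """Parse lsblk's JSON output (kept separate so captured samples can be fed in)."""
    return json.loads(text)


def _walk(devices, chain=()):
    """Yield (node, ancestors) for every node in the lsblk device tree."""
    for dev in devices:
        yield dev, chain
        yield from _walk(dev.get("children") or [], chain + (dev,))


def mount_for(tree, path):
    """Return (node, ancestors) for the mounted file system holding `path`:
    the node whose mountpoint is the longest prefix of the path."""
    best = None
    for dev, chain in _walk(tree["blockdevices"]):
        mp = dev.get("mountpoint")
        if not mp:
            continue
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]["mountpoint"]):
                best = (dev, chain)
    return best


def audit_mount(tree, path):
    """Classify the file system holding `path`.

    status "encrypted":   served through a dm-crypt mapping (volume unlocked)
    status "plaintext":   served by an ordinary partition; if the intended
                          volume is locked the path falls through to the parent
                          file system and anything written there is in the clear
    status "not_mounted": no mounted file system covers the path
    """
    found = mount_for(tree, path)
    if found is None:
        return {"status": "not_mounted", "mountpoint": None, "device": None}
    dev, chain = found
    stacked = (dev,) + chain  # e.g. LVM on LUKS: the crypt node is an ancestor
    status = "encrypted" if any(d.get("type") == "crypt" for d in stacked) else "plaintext"
    return {"status": status, "mountpoint": dev["mountpoint"], "device": dev["name"]}


def locked_volumes(tree):
    """Names of encrypted partitions with no crypt mapping on top of them,
    i.e. volumes that exist on the host but have not been unlocked."""
    return [dev["name"] for dev, _ in _walk(tree["blockdevices"])
            if dev.get("fstype") == "crypto_LUKS"
            and not any(c.get("type") == "crypt" for c in dev.get("children") or [])]


def audit_live(path):
    """Audit `path` on this host (Linux with util-linux lsblk; no root needed)."""
    out = subprocess.run(["lsblk", "--json", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
                         check=True, capture_output=True, text=True).stdout
    return audit_mount(load_lsblk(out), os.path.realpath(path))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(audit_live(sys.argv[1]))
    else:
        tree = load_lsblk(SAMPLE_LSBLK)
        for p in ("/var/lib/pgsql", "/var/lib/pgsql/base", "/etc/postgresql"):
            print(p, audit_mount(tree, p))
        print("locked but not unlocked:", locked_volumes(tree))
```

Run it with the PostgreSQL data directory as the argument (for example the value of `data_directory` from `SHOW data_directory;`) to audit a live host; with no argument it walks the constructed sample. A status of "plaintext" for a directory that is supposed to be on an encrypted volume, combined with that volume's partition appearing in the locked list, is the failure mode to alert on before the database is started.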
Installation is performed from the command line.
The deployment relies on three types of entities:
Installer - This is the device used to launch the initial Zettaset software installation. It can be one of the target nodes or a separate device with access to the target nodes. It must have the Zettaset software and license files, Ansible, and the client and CA certificates needed to communicate with any 3rd-party Key Management device used. (No certificates are needed when using Zettaset's own Key Manager.) After the initial installation, the installer can be used to add new nodes, but it has no further management role.
Target Nodes - These are the nodes that contain the partitions to be encrypted. After the Zettaset installation, each node will contain the client and CA certificates needed to communicate with the Key Manager. Key rotation, decryption, and encryption of new partitions are done directly on the target nodes.
Key Manager - This is the secure device that stores the keys for the encrypted nodes. It also holds the CA used to secure communication with the target nodes. You can use a 3rd-party Key Management device, or Zettaset's software-based key server, which can be installed anywhere in your cluster. A 3rd-party Key Manager must be KMIP compliant (the OASIS Key Management Interoperability Protocol).