Nuremberg/Zurich, 18.09.2019: ownCloud and the Swiss IT security specialist Securosys SA are now offering the integration of hardware security modules (HSMs) for encrypting and decrypting files. With the solution, the master key required to decrypt a file always remains on the module. During the exchange process, this means that only the sender and the recipient have access to the file. Integrating HSMs into ownCloud makes it possible to exclude even system administrators from decrypting files stored at rest, by placing the master key on a hardware device on which special cryptographic mechanisms ensure that it cannot be read out. For enterprise users who want to integrate hardware security modules into their private cloud, ownCloud provides detailed instructions on its website.
With the option of integrating HSMs into the encryption and decryption process, ownCloud and Securosys give companies and other organizations a further secure option for using private cloud technology in particularly data-critical scenarios. Access to a file works by transmitting its individual file key to the HSM, where it is decrypted only inside the device using the master key.
The decrypted file keys are transmitted back to the ownCloud application server. A process inside the ownCloud application then decrypts the actual files using the corresponding decrypted file keys and finally serves the decrypted files to the users. As long as the integrity of the ownCloud application server is intact, there is no way for the system administrator to read any content.
Organizations that are looking to store their sensitive data in a professionally run data center must consider the risk of a malicious system administrator gaining remote or physical access to the data at rest. This risk can be commercial (corporate espionage), reputational and financial (loss of customer data leading to media exposure and lawsuits), or regulatory (GDPR and other legislation).
Encryption at Rest – but with Performance
Usually, encryption-at-rest solutions have a distinct disadvantage in terms of performance: every cryptographic operation costs CPU cycles and slows ownCloud down. For example, if you share 20,000 files with another user, a large number of keys must be added to the system, and the file keys must be decrypted and encrypted again; for each file, a call to the HSM is needed. This problem was addressed in the development of the enterprise-grade HSM solution by Securosys: with their transaction throughput, load-balancing and HA (high-availability) capabilities, the HSMs keep up with the demands of large organizations.
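The key flow described above (a per-file key that is wrapped by a master key which never leaves the HSM, the application server decrypting content only after the HSM has unwrapped that file key, and one HSM round trip per file) as an added example; this is not code from ownCloud or Securosys. The HSM here is a software stand-in that exposes only wrap and unwrap, and the names HSM, WrapKey, UnwrapKey, StoredFile, EncryptFile and DecryptFile are assumptions made for illustration; AES-GCM for both the master-key and the file-key layer is likewise a choice made here, not something the release documents.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// mustRandom returns n bytes from the system CSPRNG; its failure is fatal.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM builds AES-GCM over a 32-byte key; an error here is a programming bug.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// seal and open carry the nonce in front of the output: nonce || ciphertext || tag.
func seal(aead cipher.AEAD, plaintext []byte) []byte {
	nonce := mustRandom(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

func open(aead cipher.AEAD, blob []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

// HSM is a software stand-in for the module boundary (assumed for this example,
// not Securosys code): the master key is generated inside, has no accessor, and
// only WrapKey/UnwrapKey are exposed (cf. PKCS#11 C_WrapKey / C_UnwrapKey).
type HSM struct {
	master cipher.AEAD // unexported: the master key never leaves this struct
	Calls  int         // unwrap operations performed, one per file decrypted
}

// NewHSM generates a 256-bit master key inside the module.
func NewHSM() *HSM { return &HSM{master: mustGCM(mustRandom(32))} }

// WrapKey encrypts a per-file key under the master key.
func (h *HSM) WrapKey(fileKey []byte) []byte { return seal(h.master, fileKey) }

// UnwrapKey decrypts a wrapped file key inside the module; the GCM tag rejects
// keys wrapped under a different master key or altered on disk.
func (h *HSM) UnwrapKey(wrapped []byte) ([]byte, error) {
	h.Calls++
	return open(h.master, wrapped)
}

// StoredFile is what rests on the application server's disk: ciphertext plus
// the wrapped per-file key. Neither is usable without the HSM.
type StoredFile struct {
	WrappedKey []byte
	Ciphertext []byte
}

// EncryptFile creates a fresh per-file key, encrypts the content with it and
// hands only that key to the HSM for wrapping.
func EncryptFile(h *HSM, plaintext []byte) StoredFile {
	fileKey := mustRandom(32)
	return StoredFile{WrappedKey: h.WrapKey(fileKey), Ciphertext: seal(mustGCM(fileKey), plaintext)}
}

// DecryptFile is the application-server side of the flow: the wrapped key goes to
// the HSM, the file key comes back and lives in server memory only for this call.
func DecryptFile(h *HSM, f StoredFile) ([]byte, error) {
	fileKey, err := h.UnwrapKey(f.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("HSM refused to unwrap file key: %w", err)
	}
	return open(mustGCM(fileKey), f.Ciphertext)
}

func main() {
	hsm := NewHSM()
	f := EncryptFile(hsm, []byte("constructed sample document")) // constructed input
	pt, err := DecryptFile(hsm, f)
	fmt.Printf("recovered %q after %d HSM round trip(s), err=%v\n", pt, hsm.Calls, err)
	// An administrator holding the disk but not the original HSM recovers nothing.
	_, err = DecryptFile(NewHSM(), f)
	fmt.Println("without the original master key:", err)
}
```

The Calls counter makes the cost the release talks about visible: every file decrypted (or re-keyed for a share) is one round trip to the module, which is why throughput and load balancing on the HSM side matter. The second DecryptFile call shows what someone holding only the disk has: ciphertext and wrapped keys that no other master key can open. The remaining exposure is the one the release itself names: the unwrapped file key and the plaintext do exist in the application server's memory while the request is served, so the guarantee holds only as long as that server is not compromised.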
The Primus HSM can easily be integrated by installing the “Primus PKCS#11” provider on the ownCloud server and enabling ownCloud’s HSM daemon to generate, store, and use the master key securely on the HSM. Users can find complete instructions on the ownCloud website.
ownCloud is the market-leading open source content collaboration solution worldwide. ownCloud enables users to securely access and share data from any device, anywhere in the world. With more than 200,000 installations and 50 million users, ownCloud provides organizations with a modern collaborative experience, thereby boosting productivity without compromising on security. At the same time, it gives organizations the visibility and control required to manage sensitive data.
To get the latest updates, please visit https://owncloud.com/newsroom/ or follow us on Twitter @ownCloud.
Securosys is a leader in high-security information technology and cryptography. Its products and services – developed, manufactured, and operated in Switzerland – are widely used and recognized by Fortune Global 500 companies. Securosys HSMs protect the Swiss interbank clearing (SIC) and Swiss stock market settlement system operated by SIX Group AG on behalf of the Swiss National Bank. In this system, financial transactions worth more than CHF 100 billion are secured every day. In addition, Securosys products and services secure PKI systems, database encryption, digital identity and signature, new FinTech applications such as blockchain, cryptocurrencies, and tokenized assets, as well as Internet of Things (IoT) applications.