IDrive® e2 follows industry-best security models and design practices
- HTTPS is supported for the secure upload/download of data
- Buckets are only accessible to the bucket and object creators
- User authentication support to control access to data
- Access keys with policies can be used to selectively grant permissions to users and groups of users
- Two-factor authentication to control access to the data via web-console
Learn more about IDrive® e2 encryption at rest methods (also known as DARE or data-at-rest-encryption) in the following section.
IDrive® e2 encrypts object data before it is written to a disk drive on encryption enabled buckets
Encryption is done using an AES 256-bit key that can be provided in two different methods:
If the S3 client app provides an encryption key in the S3 PUT Object Data REST request (the SSE-C approach described here), that key is used to encrypt the object data before writing to disk. After the PUT Object operation is completed, the key is discarded. The S3 client app must provide the same encryption key in an S3 GET Object REST request to access the data. In this mode IDrive® e2 does not keep a copy/store the encryption key.
If no encryption key is provided by the S3 client app (meaning SSE-C approach is not used), then it falls back to SSE-S3 and a random AES 256-bit key is generated using a cryptographic random routine in IDrive® e2. A different encryption key is generated for each object stored in the system. This AES-256 bit key is stored in the meta-data secure layer of the IDrive® e2 (until you delete that object) and is used again for decryption when you make a GET call for your object(s), and hence you get the same data back in your native format.