Planning to Export Data-at-Rest Storage with Encryption?

Data at Rest Encryption
Data at Rest Encryption
November 12, 2020

Planning to Export Data-at-Rest Storage with Encryption?

If you are developing a deployed vehicle, then you’re likely considering including a device to securely store classified, or at least sensitive, data.  Securely storing data generally implies the use of modern encryption techniques, and which one you chose will have an impact on the export potential of the vehicle. 

A network file server or a network attached storage (NAS) device can be used for on-board data storage.  Modern deployed vehicles rely on Ethernet for communication between the various computer systems and the central data storage device. 

Centralized storage eliminates the need for local storage (like a solid-state disk) in each of the computers, adding size, weight, and power (SWaP), all of which modern deployed systems are trying to eliminate.  With adversaries attempting to obtain your classified data before, during, and after the mission, encryption of the data is crucial and, usually a requirement.

However, any encryption solution won’t suffice. Instead, the solution must be approved by an authority such as the National Security Agency (NSA). There are two options to consider that the NSA supports – Type 1 and Commercial Solutions for Classified(CSfC) .  

For decades the NSA has been evaluating and certifying Type 1 devices that can support top secret and below, or secret and below data, depending on the device.  Type 1 devices may use either classified or commercial encryption algorithms. 

Regarding export, Type 1 devices are almost always ITAR controlled.  This means that export is limited to use by the United States Government or the other Five Eyes (Canada, New Zealand, Australia, or the United Kingdom).  If those countries are your intended export audience, the choice of Type 1 encryption will not limit your export potential. 

By NSA definition, approved CSfC devices can protect top secret and below data just like Type 1 devices, but they use two layers of independent encryption as opposed to only one for Type 1. Also, while Type 1 devices have limited export capability due to ITAR restrictions, CSfC devices are less restricted, making exportability the big difference between the two.

If you plan to export the vehicle to a wider group of countries than the Five Eyes, then CSfC may be the better choice.  CSfC devices are typically categorized as dual use.  As such, they can be exported to a much wider range of destinations like EU and APAC countries.  Of course, you should consult with your local export control experts before making any decision.

Data-At-Rest (DAR) Encryption

Protecting critical data-at-rest (DAR) from unauthorized access