What is offline secure storage?

Offline secure storage (OSS) is a data protection method where data is physically disconnected from the internet when not in use. Unlike cloud storage, data stored offline has zero remote attack surface — it cannot be hacked, ransomed or accessed remotely because it is not connected to any network. Firevault provides this through hardware-encrypted vaults that are physically isolated.

How does Firevault protect against ransomware?

Firevault protects against ransomware by physically disconnecting your data from the internet. Ransomware can only encrypt data it can reach over a network. When your data is stored offline in a Firevault, ransomware attacks cannot reach it. Even if your entire network is compromised, your offline vault remains untouched and intact.

How much does Firevault cost?

Firevault Vault starts from £75 per month (inc VAT) for individuals. Business Storage starts from £360 per month (inc VAT). Enterprise Platform pricing is available on request. All plans include hardware encryption, identity verification, and physical disconnection by default.

Who is Firevault designed for?

Firevault is designed for individuals protecting passports, wills and crypto keys; professionals such as solicitors, accountants and consultants protecting client data; SMEs and businesses protecting crown jewel data; and regulated industries including healthcare, financial services and legal sectors requiring offline backup for compliance with GDPR, NIS2, DORA and FCA regulations.

Is Firevault GDPR compliant?

Yes. Firevault is designed to support GDPR compliance by keeping sensitive personal data physically isolated and offline. Physical disconnection ensures data is not exposed to network-based attacks, supports data minimisation principles, and provides an audit trail of access. Firevault is also designed to support NIS2, DORA, FCA and SRA compliance requirements.

What is a physical air gap?

A physical air gap is a security measure where a computer or storage device is completely isolated from the internet and all unsecured networks. Unlike a logical or software air gap, a physical air gap cannot be bridged remotely. Firevault uses a Layer 1 physical air gap — your data is stored on hardware that is physically disconnected from any network when not in active use.

Back to Guides

Strategic Planningintermediate

Crown Jewels Audit: What Deserves Disconnection

Not everything needs to go offline. The Crown Jewels Audit is a structured framework for identifying exactly which assets deserve the protection that only physical disconnection can provide.

12 min read

Not Everything Is a Crown Jewel

The instinct to protect everything equally is the enemy of effective protection. When organisations treat all data with the same level of security, they dilute their defences and overspend on assets that do not warrant it, while under-protecting the handful of assets whose compromise would be genuinely existential.

The Crown Jewels Audit is a structured process for identifying exactly which assets require the strongest possible protection: physical disconnection through offline secure storage.

The Three Questions

For every digital asset your organisation holds, ask three questions:

If this asset were encrypted tomorrow, could we still recover our business? If the answer is no, it is a crown jewel.
If this asset were exfiltrated and published, would the damage be existential? If the answer is yes, it is a crown jewel.
If this asset were silently modified without detection, could it undermine our entire security posture? If the answer is yes, it is a crown jewel.

Most organisations discover they have between 15 and 40 crown jewels. Not thousands. Not hundreds. A focused set of assets that, if compromised, would fundamentally alter the organisation's ability to operate, recover, or survive.

The Five Categories of Crown Jewels

1. Recovery Credentials

Domain administrator passwords, break-glass access codes, service account credentials, and emergency access tokens. These are the keys that unlock recovery. If they are encrypted alongside production data, recovery becomes a negotiation, not a procedure.

2. Cryptographic Material

Root CA private keys, intermediate certificates, code signing keys, and encryption master keys. Certificate infrastructure compromise enables attackers to impersonate trusted systems, issue fraudulent certificates, and maintain persistent access even after remediation.

3. Privileged Communications

Legal privilege files, board minutes covering sensitive strategy, M&A documentation, and investigation materials. These are assets whose mere exposure creates liability, regardless of whether they are modified.

4. Governance Documentation

Incident response playbooks, business continuity plans, recovery procedures, and regulatory notification templates. These documents were written for the exact scenario in which they become inaccessible. They must survive the incident they describe.

5. Identity-Critical Data

Biometric templates, identity verification records, and authentication system configurations. Once compromised, identity data cannot be reissued. You cannot change someone's fingerprint.

Conducting the Audit

Assemble stakeholders. Include IT, legal, finance, operations, and the board secretary. Crown jewels are not exclusively technical assets.
Map dependencies. For each critical business process, trace the chain of dependencies backwards until you reach the foundational assets. These are your candidates.
Apply the three questions. Systematically evaluate each candidate against the encryption, exfiltration, and modification tests.
Classify and prioritise. Not all crown jewels require immediate action. Prioritise based on current exposure and consequence severity.
Document and govern. Create a Crown Jewels Register with ownership, update schedules, and access controls for each asset.

Common Mistakes

Including too much. If your crown jewels list exceeds 50 items, you have not been selective enough. Physical disconnection is for the vital few, not the trivial many.
Forgetting non-digital assets. The combination to the server room safe, the location of physical backup tapes, the personal mobile numbers of your incident response team: these are crown jewels too.
Static lists. Crown jewels change as the organisation evolves. The audit should be repeated annually and after any significant organisational change.

Conclusion

The Crown Jewels Audit transforms data protection from a blanket exercise into a precise, strategic discipline. By identifying exactly which assets deserve physical disconnection, organisations can allocate their strongest protections where they matter most, and demonstrate to regulators, insurers, and boards that their approach is deliberate, proportionate, and governed.