Physical Layer Security Architecture
Firewalls, endpoint detection, identity management, and immutable backups are all software layers. Every software layer depends on the integrity of the layer beneath it. The physical layer is the foundation that no remote software attack can reach.
Security Is Built in Layers
Defence in depth is the foundational principle of modern security architecture. Organisations deploy multiple layers of controls: network security, endpoint protection, identity management, application security, and data protection. Each layer reduces the probability of a successful attack.
But every layer in a typical security architecture shares a common characteristic: it is software. Firewalls run on firmware. Endpoint detection runs on operating systems. Identity management runs on cloud platforms. Even "immutable" backup runs on storage software. Each software layer depends on the integrity of the software beneath it.
The Software Ceiling
Software-based security has a ceiling. No matter how many layers of software you deploy, every layer is vulnerable to:
- Zero-day vulnerabilities: Undiscovered flaws in any layer can be exploited before patches exist
- Configuration errors: A single misconfiguration in any layer can create an exploitable gap
- Credential compromise: Administrative credentials for any layer can be phished, purchased, or brute-forced
- Supply chain attacks: Compromised updates to any layer can bypass all controls in that layer
- Insider threats: Personnel with administrative access can bypass controls in any layer they manage
This is not a criticism of software security. These layers are essential. But they represent probability reduction, not elimination. There is always a non-zero probability that a sufficiently sophisticated attacker can traverse all software layers.
The Physical Layer: Where Probability Becomes Zero
The physical layer operates on a different principle entirely. Rather than reducing the probability of a successful attack, it removes the remote attack surface altogether.
Data stored in physically disconnected hardware has no IP address, no network interface, no API endpoint, and no remote management console. There is no software to exploit, no credentials to phish, and no configuration to get wrong. What remains is physical access, which is governed by identity verification and access controls that create accountability, and the integrity of what was placed in storage in the first place: a credential that was already compromised does not become trustworthy by going offline, so the copy has to be verified when it is written and again before it is relied on.
Where the Physical Layer Fits
The physical layer does not replace software security layers. It provides the foundation beneath them:
The Security Architecture Stack
- Layer 5 (Application): Application-level security controls, input validation, authentication
- Layer 4 (Identity): Identity management, multi-factor authentication, least privilege
- Layer 3 (Network): Firewalls, segmentation, intrusion detection
- Layer 2 (Endpoint): Endpoint detection and response, device management
- Layer 1 (Physical): Offline secure storage for recovery credentials, certificates, and critical assets
When Layers 2 through 5 are all compromised simultaneously (as happens in sophisticated ransomware attacks), Layer 1 remains intact because it shares none of their attack surface: nothing that runs in those layers can reach it. This is the foundation from which all other layers can be rebuilt.
What Lives at the Physical Layer
The physical layer governs the assets that every other layer depends on:
- The credentials that configure Layer 3: Firewall admin passwords and network device credentials
- The certificates that underpin Layer 4: Root CA keys and identity system configuration
- The procedures that rebuild Layers 2 through 5: System rebuild documentation and configuration baselines
- The evidence that validates all layers: Audit logs, compliance documentation, and governance records
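The list above names what goes offline; it does not say how you demonstrate, at restore time, that the copy is still what was placed there. The following is an added example, not code from this article or from Firevault: a Python script that builds a SHA-256 manifest for an assumed recovery bundle, verifies the bundle against it, and shows why the manifest's own digest must be recorded out of band (in the custody record or at a second site), because anyone with physical write access who can alter the assets can also regenerate the manifest. The bundle layout, file names and placeholder contents are constructed for illustration.

```python
"""Integrity manifest for an offline recovery bundle.

Added example, not code from the article or from Firevault. The bundle
layout, file names and placeholder contents are assumptions constructed
for illustration; the manifest format is likewise an assumption.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # assumed name for the manifest file


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _files_in(bundle_dir: Path) -> set:
    """Relative POSIX paths of every file in the bundle except the manifest."""
    return {p.relative_to(bundle_dir).as_posix()
            for p in bundle_dir.rglob("*") if p.is_file()} - {MANIFEST_NAME}


def build_manifest(bundle_dir: Path) -> dict:
    """Hash every asset in the bundle and write MANIFEST.json beside them."""
    files = {rel: {"sha256": sha256_file(bundle_dir / rel),
                   "size": (bundle_dir / rel).stat().st_size}
             for rel in sorted(_files_in(bundle_dir))}
    manifest = {"algorithm": "sha256", "files": files}
    # sort_keys gives a canonical encoding, so the digest below is reproducible
    (bundle_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def manifest_digest(bundle_dir: Path) -> str:
    """Digest of the manifest itself: record this OUT OF BAND (custody log, second site)."""
    return sha256_file(bundle_dir / MANIFEST_NAME)


def verify_manifest(bundle_dir: Path) -> dict:
    """Compare the bundle with its manifest; report modified, missing and unexpected files."""
    expected = json.loads((bundle_dir / MANIFEST_NAME).read_text())["files"]
    present = _files_in(bundle_dir)
    modified = sorted(rel for rel in expected if rel in present
                      and sha256_file(bundle_dir / rel) != expected[rel]["sha256"])
    missing = sorted(set(expected) - present)
    unexpected = sorted(present - set(expected))
    return {"ok": not (modified or missing or unexpected),
            "modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Constructed walk-through: write, verify, tamper, verify, regenerate, compare digest."""
    root = Path(tempfile.mkdtemp())
    bundle = root / "recovery-bundle"
    (bundle / "ca").mkdir(parents=True)
    # Placeholder contents only; these are not real credentials or keys
    (bundle / "firewall-admin.txt").write_text("constructed placeholder credential\n")
    (bundle / "ca" / "root-ca.key").write_bytes(b"constructed placeholder key material\n")
    (bundle / "runbook.md").write_text("# Rebuild runbook (constructed)\n")
    try:
        build_manifest(bundle)
        recorded = manifest_digest(bundle)   # what you write in the custody record
        clean = verify_manifest(bundle)

        # Tampering while in storage: one file edited, one removed, one planted
        (bundle / "runbook.md").write_text("# Rebuild runbook (constructed)\nstep removed\n")
        (bundle / "firewall-admin.txt").unlink()
        (bundle / "planted.bin").write_bytes(b"\x00")
        tampered = verify_manifest(bundle)

        # A tamperer with write access can also regenerate the manifest, which
        # makes verify_manifest pass again; only the out-of-band digest catches it
        build_manifest(bundle)
        regenerated = verify_manifest(bundle)
        current = manifest_digest(bundle)
    finally:
        shutil.rmtree(root)
    return {"recorded_digest": recorded, "clean": clean, "tampered": tampered,
            "regenerated": regenerated, "digest_after_regeneration": current}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it once when the bundle is written and keep the printed manifest digest with the access record, not on the same media. At restore, `verify_manifest` tells you which assets changed, vanished or appeared, and comparing `manifest_digest` against the recorded value tells you whether the manifest itself was swapped. The second check is the one that matters against an insider with physical access.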
The Architecture of Certainty
Software layers provide confidence. The physical layer provides certainty. Confidence says "we believe our controls will hold." Certainty says "regardless of what happens to our software controls, we can recover."
This distinction matters most in board rooms, regulatory conversations, and insurance negotiations. Confidence requires explanation. Certainty requires only demonstration.
Conclusion
Every security architecture that consists exclusively of software layers has a ceiling. The physical layer breaks through that ceiling by providing a foundation that no remote software attack can reach. For the assets that matter most, the credentials and procedures that enable recovery from total compromise, the physical layer is not optional. It is the foundation that makes every other layer rebuildable.