FV-Vault: Encrypted Offline Storage
Critical data — recovery copies, configurations, crown jewels — must exist beyond the reach of network-based attacks. Vault provides encrypted, physically disconnected storage that ensures your most important assets remain intact regardless of what happens on your network.
Control Module
You cannot protect data from network attacks by putting it on a different part of the network. Physical disconnection is the only storage protection that an attacker on your network cannot reach.
Air-gapped
Physically disconnected from all network infrastructure
AES-256
Encryption at rest with hardware key management
Zero
Network paths to stored data during isolation periods
Verified
Cryptographic integrity on every retrieval
Network-connected storage is network-accessible to attackers.
Backup Encryption
Ransomware specifically targets backup infrastructure. Network-connected backups, including cloud backups, are encrypted alongside production data, eliminating the primary recovery mechanism.
Immutability Bypasses
Immutable storage solutions still require network connectivity for management. If an attacker reaches the management interface, immutability settings can be overridden or the storage controller compromised.
Cloud Storage Risks
Cloud storage depends on credential security. Compromised cloud credentials or a misconfigured access policy can expose backup data to exfiltration or destruction.
The Scenario
Scenario: Air-Gapped Recovery After Total Encryption
A financial services firm experiences a ransomware attack that encrypts all production systems, including the primary backup server and the cloud-replicated copies. The attackers had compromised the backup administrator's credentials three weeks earlier and used them to delete cloud snapshots and encrypt the on-premises backup appliance. With Vault, the firm's critical data — database backups, system configurations, and regulatory records — exists on physically disconnected, encrypted storage. The ransomware never reached it because there was no network path to traverse. Recovery begins within hours using the Execute module, with cryptographic verification of every restored asset.
"They encrypted our production, our backups, and our cloud replicas. The only copies they did not reach were in the Vault, because there was no network path for them to follow."
Data protection through physical disconnection.
FV-Vault provides encrypted, air-gapped storage that keeps critical data beyond the reach of any network-based attack. Combined with controlled transfer windows, cryptographic integrity verification, and multi-party access governance, Vault ensures that your most important assets remain available for recovery regardless of what happens on your network.
- Physically disconnected storage beyond network reach
- AES-256 encryption with hardware key management
- Cryptographic integrity verification on every retrieval
- Controlled, time-bound transfer windows
- Multi-party authorisation for all access operations
- Configurable retention policies for regulatory compliance
Vault — How It Works
Module 1 of 4
Vault stores encrypted data on physically disconnected infrastructure. Data is transferred during controlled windows through the Transfer module, encrypted with AES-256 using hardware key management, and verified with cryptographic hashes. Between transfer windows, no network path to the stored data exists.
Key Capabilities
Physical Disconnection
Vault storage is physically disconnected from all network infrastructure. No network path, logical or physical, exists between Vault and production systems during isolation periods.
AES-256 Encryption
All data stored in Vault is encrypted at rest using AES-256 with hardware-managed keys. Even physical access to the storage media yields nothing without the encryption keys.
Cryptographic Integrity
Every data asset stored in Vault is hashed at ingestion. On retrieval, the hash is verified to confirm the data has not been tampered with or corrupted.
Controlled Transfer Windows
Data moves into and out of Vault through time-bound, policy-controlled windows. The transfer conduit physically disconnects after each operation.
Immutable Access Logs
Every transfer, retrieval, and access attempt is logged on physically disconnected storage that cannot be modified by any network-connected user or system.
Regulatory Retention
Vault supports configurable retention policies that meet GDPR, NIS2, DORA, and industry-specific data retention requirements.
Demo to Live
Adoption Guide
Critical Data Inventory
Identify all data assets that require air-gapped protection: recovery copies, configurations, regulatory records, and organisational crown jewels.
Vault Architecture Design
Define storage capacity, encryption requirements, transfer schedules, retention policies, and multi-site replication needs.
Initial Data Ingestion
Transfer critical data to Vault through controlled windows, verify cryptographic integrity, and validate retrieval procedures.
Operational Integration
Automate transfer schedules, integrate with Execute for recovery orchestration, and establish ongoing integrity verification procedures.