Technically Speaking

The Official Bigstep Blog


Data at Rest, Data in Motion: How We Use Encryption

From chats to e-mails, encryption is a hot topic, as people want to send, receive, and store data as securely as possible. When it comes to infrastructure services, encryption is a major concern: it underpins data integrity, helps prevent data breaches, and protects your organization from cyberattacks and unauthorized access. How do we use encryption at Bigstep on bare metal infrastructure as a service?

What is Encryption?


Encryption is the process of converting readable data into a scrambled form (ciphertext) so that it stays protected and hidden from unauthorized users, and can be deciphered only by someone who holds the secret code or decryption key.

Encryption at Bigstep


We believe in control without access: our platform does not need access to customers' data in order to control and automate applications. Different services use encryption in different ways, and some require additional configuration to enable it fully.


Most services, however, support encryption at rest, encryption of data in motion and row-level encryption, as well as secure authentication and fine-grained authorization mechanisms. Let’s see how we use encryption in more detail on Bigstep Metal Cloud.

Encryption for Data in Motion


Traffic between Bigstep and on-premises infrastructure always travels over encrypted channels, such as SSL/TLS, or is routed via an IPsec VPN appliance.


Most applications that we offer as a service, Hadoop in particular, use or can be configured to use encryption to secure their binary (protobuf) inter-process traffic. All of our services, such as the DataLake or the DataLab, also use TLS by default.

Encryption for Data at Rest


Most applications support encryption for data at rest. The keys used to encrypt that data can be stored either in the cloud, in a specialized service, or on-premises in a Hardware Security Module (HSM) or Key Management Module (KMS).


Customers are authenticated either via Kerberos configured to allow only AES-256 keys, or via a custom dual encryption mechanism that we have built on top of AES-256 and HMAC.


Our authorization mechanism is built around our infrastructure concept: users who have access to an infrastructure are allowed to access the various services within that infrastructure. The DataLake is configured to apply Portable Operating System Interface (POSIX) group permissions to users who are delegates. Individual applications can also be configured to use either a hosted Kerberos/AD service or an on-premises AD service.


We also provide instances with Self-Encrypting Drives (SEDs), and when decommissioning those nodes we erase the drive's encryption key (a cryptographic erase).

Bigstep Internal Use of Encryption


All our sensitive information is stored in the database using strong cryptographic functions and long salts. Credentials in transit, such as passwords in configuration files, and other potentially sensitive information are stored on disk in encrypted files; these are encrypted with a random key that exists only during the deployment phase.


For more information on security in Bigstep Metal Cloud, please check our Security Overview.
