Data encryption

This section describes the different layers of encryption in storage. Google Distributed Cloud (GDC) air-gapped appliance

Encryption at rest

There are different layers of data-at-rest encryption that the GDC air-gapped appliance provides.

Encryption in transit

Data in transit is encrypted using IPsec on two types of OTS traffic:

  • External traffic between bare metal hosts and OTS Storage Virtual Machines (SVMs).
  • Internal traffic between OTS worker nodes.

IPsec for both traffic types is implemented with the third-party library strongSwan (https://strongswan.org/). The OTS internal traffic runs over Open vSwitch VXLAN tunnels, and strongSwan encrypts the data flow beneath that layer, so the VXLAN-encapsulated packets are carried inside ESP on the underlay network.
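As an added illustration of the pattern described above (not a configuration shipped with the GDC appliance), the following strongSwan `swanctl.conf` fragment protects VXLAN traffic (UDP/4789) between two worker nodes with a transport-mode ESP SA, so the overlay tunnel is encrypted on the wire. The node addresses, certificate file names and identities are assumed placeholders.

```conf
# Assumed example: transport-mode IPsec for VXLAN between two worker nodes.
# Addresses, certificate names and identities are placeholders, not GDC values.
connections {
    node-a-to-node-b {
        version      = 2                 # IKEv2 only
        local_addrs  = 10.0.0.11         # this node's underlay address (assumed)
        remote_addrs = 10.0.0.12         # peer node's underlay address (assumed)
        proposals    = aes256-sha256-x25519   # IKE SA: AES-256, SHA-256 PRF/integrity, X25519

        local {
            auth  = pubkey               # certificate-based mutual authentication
            certs = node-a.pem           # this node's certificate (assumed file name)
            id    = "CN=node-a"
        }
        remote {
            auth = pubkey
            id   = "CN=node-b"           # peer must present a cert with this identity
        }

        children {
            vxlan {
                mode          = transport       # protect host-to-host packets in place
                local_ts      = 10.0.0.11[udp/4789]   # only VXLAN traffic is selected
                remote_ts     = 10.0.0.12[udp/4789]
                esp_proposals = aes256gcm16-x25519    # AEAD ESP with PFS on rekey
                start_action  = start           # bring the SA up at daemon start
                dpd_action    = restart         # re-establish if the peer goes silent
            }
        }
        dpd_delay = 30s
    }
}
```

After `swanctl --load-all`, `swanctl --list-sas` should show one installed ESP transport SA per peer, and a capture on the underlay interface should show ESP rather than plaintext UDP/4789 between the nodes.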