The Context

The digital transformation accelerates the adoption of containers as it brings agility and scalability to the business. Containers face new security challenges that require new security tools!

How We Help

CYSEC aims at providing trust in infrastructure that organizations don’t own or control, but use to run their services and to process their sensitive data.

ARCA Trusted OS: Empowering Secure and Robust Container Environments
  • A hardened Linux-based micro-distribution Operating System combined with container management tools that can be deployed on premises, in the cloud, and at the edge.
  • A Trusted Execution Environment for containers that contains attack propagation in container clusters and prevents compromise of container data.
  • Easy adoption of confidential computing, protecting data in all states: at rest, in transit, and in use.
  • A robust Operating System with integrity enforcement mechanisms and extended automation capabilities to limit the need for human interaction in operation.
  • ARCA Trusted OS runs on x86 and ARM architectures.
The Main Features of ARCA Trusted OS
Protection against Attack Propagation

Reduced attack surface

A micro-distribution explicitly designed to only run containers with a read-only root file system.

Trustworthiness

An enforced chain of trust relying on a hardware root of trust combined with an immutable root file system.

Security Maintenance

Security maintenance performed by CYSEC associated with an authenticated and atomic OTA update mechanism.

Protection against Data Compromise

Data at rest Protection

A by-default full disk encryption mechanism with a key protected by a hardware security component.

Data in transit Protection

Support for WireGuard at the kernel level, allowing simple setup of VPNs between nodes and pods.

Data in Use Protection

Support for the AMD Secure Encrypted Virtualization (SEV) feature and implementation of a Key Management System (KMS) in the ARM TrustZone.

Access to certified crypto

Simple access to certified Hardware Security Module (HSM) resources for containerized applications.

Robustness Through Automation and Alteration Prevention

Alteration Prevention

An immutable root file system, including the security setting configurations, combined with authenticity and integrity verification of booted and updated OS images.

Automation

Full Disk Encryption automatically unlocked after successful secure boots, automatic rollback after unsuccessful boots, and error correction attempts on booted code.

The advantages of ARCA Trusted OS

Protection

  • Reduces your attack surface to prevent attack propagation via the host OS.
  • Checks its authenticity and integrity to deliver a trustworthy execution environment.
  • Applies encryption mechanisms to protect your data at-rest, in-transit, and in-use.
  • Supports Confidential Computing to allow higher isolation in shared infrastructures.

Simplification

  • Provides security in a transparent manner (no code modification).
  • Offers homogeneous security from the Data Center to the Cloud and the Edge.
  • Eases the use of Confidential Computing to facilitate its adoption.
  • Eases access for containers to secure hardware elements (e.g., HSM).
  • Comes with processes and tools for continuous security maintenance of your host OS.

Compliance

  • Provides several security features needed in a Zero Trust approach.

ARCA Trusted OS requirements

Hardware Requirements

  • CPU: x86-64; ARM (Raspberry Pi 4 and STM32MP157)
  • Firmware: UEFI or OVMF enabling the upload of CYSEC secure boot public keys; SoC enabling the secure storage of CYSEC secure boot public keys
  • TPM: Physical TPM 2.0 or vTPM or fTPM or OTP

Software Requirements

Application

OCI Container

Container Management Tools

Want to Know More?

Videos

What is hardware-based security?

ARCA immutable OS

Secure boot chain for Raspberry Pi 4B

Advantage by default FDE

Blogs