AS393941 DataFort

DataFort sits between your red (plaintext) and black (ciphertext) networks, encrypting all traffic that crosses the boundary. It operates as a hardened Linux appliance with dedicated network zones, zone-based policy routing, and a tamper-resistant key vault replacing fragile VPN configurations with a managed, auditable encryption layer.

•  Point-to-Point - Encrypted tunnel between two sites with automatic session rekeying
•  Hub-and-Spoke - Central server accepting connections from multiple remote client sites, each with its own pre-shared key and tunnel
•  CCSDS Spacecraft - Red-to-Black and Black-to-Red UDP encryptors for CCSDS telemetry frames, with bypass SA support for ground station integration

• AES-256-GCM & AES-256-GCM-SIV encryption with 3-way PSK session handshake and HKDF key derivation
•  Automatic session rekeying on time and byte thresholds for forward secrecy
•  Encrypted key vault with Argon2id key derivation, token-based access control, and optional USB Crypto Ignition Key (CIK) for two-factor vault authentication
•  Zone-based nftables firewall with management, red, and black network isolation
•  Zone policy routing — dedicated kernel routing tables per zone prevent cross-zone traffic leakage
•  Ed25519 licence system with hardware-bound device fingerprinting and per-NIC resilience for virtualised deployments
•  Signed secure updates with Ed25519 signature verification, atomic deployment, and automatic rollback on failure
•  Encrypted backup/restore for disaster recovery with passphrase-protected encrypted bundles