Encrypted VPS — Full-Disk Encryption on Every Server

AnubizHost encrypted VPS uses AES-256-XTS encryption on the underlying storage volumes. Encryption is applied at the block device level, below the filesystem, so every byte written to disk is encrypted regardless of what application or process writes it. Temporary files, swap space, log files, and database storage are all encrypted uniformly.

Encryption keys are generated per-VPS and are never stored on the same physical hardware as the encrypted data. Key management uses a distributed architecture where key material is split across multiple isolated systems, requiring consensus to reconstruct. No single employee or system has access to a complete decryption key.

The encryption is transparent to your operating system and applications. You see a normal block device and filesystem. There is no performance penalty for standard workloads because modern CPUs include AES-NI hardware acceleration that handles encryption at near-native speed.

The primary threat that full-disk encryption defends against is physical access to the storage media. If a data center is raided, a server is stolen, or a decommissioned drive is improperly disposed of, the data on the disk is unreadable without the encryption key.

AnubizHost encryption architecture ensures that even if an entire server chassis is physically removed from the data center, the data it contains is cryptographically inaccessible. Our key management system is designed so that physical possession of the hardware is insufficient to decrypt the contents.

This protection extends to data center staff as well. Technicians who perform hardware maintenance, drive replacements, or server migrations cannot access the data on encrypted volumes. Physical security and logical security work together to create defense in depth.

AnubizHost full-disk encryption provides the base layer of protection. On top of this, you have full root access to implement additional encryption layers tailored to your specific requirements. Many customers deploy LUKS-encrypted partitions within their VPS for application data that requires an additional encryption boundary.

For database workloads, you can enable transparent data encryption (TDE) at the database engine level. For file storage, you can use encrypted filesystems like eCryptfs or fscrypt. For communication channels, you can deploy TLS with your own certificates and key material.

This layered approach means that even in a theoretical worst case where our base encryption were somehow compromised, your application-level encryption would still protect your most sensitive data. Defense in depth is not paranoia — it is sound engineering practice for any system handling sensitive information.

Encryption overhead is a legitimate concern for performance-sensitive workloads. AnubizHost addresses this by deploying exclusively on processors with AES-NI instruction set extensions, which offload encryption and decryption operations to dedicated hardware circuits within the CPU.

In benchmarks, our encrypted VPS instances deliver within two to three percent of unencrypted raw disk performance for sequential read and write operations. Random I/O performance shows an even smaller delta because the bottleneck is typically the SSD controller rather than the encryption layer. For most real-world workloads, the performance difference is unmeasurable.

Our NVMe SSD storage further minimizes any encryption overhead. NVMe drives deliver dramatically higher IOPS and throughput compared to SATA SSDs, providing headroom that more than compensates for the marginal cost of encryption. You get both security and speed without having to choose between them.