Vault Storage

Professional Vault Storage

Are you interested in owning physical gold and silver, but would rather not keep it at home? City Union Security has relationships with the world’s finest professional storage services. These secure vault facilities are strategically located around the world and have excellent reputations.

Secured Vault Legend

When it comes to security, our Secured Vault Legend compares to most commercial-grade safes for businesses that handle large amounts of cash or valuables. It's UL listed due to its 1/4" thick steel, uni-body construction, internal 10-gauge stainless steel reinforced liner, remote relocker system, drill deflector bolt guard and patented multi-gear drive, 5 to 1 reduction rack & pinion locking mechanism with up to 55 rack and pinion machined gears. Combine all of that security with (28) 1.5" active solid steel locking bolts strategically placed at the sides, top, corners and bottom of the door and you have a vault that is extremely difficult to get into, even when you know what you're doing. Unique to the City Union secured vault master is our unlimited remote access and encryption that adds significant pry resistance to the vault.

Stats & Charts

Given the architecture of Vault, there are 3 distinct systems we are concerned with. There is the client, which speaks to Vault over an API. There is the Vault server, which provides the API and serves requests. Lastly, there is the storage backend, which the server uses to read and write data.

There is no mutual trust between the Vault client and server. Clients use TLS to verify the identity of the server and to establish a secure communication channel. Servers require that a client provides a client token for every request which is used to identify the client. A client that does not provide their token is only permitted to make login requests.

The storage backends used by Vault are also untrusted by design. Vault uses a security barrier for all requests made to the backend. The security barrier automatically encrypts all data leaving Vault using a 256-bit Advanced Encryption Standard (AES) cipher in Galois/Counter Mode (GCM) with 96-bit nonces. The nonce is randomly generated for every encrypted object. When data is read from the security barrier, the GCM authentication tag is verified during the decryption process to detect any tampering.

Depending on the backend used, Vault may communicate with the backend over TLS to provide an added layer of security. In some cases, such as a file backend, this is not applicable. Because storage backends are untrusted, an eavesdropper would only gain access to encrypted data even if communication with the backend was intercepted.