Deployment Models
This guide explains how Locktera can be deployed across different environments and infrastructure models. Locktera operates at the data layer, enforcing encryption, access control, and audit logging independently of storage systems, cloud providers, or application architecture.
Locktera integrates into existing environments without requiring changes to storage platforms, infrastructure providers, or application frameworks.
This enables flexible deployment across cloud, on-premises, hybrid, and edge environments while maintaining consistent cryptographic security.
Core Deployment Principle
Locktera separates data security enforcement from storage and infrastructure.
Containers are encrypted client-side, and access policies are enforced cryptographically at the time of decryption.
This ensures:
• Data remains protected regardless of where it is stored
• Infrastructure compromise does not expose protected data
• Security enforcement persists across environments and platforms
• Deployment flexibility without weakening security
Deployment affects where Locktera components run — not how security is enforced.
Locktera Deployment Components
A complete Locktera deployment consists of three logical components:
1. Container Creation Environment
The environment where files are encrypted into Locktera containers.
Examples:
• Application servers
• Workstations
• Backend services
• ETL pipelines
• Edge devices
Responsibilities:
• Encrypt files into containers
• Define container access policies
• Upload or distribute containers
Encryption always occurs before storage or transfer.
2. Storage and Distribution Infrastructure
The environment where encrypted containers are stored or distributed.
Examples:
• Cloud storage (S3, Azure Blob, GCS)
• On-premises storage systems
• Backup infrastructure
• Content delivery networks (CDNs)
• File systems or data lakes
Storage infrastructure:
• Never accesses plaintext data
• Cannot decrypt containers
• Stores encrypted containers only
Storage acts as a transport and persistence layer.
3. Authorized Access Environment
The environment where authorized users or systems decrypt containers.
Examples:
• Application servers
• AI systems
• Deployment systems
• Edge devices
• User workstations
Responsibilities:
• Request container access
• Decrypt containers if authorized
• Process decrypted data locally
Access enforcement occurs cryptographically at decryption.
Deployment Models
Locktera supports multiple deployment models depending on infrastructure architecture.
Cloud Deployment Model
In a cloud deployment, Locktera integrates with cloud-hosted applications and storage.
Architecture:
Application → Locktera Container → Cloud Storage → Authorized Cloud System
Typical components:
• Cloud application servers
• Cloud object storage
• Cloud-hosted AI systems
• Cloud deployment pipelines
Benefits:
• Integrates with existing cloud infrastructure
• Protects data stored in cloud environments
• Prevents cloud provider access to plaintext data
• Enables secure multi-region deployment
Security enforcement remains independent of the cloud provider.
On-Premises Deployment Model
Locktera can be deployed entirely within on-premises environments.
Architecture:
Internal System → Locktera Container → On-Prem Storage → Authorized Internal System
Typical components:
• Internal application servers
• Enterprise storage systems
• Backup appliances
• Internal deployment pipelines
Benefits:
• Supports air-gapped and restricted environments
• Protects sensitive enterprise or government data
• Enables secure internal and external data sharing
No external infrastructure is required for container protection.
Hybrid Deployment Model
Locktera supports hybrid deployments across cloud and on-premises environments.
Architecture:
On-Prem System → Locktera Container → Cloud Storage → On-Prem or Cloud Access System
Typical use cases:
• Backup and archive systems
• Cloud-based analytics pipelines
• Secure data transfer between environments
• Multi-cloud architectures
Benefits:
• Secure data movement between environments
• Consistent security enforcement across environments
• Enables secure hybrid infrastructure operation
Security policies persist regardless of storage location.
Edge and Device Deployment Model
Locktera supports deployment on edge devices and distributed systems.
Architecture:
Vendor System → Locktera Container → Device or Edge System → Authorized Decryption
Typical use cases:
• Software update distribution
• Edge computing systems
• IoT and embedded devices
• AI model deployment
Benefits:
• Protects distributed software and model assets
• Prevents unauthorized device access
• Enables secure update and deployment pipelines
Access enforcement occurs locally on the device.
Multi-Tenant SaaS Deployment Model
Locktera enables secure multi-tenant deployments.
Architecture:
SaaS Platform → Locktera Containers → Shared Storage → Authorized Tenant Systems
Benefits:
• Cryptographic tenant isolation
• Secure shared infrastructure
• Prevents cross-tenant access
• Simplifies SaaS security architecture
Tenant isolation does not depend on application logic.
Deployment Architecture Diagram
General Locktera deployment flow:
Data Source
│
│ Encrypt into container
▼
Encrypted Container (.tera)
│
│ Store or distribute
▼
Storage Infrastructure
│
│ Authorized access request
▼
Authorized System
│
│ Decrypt if authorized
▼
Secure Data Access
Security enforcement occurs at container decryption.
Deployment Options by Integration Method
Locktera can be integrated using several methods:
SDK Integration
Integrated directly into applications.
Best for:
• Backend systems
• AI pipelines
• SaaS platforms
API Integration
Applications interact with Locktera using secure APIs.
Best for:
• Cloud-native systems
• Distributed systems
• Integration with existing applications
Runtime Integration
Locktera runtime deployed locally on systems or devices.
Best for:
• Edge devices
• Deployment systems
• Software distribution
Security Properties Across All Deployment Models
Locktera ensures:
• Encryption occurs before storage or transfer
• Storage systems cannot decrypt containers
• Access enforcement is cryptographic
• Infrastructure compromise does not expose plaintext data
• Access policies persist across environments
• Containers remain immutable
• All access is audit logged
Security enforcement is consistent regardless of deployment model.
Deployment Selection Guidance
Choose deployment model based on infrastructure architecture:
Cloud environments → Cloud deployment
On-premises environments → On-prem deployment
Mixed environments → Hybrid deployment
Device or distributed environments → Edge deployment
Multi-tenant platforms → SaaS deployment
Locktera supports all deployment models simultaneously.
Relationship to Other Architecture Guides
This deployment model guide complements:
• Zero-Trust Data Security
• Secure Multi-Tenant Isolation
• Identity and Key Management
• AI Deployment Architecture
• OTA Update Architecture
These guides describe specific use cases built on Locktera deployment architecture.
Summary
Locktera supports flexible deployment across cloud, on-premises, hybrid, and edge environments. Containers remain encrypted and access is enforced cryptographically regardless of where they are stored or accessed.
This enables organizations to deploy Locktera within existing infrastructure while ensuring consistent, enforceable data security independent of infrastructure trust.
