# FenixPyre On-Prem Secure Sharing Solution: Architecture Overview

## 1. Overview

The **FenixPyre On-Prem Secure Sharing Solution** provides organizations with a robust, self-hosted environment for secure file storage and collaboration. Engineered to meet the stringent security and compliance requirements of frameworks like **CMMC 2.0**, this solution ensures that your organization's most sensitive data, including **Controlled Unclassified Information (CUI)**, remains protected within your own network perimeter at all times.

### Why Is This Solution Necessary?

In today's regulatory landscape, organizations that handle sensitive government or enterprise data are required to implement verifiable security controls. For members of the Defense Industrial Base (DIB) and other regulated industries, simply using a cloud service is often not enough. CMMC and other mandates require that CUI be protected with validated cryptography and strict access controls.

This on-premise solution offers the ultimate level of control, allowing you to:

* **Maintain Data Sovereignty**: All files and metadata are stored on your own infrastructure, within your own network.
* **Enforce Strict Security Policies**: You retain full control over network access, firewall rules, and physical security.
* **Meet and Exceed Compliance Requirements**: The solution is purpose-built to provide the FIPS-validated cryptographic foundation required for CMMC 2.0 Level 2 and above.

## 2. Security and Compliance Posture

The **FenixPyre On-Prem Secure Sharing Solution** is engineered from the ground up for high-security environments.

### CMMC 2.0 Alignment

The solution is designed to be a cornerstone of your CMMC 2.0 compliance strategy. It directly addresses the need to protect CUI by providing a secure, auditable environment for data storage and sharing, separate from public cloud infrastructure. By deploying this solution, you establish a foundational component that helps satisfy numerous CMMC controls related to access control, media protection, and system integrity.

### Commitment to FIPS 140 Validated Cryptography

The security of cryptographic modules is governed by the **Federal Information Processing Standards (FIPS)**, issued by **NIST**. The FenixPyre solution is engineered to meet these exacting standards, which are critical for protecting sensitive government data and achieving compliance with frameworks like **CMMC** and **FedRAMP**.

**Understanding FIPS 140-2 and FIPS 140-3**

* **FIPS 140-2**: For many years, FIPS 140-2 has been the benchmark for validating the effectiveness of cryptographic hardware and software. It defines four levels of security and ensures that validated modules have been independently tested and verified.
* **FIPS 140-3**: As of March 2019, FIPS 140-3 is the latest standard, aligning more closely with the international ISO/IEC 19790 standard. It introduces more rigorous security requirements, especially against physical and side-channel attacks. While FIPS 140-2 modules are still accepted during a transition period (until September 2026), FIPS 140-3 represents the current and future benchmark for cryptographic security.

**Our solution utilizes FIPS 140-3 validated cryptographic modules to meet the highest security requirements. This includes:**

* **FIPS-Enabled Components**: The solution leverages specific FIPS-validated components to ensure compliance. The core On-Prem Sharing Service utilizes modern **FIPS 140-3** validated cryptographic modules, while the Secure Storage Service is powered by a robust Docker image validated against **FIPS 140-2**.
* **Validated Cryptographic Operations**: All cryptographic functions—including encryption, hashing, and key generation—are performed by modules that have undergone and passed the rigorous FIPS 140-3 validation process.
* **Host Environment Hardening**: To achieve end-to-end compliance, the virtual machines hosting the solution must run in a FIPS-enabled mode. This ensures that the underlying operating system also enforces the use of validated cryptographic algorithms, creating a verifiable, defense-in-depth posture.
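The host-hardening requirement above can be verified before the services are installed. The following POSIX shell script is an added example, not FenixPyre tooling: it reads the Linux kernel's `fips_enabled` flag, reports whether the OpenSSL 3 `fips` provider is loaded, and on RHEL-family hosts runs `fips-mode-setup --check` for an informational second opinion. It assumes a Linux VM with `/proc/sys/crypto/fips_enabled`; the `openssl` and `fips-mode-setup` checks are skipped when those tools are absent.

```shell
#!/bin/sh
# Added example (not part of the FenixPyre product): audit whether a Linux VM
# hosting the solution is running in FIPS-enabled mode.
# Assumptions: Linux kernel flag at /proc/sys/crypto/fips_enabled, OpenSSL 3.x
# for the provider listing, fips-mode-setup present only on RHEL-family hosts.

# Map the kernel flag value to a status word (pure function, testable offline).
fips_flag_status() {
    case "$1" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Read the kernel flag from the host, or from an alternate file path given as $1.
host_fips_status() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$flag_file" ]; then
        fips_flag_status "$(cat "$flag_file" 2>/dev/null)"
    else
        echo "unknown"
    fi
}

# Report whether the OpenSSL 3 FIPS provider is active; "n/a" when openssl is missing.
openssl_fips_provider_status() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "n/a"
        return 0
    fi
    if openssl list -providers 2>/dev/null | grep -qi '^ *fips *$'; then
        echo "loaded"
    else
        echo "not-loaded"
    fi
}

# Overall verdict: exit 0 only when the kernel reports FIPS mode enabled.
audit_host_fips() {
    kstatus="$(host_fips_status "$1")"
    pstatus="$(openssl_fips_provider_status)"
    echo "kernel fips_enabled:   $kstatus"
    echo "openssl fips provider: $pstatus"
    if command -v fips-mode-setup >/dev/null 2>&1; then
        fips-mode-setup --check || true   # RHEL-family helper, informational only
    fi
    [ "$kstatus" = "enabled" ]
}

# Run the audit when FIPS_AUDIT_RUN is set; otherwise the file can be sourced
# and the functions called individually.
if [ -n "${FIPS_AUDIT_RUN:-}" ]; then
    audit_host_fips
fi
```

Run it with `FIPS_AUDIT_RUN=1 sh fips_audit.sh` on each VM; a non-zero exit means the kernel is not enforcing FIPS mode and the host should be fixed before the Sharing Service, MinIO image or PostgreSQL are deployed on it. The kernel flag is the authoritative signal; the provider listing only confirms that user-space OpenSSL will follow it.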

## 3. Solution Architecture

The **FenixPyre On-Prem Secure Sharing Solution** consists of three core services deployed across two dedicated virtual machines, creating a distributed and resilient architecture.


### Services to be Deployed

**1. FenixPyre On-Prem Sharing Service (VM 2)**

This is the core application that orchestrates secure sharing and access control. It serves two distinct APIs:

* **Private API**: Used for communication with internal clients, such as the FenixPyre Windows Agents, within your network. This API is secured with mutual TLS (mTLS) and must only be accessible on your internal network (default port: `8080`).
* **Public API**: Used by external recipients to access shared files. This API is protected by HMAC and other strong authentication methods and must be exposed to the internet (port: `443`).

**2. Secure Storage Service (VM 1)**

This service provides a high-performance, S3-compatible object storage layer where all files are securely persisted. It is powered by a FIPS-enabled MinIO Docker image, ensuring that data at rest is handled within a FIPS-compliant boundary.

**3. PostgreSQL Database (Deployed on VM 2)**

A dedicated PostgreSQL instance serves as the backend database for the On-Prem Sharing Service. It stores all critical metadata, including file information, ensuring the integrity and availability of the service.

## Setup

For setup instructions, reach out to [FenixPyre Support](mailto:support@fenixpyre.com).
