Architecture Deep Dive

Mansfeld-Südharz, Germany - October 19, 2025

How rural counties run enterprise-grade security without owning a single hyper-scaler VM

The first thing you notice when the rack doors open is the silence. No screaming fans, no blinking disco rows, just six 2U chassis stamped “Made in Frankfurt (Oder)” and a single LED breathing like a sleeping cat. That quiet is deliberate: the entire workload of the Cyber Resilience Alliance—127 member organisations, 2.3 million events per day—fits into 480 cores and 6 TB of NVMe that together draw less power than the building’s espresso machine. We designed the stack to prove that sovereignty does not require scale; it requires clarity. Every binary that runs here is compiled in-house, every kernel module is signed with a key that never leaves the county, and every configuration drift is rejected at boot time by a policy engine that speaks law before it speaks code.

The lowest layer is hardware, but treated as firmware for trust. Each node ships with an LPC bus TPM and a NationZ cipher chip that implements the German eIDAS qualified signature profile. On first power-on the chip generates a 384-bit ECC root, exports the public half to the county notary, and then physically burns the private exponent access fuse. From that moment the chassis can attest its own identity to any upstream verifier, but no vendor—not even the original manufacturer—can reproduce the key. This turns the classic cloud problem on its head: instead of asking “do I trust the provider’s hypervisor?” we ask “does the hypervisor trust itself enough to prove it to me?” The attestation payload is sent over an isolated BMC VLAN to an observer service written in Rust that holds the reference measurements in an append-only Merkle tree. If a single byte in the bootloader or in the initramfs changes, the node is quarantined and the county’s physical key custodian must drive to the site and insert a smart-card to re-enrol. We have done this twice in eighteen months: once after a firmware update forgot to re-sign its own blob, and once when a trainee plugged a rescue USB into the wrong port. Both events took less than thirty minutes to remediate, and the custodian still made it home for lunch.

Above the metal sits the sovereign cloud layer, built from OpenStack Yoga but stripped to the bone. We removed every service that phones home—no telemetry, no licence checks, no marketplace metrics—and replaced them with thin wrappers that speak the county’s own REST dialect. The hypervisor is KVM compiled with STACKPROTECTOR_STRONG and linked against musl to shrink the attack surface; the virtual machine images are built by a GitLab runner that lives on a separate VLAN and signs each qcow2 with Sigstore cosign. Even the image metadata is policy-checked: if a VM requests more than eight vCPUs or asks for a public IPv4 address, the policy-as-code compiler rejects the template before it reaches the scheduler. This means that an SME cannot accidentally deploy a misconfigured bastion host; the error message is a concise German sentence that cites the exact clause in the BSI Grundschutz catalogue that would have been violated. The side effect is educational: every failed deployment teaches the developer a paragraph of compliance text, and the learning curve flattens itself without workshops or slide decks.

Identity is handled by an in-house federation broker we call ElbeID, a pun on the river that flows past the data centre. ElbeID speaks SAML 2.0, OpenID Connect and the German eIDAS SAML profile, but its novel feature is attribute-minimisation enforced at the protocol level. When a user authenticates, the broker receives the full attribute set from the upstream identity provider—corporate directory, bank identity card, government eID—but immediately discards any claim not listed in the requesting service’s manifest. The manifest itself is a JSON document signed by the county data-protection officer and stored in an immutable Git repository; changing it requires a pull request and a four-eye review. Thus the accounting SaaS can receive a payroll number, but never the date of birth, while the incident-response portal can receive the mobile number, but never the home address. Because the filtering happens inside the broker, the downstream application cannot override it even if it is compromised. This architectural habit removes the classic “scope creep” that haunts most federations, and it satisfies the GDPR’s data-minimisation principle without asking developers to think about privacy every time they parse a JWT.

“We replaced noise with attestation—every fanless rack proves identity before it serves a single packet."

The policy-as-code compiler, codename Styx, consumes legislation the way other pipelines consume unit tests. A team of lawyers and engineers meets every Tuesday to transpose new paragraphs—NIS2 updates, GDPR guidance, county bylaws—into Rego files that Open Policy Agent can evaluate at millisecond latency. The trick is to write the rules in the same language the auditor speaks: if the BSI says “logging must be tamper-evident,” we translate that into an append-only Loki configuration with Write-Ahead-Log enabled and S3 immutable buckets; if the GDPR says “data must be portable,” we expose a signed URL endpoint that exports the user’s data as a single cryptographically signed ZIP. Because the policies are versioned alongside the code, a rollback of the application also rolls back the legal interpretation, eliminating the drift that usually appears six months after the compliance consultant has left the building. An unexpected side benefit is that auditors no longer need slide decks: they read the Rego files, run the test suite, and sign the attestation in the same pull request that developers use for feature branches.

Finally, the observability plane is itself observed. Metrics, traces and logs are written to a VictoriaMetrics cluster that runs on its own hardened nodes, but the crucial twist is that every sample is accompanied by a provenance token—a short-lived HMAC that proves the observation was produced by a node in attested state. If an attacker manages to spoof a thousand fake hosts and flood the cluster with synthetic CPU metrics, the token check fails and the samples are rejected before they can distort auto-scaling decisions. This closes the feedback loop between trust and telemetry: the system will not act on data unless it can cryptographically verify that the data came from a computer it still recognises. In practice this means that scaling events, alert thresholds and even SLA invoices are gated through the same root of trust that secures the bootloader, creating a single chain of evidence that stretches from the TPM fuse to the monthly member invoice.

The result is a stack that feels monolithic to the user but is fractal to the auditor: every layer repeats the same attestation ritual, the same policy gate, the same immutable ledger. A rural SME can therefore deploy a micro-service that handles payroll, vulnerability scanning and encrypted backup without ever learning the four-letter acronyms that usually crowd compliance spreadsheets. The machine speaks the law so the developer can speak the product, and the county keeps the keys so the citizen keeps the sovereignty. That, ultimately, is the quiet victory inside the silent rack: technology that disappears into trust, and trust that scales like code.

The Cyber Resilience Alliance is a public-private partnership established 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and an cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.

Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.