Abstract: Storage apparatus (20) includes a memory (30) and an encryption processor (28), which is configured to receive and encrypt data transmitted from one or more computers (24) for storage in the memory. A one-way link (32) couples the encryption processor to the memory so as to enable the encryption processor to write the encrypted data to the memory but not to read from the memory.

Abstract: A computer-implemented method for protecting a computer network (22) includes receiving at a gateway (24) data transmitted from a source address for delivery to a destination on the computer network. The data are encrypted at the gateway using an encryption key selected from a set of one or more keys that are not available to the source address. The encrypted data are transmitted over the computer network toward the destination. The transmitted encrypted data are received and decrypted for use at the destination by means of one of the keys in the set.