Physical data isolation
Each Dedicated VAST cluster is provisioned on hardware exclusive to a single tenant. All cluster hardware is dedicated to your organization and not shared with other CoreWeave customers. Your data resides only on your cluster’s storage and does not pass through or reside on any shared storage infrastructure.
Encryption at rest
Encryption at rest is enabled on every Dedicated VAST cluster at provisioning time. Unique encryption keys are provisioned per cluster, ensuring that your encryption keys are not shared with any other CoreWeave tenant. Key characteristics:
- AES-based encryption at the storage layer, applied transparently to all stored data.
- Keys provisioned at cluster launch: encryption is enabled before any customer data is written.
- Key management: keys are provisioned and managed by VAST during cluster setup. Customers do not manage keys directly.
Encryption in transit
Encryption in transit is the customer’s responsibility to implement and enforce. CoreWeave and VAST do not enforce in-transit encryption by default on cluster protocols. Options depend on the protocol in use:
- NFS: NFSv4.1 supports Kerberos-based integrity and encryption (krb5i, krb5p). TLS transport can be configured for NFS over TLS where supported.
- S3: Configure your S3 endpoint to require HTTPS. Do not use plain HTTP endpoints for sensitive data.
- SQL: Configure TLS on your database connection.
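A client-side check for the NFS and S3 options above, as an added example (not CoreWeave or VAST code): it classifies NFS mounts from /proc/mounts-style text by their sec= and xprtsec= options and flags S3 endpoints that are not HTTPS. The hostnames, mount points and sample lines are constructed, and it assumes a Linux client whose kernel reports xprtsec=tls or xprtsec=mtls for NFS over TLS mounts.

```python
"""Audit client-side transport settings for NFS mounts and S3 endpoints."""
from urllib.parse import urlsplit

# Constructed sample input: /proc/mounts-style lines and S3 endpoint URLs.
SAMPLE_MOUNTS = """\
vast.example.internal:/proj /mnt/proj nfs4 rw,vers=4.1,sec=krb5p,proto=tcp 0 0
vast.example.internal:/scratch /mnt/scratch nfs4 rw,vers=4.1,sec=sys,proto=tcp 0 0
vast.example.internal:/logs /mnt/logs nfs4 rw,vers=4.1,sec=krb5i,proto=tcp 0 0
vast.example.internal:/tls /mnt/tls nfs4 rw,vers=4.2,sec=sys,xprtsec=tls,proto=tcp 0 0
/dev/nvme0n1p1 / ext4 rw,relatime 0 0
"""
SAMPLE_S3_ENDPOINTS = [
    "https://s3.vast.example.internal",
    "http://s3.vast.example.internal:80",
]


def classify_nfs_mount(options: str) -> str:
    """Return 'encrypted', 'integrity-only' or 'cleartext' for one option string."""
    # "rw" becomes {"rw": ""}, "sec=krb5p" becomes {"sec": "krb5p"}.
    opts = dict(o.partition("=")[::2] for o in options.split(","))
    if opts.get("xprtsec") in ("tls", "mtls") or opts.get("sec") == "krb5p":
        return "encrypted"
    if opts.get("sec") == "krb5i":
        return "integrity-only"  # tamper-evident, but payload is readable on the wire
    return "cleartext"


def audit_mounts(mounts_text: str) -> dict:
    """Map each NFS mount point to its transport classification."""
    result = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] in ("nfs", "nfs4"):
            result[fields[1]] = classify_nfs_mount(fields[3])
    return result


def insecure_s3_endpoints(endpoints) -> list:
    """Return endpoints whose URL scheme is not HTTPS."""
    return [e for e in endpoints if urlsplit(e).scheme.lower() != "https"]


if __name__ == "__main__":
    for mount_point, status in audit_mounts(SAMPLE_MOUNTS).items():
        print(f"{status:15} {mount_point}")
    for endpoint in insecure_s3_endpoints(SAMPLE_S3_ENDPOINTS):
        print(f"plain HTTP      {endpoint}")
```

On a live client, pass the contents of /proc/mounts to audit_mounts() in place of the sample text.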
Audit logging
Customers have full control over VAST audit logging services through VMS. Audit logging can capture:
- File access events (reads, writes, deletes, metadata operations).
- User authentication and authorization events.
- VMS configuration changes and administrative actions.
- S3 API operations.
Access control
Access to data on the cluster is controlled through VAST VMS user accounts. The same user identity governs NFS file access, S3 object access, and SQL access. There is no separate credential store for each protocol.
- User management: Customer-managed in VMS. See Cluster management for details.
- SSO and SAML: Dedicated VAST supports federation with external identity providers (Okta, Azure AD, and other SAML 2.0 providers). See Cluster management for details.
- S3 credentials: S3 access keys are generated per VMS user account. Access key scope is tied to the user’s permissions in VMS.
- Network access: CoreWeave provisions network connectivity between your GPU cluster and the VAST cluster IPs. Restricting which cluster nodes can reach VAST is handled at the network layer by CoreWeave. VMS user credentials provide the application-layer access control.
Shared responsibility model
The following table summarizes security and operational responsibilities across CoreWeave, VAST, and the customer.
CoreWeave provides a formal Shared Responsibility Model (SRM) document for Dedicated VAST. Contact your CoreWeave account team to obtain the current SRM.
| Responsibility | CoreWeave | VAST | Customer |
|---|---|---|---|
| Physical hardware security | ✓ | ||
| Data center physical access | ✓ | ||
| Network infrastructure and monitoring | ✓ | ||
| Hardware health monitoring | ✓ | ✓ | |
| VAST software maintenance and upgrades | ✓ (coordinated) | ✓ (coordinated) | |
| Cluster software monitoring | ✓ | ✓ | |
| Capacity monitoring | ✓ | ||
| Encryption at rest (key provisioning) | | ✓ | |
| Encryption in transit | | | ✓ |
| User account management | | | ✓ |
| Access control configuration | ✓ | ||
| Audit log configuration and retention | | | ✓ |
| Data protection and disaster recovery | ✓ | ||
| Snapshot policy configuration | ✓ |