Overview
For Entersekt, ZFS is not just a storage product but a core architectural layer used across application and data systems. FreeBSD has been the foundation of this infrastructure dating back to 2003; ZFS joined the stack in 2008, making it one of the longest-running enterprise deployments of FreeBSD and ZFS in the financial technology sector.
Across the entire stack, ZFS provides capabilities that would otherwise require separate tools and budgets — from automated deployment rollback and tiered encryption to compression and end-to-end data integrity. Combined with database replication, this eliminates the need for a dedicated backup platform entirely. This architectural choice reflects a broader goal: maintaining control over infrastructure in a security-sensitive environment where reliability, compliance, and operational transparency are essential.
In this case study:
- 1The Challenge: Sovereign infrastructure in a regulated industry
- 2The Approach: FreeBSD and ZFS as a unified layer across the entire stack
- 3The Impact: Full operational control, no backup platform required, and more
About Entersekt
Entersekt is a financial technology company that develops authentication and fraud prevention solutions used by banks and financial institutions to secure digital banking and payment transactions. Its technology helps financial institutions protect online and mobile banking experiences while enabling secure digital interactions for their customers.
Operating in a sector where security, reliability, and regulatory compliance are essential, Entersekt designs its infrastructure and platforms to support high levels of data integrity, operational resilience, and long-term platform control, helping financial institutions deliver secure digital banking services in an increasingly complex threat environment.
Industry: Financial Technology
Location: Global – with offices in Europe, North America, South Africa, and Australia
Founded: 2008
The Challenge
Building Infrastructure with Control, Security, and Longevity
Entersekt operates in a regulated environment where infrastructure decisions must hold up to scrutiny from both customers and industry authorities. For the engineering team, that means making architectural choices that are deliberate and defensible.
Data sovereignty as a customer requirement
Entersekt's European customers require their data to be processed on infrastructure physically located within the EU, infrastructure they can, in principle, visit and inspect. Contractual data residency guarantees from cloud or offshore providers don't satisfy this requirement.
“Having our own infrastructure ‘on the ground’ in the EU is something many of our customers either expressly require or strongly prefer. While they don’t often visit the data centers, the knowledge that they can is comforting," Eirik Øverby says.
Independence from external providers
Maintaining independence from external providers is another key goal for Entersekt to support long-term architectural stability. Relying on large, extra-European cloud or software providers can introduce risks such as pricing changes, service discontinuation, support, or licensing shifts.
“With the way the world is going, being independent from extra-European service providers helps ensure the longevity of the architecture.”
For teams running security-sensitive systems, that level of control reduces operational risk and gives them the ability to evolve the platform on their own terms.
The technology gap
In 2003, Eirik Øverby built the FreeBSD platform at Modirum, which Entersekt later inherited through acquisition. The technology landscape was different then — satisfying requirements for integrity, sovereignty, and operational control with a single open-source technology was genuinely difficult.
“We were considering a switch from FreeBSD to Solaris 10, as it not only had Zones (inspired by FreeBSD’s jails) but also ZFS, which already at that time was wildly superior to all other volume- and storage-management solutions.”
The import of ZFS into FreeBSD 7.0 resolved that tension. When Oracle acquired Sun Microsystems shortly after, and Solaris went into commercial decline, it confirmed the decision was the right one.
The Approach
ZFS as a Core Infrastructure Technology
Rather than deploying ZFS as a dedicated storage platform, Entersekt made it a foundational component of every system in the stack. Routers, firewalls, monitoring systems, application clusters, and database servers are all built on FreeBSD with ZFS. This means the capabilities ZFS provides (integrity checking, snapshots, replication, encryption, compression) are available uniformly across the environment without requiring additional tooling.
Replacing backups with database replication and local snapshots
Entersekt does not operate a traditional backup system. Instead, multiple instances of each critical system maintain their own independent set of ZFS snapshots. Each instance effectively acts as an immutable backup for the others. The combination of ZFS snapshot clones and FreeBSD jails provides reliable point-in-time data recovery in seconds or minutes.
This eliminates a dedicated backup platform entirely, reducing cost, complexity, and a potential point of failure. This approach is also vastly superior to traditional backups in terms of resiliency and recovery time.
“We do not do backups at all; we simply have multiple instances of databases, all maintaining their own independent sets of snapshots, so they all act as immutable backups for each other.”
Automated snapshots in the deployment pipeline
Every deployment on Entersekt's application clusters triggers automated ZFS snapshots on the underlying host — a precise safety net on every release.
“This gives not only very rapid rollback capability, but also an extremely detailed view of changes between deployments.”
Beyond rollback, snapshot pairs can be interrogated with zfs diff to surface exactly what changed between any two deployments — a precise, tamper-evident audit trail of every change.
“Combining frequent snapshots with change detection (‘zfs diff’), we can both defend against and quickly detect unexpected changes in files on shared storage, for example, through ransomware introduced on someone’s PC.”
Compartmentalized encryption across a shared pool
Dataset-level encryption allows Entersekt to apply different key management policies to data with different sensitivity levels, even when that data lives on the same physical storage pool.
“Having dataset-level encryption is an absolute sensation for us, as it lets us have tiered key management for data with different protection requirements, even if it lives on the same storage pool.”
Compression that changes storage economics
On database workloads—which make up the bulk of the data Entersekt manages—ZFS consistently delivers compression ratios of 3-4×. The practical effect is that the company’s physical storage footprint is many times smaller than it would otherwise require, achieving substantial savings.
“With 3–4× compression ratio on our most voluminous data, our physical storage total is about 1 PB rather than the 3–4 PB it would have to be without compression. With the storage prices today, this represents an absolutely insaneamount of savings.”
Operating all of this at depth, and evolving it over fifteen years, is where the Klara partnership becomes essential.
“ZFS is much more than ‘just’ a foundation for storage infrastructure; it serves a lot of purposes in our environment. All our systems, from routers and firewalls, through monitoring platforms like Grafana, Prometheus, InfluxDB, and OpenSearch, to application and database servers, are built on FreeBSD and ZFS.”
Eirik Øverby, Director of Technology Operations, Entersekt
What ZFS Enables in Entersekt’s Environment
Immutable snapshots for operational safety
Every deployment triggers automated snapshots, enabling rapid rollback and detailed change inspection.
End-to-end data integrity
ZFS’s integrity model and self-healing capabilities help ensure data consistency across long-lived systems.
Database replication and local snapshots
Multiple instances of each critical system maintain independent ZFS snapshots, eliminating the need for a dedicated backup platform.
Security monitoring and ransomware detection
Snapshot comparisons using zfs diff allow the team to quickly detect unexpected file changes.
Tiered encryption policies
Dataset-level encryption allows different protection requirements within the same storage pool.
Storage efficiency through compression
Database workloads achieve 3–4× compression, reducing the physical storage footprint from an estimated 3–4PB to about 1PB.
Working with Klara
Operating a production environment of this scope, with FreeBSD and ZFS across every layer of a financial technology stack, requires deep technical expertise and access to people who understand edge cases, failure modes, and performance characteristics. This is the reason Entersekt partnered with Klara. The relationship is collaborative and ongoing, covering everything from operational support to architectural evolution.
The strength of the partnership comes from Klara’s focus and time investment in gaining a deep understanding of Entersekt’s infrastructure. As a result, new questions can be addressed quickly and effectively.
“The desire Klara shows to understand precisely how we use ZFS and FreeBSD makes it easy to bring new questions to the table. After working with the team for several years, there is a strong sense of familiarity and continuity in our relationship.”
The Impact
Operational Confidence in a Security-Critical Environment
For Entersekt, the most important outcome of this partnership is operational confidence.
“The main benefit is the peace of mind of having the world's foremost experts on ZFS and FreeBSD available on short notice — whether in a crisis situation or during planning, bug hunting or other situations.”
Beyond troubleshooting, the collaboration also strengthens internal expertise.
“Plus of course the fact that every time we interact, we learn things that we can put to use in a variety of situations.”
Reduced Infrastructure Requirements and Avoided Infrastructure Costs
Entersekt operates at a scale where storage efficiency directly impacts infrastructure spend. By leveraging ZFS compression, they are able to significantly reduce the amount of storage required for large production datasets.
In a comparable scenario, a database requiring over 3 petabytes of raw storage can be reduced to approximately 600 terabytes using a 3.5:1 compression ratio.
After accounting for parity, spares, and real-world overhead in a dual-parity NVMe array, this results in requiring approximately 1 petabyte of flash instead of 3+ petabytes.
- Approximately 2 petabytes of NVMe storage saved
- $300K–$450K avoided per petabyte
- Infrastructure costs reduced by around $750K
In mirrored configurations, this increases to:
- $500K+ avoided per petabyte
- Up to ~$1M+ in avoided infrastructure costs from compression alone
This reduction in required infrastructure creates additional capacity for redundancy and future growth, while fundamentally changing how storage environments are sized and scaled.
Outcomes to Date
Instant Deployment Rollback
Every deployment snapshot-protected. Rollback in seconds.
3–4× Data Compression
~1 PB of storage doing the work of 3–4 PB.
No Backup Platform Required
Database replication and local snapshots replace dedicated backup entirely.
Dataset-Level Encryption
Independent key per dataset — same pool, different protection levels.
Full EU Data Sovereignty
On-premises. Customer-visitable. No exceptions.
Lessons for Security-Focused Organizations
- Sovereignty is a customer requirement, not just a preference
- Open source can replace entire infrastructure layers, not just supplement them
- Own your stack, own your audit trail
Entersekt’s experience demonstrates that open-source infrastructure can successfully power security- and performance-critical environments.
“The main lesson would be that it is entirely possible to run security- and performance-critical systems on your own hardware and infrastructure. ZFS replaces many technologies that would otherwise both be expensive and in breach with our policy of ‘Open Source Only.’”
For infrastructure teams evaluating how to build sovereign, auditable, long-lived systems, Entersekt's fifteen-year production deployment provides a practical and well-tested example of how open-source technologies can support both operational control and long-term architectural stability.
