Local key management for storage devices
First Claim
1. A method in an information handling system (IHS) for local key management of storage enclosures, the method comprising:
retrieving a first security content from a security vault of a service processor;
dynamically detecting an interface, from among a backplane controller interface and a host bus adapter interface, communicatively coupled to the service processor;
dynamically detecting a data storage device communicatively coupled to the detected interface;
in response to detecting the data storage device, determining whether the data storage device is a self-encrypting capable data storage device, wherein the data storage device can be one of a self-encrypting capable data storage device and a non-self-encrypting data storage device;
in response to the data storage device not being a self-encrypting capable data storage device, enabling transmission of only non-encrypted data to and from the data storage device;
in response to the data storage device being a self-encrypting capable data storage device, retrieving a second security content;
validating an association between the first security content and the second security content;
in response to validating the association between the first security content and the second security content, transmitting one or more security keys to the data storage device via the detected one of the backplane controller interface and the host bus adapter interface; and
enabling access to the data storage device.
Abstract
A method and system provide local key management for storage enclosures. The method includes retrieving first security content from a security vault of a service processor, then dynamically detecting a hardware interface communicatively coupled to the service processor. A data storage device, communicatively coupled to the hardware interface is dynamically detected. A dynamic determination is made as to whether the data storage device is a self-encrypting capable data storage device. In response to the data storage device being a self-encrypting capable data storage device, a second security content is retrieved from the data storage device, and a validation regarding an association between the first security content and the second security content is made. Finally, in response to a positive validation of the association between the first security content and the second security content, security keys are transmitted to the data storage device, and access to the data storage device is enabled.
18 Claims
1. A method in an information handling system (IHS) for local key management of storage enclosures, the method comprising the steps set out under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. An information handling system (IHS) comprising:
a processor;
a service processor;
a controller, communicatively coupled to a first device interface, including a first terminal for coupling to a data storage device and for transmitting one or more security keys to the data storage device; and
a memory system communicatively coupled to the service processor and having thereon a security manager module that executes on the controller and configures the controller to:
retrieve a first security content from a security vault of the service processor;
dynamically detect one of a backplane controller interface and a host bus adapter interface communicatively coupled to the service processor;
dynamically detect a data storage device communicatively coupled to one of the backplane controller interface and host bus adapter interface;
in response to detection of the data storage device, dynamically determine whether the data storage device is a self-encrypting capable data storage device, wherein the data storage device can be one of a self-encrypting capable data storage device and a non-self-encrypting capable data storage device;
in response to the data storage device not being a self-encrypting capable data storage device, prevent an exchange of self-encrypting data;
in response to the data storage device being a self-encrypting capable data storage device, retrieve a second security content;
validate an association between the first security content and the second security content;
in response to validating the association between the first security content and the second security content, transmit one or more security keys to the data storage device via one of the backplane controller interface and the host bus adapter interface; and
enable access to the data storage device.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.
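The key-release flow that the abstract and claims 1 and 10 describe (retrieve vault content, detect interface and device, check self-encrypting capability, validate the association, then transmit keys), modelled as an added Python example that is not the patent's own implementation. The vault secret, the use of an HMAC tag over the device serial as the "second security content", and the per-device unlock-key derivation are assumptions made for illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Device:
    serial: str
    sed_capable: bool
    second_content: Optional[bytes] = None  # tag the device presents; None for non-SED drives
    unlocked_with: Optional[bytes] = None   # key released by the service processor, if any
    plaintext_only: bool = False            # non-SED: only non-encrypted data is exchanged

@dataclass
class Interface:
    kind: str                               # "backplane" or "hba" are the detectable kinds
    devices: List[Device] = field(default_factory=list)

def provision_tag(vault_secret: bytes, serial: str) -> bytes:
    """Assumed model of 'second security content': HMAC binding the drive to the enclosure secret."""
    return hmac.new(vault_secret, b"assoc:" + serial.encode(), hashlib.sha256).digest()

def derive_unlock_key(vault_secret: bytes, serial: str) -> bytes:
    """Assumed per-device key, derived from the vault secret only after validation succeeds."""
    return hmac.new(vault_secret, b"unlock:" + serial.encode(), hashlib.sha256).digest()

def manage_keys(vault_secret: bytes, interfaces: List[Interface]) -> Dict[str, Tuple[str, str]]:
    """Run the claimed flow; returns {serial: (outcome, interface kind)} for every detected drive."""
    results: Dict[str, Tuple[str, str]] = {}
    for iface in interfaces:                          # dynamically detected interfaces
        if iface.kind not in ("backplane", "hba"):    # only the two claimed interface types
            continue
        for dev in iface.devices:                     # dynamically detected devices
            if not dev.sed_capable:                   # non-SED: no keys, non-encrypted data only
                dev.plaintext_only = True
                results[dev.serial] = ("plaintext_only", iface.kind)
                continue
            expected = provision_tag(vault_secret, dev.serial)   # first vs. second content
            if dev.second_content is None or not hmac.compare_digest(expected, dev.second_content):
                results[dev.serial] = ("rejected", iface.kind)   # association not validated
                continue
            dev.unlocked_with = derive_unlock_key(vault_secret, dev.serial)  # transmit key, enable access
            results[dev.serial] = ("unlocked", iface.kind)
    return results

VAULT_SECRET = hashlib.sha256(b"constructed-enclosure-secret").digest()  # constructed sample

def demo() -> Dict[str, Tuple[str, str]]:
    good = Device("SN-0001", True, provision_tag(VAULT_SECRET, "SN-0001"))
    foreign = Device("SN-0002", True, provision_tag(b"other-enclosure", "SN-0002"))  # wrong vault
    plain = Device("SN-0003", False)
    return manage_keys(VAULT_SECRET, [Interface("backplane", [good, foreign]), Interface("hba", [plain])])
```

The drive provisioned against a different enclosure secret is rejected and never receives a key, while the non-SED drive is left in plaintext-only mode.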
Specification