Local key management for storage devices

US 10,255,201 B2
Filed: 05/18/2016
Issued: 04/09/2019
Est. Priority Date: 05/18/2016
Status: Active Grant

First Claim

Patent Images

1. A method in an information handling system (IHS) for local key management of storage enclosures, the method comprising:

retrieving a first security content from a security vault of a service processor;

dynamically detecting an interface, from among a backplane controller interface and a host bus adapter interface, communicatively coupled to the service processor;

dynamically detecting a data storage device communicatively coupled to the detected interface;

in response to detecting the data storage device, determining whether the data storage device is a self-encrypting capable data storage device, wherein the data storage device can be one of a self-encrypting capable data storage device and a non-self-encrypting data storage device;

in response to the data storage device not being a self-encrypting capable data storage device, enabling transmission of only non-encrypted data to and from the data storage device;

in response to the data storage device being a self-encrypting capable data storage device, retrieving a second security content;

validating an association between the first security content and the second security content;

in response to validating the association between the first security content and the second security content;

transmitting one or more security keys to the data storage device via the detected one of the backplane controller interface and the host bus adapter interface; and

enabling access to the data storage device.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system provide local key management for storage enclosures. The method includes retrieving first security content from a security vault of a service processor, then dynamically detecting a hardware interface communicatively coupled to the service processor. A data storage device, communicatively coupled to the hardware interface is dynamically detected. A dynamic determination is made as to whether the data storage device is a self-encrypting capable data storage device. In response to the data storage device being a self-encrypting capable data storage device, a second security content is retrieved from the data storage device, and a validation regarding an association between the first security content and the second security content is made. Finally, in response to a positive validation of the association between the first security content and the second security content, security keys are transmitted to the data storage device, and access to the data storage device is enabled.

12 Citations

18 Claims

1. A method in an information handling system (IHS) for local key management of storage enclosures, the method comprising:
- retrieving a first security content from a security vault of a service processor;
  
  dynamically detecting an interface, from among a backplane controller interface and a host bus adapter interface, communicatively coupled to the service processor;
  
  dynamically detecting a data storage device communicatively coupled to the detected interface;
  
  in response to detecting the data storage device, determining whether the data storage device is a self-encrypting capable data storage device, wherein the data storage device can be one of a self-encrypting capable data storage device and a non-self-encrypting data storage device;
  
  in response to the data storage device not being a self-encrypting capable data storage device, enabling transmission of only non-encrypted data to and from the data storage device;
  
  in response to the data storage device being a self-encrypting capable data storage device, retrieving a second security content;
  
  validating an association between the first security content and the second security content;
  
  in response to validating the association between the first security content and the second security content;
  
  transmitting one or more security keys to the data storage device via the detected one of the backplane controller interface and the host bus adapter interface; and
  
  enabling access to the data storage device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - in response to detecting the backplane controller interface, storing the first security content in one or more storage registers, wherein the one or more storage registers are within a microcontroller communicatively coupled to the backplane controller interface.
  - 3. The method of claim 1, wherein retrieving the second security content further comprises:
    - in response to detecting the backplane controller interface, retrieving the second security content from the self-encrypting capable data storage device, wherein the backplane controller interface is a first general purpose input output (GPIO) interface, and wherein an interface associated with the self-encrypting capable data storage device is a next GPIO interface.
  - 4. The method of claim 3, further comprising:
    - in response to validating the association between the first security content and the second security content, transmitting the one or more security keys from the first GPIO interface to the next GPIO interface.
  - 5. The method of claim 1, wherein retrieving the second security content further comprises:
    - in response to detection of the host bus adapter interface, transmitting the second security content to an enclosure management module, wherein the enclosure management module is communicatively coupled to the self-encrypting capable data storage device.
  - 6. The method of claim 5, further comprising:
    - receiving, from the enclosure management module, one of a security content validation and a security content non-validation;
      
      in response to receiving a security content validation;
      
      transmitting one or more security keys from the host bus adapter interface to the enclosure management module; and
      
      enabling the enclosure management module to apply the one or more security keys to unlock the data storage device; and
      
      in response to receiving a security content non-validation, generating a query to assign a new security content to the data storage device.
  - 7. The method of claim 1, further comprising:
    - dynamically detecting an unsecure data storage device communicatively coupled to one of the backplane controller interface and the host bus adapter interface subsequent to the initialization of the service processor;
      
      in response to detection of the unsecure data storage device, receiving a request at the service processor to secure the unsecure data storage device; and
      
      in response to receipt of the request to secure the unsecure data storage device;
      
      generating a new first security content and a new second security content, wherein the new first security content is transmitted to the service processor, and the new second security content is transmitted to the unsecure data storage device; and
      
      securing the unsecure data storage device using the combination of the new first security content with the new second security content.
  - 8. The method of claim 7, wherein dynamically detecting the unsecure data storage device communicatively coupled to one of the backplane controller interface and the host bus adapter interface subsequent to the initialization of the service processor further comprises:
    - receiving a command to automatically secure the unsecure data storage device; and
      
      in response to receipt of the command to secure the unsecure data storage device, automatically generating a security key, wherein when the security key is generated the security key is automatically applied to secure the unsecure data storage device.
  - 9. The method of claim 1, further comprising:
    - in response to detection of the host bus adapter interface, enabling transmission, from the host bus adapter interface to the data storage device, of the first security content, second security content, and one or more associated security keys via serial attached small computer system interface and serial management protocol (SCSI/SMP).

10. An information handling system (IHS) comprising:
- a processor;
  
  a service processor;
  
  a controller, communicatively coupled to a first device interface, including a first terminal for coupling to a data storage device and for transmitting one or more security keys to the data storage device; and
  
  a memory system communicatively coupled to the service processor and having thereon a security manager module that executes on the controller and configures the controller to;
  
  retrieve a first security content from a security vault of the service processor;
  
  dynamically detect one of a backplane controller interface and a host bus adapter interface communicatively coupled to the service processor;
  
  dynamically detect a data storage device communicatively coupled to one of the backplane controller interface and host bus adapter interface;
  
  in response to detection of the data storage device, dynamically determine whether the data storage device is a self-encrypting capable data storage device, wherein the data storage device can be one of a self-encrypting capable data storage device and a non-self-encrypting capable data storage device;
  
  in response to the data storage device not being a self-encrypting capable data storage device, prevent an exchange of self-encrypting data;
  
  in response to the data storage device being a self-encrypting capable data storage device, retrieve a second security content;
  
  validate an association between the first security content and the second security content;
  
  in response to validating the association between the first security content and the second security content, transmit one or more security keys to the data storage device via one of the backplane controller interface and the host bus adapter interface; and
  
  enable access to the data storage device.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The IHS of claim 10, wherein the security manager module further enables the controller to:
    - in response to detection of the backplane controller interface, store the first security content in one or more storage registers, wherein the one or more storage registers are within a microcontroller communicatively coupled to the backplane controller interface.
  - 12. The IHS of claim 10, wherein to retrieve the second security content, the controller:
    - in response to detection of the backplane controller interface, retrieves the second security content from the self-encrypting capable data storage device, wherein the backplane controller interface is a first general purpose input output (GPIO) interface, and wherein an interface associated with the self-encrypting capable data storage device is a next GPIO interface.
  - 13. The IHS of claim 12, wherein the controller:
    - in response to a positive validation of the association between the first security content and the second security content, transmits the one or more security keys from the first GPIO interface to the next GPIO interface.
  - 14. The IHS of claim 10, wherein in response to the data storage device being a self-encrypting capable data storage device, following the controller retrieving the second security content, the controller further:
    - in response to detection of the host bus adapter interface, transmits the second security content to an enclosure management module, wherein the enclosure management module is communicatively coupled to the self-encrypting capable data storage device.
  - 15. The IHS of claim 14, wherein the security manager module further enables the controller to:
    - receive, from the enclosure management module, one of;
      
      a security content validation and a security content non-validation;
      
      in response to receipt of security content validation, transmit the one or more security keys from the host bus adapter interface to the enclosure management module;
      
      enable the enclosure management module to apply the one or more security keys to unlock the data storage device; and
      
      in response to receipt of a security content non-validation, generate a query to assign a new security content to the data storage device.
  - 16. The IHS of claim 10, wherein the security manager module further enables the controller to:
    - dynamically detect an unsecure data storage device communicatively coupled to one of the backplane controller interface and the host bus adapter interface subsequent to an initialization of the service processor;
      
      in response to detection of the unsecure data storage device, receive a request at the service processor to secure the unsecure data storage device;
      
      in response to receipt of a command to secure the unsecure data storage device, generate a new first security content and a new second security content, wherein the new first security content is transmitted to the service processor, and the new second security content is transmitted to the unsecure data storage device; and
      
      secure the unsecure data storage device using the combination of the new first security content with the new second security content.
  - 17. The IHS of claim 16, wherein dynamic detection of the unsecure data storage device communicatively coupled to one of the backplane controller interface and the host bus adapter interface subsequent to the initialization of the service processor further enables the controller to:
    - receive a command to automatically secure the unsecure data storage device;
      
      in response to receipt of the command to secure the unsecure data storage device, automatically generate a security key; and
      
      automatically apply the security key to secure the unsecure data storage device.
  - 18. The IHS of claim 10, wherein the controller:
    - in response to detection of the host bus adapter interface, enables transmission, from the host bus adapter interface to the data storage device, of the first security content, second security content, and the one or more security keys via serial attached small computer system interface and serial management protocol (SCSI/SMP).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dell Products LP (Dell Technologies Inc.)
Original Assignee
Dell Products LP (Dell Technologies Inc.)
Inventors
Ragupathi, Dinesh Kunnathur, Bisa, Rama Rao, Kumar, Pavan, Poluri, Syama Sundar, Dambal, Sanjeev S., Desai, Satyajit Dipakbhai, Mundt, Kevin Warren
Primary Examiner(s)
Gee, Jason K
Assistant Examiner(s)
Gao, Shu C

Application Number

US15/157,916
Publication Number

US 20170337140A1
Time in Patent Office

1,056 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 13/4282   on a serial bus, e.g. I2C b...

G06F 21/60   Protecting data

G06F 21/602   Providing cryptographic fac...

G06F 21/78   to assure secure storage of...

G06F 2212/1052   Security improvement

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 67/1097   for distributed storage of ...

Local key management for storage devices

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Local key management for storage devices

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links