Removable circuit for unlocking self-encrypting data storage devices

US 10,382,201 B1
Filed: 07/20/2016
Issued: 08/13/2019
Est. Priority Date: 09/22/2015
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a key data storage device (“

DSD”

) configured to;

connect to be removable from a first server;

load an operating system stored locally in the key DSD into the memory of the first server, the operating system configured to;

transmit, from the first server to a second server, a request for a key corresponding to an encrypted DSD, the request including an authentication certificate;

receive the key from the second server;

unlock a secure storage area of the encrypted DSD with the key;

determine if there is an unregistered DSD coupled to the first server, where an unregistered DSD is another DSD that does not have a corresponding key stored in the second server;

obtain a unique identifier from the unregistered DSD;

provide the unique identifier and a request for another corresponding key to the second server;

receive the other corresponding key from the second server; and

lock the unregistered DSD with the other corresponding key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Security of data storage devices and servers can be improved by the system and methods described herein. In some embodiments, a key management device of a server can be a locally (or virtually) located data storage device such as a HDD or SDD. The key management device may be part of a server system and can have a secure area protected by a cryptographic module (e.g. hardware integrated circuit). The secure area can store a certificate needed to authenticate another data storage device coupled to the server. A second server may authenticate the certificate and provide the access key to the another data storage device.

Citations

17 Claims

1. An apparatus comprising:
- a key data storage device (“
  
  DSD”
  
  ) configured to;
  
  connect to be removable from a first server;
  
  load an operating system stored locally in the key DSD into the memory of the first server, the operating system configured to;
  
  transmit, from the first server to a second server, a request for a key corresponding to an encrypted DSD, the request including an authentication certificate;
  
  receive the key from the second server;
  
  unlock a secure storage area of the encrypted DSD with the key;
  
  determine if there is an unregistered DSD coupled to the first server, where an unregistered DSD is another DSD that does not have a corresponding key stored in the second server;
  
  obtain a unique identifier from the unregistered DSD;
  
  provide the unique identifier and a request for another corresponding key to the second server;
  
  receive the other corresponding key from the second server; and
  
  lock the unregistered DSD with the other corresponding key.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The apparatus of claim 1 further comprising:
    - the operating system configured to;
      
      determine a unique identifier corresponding to the encrypted DSD;
      
      provide the unique identifier and the request for the key corresponding to the encrypted DSD to the second server; and
      
      receive the key from the second server and provide the key to the encrypted DSD to unlock the encrypted DSD.
  - 3. The apparatus of claim 2 further comprising:
    - the key DSD configured to;
      
      connect to be removable from the first server by a physical and electrical connection to the first server which allows the key DSD to be removed from the first server without physically modifying the first server.
  - 4. The apparatus of claim 1 further comprising:
    - the operating system configured to;
      
      access an encrypted hardware module of the first server;
      
      obtain access to a secure data storage area of the key DSD via the encrypted hardware module; and
      
      retrieve the authentication certificate from the secure data storage area when access is granted to the operating system.
  - 5. The apparatus of claim 1 further comprising:
    - the operating system configured to;
      
      determine if there is a registered DSD to be unregistered coupled to the first server;
      
      obtain another unique identifier from the registered DSD to be unregistered;
      
      provide the other unique identifier and a request for a third key to the second server;
      
      receive the third key from the second server;
      
      unlock the registered DSD to be unregistered with the third key to unregister the registered DSD;
      
      erase the unregistered DSD; and
      
      transmit a command to the second server to remove the other unique identifier and the third key from the second server.
  - 6. The apparatus of claim 1 further comprising:
    - the operating system configured to;
      
      determine if there is a DSD registration to modify corresponding to a another DSD coupled to the first server;
      
      obtain another unique identifier from the other DSD;
      
      provide the other unique identifier and a request for a third key to the second server;
      
      receive the third key from the second server;
      
      unlock the other DSD with the third key;
      
      provide the other unique identifier and a request for a fourth key to the second server;
      
      receive the fourth key from the second server; and
      
      lock the other DSD with the fourth key.

7. A system comprising:
- a key data storage device (“
  
  DSD”
  
  ) configured to be connectable and removable from a first server, the key DSD including;
  
  an interface circuit;
  
  a secure nonvolatile data storage area;
  
  a memory storing a key management operating system;
  
  a controller configured to;
  
  load the key management operating system into the memory of the first server, the key management operating system configured to;
  
  access a hardware encryption circuit of the first server;
  
  obtain access to the secure nonvolatile data storage area of the key DSD via the hardware encryption circuit;
  
  retrieve an authentication certificate from the secure nonvolatile data storage area when access is granted to the key management operating system;
  
  transmit, from the first server to a second server, a request for a key corresponding to an encrypted DSD connected to the first server, the request including the authentication certificate;
  
  receive the key from the second server; and
  
  unlock the encrypted DSD with the key; and
  
  a drive information table stored within the secure nonvolatile data storage area, the drive information table identifying whether encrypted data storage devices connected to the first server have keys registered with the second server.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The system of claim 7 further comprising:
    - the system includes the first server coupled to the key DSD;
      
      the hardware encryption circuit includes a cryptographic integrated circuit within the first server that is not within the key DSD;
      
      an array of encrypted data storage devices within the first server; and
      
      a memory within the first server storing a native operating system configured to operate the first server, the native operating system different than the key management operating system.
  - 9. The system of claim 8 further comprising each encrypted data storage device of the array of encrypted data storage devices includes a setting to activate a lock-on-power-cycle feature which forces a drive to become locked if there is an unexpected power event.
  - 10. The system of claim 7 further comprising:
    - the operating system configured to;
      
      determine if the encrypted DSD has been unlocked; and
      
      provide an error indicator when the encrypted DSD has not been unlocked.
  - 11. The system of claim 7 further comprising the operating system configured to establish a secure communication channel between the first server and the second server.
  - 12. The system of claim 7 further comprising:
    - the operating system configured to;
      
      implement an automatic drive registration mode whereby each unregistered encrypted data storage device connected to the first server that is not registered and does not have a corresponding authentication certificate and key at the second server is automatically determined;
      
      automatically send a request to the second server to register any unregistered encrypted data storage devices;
      
      receive a key from the second server corresponding to each unregistered encrypted data storage device;
      
      lock each unregistered encrypted data storage device with each unregistered encrypted data storage device'"'"'s corresponding key received from the second server; and
      
      update the drive information table to indicate each locked encrypted data storage device is registered.
  - 13. The system of claim 7 further comprising:
    - the operating system configured to;
      
      implement a manual drive registration mode whereby a user can submit a command to the operating system to have an unregistered encrypted data storage device that is not registered and does not have a corresponding authentication certificate and key at the second server manually registered.
  - 14. The system of claim 7 further comprising:
    - the key DSD is configured to be connected and removed from the first server while the first server is powered on.
  - 15. The system of claim 7 further comprising:
    - the key DSD is located outside of the first server; and
      
      the key DSD is physically connected and disconnected from the first server via an external interface without physically modifying the first server.

16. A memory device storing instructions that when executed cause a processor to perform a method comprising:
- accessing a hardware encryption circuit of a first server;
  
  obtaining access to a secure nonvolatile data storage area of a first data storage device via the hardware encryption circuit;
  
  retrieving an authentication certificate from the secure nonvolatile data storage area when access is granted;
  
  transmitting, from the first server to a second server, a request for a key corresponding to a second data storage device connected to the first server, the request including the authentication certificate;
  
  receiving the key from the second server; and
  
  unlocking the second data storage device with the key; and
  
  the method further including implementing an automatic registration mode when a data storage device is detected that does not have a key registered with the second server.
- View Dependent Claims (17)
- - 17. The memory device of claim 16 further comprising the method including retrieving a drive information table stored within the secure nonvolatile data storage area, the drive information table identifying whether data storage devices have keys registered with the second server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Seagate Technology LLC (Seagate Technology Holdings Plc)
Original Assignee
Seagate Technology LLC (Seagate Technology Holdings Plc)
Inventors
Allo, Christopher Nicholas, Biswas, Saheb, Sternberg, Kevin Gautam
Primary Examiner(s)
Simitoski, Michael

Application Number

US15/214,965
Time in Patent Office

1,119 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/575   Secure boot

G06F 21/80   in storage media based on m...

G06F 9/4406   Loading of operating system

H04L 2209/24   Key scheduling, i.e. genera...

H04L 63/06   for supporting key manageme...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 9/0897   involving additional device...

H04L 9/3263   involving certificates, e.g...

Removable circuit for unlocking self-encrypting data storage devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Removable circuit for unlocking self-encrypting data storage devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links