Removable circuit for unlocking self-encrypting data storage devices
Abstract
Security of data storage devices and servers can be improved by the system and methods described herein. In some embodiments, a key management device of a server can be a locally (or virtually) located data storage device such as an HDD or SSD. The key management device may be part of a server system and can have a secure area protected by a cryptographic module (e.g., a hardware integrated circuit). The secure area can store a certificate needed to authenticate another data storage device coupled to the server. A second server may authenticate the certificate and provide the access key to the other data storage device.
17 Claims
1. An apparatus comprising:
- a key data storage device (“DSD”) configured to:
  - connect to be removable from a first server;
  - load an operating system stored locally in the key DSD into the memory of the first server, the operating system configured to:
    - transmit, from the first server to a second server, a request for a key corresponding to an encrypted DSD, the request including an authentication certificate;
    - receive the key from the second server;
    - unlock a secure storage area of the encrypted DSD with the key;
    - determine if there is an unregistered DSD coupled to the first server, where an unregistered DSD is another DSD that does not have a corresponding key stored in the second server;
    - obtain a unique identifier from the unregistered DSD;
    - provide the unique identifier and a request for another corresponding key to the second server;
    - receive the other corresponding key from the second server; and
    - lock the unregistered DSD with the other corresponding key.

Dependent claims: 2, 3, 4, 5, 6
7. A system comprising:
- a key data storage device (“DSD”) configured to be connectable and removable from a first server, the key DSD including:
  - an interface circuit;
  - a secure nonvolatile data storage area;
  - a memory storing a key management operating system;
  - a controller configured to:
    - load the key management operating system into the memory of the first server, the key management operating system configured to:
      - access a hardware encryption circuit of the first server;
      - obtain access to the secure nonvolatile data storage area of the key DSD via the hardware encryption circuit;
      - retrieve an authentication certificate from the secure nonvolatile data storage area when access is granted to the key management operating system;
      - transmit, from the first server to a second server, a request for a key corresponding to an encrypted DSD connected to the first server, the request including the authentication certificate;
      - receive the key from the second server; and
      - unlock the encrypted DSD with the key; and
  - a drive information table stored within the secure nonvolatile data storage area, the drive information table identifying whether encrypted data storage devices connected to the first server have keys registered with the second server.

Dependent claims: 8, 9, 10, 11, 12, 13, 14, 15
16. A memory device storing instructions that when executed cause a processor to perform a method comprising:
- accessing a hardware encryption circuit of a first server;
- obtaining access to a secure nonvolatile data storage area of a first data storage device via the hardware encryption circuit;
- retrieving an authentication certificate from the secure nonvolatile data storage area when access is granted;
- transmitting, from the first server to a second server, a request for a key corresponding to a second data storage device connected to the first server, the request including the authentication certificate;
- receiving the key from the second server; and
- unlocking the second data storage device with the key; and
- the method further including implementing an automatic registration mode when a data storage device is detected that does not have a key registered with the second server.

Dependent claims: 17
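
The flow recited in claims 1, 7 and 16 (certificate-authenticated key request, unlock, and automatic registration of an unregistered drive), as an added Python illustration that is not code from the patent. Every class and function name is an assumption, and certificate validation is reduced to a set-membership check standing in for real chain verification.

```python
import hmac
import secrets

class KeyServer:
    """Stand-in for the 'second server': holds per-drive keys, checks the certificate."""
    def __init__(self, trusted_certs):
        self.trusted = set(trusted_certs)   # assumption: cert check is set membership
        self.keys = {}                      # drive unique identifier -> key

    def _authenticate(self, cert):
        if cert not in self.trusted:
            raise PermissionError("certificate rejected")

    def request_key(self, cert, drive_id):
        self._authenticate(cert)
        return self.keys.get(drive_id)      # None means no key is registered

    def register(self, cert, drive_id):
        self._authenticate(cert)
        if drive_id in self.keys:
            raise ValueError("drive already registered")
        self.keys[drive_id] = secrets.token_bytes(32)
        return self.keys[drive_id]

class EncryptedDSD:
    """Toy self-encrypting drive: stays locked until the matching key is presented."""
    def __init__(self, drive_id, key=None):
        self.drive_id, self._key, self.locked = drive_id, key, key is not None

    def unlock(self, key):
        if self._key is not None and hmac.compare_digest(self._key, key):
            self.locked = False
        return not self.locked

    def lock_with(self, key):
        self._key, self.locked = key, True  # drive now requires the server-held key

def key_management_boot(cert, drives, server):
    """Flow run by the key management OS; returns a drive information table."""
    table = {}
    for d in drives:
        key = server.request_key(cert, d.drive_id)
        if key is None:                     # unregistered DSD: automatic registration
            d.lock_with(server.register(cert, d.drive_id))
            table[d.drive_id] = "registered-now"
        else:
            table[d.drive_id] = "unlocked" if d.unlock(key) else "unlock-failed"
    return table
```

A request carrying a certificate the key server does not trust raises `PermissionError` before any key is looked up or created, so a key DSD moved to an unauthorized host yields neither unlocks nor registrations.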
Specification