Systems and methods for unlocking self-encrypting data storage devices

US 10,460,110 B1
Filed: 02/17/2017
Issued: 10/29/2019
Est. Priority Date: 02/17/2017
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a data storage device configured to;

removably connect to a first server having a first operating system configured to perform native operating system functions of the first server;

load a second operating system stored locally in the data storage device into the memory of the first server, the second operating system configured to execute security functions of the data storage device, including;

unlocking a first secure area of the data storage device;

retrieving a first access key from the first secure area;

unlocking a second secure area of the data storage device with the first access key;

determining a second access key based on information stored to the second secure area; and

unlocking a secure storage area of another data storage device with the second access key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Security of computers, data storage devices, and servers can be improved with a multiple key access system. In some embodiments, a local key management device can be a locally (or virtually) located data storage device such as a HDD or SDD. The key management device may be part of a computer or server system and can have a first secure area protected by a cryptographic module (e.g. hardware integrated circuit). The first secure area can store a key to access a second secure area, which may function as a local key management server (LKMS) and store access information to authenticate another data storage device coupled to the computer. For example, the LKMS may store an access key to provide the computer with access to another data storage device.

35 Citations

View as Search Results

20 Claims

1. An apparatus comprising:
- a data storage device configured to;
  
  removably connect to a first server having a first operating system configured to perform native operating system functions of the first server;
  
  load a second operating system stored locally in the data storage device into the memory of the first server, the second operating system configured to execute security functions of the data storage device, including;
  
  unlocking a first secure area of the data storage device;
  
  retrieving a first access key from the first secure area;
  
  unlocking a second secure area of the data storage device with the first access key;
  
  determining a second access key based on information stored to the second secure area; and
  
  unlocking a secure storage area of another data storage device with the second access key.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1 further comprising:
    - the second operating system configured to;
      
      retrieve a drive information table (DIT) from the first secure area;
      
      determine a unique identifier corresponding to the DSD; and
      
      request the second access key based on the unique identifier.
  - 3. The apparatus of claim 2 further comprising:
    - the data storage device configured to;
      
      connect to be removable from the first server by a physical and electrical connection to the first server which allows the data storage device to be removed from the first server without physically modifying the first server.
  - 4. The apparatus of claim 1 further comprising:
    - the second operating system configured to;
      
      access an encrypted hardware module of the first server;
      
      obtain access to the first secure area of the data storage device via the encrypted hardware module; and
      
      retrieve the first key from the first secure area when access is granted to the operating system.
  - 5. The apparatus of claim 1 further comprising:
    - the second operating system configured to;
      
      determine if there is an unregistered DSD coupled to the first server, where an unregistered DSD is a DSD that does not have a corresponding key stored in the second server;
      
      obtain a unique identifier from the unregistered DSD;
      
      generate an encryption key based on the unique identifier;
      
      lock the unregistered DSD with the encryption key; and
      
      store the encryption key in the second secure area.
  - 6. The apparatus of claim 1 further comprising:
    - the second operating system configured to;
      
      determine if there is a registered DSD to be unregistered coupled to the first server;
      
      obtain a unique identifier from the registered DSD to be unregistered;
      
      retrieve an encryption key from the second secure area based on the unique identifier;
      
      unlock the registered DSD to be unregistered with the encryption key;
      
      erase the unregistered DSD; and
      
      delete the unique identifier and the encryption key from the second secure area.
  - 7. The apparatus of claim 1 further comprising:
    - the second operating system configured to;
      
      determine if there is a DSD registration to modify corresponding to a DSD coupled to the first server;
      
      obtain a unique identifier from the DSD;
      
      retrieve an encryption key from the second secure area based on the unique identifier;
      
      unlock the DSD with the encryption key;
      
      generate a different encryption key associated with the unique identifier;
      
      lock the DSD with the different encryption key; and
      
      store the different encryption key in the second secure area.

8. A system comprising:
- a first data storage device configured to be connectable and removable from a first server having a first operating system, the first data storage device including;
  
  an interface circuit;
  
  a first secure nonvolatile data storage area;
  
  a second secure nonvolatile data storage area;
  
  a memory storing a second operating system configured to perform key management functions for the first data storage device;
  
  a controller configured to;
  
  load the second operating system into the memory of the first server, the second operating system configured to;
  
  access a hardware encryption circuit of the first server;
  
  obtain access to the first secure nonvolatile data storage area via the hardware encryption circuit;
  
  retrieve a first access key from the first secure nonvolatile data storage area when access is granted to the second operating system;
  
  obtain access to the second secure nonvolatile data storage area via the first access key;
  
  determine a second access key based on information stored to the second secure nonvolatile data storage area; and
  
  unlock, via the second access key, an encrypted second data storage device (“
  
  DSD”
  
  ) connected to the first server.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 9. The system of claim 8 further comprising:
    - the system includes the first server coupled to the data storage device;
      
      the hardware encryption circuit includes a cryptographic integrated circuit within the first server that is not within the data storage device;
      
      an array of encrypted data storage devices within the first server;
      
      a drive information table stored within the secure nonvolatile data storage area, the drive information table identifying whether the encrypted data storage devices have keys registered with the second server; and
      
      a memory within the first server storing the first operating system configured to operate the first server, the first operating system different than the second operating system.
  - 10. The system of claim 9 further comprising each encrypted data storage device includes a setting to activate a lock-on-power-cycle feature which forces a drive to become locked if there is an unexpected power event.
  - 11. The system of claim 8 further comprising a drive information table stored within the secure nonvolatile data storage area, the drive information table identifying whether encrypted data storage devices connected to the first server have keys registered with the second server.
  - 12. The system of claim 8 further comprising:
    - the second operating system configured to;
      
      determine if the data storage device has been unlocked; and
      
      provide an error indicator when the data storage device has not been unlocked.
  - 13. The system of claim 8 further comprising:
    - a server that includes;
      
      the first data storage device and the second data storage device; and
      
      an encrypted hardware module configured to manage secure access to the first secure nonvolatile data storage area.
  - 14. The system of claim 8 further comprising:
    - the second operating system configured to;
      
      implement an automatic drive registration mode whereby each drive connected to the first server that is not registered and does not have a corresponding authentication certificate and key at the second server is automatically determined;
      
      automatically initiate registration of any unregistered drives;
      
      generate a key corresponding to each unregistered drive;
      
      lock each drive with each drive'"'"'s corresponding key received from the second server;
      
      update the drive information table to indicate each locked drive is registered; and
      
      store each drive'"'"'s corresponding key in the second secure nonvolatile data storage.
  - 15. The system of claim 14 further comprising:
    - the second operating system configured to;
      
      implement a manual drive registration mode whereby a user can submit a command to the second operating system to have a drive that is not registered manually registered.
  - 16. The system of claim 8 further comprising:
    - the management device is configured to be connected and removed from the first server while the first server is powered on.
  - 17. The system of claim 8 further comprising:
    - the management device is located outside of the first server; and
      
      the management device is physically connected and disconnected from the first server via an external interface without physically modifying the first server.

18. A memory device storing instructions that when executed cause a processor to perform a method comprising:
- accessing a hardware encryption circuit of a first computer;
  
  obtaining access to a first secure nonvolatile data storage area of a first data storage device via the hardware encryption circuit;
  
  retrieving a first key from the first secure nonvolatile data storage area when access is granted;
  
  utilizing the first key to access a second secure nonvolatile data storage area;
  
  determining a second key from information stored in the second secure nonvolatile data storage area; and
  
  unlocking, via the second key, a second data storage device coupled to the first computer.
- View Dependent Claims (19, 20)
- - 19. The memory device of claim 18 further comprising the method including retrieving a drive information table stored within the first secure nonvolatile data storage area, the drive information table identifying whether data storage devices are registered and have a corresponding encryption access key.
  - 20. The memory device of claim 18 further comprising the method including implementing an automatic registration mode when a data storage device is detected that does not have a key registered in the second secure nonvolatile data storage area.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Seagate Technology LLC (Seagate Technology Holdings Plc)
Original Assignee
Seagate Technology LLC (Seagate Technology Holdings Plc)
Inventors
Allo, Christopher Nicholas, Sternberg, Kevin Gautam, Biswas, Saheb
Primary Examiner(s)
Getachew, Abiy

Application Number

US15/436,712
Time in Patent Office

984 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/575   Secure boot

G06F 21/79   in semiconductor storage me...

G06F 21/80   in storage media based on m...

G06F 2221/034   Test or assess a computer o...

G06F 3/0622   in relation to access

G06F 3/0659   Command handling arrangemen...

G06F 3/067   Distributed or networked st...

G06F 9/4406   Loading of operating system

H04L 9/0866   involving user or device id...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

Systems and methods for unlocking self-encrypting data storage devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

35 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for unlocking self-encrypting data storage devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links