Data center with data encryption and method for operating data center

US 10,515,022 B2
Filed: 12/29/2017
Issued: 12/24/2019
Est. Priority Date: 05/04/2017
Status: Active Grant

First Claim

Patent Images

1. A data center, comprising:

at least one data storage device each having a non-volatile memory and a controller chip, wherein each controller chip has an encryption and decryption circuit module; and

a host, operating the non-volatile memory via the controller chip; and

an encryption and decryption key space storing a key for the encryption and decryption circuit module to perform data encryption and decryption, which is isolated from the data storage device and the host by default so that a user who does not pass identity authentication is unable to operate the encryption and decryption circuit module through the host to decrypt data of the non-volatile memory,wherein the key is generated by the host via an encryption and decryption application or is a user input prompted by the encryption and decryption application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A high-security data center, having at least one data storage device, a host and an encryption and decryption key space. Each data storage device has a non-volatile memory and a controller chip. The controller chip includes an encryption and decryption module. The host machine operates the non-volatile memory via the controller chip. The encryption and decryption key space stores a key for the encryption and decryption module to perform data encryption and decryption. The encryption and decryption key space is isolated from the data storage device and the host machine by default so that a user who does not pass identity authentication is unable to operate the encryption and decryption module through the host to decrypt data of the non-volatile memory.

14 Citations

18 Claims

1. A data center, comprising:
- at least one data storage device each having a non-volatile memory and a controller chip, wherein each controller chip has an encryption and decryption circuit module; and
  
  a host, operating the non-volatile memory via the controller chip; and
  
  an encryption and decryption key space storing a key for the encryption and decryption circuit module to perform data encryption and decryption, which is isolated from the data storage device and the host by default so that a user who does not pass identity authentication is unable to operate the encryption and decryption circuit module through the host to decrypt data of the non-volatile memory,wherein the key is generated by the host via an encryption and decryption application or is a user input prompted by the encryption and decryption application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The data center as claimed in claim 1, wherein:
    - the encryption and decryption key space is disconnected from the host after the key is stored in the encryption and decryption key space and, when the identity authentication succeeds, the encryption and decryption key space is reconnected to the host.
  - 3. The data center as claimed in claim 2, wherein:
    - the encryption and decryption circuit module is driven by the host through vendor unique commands.
  - 4. The data center as claimed in claim 3, wherein:
    - the host calls the vendor unique commands by executing the encryption and decryption application.
  - 5. The data center as claimed in claim 4, wherein:
    - when determining that user data is confidential data, the host calls the vendor unique commands via the encryption and decryption application to drive the encryption and decryption circuit module to use the key to encrypt and store the confidential data in the non-volatile memory; and
      
      a particular logical block address is allocated to manage the confidential data.
  - 6. The data center as claimed in claim 5, wherein:
    - after storing the key in the encryption and decryption key space, the host removes the key from the host and the data storage device via the encryption and decryption application.
  - 7. The data center as claimed in claim 6, wherein:
    - when receiving a read request for reading the particular logical block address, the host calls for the identity authentication via the encryption and decryption application.
  - 8. The data center as claimed in claim 7, wherein:
    - when the identity authentication succeeds and the encryption and decryption key space is reconnected to the host, the host calls the vendor unique commands via the encryption and decryption application to drive the encryption and decryption circuit module to use the key to decrypt the data of the non-volatile memory to respond to the read request.
  - 9. The data center as claimed in claim 8, wherein:
    - after the encryption and decryption circuit module finishes data decryption, the host removes the key from the host and the data storage device via the encryption and decryption application.

10. A method for operating a data center, comprising:
- providing at least one data storage device in the data center, wherein each data storage device has a non-volatile memory and a controller chip, and each controller chip has an encryption and decryption circuit module;
  
  using a host of the data center to operate the non-volatile memory via the controller chip;
  
  providing an encryption and decryption key space storing a key for the encryption and decryption circuit module to perform data encryption and decryption; and
  
  using the host to generate the key via an encryption and decryption application or executing the encryption and decryption application to prompt a user input as the key,wherein the encryption and decryption key space is isolated from the data storage device and the host by default so that a user who does not pass identity authentication is unable to operate the encryption and decryption circuit module through the host to decrypt data of the non-volatile memory.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method as claimed in claim 10, wherein:
    - the encryption and decryption key space is disconnected from the host after the key is stored in the encryption and decryption key space and, when the identity authentication succeeds, the encryption and decryption key space is reconnected to the host.
  - 12. The method as claimed in claim 11, further comprising:
    - using the host to drive the encryption and decryption circuit module through vendor unique commands.
  - 13. The method as claimed in claim 12, further comprising:
    - using the host to call the vendor unique commands by executing the encryption and decryption application.
  - 14. The method as claimed in claim 13, further comprising:
    - when the host determines that user data is confidential data, using the host to call the vendor unique commands via the encryption and decryption application to drive the encryption and decryption circuit module to use the key to encrypt and store the confidential data in the non-volatile memory; and
      
      allocating a particular logical block address to manage the confidential data.
  - 15. The method as claimed in claim 14, further comprising:
    - after storing the key in the encryption and decryption key space, using the host to remove the key from the host and the data storage device via the encryption and decryption application.
  - 16. The method as claimed in claim 15, further comprising:
    - when receiving a read request for reading the particular logical block address, using the host to call for the identity authentication via the encryption and decryption application.
  - 17. The method as claimed in claim 16, further comprising:
    - when the identity authentication succeeds and the encryption and decryption key space is reconnected to the host, using the host to call the vendor unique commands via the encryption and decryption application to drive the encryption and decryption circuit module to use the key to decrypt the data of the non-volatile memory to respond to the read request.
  - 18. The method as claimed in claim 17, further comprising:
    - after the encryption and decryption circuit module finishes data decryption, using the host to remove the key from the host and the data storage device via the encryption and decryption application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Silicon Motion Incorporated California (Silicon Motion)
Original Assignee
Silicon Motion Incorporated California (Silicon Motion)
Inventors
Lin, Ting-Kuan
Primary Examiner(s)
Shayanfar, Ali

Application Number

US15/858,087
Publication Number

US 20180322068A1
Time in Patent Office

725 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 21/10   Protecting distributed prog...

G06F 21/31   User authentication

G06F 21/6218   to a system of files or obj...

H04L 9/0897   involving additional device...

Data center with data encryption and method for operating data center

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

14 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Data center with data encryption and method for operating data center

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links