Self-contained key management device

US 10,678,953 B1
Filed: 04/26/2017
Issued: 06/09/2020
Est. Priority Date: 04/26/2017
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a data storage device configured to;

connect to be removable from a first server;

load an unified extensible firmware interface (“

UEFI”

) basic input/output system (“

BIOS”

) stored locally in the data storage device into the memory of the first server and executed at the first server, the UEFI BIOS configured to;

unlock a first secure area of the data storage device;

retrieve a first access key from the first secure area;

unlock a second secure area of the data storage device with the first access key;

retrieve a second access key from the second secure area; and

unlock a secure storage area of another data storage device with the second access key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A local key management system can be implemented with a unified extensible firmware interface (“UEFI”) basic input/output system (“BIOS”). The local key management system may be part of a removable data storage device that has a first secure area protected by a cryptographic module (e.g. hardware integrated circuit). The removable data storage device may also have a second secure area that stores a key to unlock a security enabled data storage device. The UEFI BIOS may be implemented to manage unlocking of security enabled data storage devices or data bands. The UEFI BIOS may also load a UEFI registration shell to manage registration of one or more security enabled drives or bands.

Citations

10 Claims

1. An apparatus comprising:
- a data storage device configured to;
  
  connect to be removable from a first server;
  
  load an unified extensible firmware interface (“
  
  UEFI”
  
  ) basic input/output system (“
  
  BIOS”
  
  ) stored locally in the data storage device into the memory of the first server and executed at the first server, the UEFI BIOS configured to;
  
  unlock a first secure area of the data storage device;
  
  retrieve a first access key from the first secure area;
  
  unlock a second secure area of the data storage device with the first access key;
  
  retrieve a second access key from the second secure area; and
  
  unlock a secure storage area of another data storage device with the second access key.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1 further comprising:
    - the UEFI BIOS configured to;
      
      retrieve a drive information table (DIT) from the first secure area;
      
      determine a unique identifier corresponding to the DSD; and
      
      request the second access key based on the unique identifier.
  - 3. The apparatus of claim 2 further comprising:
    - the UEFI BIOS configured to execute a key management module configured to access a hardware encryption circuit of the first server;
      
      the UEFI BIOS configured to;
      
      connect to be removable from the first server by a physical and electrical connection to the first server which allows the data storage device to be removed from the first server without physically modifying the first server; and
      
      the data storage device further including;
      
      an interface circuit;
      
      a memory configured to store the UEFI BIOS; and
      
      a controller configured to manage the loading of the UEFI BIOS into the memory of the first server.
  - 4. The apparatus of claim 1 further comprising:
    - the UEFI BIOS configured to;
      
      access an encrypted hardware circuit of the first server;
      
      obtain access to the first secure area of the data storage device via the encrypted hardware circuit; and
      
      retrieve the first key from the first secure area when access is granted to the UEFI BIOS.
  - 5. The apparatus of claim 1 further comprising:
    - the UEFI BIOS configured to;
      
      determine if there is an unregistered DSD coupled to the first server, where an unregistered DSD is a DSD that does not have a corresponding key stored in the second server;
      
      obtain a unique identifier from the unregistered DSD;
      
      generate an encryption key based on the unique identifier;
      
      lock the unregistered DSD with the encryption key; and
      
      store the encryption key in the second secure area.
  - 6. The apparatus of claim 1 further comprising:
    - the UEFI BIOS configured to;
      
      determine if there is a registered DSD to be unregistered coupled to the first server;
      
      obtain a unique identifier from the registered DSD to be unregistered;
      
      retrieve an encryption key from the second secure area based on the unique identifier;
      
      unlock the registered DSD to be unregistered with the encryption key;
      
      erase the unregistered DSD; and
      
      delete the unique identifier and the encryption key from the second secure area.
  - 7. The apparatus of claim 1 further comprising:
    - the UEFI BIOS configured to;
      
      determine if there is a DSD registration to modify corresponding to a DSD coupled to the first server;
      
      obtain a unique identifier from the DSD;
      
      retrieve an encryption key from the second secure area based on the unique identifier;
      
      unlock the DSD with the encryption key;
      
      generate a different encryption key associated with the unique identifier;
      
      lock the DSD with the different encryption key; and
      
      store the different encryption key in the second secure area.

8. A memory device storing instructions that when executed cause a processor to perform a method comprising:
- loading a unified extensible firmware interface (“
  
  UEFI”
  
  ) basic input/output system (“
  
  BIOS”
  
  ) and a key management module from a removable storage device to a server memory;
  
  executing the UEFI BIOS at the server to unlock a self-encrypting drive (SED) attached to the server;
  
  executing the key management module at the server to access a local key management server (LKMS) on the removable storage device;
  
  receiving a key from the LKMS at the UEFI BIOS; and
  
  unlocking the SED based on the key.
- View Dependent Claims (9, 10)
- - 9. The memory device of claim 8 further comprising executing the key management module includes retrieving a drive information table stored within a first secure nonvolatile data storage area, the drive information table identifying whether data storage devices are registered and have a corresponding key.
  - 10. The memory device of claim 9 further comprising the method including implementing an automatic registration mode when a data storage device is detected that does not have a key registered in the drive information table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Seagate Technology LLC (Seagate Technology Holdings Plc)
Original Assignee
Seagate Technology LLC (Seagate Technology Holdings Plc)
Inventors
Allo, Christopher Nicholas, Biswas, Saheb
Primary Examiner(s)
Perungavoor, Venkat

Application Number

US15/498,348
Time in Patent Office

1,140 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 21/78   to assure secure storage of...

G06F 9/4403   Processor initialisation

G06F 9/445   Program loading or initiati...

H04L 9/0877   using additional device, e....

H04L 9/0897   involving additional device...

Self-contained key management device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Self-contained key management device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links