Use of Device Driver to Function as a Proxy Between an Encryption Capable Tape Drive and a Key Manager

US 20080065898A1
Filed: 09/07/2006
Published: 03/13/2008
Est. Priority Date: 09/07/2006
Status: Active Grant

First Claim

Patent Images

1. A storage system comprising:

a host;

a storage device coupled to the host, the storage device interacting with storage media to store and retrieve information from the storage media, the storage device comprisingan encryption module, the encryption module enabling encryption and decryption of data stored on storage media; and

,a device driver executing on the host, the device driver checking for encryption related information from the storage device, the encryption related information being generated in response to a command issued by the host, when encryption related information is present, the device driver facilitating encryption independent of whether the host is encryption enabled.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A tape system is provided with an encryption capable tape drive and an encryption enabled tape drive device driver for the encryption capable tape drive. The encryption enabled tape drive device driver functions as a proxy which connects the encryption capable tape drive to a key manager which serves keys to the tape drive. When the encryption capable device driver causes a command to be sent to the drive, the tape drive is configured to respond with a message that is intended for a key manager such as an External Key Manager (EKM). The encryption capable device driver recognizes that this is a message intended for the EKM and forwards that message to the EKM (e.g., via an Internet Protocol (IP) connection). The EKM then responds to the key request by issuing a new key (for a new cartridge which is to be written from beginning of tape (BOT)) or an existing key (for a cartridge which needs to be read). The device driver connects all EKM responses to the encryption capable tape drive and the EKM from which the encryption capable tape drive obtains its keys.

42 Citations

View as Search Results

43 Claims

1. A storage system comprising:
- a host;
  
  a storage device coupled to the host, the storage device interacting with storage media to store and retrieve information from the storage media, the storage device comprisingan encryption module, the encryption module enabling encryption and decryption of data stored on storage media; and
  
  ,a device driver executing on the host, the device driver checking for encryption related information from the storage device, the encryption related information being generated in response to a command issued by the host, when encryption related information is present, the device driver facilitating encryption independent of whether the host is encryption enabled.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The storage system of claim 1 further comprising:
    - a key manager, the key manager serving keys to the storage device via the device driver.
  - 3. The storage system of claim 2 further comprising:
    - a proxy, the proxy establishing a communication path between the storage device and the key manager to facilitate serving keys to the storage device.
  - 4. The storage system of claim 2 wherein:
    - the keys are served to the storage device via a push method.
  - 5. The storage system of claim 2 wherein:
    - the keys are served to the storage device via a pull method.
  - 6. The storage system of claim 1 wherein:
    - the command is issued by an application executing on the host.
  - 7. The storage system of claim 6 wherein:
    - the application comprises a backup program that transfers data to and from the storage device.
  - 8. The storage system of claim 1 wherein:
    - the storage device comprises a tape drive.
  - 9. The storage system of claim 1 wherein:
    - the encryption related information comprises a status indication issued by the storage device indicating that an encryption operation is needed to be performed before the command can be executed by the storage device.

10. A storage device for interacting with storage media to store and retrieve information from the storage media comprising:
- an encryption module, the encryption module enabling encryption and decryption of data stored on storage media; and
  
  ,a controller coupled to the encryption module, the controller interacting with the encryption module to enable storage and retrieval of information to and from the storage media; and
  
  whereinthe storage device receives information from and transmits information to a device driver, the device driver checking for encryption related information from the storage device, the encryption related information being generated by the storage device in response to a command issued by the host, when encryption related information is present, the device driver facilitating encryption independent of whether the host is encryption enabled.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The storage device of claim 10 wherein:
    - the device driver interacts with a key manager, the key manager serving keys to the storage device via the device driver.
  - 12. The storage device of claim 11 wherein:
    - the device driver interacts with a proxy, the proxy establishing a communication path between the storage device and the key manager to facilitate serving keys to the storage device.
  - 13. The storage device of claim 11 wherein:
    - the keys are served to the storage device via a push method.
  - 14. The storage device of claim 11 wherein:
    - the keys are served to the storage device via a pull method.
  - 15. The storage device of claim 10 wherein:
    - the command is issued by an application executing on the host.
  - 16. The storage device of claim 15 wherein:
    - the application comprises a backup program that transfers data to and from the storage device.
  - 17. The storage device of claim 10 wherein:
    - the storage device comprises a tape drive.
  - 18. The storage device of claim 10 wherein:
    - the encryption related information comprises a status indication issued by the storage device indicating that an encryption operation is needed to be performed before the command can be executed by the storage device.

19. A device driver for executing on a host and communicating with a storage device, the device driver comprising:
- a command initiation portion, the command initiation portion intercepting a command issued by the host to the storage device;
  
  an encryption portion, the encryption portion checking for encryption related information from the storage device, the encryption related information being generated by the storage device in response to a command issued by the host, when encryption related information is present, the device driver facilitating encryption independent of whether the host is encryption enabled; and
  
  ,a command execution portion, command execution portion executing the command after an encryption operation has completed execution.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The device driver of claim 19 wherein:
    - the device driver communicates with a key manager, the key manager serving keys to the storage device via the device driver.
  - 21. The device driver of claim 20 further comprising:
    - a proxy, the proxy establishing a communication path between the storage device and the key manager to facilitate serving keys to the storage device.
  - 22. The device driver of claim 20 wherein:
    - the keys are served to the storage device via a push method.
  - 23. The device driver of claim 20 wherein:
    - the keys are served to the storage device via a pull method.
  - 24. The device driver of claim 20 wherein:
    - the command is issued by an application executing on the host.
  - 25. The device driver of claim 24 wherein:
    - the application comprises a backup program that transfers data to and from the storage device.
  - 26. The device driver of claim 19 wherein:
    - the storage device comprises a tape drive.
  - 27. The device driver of claim 19 wherein:
    - the encryption related information comprises a status indication issued by the storage device indicating that an encryption operation is needed to be performed before the command can be executed by the storage device.

28. A method for facilitating encryption between an encryption enabled storage device and a host:
- issuing a command to the storage device;
  
  intercepting encryption related information generated by the storage device in response to the command;
  
  determining whether the encryption related information indicates that an encryption operation is needed to be performed before the command can be executed by the encryption enabled storage device;
  
  performing an encryption operation independent of whether the host is encryption enabled when the encryption related information indicates that the encryption operation is needed; and
  
  ,executing the command after the encryption operation has completed execution.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36)
- - 29. The method of claim 28 wherein:
    - the intercepting is performed by an encryption enabled device driver; and
      
      ,the device driver communicates with a key manager, the key manager serving keys to the encryption enabled storage device via the device driver.
  - 30. The method of claim 29 further comprising:
    - establishing a communication path between the encryption enabled storage device and the key manager via a proxy to facilitate serving keys to the storage device.
  - 31. The method of claim 29 wherein:
    - the keys are served to the encryption enabled storage device via a push method.
  - 32. The method of claim 29 wherein:
    - the keys are served to the encryption enabled storage device via a pull method.
  - 33. The method of claim 29 wherein:
    - the command is issued by an application executing on the host.
  - 34. The method of claim 33 wherein:
    - the application comprises a backup program that transfers data to and from the encryption enabled storage device.
  - 35. The method of claim 28 wherein:
    - the storage device comprises a tape drive.
  - 36. The method of claim 28 wherein:
    - the encryption related information comprises a status indication issued by the encryption enabled storage device.

37. A storage system comprising:
- a host;
  
  a storage device coupled to the host, the storage device interacting with storage media to store and retrieve information from the storage media; and
  
  ,a module coupled to the storage device;
  
  a device driver executing on the host, the device driver checking for special status information from the storage device, the special status information being generated in response to a command issued by the host, when the special status information is present, the device driver facilitating communication independent of whether the host is enabled to communicate with the module.
- View Dependent Claims (38, 39, 40, 41, 42, 43)
- - 38. The storage system of claim 37 wherein the module comprises:
    - a key manager, the key manager serving keys to the storage device via the device driver.
  - 39. The storage system of claim 38 further comprising:
    - a proxy, the proxy establishing a communication path between the storage device and the key manager to facilitate serving keys to the storage device.
  - 40. The storage system of claim 37 wherein:
    - the command is issued by an application executing on the host.
  - 41. The storage system of claim 40 wherein:
    - the application comprises a backup program that transfers data to and from the storage device.
  - 42. The storage system of claim 37 wherein:
    - the storage device comprises a tape drive.
  - 43. The storage system of claim 40 wherein:
    - the encryption related information comprises a status indication issued by the storage device indicating that an encryption operation is needed to be performed before the command can be executed by the storage device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Jaquette, Glen A., Greco, Paul M.

Granted Patent

US 7,882,354 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/185
CPC Class Codes

G06F 21/6281   at program execution time, ...

G06F 21/80   in storage media based on m...

G06F 3/0623   in relation to content

G06F 3/0646   Horizontal data movement in...

G06F 3/0682   Tape device

Use of Device Driver to Function as a Proxy Between an Encryption Capable Tape Drive and a Key Manager

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

42 Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

Use of Device Driver to Function as a Proxy Between an Encryption Capable Tape Drive and a Key Manager

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links