SELECTIVE ENCRYPTION OF DATA STORED ON REMOVABLE MEDIA IN AN AUTOMATED DATA STORAGE LIBRARY

US 20080065903A1
Filed: 09/07/2006
Published: 03/13/2008
Est. Priority Date: 09/07/2006
Status: Active Grant

First Claim

Patent Images

1. A method for encrypting data on a removable media data cartridge in a data storage library, comprising:

establishing one or more cartridge encryption policies;

receiving a request from a host to access a specified data cartridge stored in a storage cell in the library;

transporting the specified data cartridge from the storage cell to a storage drive;

selecting an encryption policy for the specified data cartridge from the one or more cartridge encryption policies;

in response to the selected encryption policy obtaining an encryption key for the specified data cartridge; and

encrypting data on the specified data cartridge in accordance with the obtained encryption key.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an automated data storage library, selective encryption for data stored or to be stored on removable media is provided. One or more encryption policies are established, each policy including a level of encryption one or more encryption keys and the identity of one or more data cartridges. The encryption policies are stored in a policy table and the encryption keys are stored in a secure key server. A host requests access to a specified data cartridge and the cartridge is transported from a storage shelf in the library to a storage drive. Based on the identity of the specified cartridge the corresponding encryption policy is selected from the table and the appropriate encryption key is obtained from the key server. The storage drive encrypts data in accordance with the key and stores the data on the media within the specified data cartridge.

86 Citations

View as Search Results

42 Claims

1. A method for encrypting data on a removable media data cartridge in a data storage library, comprising:
- establishing one or more cartridge encryption policies;
  
  receiving a request from a host to access a specified data cartridge stored in a storage cell in the library;
  
  transporting the specified data cartridge from the storage cell to a storage drive;
  
  selecting an encryption policy for the specified data cartridge from the one or more cartridge encryption policies;
  
  in response to the selected encryption policy obtaining an encryption key for the specified data cartridge; and
  
  encrypting data on the specified data cartridge in accordance with the obtained encryption key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising, prior to selecting an encryption policy for the specified data cartridge, reading a cartridge identifier from the specified data cartridge to confirm the identity of the specified data cartridge.
  - 3. The method of claim 2, further comprising, in response to confirming the identity of the specified cartridge, selecting an encryption policy for the specified data cartridge from the one or more cartridges encryption policies.
  - 4. The method of claim 2, wherein reading a cartridge identifier comprises reading one or more identifiers selected from the group comprising a bar code label affixed to the specified data cartridge, a non-bar code machine readable label affixed to the specified data cartridge, a value stored on media within the specified data cartridge, a value stored within a cartridge memory of the specified data cartridge, and an RFID tag affixed to the specified data cartridge.
  - 5. The method of claim 1, wherein selecting an encryption policy for the specified data cartridge comprises reading the policy from the data cartridge.
  - 6. The method of claim 5, wherein reading the policy comprises reading the policy from a selected one of the group comprising a cartridge label, a cartridge memory a cartridge RFID tag, and a cartridge media.
  - 7. The method of claim 1, further comprising storing the one or more encryption policies in the storage drive, wherein selecting an encryption policy for the specified data cartridge is performed by the storage drive.
  - 8. The method of claim 7, wherein obtaining the selected encryption key comprises transmitting a request for the selected encryption key from the storage drive to a key server.
  - 9. The method of claim 8, further comprising transmitting the request through a library controller as a proxy for the key server.
  - 10. The method of claim 8, further comprising transmitting the request through a host computer as a proxy for the key server.
  - 11. The method of claim 8, further comprising transmitting the selected encryption key to the storage drive.
  - 12. The method of claim 1, further comprising storing the one or more encryption policies in a library controller, wherein selecting an encryption policy for the specified data cartridge is performed by the library controller.
  - 13. The method of claim 12, wherein obtaining the selected encryption key comprises transmitting a request for the selected encryption key from the library controller to a key server.
  - 14. The method of claim 13, further comprising transmitting the selected encryption key to the storage drive.
  - 15. The method of claim 1 further comprising selecting the encryption policy for the specified data cartridge after the specified data cartridge has been transported to a storage drive.

16. A method for encrypting data on removable media in a data storage library, comprising:
- creating an encryption policy table;
  
  entering one or more encryption policies into the table;
  
  associating one or more data cartridges with each encryption policy entered, each data cartridge having a cartridge identifier;
  
  receiving a request from a host to access a specified data cartridge;
  
  transporting the specified data cartridge from the storage cell to a storage drive;
  
  selecting the encryption policy from the encryption table with which the specified data cartridge is associated;
  
  in response to the selected encryption policy, obtaining an encryption key for the specified data cartridge; and
  
  encrypting data on the specified data cartridge in accordance with the obtained encryption key.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The method of claim 16, wherein associating one or more data cartridges with each encryption policy entered comprises associating a plurality of data cartridges by designating their corresponding cartridge identifiers.
  - 18. The method of claim 16, wherein associating one or more data cartridges with each encryption policy entered comprises associating a plurality of data cartridges by designating one or more ranges of corresponding cartridge identifiers.
  - 19. The method of claim 16, further comprising storing the table with the cartridge.
  - 20. The method of claim 19, wherein storing the table with the cartridge comprises storing the table in a selected one of the group comprising a cartridge label, a cartridge memory, a cartridge REID tag and a cartridge media.
  - 21. The method of claim 16, further comprising establishing a default policy for one or more storage drives in the library.
  - 22. The method of claim 16 further comprising establishing a default policy for all storage drives in the library.

23. A data storage system, comprising:
- a plurality of storage shelves for storing data cartridges within a library housing unit, a data storage cartridge including data storage medium;
  
  a data storage drive operable to write data to and/or read data from the data storage medium;
  
  a library controller coupled to receive data access requests from a host computer;
  
  a robot accessor for transporting data storage cartridges between the storage shelves and the data storage drive under the direction of the library controller;
  
  a key server, coupled to the library controller, on which one or more encryption keys are stored;
  
  an encryption policy table in which are stored one or more encryption policies and, for each encryption policy, the identity of one or more data cartridges associated with the encryption policy; and
  
  a library-drive interface through which the data storage drive may transmit a request for an encryption key to the library controller and through which the library controller, after obtaining the requested encryption key from the key server, may transmit the requested encryption key to the data storage drive.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. The data storage system of claim 23, wherein:
    - the request for the encryption key comprisesthe library controller operable as a proxy for the key server.
  - 25. The data storage system of claim 23, wherein the storage drive is further operable to encrypt data to be stored on a selected data cartridge in accordance with the requested encryption key.
  - 26. The data storage system of claim 23, wherein the key server comprises the library controller.
  - 27. The data storage system of claim 23, wherein the key server comprises a dedicated server.
  - 28. The data storage system of claim 23, further comprising a memory device in the library controller in which the encryption policy table is stored.
  - 29. The data storage system of claim 23, wherein the policy table is stored with the data storage cartridge.
  - 30. The data storage system of claim 23, further comprising a memory device in the storage drive in which the encryption policy table is stored.

31. A controller associated with a data storage library, comprising:
- a user interface through which to receive a user input of one or more encryption policies and one or more cartridge identifiers to be associated with each encryption policy, each cartridge identifier representing a data cartridge or a range of data cartridges;
  
  a library-drive interface through which to transmit the encryption policies and associated cartridge identifiers to a storage drive in the library;
  
  a host interface through which to receive a request from a host to access a specified data cartridge stored in a storage cell in the library;
  
  an accessor interface through which to control a robotic accessor to transport the specified data cartridge to a storage drive;
  
  the library-drive interface further operable to receive a request from the storage drive for an encryption key in response to the storage drive matching the specified data cartridge with a corresponding encryption policy;
  
  means for obtaining the requested encryption key; and
  
  the library-drive interface further operable to transmit the encryption key to the storage drive, whereupon the storage drive may encrypt data being written to the specified data cartridge.
- View Dependent Claims (32, 33, 34)
- - 32. The library controller of claim 31, further comprising an interface coupled to a key server from which the encryption key is obtained.
  - 33. The library controller of claim 32, whereby the library controller serves as a proxy for the key server.
  - 34. The library controller of claim 31, further comprising an integrated key server from which the encryption key is obtained.

35. A data storage drive within a data storage library, comprising:
- a user interface through which to receive a user input of one or more encryption policies and one or more cartridge identifiers to be associated with each encryption policy, each cartridge identifier representing a data cartridge stored in the library;
  
  means for obtaining a cartridge identifier of a data cartridge loaded into the storage drive;
  
  means for matching the identifier with an associated encryption policy; and
  
  a library-drive interface operable to;
  
  transmit a request to a key server for an encryption key in response to matching the cartridge identifier with a corresponding encryption policy;
  
  to receive the requested encryption key; and
  
  an encryption module to encrypt data being written to the loaded data cartridge.
- View Dependent Claims (36, 37)
- - 36. The storage drive of claim 35, wherein the means for obtaining a cartridge identifier comprises means for reading one or more identifiers selected from the group comprising a bar code label affixed to the loaded data cartridge, a non-bar code machine readable label affixed to the loaded data cartridge, a value stored on media within the loaded data cartridge, a value stored within a cartridge memory of the loaded data cartridge, and an RFID tag affixed to the loaded data cartridge.
  - 37. The storage drive of claim 35, further comprising a memory for storing the one or more encryption policies, wherein selecting an encryption policy for the specified data cartridge is performed by the storage drive.

38. A computer program product of a computer readable medium usable with a programmable computer, the computer program product having computer-readable code embodied therein for encrypting data on removable media in a data storage library, the computer-readable code comprising instructions for:
- creating an encryption policy table;
  
  entering one or more encryption policies into the table;
  
  associating one or more data cartridges with each encryption policy entered, each data cartridge having a cartridge identifier;
  
  receiving a request from a host to access a specified data cartridge;
  
  transporting the specified data cartridge from the storage cell to a storage drive;
  
  selecting the encryption policy from the encryption table with which the specified data cartridge is associated;
  
  in response to the selected encryption policy, obtaining an encryption key for the specified data cartridge; and
  
  encrypting data on the specified data cartridge in accordance with the obtained encryption key.
- View Dependent Claims (39, 40, 41, 42)
- - 39. The computer program product of claim 38, wherein the instructions for associating one or more data cartridges with each encryption policy entered comprise instructions for associating a plurality of data cartridges by designating their corresponding cartridge identifiers.
  - 40. The computer program product of claim 38, wherein the instructions for associating one or more data cartridges with each encryption policy entered comprise instructions for associating a plurality of data cartridges by designating one or more ranges of corresponding cartridge identifiers.
  - 41. The computer program product of claim 38, wherein the computer-readable code further comprises instructions for storing the table with the cartridge.
  - 42. The computer program product of claim 41, wherein the instructions for storing the table with the cartridge comprise instructions for storing the table in one of the group comprising a cartridge label, a cartridge memory, a cartridge RFID tag and a cartridge media.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Goodman, Brian Gerard, Jesionowski, Leonard George, Fisher, James Arthur

Granted Patent

US 8,230,235 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/193
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/805   using a security table for ...

G06F 2221/2121   Chip on media, e.g. a disk ...

SELECTIVE ENCRYPTION OF DATA STORED ON REMOVABLE MEDIA IN AN AUTOMATED DATA STORAGE LIBRARY

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

86 Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

SELECTIVE ENCRYPTION OF DATA STORED ON REMOVABLE MEDIA IN AN AUTOMATED DATA STORAGE LIBRARY

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links