Cryptographic key management for stored data

US 20080219449A1
Filed: 03/09/2007
Published: 09/11/2008
Est. Priority Date: 03/09/2007
Status: Abandoned Application

First Claim

Patent Images

1. A storage medium, comprising:

a magnetically encoded key identifier for identifying an encryption key, the key identifier comprising;

a device identifier that identifies the origin of the key;

a timestamp; and

a key nonce.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided for performing application-transparent key management in a storage library associated with an encrypting removable storage device. Encryption and decryption is performed by a key manager and the removable storage device, and is transparent to the application. Data is encrypted using keys that are managed by the storage key manager. An administrative interface allows an administrator to specify and manage encryption keys. A key identifier is associated with each key, and the key identifier is written to the tape along with the encrypted data. When reading encrypted data, the removable storage device reads the key identifier from the tape and requests the corresponding encryption key from the key manager. The removable storage device then provides the decrypted data to the application. The encryption key may be exported from the key manager or library in an encrypted XML format. Encrypted tapes can therefore be decrypted in different libraries by exporting the keys from one library to another.

147 Citations

20 Claims

1. A storage medium, comprising:
- a magnetically encoded key identifier for identifying an encryption key, the key identifier comprising;
  
  a device identifier that identifies the origin of the key;
  
  a timestamp; and
  
  a key nonce.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The storage medium of claim 1, wherein the timestamp represents the time at which the encryption key was created.
  - 3. The storage medium of claim 1, wherein the timestamp represents the time at which the encryption key was made available.
  - 4. The storage medium of claim 1, wherein the key nonce is based upon a pseudo-random value.
  - 5. The storage medium of claim 1, wherein the storage medium comprises magnetic tape, magnetic disk, optical storage, or a combination thereof.
  - 6. The storage medium of claim 1, wherein the key nonce is based on random number created by a physical entropy source.
  - 7. The storage medium of claim 1, wherein the key nonce comprises a unique number within the domain of a storage device associated with the key.

8. Apparatus for encoding a key identifier on a magnetic tape, the apparatus comprising:
- logic for causing a device identifier to be magnetically encoded on the tape;
  
  logic for causing a timestamp to be magnetically encoded on the tape; and
  
  logic for causing a key nonce to be magnetically encoded on the tape.

9. Key manager apparatus for providing a decryption key, the apparatus comprising:
- logic for requesting from a storage device a key identifier that identifies a received decryption key;
  
  logic for causing the retrieval of an entry from a table of at least one encryption key, wherein the entry is associated with a key identifier received from the storage device, and the entry specifies the decryption key that corresponds to the encrypted data; and
  
  logic for causing the decryption key to be communicated to the storage device.
- View Dependent Claims (10)
- - 10. A data storage library comprising the apparatus of claim 9.

11. A data storage device operable to decrypt encrypted data stored on a storage device, the storage device comprising:
- logic for detecting the encrypted data and a key identifier associated with the encrypted data stored on the storage device;
  
  logic for causing a request for a decryption key to be communicated to a data storage library, wherein the request includes the key identifier;
  
  logic for causing decryption of the encrypted data block with a received decryption key to produce decrypted data.
- View Dependent Claims (12, 13)
- - 12. The data storage device of claim 11, further comprising:
    - logic for configuring the storage device to use the decryption key to decrypt data associated with the key identifier; and
      
      logic for causing the decrypted data to be communicated to a host.
  - 13. The data storage device of claim 11, wherein the data storage device comprises a magnetic tape drive, a magnetic disk drive, an optical disk drive, or a combination thereof.

14. Key manager apparatus for providing an encryption key, comprising:
- logic for generating an encryption key and an associated key identifier in response to receiving a request for an encryption key; and
  
  logic for causing the encryption key and the associated key identifier to be communicated to the storage device.
- View Dependent Claims (15)
- - 15. A data storage library comprising the apparatus of claim 14.

16. A data storage device operable to encrypt data to be stored on the storage device, the storage device comprising:
- logic for causing a request for an encryption key to be communicated to a data storage library in response to receiving a write data command;
  
  logic for configuring the storage device to encrypt and decrypt data with an encryption key received from the library;
  
  logic for causing encryption of the data with the encryption key; and
  
  logic for writing the data and a key identifier associated with the encryption key to the storage device, wherein the key identifier is received from the library, and the key identifier is stored in association with the data.
- View Dependent Claims (17)
- - 17. The data storage device of claim 16, wherein the data storage device comprises a magnetic tape drive, a magnetic disk drive, an optical disk drive, or a combination thereof.

18. Key export apparatus for generating a tree-structured representation of an encryption key, the apparatus comprising:
- logic for generating at least one key data tree element, wherein the key data tree element includes a key name and an encrypted representation of the encryption key.
- View Dependent Claims (19, 20)
- - 19. The apparatus of claim 18, wherein the tree-structured representation comprises an XML representation.
  - 20. The apparatus of claim 18, wherein the key data tree element includes a key creation date, a key expiration date, a key creation name, address, and authority identifier, a key handle, or a combination thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quantum Corporation (Chi Ko Investment Co., Ltd.)
Original Assignee
Quantum Corporation (Chi Ko Investment Co., Ltd.)
Inventors
Ball, Matthew V., Entzel, Paul G., Hellwege, Stephen A.

Application Number

US11/716,271
Publication Number

US 20080219449A1
Time in Patent Office

Days
Field of Search
US Class Current

380/277
CPC Class Codes

G06F 21/80 in storage media based on m...

Cryptographic key management for stored data

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

147 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Cryptographic key management for stored data

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

147 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others