Cryptographic key management for stored data
First Claim
1. A storage medium, comprising:
- a magnetically encoded key identifier for identifying an encryption key, the key identifier comprising;
a device identifier that identifies the origin of the key;
a timestamp; and
a key nonce.
3 Assignments
0 Petitions
Accused Products
Abstract
A method is provided for performing application-transparent key management in a storage library associated with an encrypting removable storage device. Encryption and decryption is performed by a key manager and the removable storage device, and is transparent to the application. Data is encrypted using keys that are managed by the storage key manager. An administrative interface allows an administrator to specify and manage encryption keys. A key identifier is associated with each key, and the key identifier is written to the tape along with the encrypted data. When reading encrypted data, the removable storage device reads the key identifier from the tape and requests the corresponding encryption key from the key manager. The removable storage device then provides the decrypted data to the application. The encryption key may be exported from the key manager or library in an encrypted XML format. Encrypted tapes can therefore be decrypted in different libraries by exporting the keys from one library to another.
147 Citations
20 Claims
-
1. A storage medium, comprising:
-
a magnetically encoded key identifier for identifying an encryption key, the key identifier comprising; a device identifier that identifies the origin of the key; a timestamp; and a key nonce. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. Apparatus for encoding a key identifier on a magnetic tape, the apparatus comprising:
-
logic for causing a device identifier to be magnetically encoded on the tape; logic for causing a timestamp to be magnetically encoded on the tape; and logic for causing a key nonce to be magnetically encoded on the tape.
-
-
9. Key manager apparatus for providing a decryption key, the apparatus comprising:
-
logic for requesting from a storage device a key identifier that identifies a received decryption key; logic for causing the retrieval of an entry from a table of at least one encryption key, wherein the entry is associated with a key identifier received from the storage device, and the entry specifies the decryption key that corresponds to the encrypted data; and logic for causing the decryption key to be communicated to the storage device. - View Dependent Claims (10)
-
-
11. A data storage device operable to decrypt encrypted data stored on a storage device, the storage device comprising:
-
logic for detecting the encrypted data and a key identifier associated with the encrypted data stored on the storage device; logic for causing a request for a decryption key to be communicated to a data storage library, wherein the request includes the key identifier; logic for causing decryption of the encrypted data block with a received decryption key to produce decrypted data. - View Dependent Claims (12, 13)
-
-
14. Key manager apparatus for providing an encryption key, comprising:
-
logic for generating an encryption key and an associated key identifier in response to receiving a request for an encryption key; and logic for causing the encryption key and the associated key identifier to be communicated to the storage device. - View Dependent Claims (15)
-
-
16. A data storage device operable to encrypt data to be stored on the storage device, the storage device comprising:
-
logic for causing a request for an encryption key to be communicated to a data storage library in response to receiving a write data command; logic for configuring the storage device to encrypt and decrypt data with an encryption key received from the library; logic for causing encryption of the data with the encryption key; and logic for writing the data and a key identifier associated with the encryption key to the storage device, wherein the key identifier is received from the library, and the key identifier is stored in association with the data. - View Dependent Claims (17)
-
-
18. Key export apparatus for generating a tree-structured representation of an encryption key, the apparatus comprising:
logic for generating at least one key data tree element, wherein the key data tree element includes a key name and an encrypted representation of the encryption key. - View Dependent Claims (19, 20)
Specification