CONFIGURING HOST SETTINGS TO SPECIFY AN ENCRYPTION SETTING AND A KEY LABEL REFERENCING A KEY ENCYRPTION KEY TO USE TO ENCRYPT AN ENCRYPTION KEY PROVIDED TO A STORAGE DRIVE TO USE TO ENCRYPT DATA FROM THE HOST

US 20090067633A1
Filed: 09/11/2007
Published: 03/12/2009
Est. Priority Date: 09/11/2007
Status: Active Grant

First Claim

Patent Images

1. An article of manufacture including code to communicate data to a removable storage medium coupled to a storage drive managing read and write access to the removable storage medium and to perform operations, the operations comprising:

receiving user settings to configure a data class having data attributes with encryption settings;

storing the data class with the received user encryption settings;

receiving a job indicating a data set to store to the removable storage medium;

determining a data class having data class attributes matching data attributes of the data set indicated in the job;

determining from the determined data class whether to encrypt the data; and

transmitting the data set and a command to encrypt the data set to the storage drive in response to determining that the determined data class indicates to encrypt the data, wherein the command to encrypt the data set causes the storage drive to encrypt the data sets written to the removable storage medium with an encryption key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are a method, system, and article of manufacture for configuring host settings to specify encryption and a key label referencing a key encrypting key to use to encrypt an encryption key provided to a storage drive to use to encrypt data from the host. User settings are received to configure a data class having data attributes with encryption settings. The data class is stored with the received user encryption settings. A job is received indicating a data set to store to a removable storage medium. A data class is determined having data class attributes matching data attributes of the data set indicated in the job. A determination is made from the determined data class whether to encrypt the data. The data set and a command to encrypt the data set are transmitted to a storage drive in response to determining that the determined data class indicates to encrypt the data, wherein the command to encrypt the data set causes the storage drive to encrypt the data sets written to the removable storage medium with an encryption key.

Citations

20 Claims

1. An article of manufacture including code to communicate data to a removable storage medium coupled to a storage drive managing read and write access to the removable storage medium and to perform operations, the operations comprising:
- receiving user settings to configure a data class having data attributes with encryption settings;
  
  storing the data class with the received user encryption settings;
  
  receiving a job indicating a data set to store to the removable storage medium;
  
  determining a data class having data class attributes matching data attributes of the data set indicated in the job;
  
  determining from the determined data class whether to encrypt the data; and
  
  transmitting the data set and a command to encrypt the data set to the storage drive in response to determining that the determined data class indicates to encrypt the data, wherein the command to encrypt the data set causes the storage drive to encrypt the data sets written to the removable storage medium with an encryption key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The article of manufacture of claim 1, wherein the data class indicates a key label identifying a key encrypting key, wherein the operations further comprise:
    - transmitting the key label indicated in the data class to the storage drive, wherein the key encrypting key indicated in the data class is used to encrypt the encryption key the storage drive uses to encrypt the data set written to the removable storage medium.
  - 3. The article of manufacture of claim 1, wherein the job further indicates a key label identifying a key encrypting key, wherein the operations further comprise:
    - transmitting the key label indicated in the job to the storage drive, wherein the key encrypting key indicated in the job is used to encrypt the encryption key the storage drive uses to encrypt the data set written to the removable storage medium.
  - 4. The article of manufacture of claim 3, wherein the job indicates whether to encrypt the data, and wherein the command indicating to encrypt the data is transmitted in response to determining that the job indicates to encrypt the data.
  - 5. The article of manufacture of claim 1, wherein the job indicates to encrypt the data and indicates a key label identifying a key encrypting key, wherein the operations further comprise:
    - determining whether the encryption indicated by the job may override the encryption indicated by the data class in response to determining that the job indicates whether to encrypt and the key label,wherein the command to encrypt the data set and the key label specified in the data class is transmitted in response to determining that the data class indicates to encrypt the data and that the encryption indicated by the job cannot override the encryption indicated by the data class; and
      
      wherein the command to encrypt the data set and the key label specified in the job is transmitted in response to determining that the job indicates to encrypt the data and indicates the key label and the encryption indicated in the job is permitted to override the encryption indicated in the data class.
  - 6. The article of manufacture of claim 1, wherein the data class is maintained by an operating system, wherein a utility of the operating system performs the operations of receiving the data set to write to the removable storage medium, determining the data class for the data set and the encryption setting for the data class, and transmitting the data set and command to encrypt to the storage drive.
  - 7. The article of manufacture of claim 1, wherein the operations further comprise:
    - determining that the determined data class indicates no encryption, wherein the data set is transmitted to the storage drive indicating to not encrypt, and wherein the storage drive writes the data set to the removable storage medium unencrypted in response to receiving the indication to not encrypt.
  - 8. The article of manufacture of claim 1, wherein the data class and data set attributes indicate at least one of a:
    - user that created the data set;
      
      a user group that created the data set;
      
      an application that created the data set;
      
      a data type of the data in the data set; and
      
      a target storage specified for the data set, and wherein the storage drive comprises a tape drive and the storage media comprises a tape media.

9. A storage drive in communication with a host system and a key manager and configured to perform read and write operations with respect to a removable storage medium coupled to the storage drive, comprising:
- an interface for coupling to one removable storage medium;
  
  an encryption engine to encrypt and decrypt data written to the coupled removable storage medium;
  
  an Input/Output manager to cause operations, the operations comprising;
  
  receiving a write request from the host system having indicating to encrypt the data and a key label identifying a key encrypting key to use to encrypt an encryption key the storage drive uses to encrypt and decrypt data;
  
  sending a request to the key manager with the key label for an encryption key;
  
  receiving from the key manager the encryption key to use to encrypt the data from the host system;
  
  invoking the encryption engine to use the encryption key to encrypt the data from the host system written to the coupled removable storage medium.
- View Dependent Claims (10)
- - 10. The storage drive of claim 9, wherein the I/O manager operations further comprise:
    - receiving, from the key manager, an encrypted encryption key comprising the encryption key encrypted using a key encrypting key (KEK) referenced by the key label; and
      
      writing the encrypted encryption key to the removable storage medium.

11. A system, comprising:
- a class manager executed to receive user settings to configure a data class having data attributes with encryption settings and store the data class with the received user encryption settings; and
  
  a class selection routine executed to;
  
  receive a job indicating a data set to store to a removable storage medium;
  
  determine a data class having data class attributes matching data attributes of the data set indicated in the job;
  
  determine from the determined data class whether to encrypt the data; and
  
  generate a write command to transmit the data set and a command to encrypt the data set to a storage drive in response to determining that the determined data class indicates to encrypt the data, wherein the command to encrypt the data set causes the storage drive to encrypt the data sets written to the removable storage medium with an encryption key.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system of claim 11, wherein the job further indicates a key label identifying a key encrypting key, wherein generating the write command further comprises including the key label indicated in the job in the write command sent to the storage drive, wherein the key encrypting key indicated in the job is used to encrypt the encryption key the storage drive uses to encrypt the data set written to the removable storage medium.
  - 13. The system of claim 11, wherein the job indicates to encrypt the data and indicates a key label identifying a key encrypting key, wherein the class selection routine is further executed to:
    - determine whether the encryption indicated by the job may override the encryption indicated by the data class in response to determining that the job indicates whether to encrypt and the key label,wherein the command to encrypt the data set and the key label specified in the data class is transmitted in response to determining that the data class indicates to encrypt the data and that the encryption indicated by the job cannot override the encryption indicated by the data class; and
      
      wherein the command to encrypt the data set and the key label specified in the job is transmitted in response to determining that the job indicates to encrypt the data and indicates the key label and the encryption indicated in the job is permitted to override the encryption indicated in the data class.
  - 14. The system of claim 11, further comprising:
    - an operating system maintaining the data class, and wherein the class selection routine is a utility of the operating system.
  - 15. The system of claim 11, wherein the class selection routine is further executed to:
    - determine that the determined data class indicates no encryption, wherein the data set is transmitted to the storage drive indicating to not encrypt, and wherein the storage drive writes the data set to the removable storage medium unencrypted in response to receiving the indication to not encrypt.

16. A method, comprising:
- receiving user settings to configure a data class having data attributes with encryption settings;
  
  storing the data class with the received user encryption settings;
  
  receiving a job indicating a data set to store to a removable storage medium;
  
  determining a data class having data class attributes matching data attributes of the data set indicated in the job;
  
  determining from the determined data class whether to encrypt the data; and
  
  transmitting the data set and a command to encrypt the data set to a storage drive in response to determining that the determined data class indicates to encrypt the data, wherein the command to encrypt the data set causes the storage drive to encrypt the data sets written to the removable storage medium with an encryption key.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, wherein the job further indicates a key label identifying a key encrypting key, further comprising:
    - transmitting the key label indicated in the job to the storage drive, wherein the key encrypting key indicated in the job is used to encrypt the encryption key the storage drive uses to encrypt the data set written to the removable storage medium.
  - 18. The method of claim 16, wherein the job indicates to encrypt the data and indicates a key label identifying a key encrypting key, further comprising:
    - determining whether the encryption indicated by the job may override the encryption indicated by the data class in response to determining that the job indicates whether to encrypt and the key label,wherein the command to encrypt the data set and the key label specified in the data class is transmitted in response to determining that the data class indicates to encrypt the data and that the encryption indicated by the job cannot override the encryption indicated by the data class; and
      
      wherein the command to encrypt the data set and the key label specified in the job is transmitted in response to determining that the job indicates to encrypt the data and indicates the key label and the encryption indicated in the job is permitted to override the encryption indicated in the data class.
  - 19. The method of claim 16, wherein the data class is maintained by an operating system, wherein a utility of the operating system performs the operations of receiving the data set to write to the removable storage medium, determining the data class for the data set and the encryption setting for the data class, and transmitting the data set and command to encrypt to the storage drive.
  - 20. The method of claim 16, further comprising:
    - determining that the determined data class indicates no encryption, wherein the data set is transmitted to the storage drive indicating to not encrypt, and wherein the storage drive writes the data set to the removable storage medium unencrypted in response to receiving the indication to not encrypt.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Kelly, Michael James, Lewis, Cecilia Carranza, Lynds, Jon Arthur, Rhoten, Wayne Erwin, Dawson, Erika Marianna, Guski, Richard Henry, Sutton, Peter Grimm

Granted Patent

US 8,645,715 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/279
CPC Class Codes

H04L 9/0822 using key encryption key

H04L 9/088 Usage controlling of secret...

CONFIGURING HOST SETTINGS TO SPECIFY AN ENCRYPTION SETTING AND A KEY LABEL REFERENCING A KEY ENCYRPTION KEY TO USE TO ENCRYPT AN ENCRYPTION KEY PROVIDED TO A STORAGE DRIVE TO USE TO ENCRYPT DATA FROM THE HOST

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CONFIGURING HOST SETTINGS TO SPECIFY AN ENCRYPTION SETTING AND A KEY LABEL REFERENCING A KEY ENCYRPTION KEY TO USE TO ENCRYPT AN ENCRYPTION KEY PROVIDED TO A STORAGE DRIVE TO USE TO ENCRYPT DATA FROM THE HOST

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links