PROTECTING DATA IN A STORAGE DEVICE

US 20170372085A1
Filed: 06/28/2016
Published: 12/28/2017
Est. Priority Date: 06/28/2016
Status: Abandoned Application

First Claim

Patent Images

1. In a storage device, a method of protecting data stored on the storage device, the method comprising:

accessing a first data encryption key stored in storage media on the storage device; and

generating a second data encryption key that is used to encrypt and decrypt data stored in the storage media on the storage device using;

the first data encryption key, a first key encryption key obtained from first information received from a host system that is communicatively coupled to the storage device, and second information that is received from a source other than the host system and that is communicatively coupled to the storage device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first data encryption key is stored on a storage device. The first data encryption key, a first key encryption key obtained from first information received from a host system, and second information that is received from a source other than the host system are used to generate a second data encryption key that can be used to encrypt and decrypt data stored on the storage device. The second information may be sent from the source to the storage device only if a condition is satisfied.

Citations

20 Claims

1. In a storage device, a method of protecting data stored on the storage device, the method comprising:
- accessing a first data encryption key stored in storage media on the storage device; and
  
  generating a second data encryption key that is used to encrypt and decrypt data stored in the storage media on the storage device using;
  
  the first data encryption key, a first key encryption key obtained from first information received from a host system that is communicatively coupled to the storage device, and second information that is received from a source other than the host system and that is communicatively coupled to the storage device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the second information is sent from the source to the storage device in response to a condition being satisfied.
  - 3. The method of claim 2, wherein the condition is checked periodically and wherein the method further comprises discarding the second data encryption key unless the condition is satisfied.
  - 4. The method of claim 2, wherein the condition is selected from the group consisting of:
    - indication that a specified physical object is attached to the storage device;
      
      indication that a specified physical object is within a prescribed distance of the storage device;
      
      indication that the storage device is at a specified physical location;
      
      indication that the storage device is within a prescribed distance of a specified physical location; and
      
      indication that the storage device'"'"'s operating environment matches an environmental condition within a specified tolerance.
  - 5. The method of claim 1, wherein the second information comprises a second key encryption key and wherein said generating comprises:
    - unwrapping a wrapped version of the first data encryption key with the first key encryption key to generate an intermediary data encryption key comprising a wrapped version of the second data encryption key; and
      
      unwrapping the intermediary data encryption key using the second key encryption key to generate the second data encryption key.
  - 6. The method of claim 5, further comprising:
    - generating the second data encryption key with a key generator executed by the storage device, wherein the second data encryption key is used to encrypt data written to storage media on the storage device;
      
      wrapping the second data encryption key with the second key encryption key and with the first key encryption key to generate the wrapped version of the first data encryption key; and
      
      storing the wrapped version of the first data encryption key in the storage media on the storage device.
  - 7. The method of claim 1, wherein said generating comprises:
    - unwrapping a wrapped version of the first data encryption key with the first key encryption key to generate an intermediary data encryption key comprising a first share of the second data encryption key, wherein the second information comprises a second share of the second data encryption key; and
      
      combining the first share and the second share to generate the second data encryption key.
  - 8. The method of claim 7, further comprising:
    - generating the second data encryption key with a key generator executed by the storage device, wherein the second data encryption key is used to encrypt data written to storage media on the storage device;
      
      dividing the second data encryption key into the first share and the second share;
      
      storing the second share on the source;
      
      wrapping the first share with the first key encryption key to generate the wrapped version of the first data encryption key; and
      
      storing the wrapped version of the first data encryption key in the storage media on the storage device.
  - 9. The method of claim 1, wherein the second information comprises a third data encryption key and wherein said generating comprises:
    - unwrapping a wrapped version of the first data encryption key with the first key encryption key to generate an intermediary data encryption key; and
      
      combining the intermediary data encryption key and the third data encryption key to generate the second data encryption key.
  - 10. The method of claim 9, further comprising:
    - generating the intermediary data encryption key with a key generator executed by the storage device;
      
      wrapping the intermediary data encryption key with the first key encryption key to generate the wrapped version of the first data encryption key; and
      
      storing the wrapped version of the first data encryption key in the storage media on the storage device.

11. A system, comprising:
- a host comprising;
  
  a processor; and
  
  memory coupled to the processor; and
  
  a storage device coupled to the host;
  
  the storage device configured to access a first data encryption key stored in the storage media and to generate an intermediary data encryption key using the first data encryption key and a first key encryption key that is obtained from first information received from the host; and
  
  the storage device further configured to generate a second data encryption key using the intermediary data encryption key and second information that is received from a source that is communicatively coupled to the storage device and that that bypasses the host when communicating with the storage device, wherein the second data encryption key is used to decrypt data stored in the storage media on the storage device.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system of claim 11, wherein the second information is sent from the source to the storage device in response to a condition being satisfied, wherein the condition is selected from the group consisting of:
    - indication that a specified physical object is attached to the storage device;
      
      indication that a specified physical object is within a prescribed distance of the storage device;
      
      indication that the storage device is at a specified physical location;
      
      indication that the storage device is within a prescribed distance of a specified physical location; and
      
      indication that the storage device'"'"'s operating environment matches an environmental condition within a specified tolerance.
  - 13. The system of claim 11, wherein the second information comprises a second key encryption key and the intermediary data encryption key comprises a wrapped version of the second data encryption key, wherein the storage device is configured to unwrap the intermediary data encryption key using the second key encryption key to generate the second data encryption key;
    - wherein the storage device is further configured to generate the second data encryption key, to wrap the second data encryption key with the second key encryption key to generate the intermediary data encryption key, and to wrap the intermediary data encryption key with the first key encryption key to generate a wrapped version of the first data encryption key, wherein the wrapped version of the first data encryption key is unwrapped with the first key encryption key to generate the intermediary data encryption key.
  - 14. The system of claim 11, wherein the intermediary data encryption key comprises a first share of the second data encryption key and the second information comprises a second share of the second data encryption key, wherein the storage device is further configured to combine the first share and the second share to generate the second data encryption key;
    - wherein the storage device is further configured to generate the second data encryption key, to divide the second data encryption key into the first share and the second share, and to wrap the first share with the first key encryption key to generate a wrapped version of the first data encryption key, wherein the wrapped version of the first data encryption key is unwrapped with the first key encryption key to generate the intermediary data encryption key.
  - 15. The system of claim 11, wherein the second information comprises a third data encryption key, wherein the storage device is further configured to combine the intermediary data encryption key and the third data encryption key to generate the second data encryption key;
    - wherein the storage device is further configured to generate the second data encryption key and to wrap the second data encryption key with the first key encryption key to generate a wrapped version of the first data encryption key, wherein the wrapped version of the first data encryption key is unwrapped with the first key encryption key to generate the intermediary data encryption key.

16. A storage device, comprising:
- a first module;
  
  a second module coupled to the first module; and
  
  storage media coupled to the first module;
  
  the first module operable for accessing a first data encryption key stored in the storage media and for generating an intermediary data encryption key using the first data encryption key and a first key encryption key that is obtained from first information received from a host system that is communicatively coupled to the storage device; and
  
  the second module operable for generating a second data encryption key using the intermediary data encryption key and second information that is received from a source that is communicatively coupled to the storage device and that bypasses the host system when communicating with the storage device, wherein the second data encryption key is used to decrypt data stored in the storage media on the storage device.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The storage device of claim 16, wherein the second information is sent from the source to the storage device in response to a condition being satisfied, and wherein the condition is selected from the group consisting of:
    - indication that a specified physical object is attached to the storage device;
      
      indication that a specified physical object is within a prescribed distance of the storage device;
      
      indication that the storage device is at a specified physical location;
      
      indication that the storage device is within a prescribed distance of a specified physical location; and
      
      indication that the storage device'"'"'s operating environment matches an environmental condition within a specified tolerance.
  - 18. The storage device of claim 16, wherein the second information comprises a second key encryption key and wherein the intermediary data encryption key comprises a wrapped version of the second data encryption key, wherein the second module is operable for unwrapping the intermediary data encryption key using the second key encryption key to recover the second data encryption key;
    - wherein the storage device further comprises a third module coupled to the second module and operable for generating the second data encryption key, wherein the second module is further operable for wrapping the second data encryption key with the second key encryption key to generate the intermediary data encryption key and wherein the first module is further operable for wrapping the intermediary data encryption key with the first key encryption key to generate a wrapped version of the first data encryption key, wherein the wrapped version of the first data encryption key is unwrapped with the first key encryption key to generate the intermediary data encryption key.
  - 19. The storage device of claim 16, wherein the second information comprises a first share of the second data encryption key and wherein the intermediary data encryption key comprises a second share of the second data encryption key, wherein the second module is further operable for combining the first share and the second share to recover the second data encryption key;
    - wherein the storage device further comprises a third module coupled to the second module and operable for generating the second data encryption key, wherein the second module is further operable for dividing the second data encryption key into the first share and the second share, and wherein the first module is further operable for wrapping the second share with the first key encryption key to generate a wrapped version of wrapped first data encryption key, wherein the wrapped version of the first data encryption key is unwrapped with the first key encryption key to generate the intermediary data encryption key.
  - 20. The storage device of claim 16, wherein the second information comprises a third data encryption key, wherein the second module is further operable for combining the intermediary data encryption key and the third data encryption key to generate the second data encryption key;
    - wherein the storage device further comprises a third module coupled to the second module and operable for generating the second data encryption key, wherein the first module is further operable for wrapping the intermediary data encryption key with the first key encryption key to generate a wrapped version of the first data encryption key, wherein the wrapped version of the first data encryption key is unwrapped with the first key encryption key to generate the intermediary data encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Western Digital Technologies Incorporated (Western Digital Corporation)
Original Assignee
HGST Netherlands B.V. (Western Digital Corporation)
Inventors
HOWE, Collin, McCAMBRIDGE, Colin, GEML, Adam

Application Number

US15/195,371
Publication Number

US 20170372085A1
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/62   Protecting access to data v...

G06F 21/6218   to a system of files or obj...

G06F 21/78   to assure secure storage of...

H04L 9/0861   Generation of secret inform...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/0897   involving additional device...

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

PROTECTING DATA IN A STORAGE DEVICE

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

PROTECTING DATA IN A STORAGE DEVICE

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links