Incremental encryption of stored information
Abstract
A method and apparatus are utilized to incrementally encrypt stored information, and can be applied to an existing medium storing unencrypted information. Information can be conditionally encrypted and/or decrypted as necessary and a separate storage area can be used to record whether a given block of information is stored encrypted or unencrypted. An embodiment of the present invention can be used as a retrofit device in a mechanism to encrypt information without causing undue interruption of normal operations. A variety of mechanisms and policies can also be used to manage, set and eliminate encryption keys.
8 Claims
1. An apparatus comprising:
a host interface coupled to a host device accepting read commands;
a storage device interface coupled to a storage device configured to store information;
an encryption apparatus configured to encrypt information;
a decryption apparatus configured to decrypt information received by said storage device interface before being delivered to said host interface;
a key storage circuit storing one or more keys;
a memory device storing a block status table containing a plurality of entries based on the location of data on said storage device, wherein at least one entry in said block status table is in one of a first state, a second state and a third state;
wherein said first state is indicative of an Encrypted (E) state, said second state is indicative of an Unencrypted—Don't Encrypt (DE) state or an Unencrypted—Encrypt on Write (EOW) state, and said third state is indicative of an Unencrypted—Encrypt on Read or Write (EORW) state;
a circuit configured to conditionally decrypt data based on information stored in said block status table, wherein data is decrypted if said entry is in said first state, and data is not decrypted if said entry is in said second state or in said third state; and
a circuit configured to conditionally encrypt data based on information stored in said block status table, wherein data received from said storage device interface is first encrypted and then returned to said storage device interface if said entry is in said third state;
wherein if said entry in said block status table is in said third state, said entry is automatically updated from said third state to said first state when a read command is received to reflect a dynamic change in data stored on said storage device from an unencrypted state to an encrypted state, and wherein if said entry in said block status table is in said first state or said second state, said entry is not updated.
Dependent claims: 2, 3, 4
5. An apparatus comprising:
a host interface coupled to a host device accepting write commands;
a storage device interface coupled to a storage device configured to store information;
an encryption apparatus configured to encrypt information received by said host interface before being delivered to said storage device interface;
a key storage circuit storing one or more keys;
a memory device storing a block status table containing a plurality of entries based on the location of data on said storage device, wherein at least one entry in said block status table is in a first state, a second state or a third state;
wherein said first state is indicative of an Encrypted (E) state, said second state is indicative of an Unencrypted—Don't Encrypt (DE) state, and said third state is indicative of an Unencrypted—Encrypt on Write (EOW) state or an Unencrypted—Encrypt on Read or Write (EORW) state;
a circuit configured to conditionally encrypt data based on information stored in said block status table, wherein data received from said host interface is first encrypted and then delivered to said storage device interface if said entry is in said first state or said third state, and data received from said host interface is not encrypted and delivered unencrypted to said storage device interface if said entry is in said second state;
wherein if said entry in said block status table is in said third state, said entry is automatically updated from said third state to said first state when a write command is received to reflect a dynamic change in data stored on said storage device from an unencrypted state to an encrypted state, and wherein if said entry in said block status table is in said first state or said second state, said entry is not updated.
Dependent claims: 6, 7, 8
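Added example, not from the patent: a Python model of the block status table with the read path of claim 1 and the write path of claim 5, showing how E, DE, EOW and EORW blocks are handled and when an entry migrates to E. The cipher is an assumption (a per-block keyed-hash keystream, since the claims name none), and IncrementalEncryptor, medium and table are names chosen here.

```python
import hashlib
from enum import Enum


class State(Enum):
    """The block status table states named in claims 1 and 5."""
    E = "Encrypted"
    DE = "Unencrypted, Don't Encrypt"
    EOW = "Unencrypted, Encrypt on Write"
    EORW = "Unencrypted, Encrypt on Read or Write"


def _keystream(key: bytes, block: int, n: int) -> bytes:
    # Assumption: the claims name no cipher, so a per-block keyed-hash
    # keystream stands in for the sector cipher in this model.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + block.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def _crypt(key: bytes, block: int, data: bytes) -> bytes:
    """XOR with the block's keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, block, len(data))))


class IncrementalEncryptor:
    """Sits between host and storage; medium[block] is what is physically stored."""

    def __init__(self, key: bytes, medium: dict, table: dict):
        self.key, self.medium, self.table = key, medium, table

    def read(self, block: int) -> bytes:
        stored, state = self.medium[block], self.table[block]
        if state is State.E:                       # decrypt on the way to the host
            return _crypt(self.key, block, stored)
        if state is State.EORW:                    # encrypt on read: re-store ciphertext, mark E
            self.medium[block] = _crypt(self.key, block, stored)
            self.table[block] = State.E
        return stored                              # DE / EOW / EORW data is still plaintext here

    def write(self, block: int, plaintext: bytes) -> None:
        if self.table[block] is State.DE:          # policy: this block is never encrypted
            self.medium[block] = plaintext
            return
        self.medium[block] = _crypt(self.key, block, plaintext)
        self.table[block] = State.E                # EOW / EORW migrate to E; E stays E
```

Reading an EORW block is the only read that changes the medium; after it, the block behaves like any other E block.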