External encryption and recovery management with hardware encrypted storage devices
First Claim
1. One or more computer-readable storage media comprising computer-executable instructions for storing and retrieving keys from a hardware encrypting storage device, the computer-executable instructions directed to steps comprising:
creating at least a first partition and a second partition on the hardware encrypting storage device;
instructing the hardware encrypting storage device to implement at least a first encryption band corresponding to the second partition, the first encryption band covering all storage units associated with the second partition, the first encryption band being associated with a first key;
storing an encrypted key associated with the first key within a first set of one or more storage units associated with the first partition, the first partition corresponding to at least a global band, the global band being associated with no key;
monitoring a partition table comprising information regarding the at least the first partition and the second partition to detect a change of the second partition; and
instructing the hardware encrypting storage device to change the first encryption band if the second partition is changed, the instructed change of the first encryption band corresponding to the change of the second partition.
Abstract
Hardware encrypting storage devices can provide for hardware encryption of data being written to the storage media of such storage devices, and hardware decryption of data being read from that storage media. To utilize existing key management resources, which can be more flexible and accommodating, mechanisms can be developed for storing keys that are protected by those existing resources but not by the hardware encryption of the storage device. Dedicated partitions that do not have corresponding encryption bands can be utilized to store keys in a non-hardware-encrypted manner. Likewise, partitions can be defined larger than their associated encryption bands, leaving room near the beginning and end for non-hardware-encrypted storage. Or a separate bit can be used to individually specify which data should be hardware encrypted. Additionally, automated processes can maintain synchronization between a partition table of the computing device and a band table of the hardware encrypting storage device.
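The following is an added illustration, not code from the patent or its assignee: a constructed in-memory model of a band table and a partition manager that keeps the two tables in step (claim 1) and reserves unbanded edge areas of a partition for the externally wrapped key (claim 9). The command names, LBA sizes and key identifiers are assumptions; a real device would be driven through its own band-management commands.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Band:
    start: int             # first LBA covered by this band
    end: int               # last LBA covered (inclusive)
    key_id: Optional[str]  # None marks the global band, which is associated with no key

class HwEncryptingDisk:
    """Constructed model of a device band table (assumption: one band per key, band 0 global)."""
    def __init__(self, size):
        self.bands = {0: Band(0, size - 1, None)}  # global band: everything not claimed by another band
        self.next_id = 1
    def create_band(self, start, end, key_id):
        bid, self.next_id = self.next_id, self.next_id + 1
        self.bands[bid] = Band(start, end, key_id)
        return bid
    def change_band(self, bid, start, end):  # claim 1: the band is changed to follow its partition
        self.bands[bid].start, self.bands[bid].end = start, end
    def band_for(self, lba):
        # Highest-numbered keyed band covering the LBA wins; anything else lies in the global band.
        hits = [b for b in self.bands if b and self.bands[b].start <= lba <= self.bands[b].end]
        return max(hits) if hits else 0

class PartitionManager:
    """Keeps the host partition table and the device band table synchronized."""
    def __init__(self, disk):
        self.disk, self.parts, self.bound = disk, {}, {}
    def create(self, name, start, end, key_id, reserve=0):
        # Claim 9 layout: the band is `reserve` LBAs narrower than the partition at each end, so
        # those edges stay in the global band and can hold the key wrapped by external key management.
        # key_id None means a dedicated key partition with no band at all (claim 1 first partition).
        self.parts[name] = (start, end, reserve)
        self.bound[name] = None if key_id is None else self.disk.create_band(start + reserve, end - reserve, key_id)
    def key_areas(self, name):
        start, end, r = self.parts[name]
        return [(start, start + r - 1), (end - r + 1, end)] if r else []
    def sync(self, new_table):
        # Detect partitions that moved or were resized and re-issue the matching band range (claim 1).
        changed = []
        for name, (start, end, r) in new_table.items():
            if name in self.parts and self.parts[name] != (start, end, r):
                if self.bound[name] is not None:
                    self.disk.change_band(self.bound[name], start + r, end - r)
                self.parts[name] = (start, end, r)
                changed.append(name)
        return changed
```

The check a practitioner would add is that after `sync` every LBA of a keyed partition's data area still maps to that partition's band and nothing outside it does; `band_for` gives exactly that test.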
19 Claims
9. One or more computer-readable storage media comprising computer-executable instructions for storing and retrieving keys from a hardware encrypting storage device, the computer-executable instructions directed to steps comprising:
creating at least one partition on the hardware encrypting storage device, the at least one partition encompassing all storage units from a first storage unit to a second storage unit;
instructing the hardware encrypting storage device to implement at least one encryption band associated with a key and corresponding to the at least one partition, the at least one encryption band encompassing all storage units from a third storage unit to a fourth storage unit, wherein the third and fourth storage units are between the first and second storage units such that storage units between the first and third storage units are part of the at least one partition, but are not part of the at least one encryption band corresponding to the at least one partition, and such that storage units between the fourth and second storage units are also part of the at least one partition, but are also not part of the at least one encryption band corresponding to the at least one partition;
providing, to other computer-executable instructions, access to only a portion of the at least one partition, the portion encompassing all storage units from the third storage unit to the fourth storage unit; and
storing an encrypted key associated with the key either in a first key storage area between the first storage unit and the third storage unit or in a second key storage area between the fourth storage unit and the second storage unit, wherein both the first key storage area and the second key storage area correspond to at least a global band, the global band being associated with no key.
(Dependent claims 10, 11, 12 and 13 are not reproduced here.)
14. A hardware encrypting storage device comprising:
one or more storage media comprising storage units; and
one or more cryptographic processors for performing steps comprising:
receiving provided information to be stored in one or more storage units of the one or more storage media, together with a first encryption flag indicating whether the provided information is to be stored in an encrypted or unencrypted manner;
storing the provided information unencrypted in the one or more storage units if the first encryption flag received with the provided information indicated that the provided information was to be stored in the unencrypted manner, even if at least some of the one or more storage units are part of a first encryption band specifying that information stored in storage units encompassed by the first encryption band is to be encrypted by the one or more cryptographic processors prior to storage on the storage media;
receiving a request for specified information to be read from one or more storage units of the one or more storage media, together with a second encryption flag indicating whether the specified information, as read from the one or more storage units, is to be decrypted or not decrypted; and
providing the specified information, as read from the one or more storage units, not decrypted if the second encryption flag received with the request indicated that the specified information was to be provided not decrypted, even if at least some of the one or more storage units are part of a second encryption band specifying that information read from storage units encompassed by the second encryption band is to be decrypted by the one or more cryptographic processors prior to provision.
(Dependent claims 15, 16, 17, 18 and 19 are not reproduced here.)
Specification