System and method for transparent disk encryption
First Claim
1. A system comprising:
- a hardware encryption/decryption engine utilizing counter mode (CTR) of advanced encryption standard (AES) based on a block number and a byte-aligned block address of data in a data storage medium passed through a transform function; and
- a memory controller, coupled to said encryption/decryption engine, for accessing said data storage medium, said memory controller including one or more registers storing one or more keys generated from random numbers in said memory controller so that said one or more keys cannot be accessed unlocked from outside said memory controller and said hardware encryption/decryption engine, wherein said memory controller receives a password and a request to store said data on said data storage medium, verifies said password and forwards a particular one of said one or more keys stored in said one or more registers to said hardware encryption/decryption engine if said password is verified, causes said data in said main memory to be encrypted by said hardware encryption/decryption engine using said particular key, and transfers said encrypted data to said data storage medium.
Abstract
A data storage system providing transparent encryption. The data storage system has a hardware encryption/decryption engine and a register coupled to the hardware encryption/decryption engine. The register is for securely storing a key for encrypting and decrypting data. The key may not be read from outside the data storage system. More specifically, the key may not be read by the operating system. The user does not have access to the encryption key, but may have a password that is passed to a controller coupled to the encryption/decryption engine. The controller verifies the password and causes data received from main memory to be encrypted by the hardware encryption/decryption engine using the key. The controller also transfers the encrypted data to the data storage device.
16 Claims
1. A system comprising: (independent claim; full text given under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 16.
7. A method comprising:
- generating, in a memory controller for accessing a storage medium, one or more keys from random numbers;
- storing, in said memory controller, said one or more keys so that said one or more keys cannot be accessed unencrypted outside said memory controller except for a hardware encryption/decryption engine, wherein said one or more keys are common to a plurality of users;
- receiving, in said memory controller, a password that is unique to a given user and a request from a program in a host system to store data on said storage medium;
- verifying, in said memory controller, said password;
- encrypting, in said hardware encryption/decryption engine utilizing counter mode (CTR) of advanced encryption standard (AES) based on a block number and a byte-aligned block address of said data in said storage medium passed through a transform function and a particular one of said one or more keys stored in said memory controller if said password is verified; and
- transferring by hardware said encrypted data to said storage medium.
Dependent claims: 8, 9, 10, 11, 12, 13, 14, 15.
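The scheme of claims 1 and 7, modelled in software as an added example (this is not code from the patent or from any product implementing it): a controller that generates its AES key from random numbers and never exposes it, a per-user password gate in front of the engine, and AES-CTR whose initial counter is derived from the block number and the byte-aligned block address through a transform function. The patent specifies neither the transform, the sector size, nor how the password is verified; the choices below (512-byte sectors, salted SHA-256 password verifiers, a SHA-256-based transform that yields a 12-byte per-sector nonce plus a 4-byte in-sector counter) are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// SectorSize is the unit the controller encrypts (assumption: 512 bytes).
const SectorSize = 512

// Controller models the memory controller of the claims. The AES key is
// generated from random numbers inside the controller and kept in an
// unexported field, standing in for the register that cannot be read from
// outside the controller and the engine. The key is common to all users;
// each user has an individual password (claim 7).
type Controller struct {
	key   []byte            // never returned by any method
	salt  []byte            // random salt for the password verifiers
	users map[string][]byte // user -> SHA-256(salt || password) (assumption)
}

// NewController draws the key and salt from the system random source.
func NewController() (*Controller, error) {
	key := make([]byte, 32) // AES-256
	salt := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &Controller{key: key, salt: salt, users: map[string][]byte{}}, nil
}

func (c *Controller) hashPassword(password string) []byte {
	h := sha256.New()
	h.Write(c.salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// Enroll stores a user's verifier. The key is not derived from the password,
// so a password change never requires re-encrypting the medium.
func (c *Controller) Enroll(user, password string) {
	c.users[user] = c.hashPassword(password)
}

// verifyPassword compares in constant time so timing does not leak the verifier.
func (c *Controller) verifyPassword(user, password string) bool {
	stored, ok := c.users[user]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(stored, c.hashPassword(password)) == 1
}

// CounterBlock is the transform function: (block number, byte-aligned block
// address) -> initial AES-CTR counter block. Assumption: hash the pair, keep
// 12 bytes as a per-sector nonce, zero the low 4 bytes that CTR increments
// within the sector. Distinct sectors thus get disjoint counter ranges, so
// keystream is never reused across sectors.
func CounterBlock(blockNum, byteAddr uint64) [aes.BlockSize]byte {
	var input [16]byte
	binary.BigEndian.PutUint64(input[:8], blockNum)
	binary.BigEndian.PutUint64(input[8:], byteAddr)
	sum := sha256.Sum256(input[:])
	var ctr [aes.BlockSize]byte
	copy(ctr[:12], sum[:12])
	return ctr
}

// transform is the engine; CTR is symmetric, so one routine serves both paths.
// The sector limit keeps the in-sector counter from carrying into the nonce.
func (c *Controller) transform(data []byte, blockNum, byteAddr uint64) ([]byte, error) {
	if len(data) > SectorSize {
		return nil, errors.New("data exceeds one sector")
	}
	block, err := aes.NewCipher(c.key)
	if err != nil {
		return nil, err
	}
	iv := CounterBlock(blockNum, byteAddr)
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv[:]).XORKeyStream(out, data)
	return out, nil
}

// Store verifies the password and only then encrypts the sector for transfer.
func (c *Controller) Store(user, password string, blockNum, byteAddr uint64, plaintext []byte) ([]byte, error) {
	if !c.verifyPassword(user, password) {
		return nil, errors.New("password verification failed")
	}
	return c.transform(plaintext, blockNum, byteAddr)
}

// Load is the read path: verify, then decrypt what was read from the medium.
func (c *Controller) Load(user, password string, blockNum, byteAddr uint64, ciphertext []byte) ([]byte, error) {
	if !c.verifyPassword(user, password) {
		return nil, errors.New("password verification failed")
	}
	return c.transform(ciphertext, blockNum, byteAddr)
}

func main() {
	c, err := NewController()
	if err != nil {
		panic(err)
	}
	c.Enroll("alice", "correct horse battery staple") // constructed sample user
	plain := []byte("constructed sample sector contents")
	ct, _ := c.Store("alice", "correct horse battery staple", 7, 7*SectorSize, plain)
	back, _ := c.Load("alice", "correct horse battery staple", 7, 7*SectorSize, ct)
	fmt.Printf("ciphertext %x\nround trip ok: %v\n", ct, string(back) == string(plain))
	_, err = c.Store("alice", "wrong password", 7, 7*SectorSize, plain)
	fmt.Println("wrong password:", err)
}
```

Two points worth noting from the defender's side. The transform matters as much as the key: if two sectors could share a counter range, CTR would reuse keystream and the XOR of two ciphertexts would reveal the XOR of the plaintexts, so the nonce/counter split above is what makes address-derived counters safe. And CTR provides confidentiality only; the claims describe no integrity mechanism, so a bit flipped on the medium flips the same bit of the decrypted data, and a deployment that needs tamper detection must add an authentication tag or a separate integrity check.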