System and method for transparent disk encryption

US 8,386,797 B1
Filed: 08/07/2002
Issued: 02/26/2013
Est. Priority Date: 08/07/2002
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a hardware encryption/decryption engine utilizing counter mode (CTR) of advanced encryption standard (AES) based on a block number and a byte-aligned block address of data in a data storage medium passed through a transform function; and

a memory controller, coupled to said encryption/decryption engine, for accessing said data storage medium, said memory controller including one or more registers storing one or more keys generated from random numbers in said memory controller so that said one or more keys cannot be accessed unlocked from outside said memory controller and said hardware encryption/decryption engine, wherein said memory controller receives a password and a request to store said data on said data storage medium, verifies said password and forwards a particular one of said one or more keys stored in said one or more registers to said hardware encryption/decryption engine if said password is verified, causes said data in said main memory to be encrypted by said hardware encryption/decryption engine using said particular key, and transfers said encrypted data to said data storage medium.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data storage system providing transparent encryption. The data storage system has a hardware encryption/decryption engine and a register coupled to the hardware encryption/decryption engine. The register is for securely storing a key for encrypting and decrypting data. The key may not be read from outside the data storage system. More specifically, the key may not be read by the operating system. The user does not have access to the encryption key, but may have a password that is passed to a controller coupled to the encryption/decryption engine. The controller verifies the password and causes data received from main memory to be encrypted by the hardware encryption/decryption engine using the key. The controller also transfers the encrypted data to the data storage device.

Citations

16 Claims

1. A system comprising:
- a hardware encryption/decryption engine utilizing counter mode (CTR) of advanced encryption standard (AES) based on a block number and a byte-aligned block address of data in a data storage medium passed through a transform function; and
  
  a memory controller, coupled to said encryption/decryption engine, for accessing said data storage medium, said memory controller including one or more registers storing one or more keys generated from random numbers in said memory controller so that said one or more keys cannot be accessed unlocked from outside said memory controller and said hardware encryption/decryption engine, wherein said memory controller receives a password and a request to store said data on said data storage medium, verifies said password and forwards a particular one of said one or more keys stored in said one or more registers to said hardware encryption/decryption engine if said password is verified, causes said data in said main memory to be encrypted by said hardware encryption/decryption engine using said particular key, and transfers said encrypted data to said data storage medium.
- View Dependent Claims (2, 3, 4, 5, 6, 16)
- - 2. The system of claim 1, wherein said memory controller further receives a request to read data from said data storage medium and causes said data from said data storage medium to be decrypted by said hardware encryption/decryption engine using said particular key and transferred to said main memory.
  - 3. The system of claim 1, wherein said received request comes from an operating system, and said memory controller performs said causing in a manner transparent to said operating system.
  - 4. The system of claim 1, wherein if the password is not valid said memory controller does not forward said key to said hardware encryption/decryption engine, wherein decryption is not performed.
  - 5. The system of claim 1, further comprising:
    - a network processor coupled to said hardware encryption/decryption engine; and
      
      a storage processor in said memory controller coupled to said hardware encryption/decryption engine, wherein said network processor and said storage processor share said hardware encryption/decryption engine.
  - 6. The system of claim 1, wherein said data storage medium is a hard drive.
  - 16. The system of claim 1, wherein said data includes an operating system of said system.

7. A method comprising:
- generating, in a memory controller for accessing a storage medium, one or more keys from random numbers;
  
  storing, in said memory controller, said one or more keys so that said one or more keys cannot be accessed unencrypted outside said memory controller except for a hardware encryption/decryption engine, wherein said one or more keys are common to a plurality of users;
  
  receiving, in said memory controller, a password that is unique to a given user and a request from a program in a host system to store data on said storage medium;
  
  verifying, in said memory controller, said password;
  
  encrypting, in said hardware encryption/decryption engine utilizing counter mode (CTR) of advanced encryption standard (AES) based on a block number and a byte-aligned block address of said data in said storage medium passed through a transform function and a particular one of said one or more keys stored in said memory controller if said password is verified; and
  
  transferring by hardware said encrypted data to said storage medium.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The method of claim 7, further comprising:
    - receiving, in said memory controller, said password and a request from said program for said data from said storage medium;
      
      verifying, in said memory controller, said password;
      
      decryption, in said hardware encryption/decryption engine, said encrypted data transparent to software using said particular key if said password is verified; and
      
      transferring said decrypted data to said host system.
  - 9. The method of claim 7, further comprising:
    - encrypting a given one of said one or more keys in said hardware encryption/decryption engine with said password;
      
      storing said encrypted key on said storage medium;
      
      in response to receiving said password, retrieving said encrypted key from said storage medium and decrypting said key with said password; and
      
      using said decrypted key, accessing and decrypting said data stored on said storage medium using said hardware encryption/decryption engine.
  - 10. The method of claim 9, wherein said decrypting said key is done in said hardware encryption/decryption engine.
  - 11. The method of claim 7, further comprising:
    - encrypting a given one of said one or more keys with a plurality of user supplied passwords to produce a corresponding plurality of encrypted keys, said plurality of passwords comprising a first password and a second password and said encrypted keys comprising a first encrypted key and a second encrypted key;
      
      storing said plurality of encrypted keys on said storage medium;
      
      in response to receiving said first password, retrieving said first encrypted key and decrypting it with said first password to produce said given key;
      
      using said given key decrypted from said first encrypted key, accessing and decrypting data stored in said storage medium;
      
      in response to receiving said second password, retrieving said second encrypted key and decrypting it with said second password to produce said given key; and
      
      using said given key decrypted from said second encrypted key, accessing and decrypting data stored in said storage medium.
  - 12. The method of claim 7, further comprising:
    - adding a first bit sequence to a given one of said one or more keys;
      
      encrypting said given key in said hardware encryption/decryption engine with a first password to produce a first encrypted key;
      
      adding a second bit sequence to said given key, said first bit sequence and second bit sequence being different from each other; and
      
      encrypting said given key in said hardware encryption/decryption engine with a second password to produce a second encrypted key, wherein said first encrypted key and said second encrypted key are different irrespective of said first password and said second password.
  - 13. The method of claim 12, further comprising:
    - storing said first encrypted key and said second encrypted key on said storage medium.
  - 14. The method of claim 13, further comprising:
    - in response to receiving said first password from said host system, retrieving said first encrypted key and decrypting it with said first password;
      
      discarding said first bit sequence after decrypting said first encrypted key to produce said given key; and
      
      using said given key decrypted from said first encrypted key, decrypting data stored on said storage medium.
  - 15. The method of claim 7, further comprising:
    - receiving a request from said program to encrypt data stored in main memory;
      
      receiving said data in said peripheral component;
      
      using said one or more keys, encrypting said data with said hardware encryption/decryption engine; and
      
      transferring said encrypted data to said main memory, wherein a hardware encryption application program interface (API) is provided to said program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NVIDIA Corporation
Original Assignee
NVIDIA Corporation
Inventors
Danilak, Radoslav
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
WILLIAMS, JEFFERY L

Application Number

US10/214,988
Time in Patent Office

3,856 Days
Field of Search

None
US Class Current

713/189
CPC Class Codes

G06F 21/602 Providing cryptographic fac...

G06F 21/79 in semiconductor storage me...

System and method for transparent disk encryption

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for transparent disk encryption

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links