System and method for general purpose encryption of data

US 8,930,713 B2
Filed: 03/10/2010
Issued: 01/06/2015
Est. Priority Date: 03/10/2010
Status: Active Grant

First Claim

Patent Images

1. An information handling system, comprising:

a processor;

a memory communicatively coupled to the processor;

a storage resource communicatively coupled to the processor, the storage resource having a sealed encryption key that is unique to the storage resource and associated only with the storage resource;

an encryption accelerator communicatively coupled to the processor, the encryption accelerator configured to;

encrypt and decrypt information in accordance with a plurality of cryptographic functions;

receive an authorized command from the processor to perform an encryption or decryption task upon data associated with an input/output operation from the storage resource, the authorized command is authenticated based on the unique sealed encryption key and includes a designation of a particular one of the plurality of cryptographic functions to be used in connection with the encryption or decryption task, the unique sealed encryption key is read access disabled; and

in response to receiving the authorized command, load the unique sealed encryption key and encrypt or decrypt the data associated with the input/output operation based on the unique sealed encryption key and the particular one of the plurality of cryptographic functions;

a cryptoprocessor communicatively coupled to the processor and the encryption accelerator, the cryptoprocessor configured to unwrap the unique sealed encryption key for use in connection with the encryption or decryption task; and

an encryption status module stored in the memory and configured to;

determine an encryption status of a volume of the storage resource; and

store a variable indicating a portion of the volume that has been encrypted or decrypted and whether the volume is partially encrypted or decrypted.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for reducing problems and disadvantages associated with traditional approaches to encryption and decryption of data are provided. An information handling system may include a processor, a memory communicatively coupled to the processor, and an encryption accelerator communicatively coupled to the processor. The encryption accelerator may be configured to encrypt and decrypt information in accordance with a plurality of cryptographic functions, receive a command from the processor to perform an encryption or decryption task upon data associated with an input/output operation, and in response to receiving the command, encrypt or decrypt the data associated with the input/output operation based on a particular one of the plurality of cryptographic functions.

Citations

13 Claims

1. An information handling system, comprising:
- a processor;
  
  a memory communicatively coupled to the processor;
  
  a storage resource communicatively coupled to the processor, the storage resource having a sealed encryption key that is unique to the storage resource and associated only with the storage resource;
  
  an encryption accelerator communicatively coupled to the processor, the encryption accelerator configured to;
  
  encrypt and decrypt information in accordance with a plurality of cryptographic functions;
  
  receive an authorized command from the processor to perform an encryption or decryption task upon data associated with an input/output operation from the storage resource, the authorized command is authenticated based on the unique sealed encryption key and includes a designation of a particular one of the plurality of cryptographic functions to be used in connection with the encryption or decryption task, the unique sealed encryption key is read access disabled; and
  
  in response to receiving the authorized command, load the unique sealed encryption key and encrypt or decrypt the data associated with the input/output operation based on the unique sealed encryption key and the particular one of the plurality of cryptographic functions;
  
  a cryptoprocessor communicatively coupled to the processor and the encryption accelerator, the cryptoprocessor configured to unwrap the unique sealed encryption key for use in connection with the encryption or decryption task; and
  
  an encryption status module stored in the memory and configured to;
  
  determine an encryption status of a volume of the storage resource; and
  
  store a variable indicating a portion of the volume that has been encrypted or decrypted and whether the volume is partially encrypted or decrypted.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The information handling system according to claim 1, wherein the plurality of cryptographic functions includes at least one of an encryption algorithm, an algorithm mode, a cryptographic hash, and a sign function.
  - 3. The information handling system according to claim 1, wherein the designation of the particular one of the plurality of cryptographic functions to be used in connection with the encryption or decryption task is based on at least one of:
    - a user associated with the information handling system, a port to which the storage resource associated with the input/output operation is coupled, a type of the storage resource associated with the input/output operation, a manufacturer of the storage resource associated with the input/output operation, a model of the storage resource associated with the input/output operation, a serial number of the storage resource associated with the input/output operation, a logical path of the storage resource associated with the input/output operation, and any other characteristic of the storage resource associated with the input/output operation.
  - 4. The information handling system according to claim 1, wherein the cryptoprocessor comprises a Trusted Platform Module.
  - 5. The information handling system according to claim 1, wherein the unique sealed encryption key loaded is based on at least one of:
    - a user associated with the information handling system, a port to which the storage resource associated with the input/output operation is coupled, a type of the storage resource associated with the input/output operation, a manufacturer of the storage resource associated with the input/output operation, a model of the storage resource associated with the input/output operation, a serial number of the storage resource associated with the input/output operation, a logical path of the storage resource associated with the input/output operation, and any other characteristic of the storage resource associated with the input/output operation.

6. A method for encryption and decryption of data, comprising:
- receiving an authorized command by an encryption accelerator to perform an encryption or decryption task upon data associated with an input/output operation from a storage resource, the storage resource having a sealed encryption key that is unique to the storage resource and associated only with the storage resource;
  
  unwrapping the unique sealed encryption key by a cryptoprocessor communicatively coupled to the encryption accelerator;
  
  authenticating the authorized command based on the unique sealed encryption key, the unique sealed encryption key is read access disabled, the authorized command designating a particular one of a plurality of cryptographic functions stored on the encryption accelerator;
  
  in response to receiving the authorized command, loading the unique sealed encryption key;
  
  encrypting or decrypting the data associated with the input/output operation based on the unique sealed encryption key and the particular one of the plurality of cryptographic functions;
  
  determining an encryption status of a volume of the storage resource; and
  
  storing a variable indicating a portion of the volume that has been encrypted or decrypted and whether the volume is partially encrypted or decrypted.
- View Dependent Claims (7, 8, 9)
- - 7. The method according to claim 6, wherein the plurality of cryptographic functions includes at least one of an encryption algorithm, an algorithm mode, a cryptographic hash, and a sign function.
  - 8. The method according to claim 6, wherein the designation of the particular one of the plurality of cryptographic functions to be used in connection with the encryption or decryption task is based on at least one of:
    - a user associated with an information handling system, a port to which the storage resource associated with the input/output operation is coupled, a type of the storage resource associated with the input/output operation, a manufacturer of the storage resource associated with the input/output operation, a model of the storage resource associated with the input/output operation, a serial number of the storage resource associated with the input/output operation, a logical path of the storage resource associated with the input/output operation, and a file type of the data to be encrypted or decrypted.
  - 9. The method according to claim 6, wherein the unique sealed encryption key loaded is based on at least one of:
    - a user associated with the information handling system, a port to which the storage resource associated with the input/output operation is coupled, a type of the storage resource associated with the input/output operation, a manufacturer of the storage resource associated with the input/output operation, a model of the storage resource associated with the input/output operation, a serial number of the storage resource associated with the input/output operation, a logical path of the storage resource associated with the input/output operation, and a file type of the data to be encrypted or decrypted.

10. An encryption accelerator, comprising:
- a non-transitory computer-readable medium; and
  
  computer-executable instructions stored on the non-transitory computer-readable medium, the instructions readable by the encryption accelerator, the instructions, when read and executed, for causing the encryption accelerator to;
  
  encrypt and decrypt information in accordance with a plurality of cryptographic functions;
  
  receive an authorized command from a processor to perform an encryption or decryption task upon data associated with an input/output operation from a storage resource, the storage resource having a sealed encryption key that is unique to the storage resource and associated only with the storage resource, the authorized command authenticated based on the unique sealed encryption key, the unique sealed encryption key is read access disabled;
  
  receive a designation of a particular one of the plurality of cryptographic functions to be used in connection with the encryption or decryption task; and
  
  in response to receiving the authorized command, load the unique sealed encryption key and encrypt or decrypt the data associated with the input/output operation based on the unique sealed encryption key and a particular one of the plurality of cryptographic functions; and
  
  determine an encryption status of a volume of the storage resource and store a variable indicating a portion of the volume that has been encrypted or decrypted and whether the volume is partially encrypted or decrypted.
- View Dependent Claims (11, 12, 13)
- - 11. The encryption accelerator according to claim 10, wherein the instructions for causing the encryption accelerator to encrypt and decrypt information in accordance with the plurality of cryptographic functions includes at least one of an encryption algorithm, an algorithm mode, a cryptographic hash, and a sign function.
  - 12. The encryption accelerator according to claim 10, wherein the designation of the particular one of the plurality of cryptographic functions to be used in connection with the encryption or decryption task is based on at least one of:
    - a user associated with an information handling system, a port to which the storage resource associated with the input/output operation is coupled, a type of the storage resource associated with the input/output operation, a manufacturer of the storage resource associated with the input/output operation, a model of the storage resource associated with the input/output operation, a serial number of the storage resource associated with the input/output operation, a logical path of the storage resource associated with the input/output operation, and a file type of the data to be encrypted or decrypted.
  - 13. The encryption accelerator according to claim 10, wherein the unique sealed encryption key loaded is based on at least one of:
    - a user associated with an information handling system, a port to which the storage resource associated with the input/output operation is coupled, a type of the storage resource associated with the input/output operation, a manufacturer of the storage resource associated with the input/output operation, a model of the storage resource associated with the input/output operation, a serial number of the storage resource associated with the input/output operation, a logical path of the storage resource associated with the input/output operation, and a file type of the data to be encrypted or decrypted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dell Products LP (Dell Technologies Inc.)
Original Assignee
Dell Products LP (Dell Technologies Inc.)
Inventors
Stufflebeam, Kenneth W. Jr., Kopp, Michele
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
CHANG, KENNETH W

Application Number

US12/721,334
Publication Number

US 20110225431A1
Time in Patent Office

1,763 Days
Field of Search

713/190
US Class Current

713/190
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 21/575   Secure boot

G06F 21/62   Protecting access to data v...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 21/71   to assure secure computing ...

G06F 21/72   in cryptographic circuits

G06F 2212/1052   Security improvement

H04L 9/14   using a plurality of keys o...

System and method for general purpose encryption of data

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for general purpose encryption of data

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links