Removable circuit for unlocking self-encrypting data storage devices

US 9,768,952 B1
Filed: 09/22/2015
Issued: 09/19/2017
Est. Priority Date: 09/22/2015
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a circuit configured to;

connect to be removable from a first server via physical and electrical connections to the first server without physically modifying the first server, and disconnect from the first server without physically modifying the first server;

transmit, from the first server to a second server, a request for an encryption key corresponding to data storage device (“

DSD”

) coupled to the first server;

determine a unique identifier corresponding to the DSD;

provide the unique identifier corresponding to the DSD to the second server; and

receive the encryption key from the second server and provide the encryption key to the DSD to unlock the DSD;

unlock the DSD with the encryption key;

determine if there is an unregistered DSD coupled to the first server, an unregistered DSD is a DSD that does not have a corresponding encryption key stored in the second server;

obtain a unique identifier from the unregistered DSD;

provide the unique identifier and a request for an encryption key to the second server;

receive the encryption key from the second server; and

lock the unregistered DSD with the encryption key to register the unregistered DSD.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data storage devices (“DSDs”) can be cryptographically locked, and may be unlocked with encryption keys. One or more encryption keys may be stored remotely in a key server, and may be retrieved by a removable circuit that can be coupled to a server, such as a data server, email server, file system server, other server, or other system. The removable circuit can determine which of the DSDs are locked, and may transmit a request to the key server for encryption keys corresponding to the locked DSDs. The removable circuit can unlock the locked DSDs with the encryption keys provided by the key server.

Citations

16 Claims

1. An apparatus comprising:
- a circuit configured to;
  
  connect to be removable from a first server via physical and electrical connections to the first server without physically modifying the first server, and disconnect from the first server without physically modifying the first server;
  
  transmit, from the first server to a second server, a request for an encryption key corresponding to data storage device (“
  
  DSD”
  
  ) coupled to the first server;
  
  determine a unique identifier corresponding to the DSD;
  
  provide the unique identifier corresponding to the DSD to the second server; and
  
  receive the encryption key from the second server and provide the encryption key to the DSD to unlock the DSD;
  
  unlock the DSD with the encryption key;
  
  determine if there is an unregistered DSD coupled to the first server, an unregistered DSD is a DSD that does not have a corresponding encryption key stored in the second server;
  
  obtain a unique identifier from the unregistered DSD;
  
  provide the unique identifier and a request for an encryption key to the second server;
  
  receive the encryption key from the second server; and
  
  lock the unregistered DSD with the encryption key to register the unregistered DSD.
- View Dependent Claims (2, 3, 4)
- - 2. The apparatus of claim 1 further comprising:
    - the circuit configured to;
      
      provide an error indicator when the DSD is not unlocked.
  - 3. The apparatus of claim 1 further comprising:
    - the circuit configured to;
      
      determine if there is a registered DSD to be unregistered coupled to the first server;
      
      obtain a unique identifier from the registered DSD to be unregistered;
      
      provide the unique identifier and a request for an encryption key to the second server;
      
      receive the encryption key from the second server;
      
      unlock the registered DSD to be unregistered with the encryption key to unregister the DSD;
      
      erase the unregistered DSD; and
      
      transmit a command to the second server to remove the unique identifier and the encryption key from the second server.
  - 4. The apparatus of claim 1 further comprising:
    - the circuit configured to;
      
      determine if there is a DSD registration to modify corresponding to a DSD coupled to the first server;
      
      obtain a unique identifier from the DSD;
      
      provide the unique identifier and a request for an encryption key to the second server;
      
      receive the encryption key from the second server;
      
      unlock the DSD with the encryption key;
      
      provide the unique identifier and a request for another encryption key to the second server;
      
      receive the another encryption key from the second server; and
      
      lock the DSD with the another encryption key.

5. A system comprising:
- a management device configured to be connectable and removable from a first server via physical and electrical connections to the first server without physically modifying the first server, and disconnect from the first server without physically modifying the first server, the management device including;
  
  an interface circuit;
  
  a memory including executable instructions that, when executed by a processor, cause the processor to;
  
  perform an unlock process including;
  
  determine a unique identifier corresponding to a data storage device (“
  
  DSD”
  
  ) coupled to the first server via the interface circuit;
  
  transmit to a second server the unique identifier corresponding to the DSD and a request for an encryption key corresponding to the unique identifier;
  
  receive the encryption key from the second server and provide the encryption key to the DSD to unlock the DSD;
  
  unlock the DSD with the encryption key;
  
  perform a registration process including;
  
  determine if there is an unregistered DSD coupled to the first server, an unregistered DSD is a DSD that does not have a corresponding encryption key stored in the second server;
  
  obtain a unique identifier from the unregistered DSD;
  
  provide the unique identifier and a request for an encryption key to the second server;
  
  receive the encryption key from the second server; and
  
  lock the unregistered DSD with the encryption key.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13)
- - 6. The system of claim 5 further comprising:
    - the memory includes instructions that, when executed by the processor, cause the processor to load a storage driver into a server memory of the first server to allow the processor to access instructions in the memory.
  - 7. The system of claim 5 further comprising:
    - the memory includes a list of DSDs, where the DSDs are coupled to the first server and instructions that, when executed by the processor, cause the processor to request encryption keys from the second server corresponding to the DSDs on the list.
  - 8. The system of claim 5 further comprising:
    - the memory includes instructions that, when executed by the processor, cause the processor to determine if the DSD has been unlocked; and
      
      provide an error indicator when the DSD has not been unlocked.
  - 9. The system of claim 5 further comprising:
    - the memory includes instructions that, when executed by the processor, cause the processor to establish a secure communication channel between the management device and the second server.
  - 10. The system of claim 5 further comprising:
    - the first server includes a unified extensible firmware interface (“
      
      UEFI”
      
      ) basic input/output system (“
      
      BIOS”
      
      ); and
      
      the management device is coupled to the UEFI BIOS.
  - 11. The system of claim 10 further comprising:
    - the first server includes the processor;
      
      the processor configured to process instructions in the UEFI BIOS, causing the processor to;
      
      load a storage driver from the management device into a server memory of the first server to allow the processor to access instructions in the memory;
      
      process the instructions in the memory to;
      
      determine the unique identifier corresponding to the DSD coupled to the first server;
      
      transmit the request to the second server for the encryption key corresponding to the unique identifier; and
      
      provide the encryption key to the DSD to unlock the DSD.
  - 12. The system of claim 5 further comprising:
    - the management device is configured to be connected and removed from the first server while the first server is powered on.
  - 13. The system of claim 5 further comprising:
    - the management device is located outside of the first server; and
      
      the management device is physically connected and disconnected from the first server via an external interface without physically modifying the first server.

14. A method comprising:
- determining an unique identifier corresponding to a data storage device (“
  
  DSD”
  
  ) coupled to a first server;
  
  transmitting from a circuit to a second server the unique identifier corresponding to the DSD and a request for an encryption key corresponding to the unique identifier, where the circuit is configured to be connectable and removable from the first server via physical and electrical connections to the first server without physically modifying the first server, and disconnect from the first server without physically modifying the first server;
  
  receiving the encryption key from the second server;
  
  providing the encryption key to the DSD to unlock the DSD;
  
  unlocking the DSD with the encryption key;
  
  determining if there is an unregistered DSD coupled to the first server, an unregistered DSD is a DSD that does not have a corresponding encryption key stored in the second server;
  
  obtaining a unique identifier for the unregistered DSD;
  
  providing the unique identifier and a request for an encryption key to the second server;
  
  receiving the encryption key from the second server; and
  
  locking the unregistered DSD with the encryption key to register the unregistered DSD.
- View Dependent Claims (15, 16)
- - 15. The method of claim 14 further comprising:
    - powering on the first server; and
      
      determining if a unified extensible firmware interface (“
      
      UEFI”
      
      ) basic input/output system (“
      
      BIOS”
      
      ) in the first server includes function calls to unlock the DSD.
  - 16. The method of claim 15 further comprising:
    - when the UEFI BIOS includes function calls to unlock the DSD;
      
      loading a storage driver corresponding to a management circuit into a memory of the first server;
      
      initiating a secure connection with the second server;
      
      requesting the encryption key from the second server;
      
      unlocking the DSD with the encryption key; and
      
      providing an error indicator when the DSD does not unlock.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Seagate Technology LLC (Seagate Technology Holdings Plc)
Original Assignee
Seagate Technology LLC (Seagate Technology Holdings Plc)
Inventors
Allo, Christopher, Biswas, Saheb
Primary Examiner(s)
Le, Chau
Assistant Examiner(s)
CHAUDHRY, MUHAMMAD U

Application Number

US14/862,128
Time in Patent Office

728 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/575   Secure boot

G06F 21/80   in storage media based on m...

H04L 9/083   involving central third par...

Removable circuit for unlocking self-encrypting data storage devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Removable circuit for unlocking self-encrypting data storage devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links