Use of device driver to function as a proxy between an encryption capable tape drive and a key manager

US 7,882,354 B2
Filed: 09/07/2006
Issued: 02/01/2011
Est. Priority Date: 09/07/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A storage system comprising:

a host;

a storage device coupled to the host, the storage device interacting with storage media to store and retrieve information from the storage media, the storage device comprisingan encryption module, the encryption module enabling encryption and decryption of data stored on storage media; and

,a device driver executing on the host, the device driver checking for encryption related information from the storage device, the encryption related information being generated in response to a command issued by the host, when encryption related information is present, the device driver facilitating encryption independent of whether the host is encryption enable;

a key manager, the key manager serving keys to the storage device via the device driver; and

,a proxy, the proxy establishing a communication path between the storage device and the key manager to facilitate serving keys to the storage device, wherein the encryption related information comprises a status indication issued by the storage device indicating that an encryption operation is needed to be performed before the command can be executed by the storage device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A tape system is provided with an encryption capable tape drive and an encryption enabled tape drive device driver for the encryption capable tape drive. The encryption enabled tape drive device driver functions as a proxy which connects the encryption capable tape drive to a key manager which serves keys to the tape drive. When the encryption capable device driver causes a command to be sent to the drive, the tape drive is configured to respond with a message that is intended for a key manager such as an External Key Manager (EKM). The encryption capable device driver recognizes that this is a message intended for the EKM and forwards that message to the EKM (e.g., via an Internet Protocol (IP) connection). The EKM then responds to the key request by issuing a new key (for a new cartridge which is to be written from beginning of tape (BOT)) or an existing key (for a cartridge which needs to be read). The device driver connects all EKM responses to the encryption capable tape drive and the EKM from which the encryption capable tape drive obtains its keys.

17 Citations

View as Search Results

18 Claims

1. A storage system comprising:
- a host;
  
  a storage device coupled to the host, the storage device interacting with storage media to store and retrieve information from the storage media, the storage device comprisingan encryption module, the encryption module enabling encryption and decryption of data stored on storage media; and
  
  ,a device driver executing on the host, the device driver checking for encryption related information from the storage device, the encryption related information being generated in response to a command issued by the host, when encryption related information is present, the device driver facilitating encryption independent of whether the host is encryption enable;
  
  a key manager, the key manager serving keys to the storage device via the device driver; and
  
  ,a proxy, the proxy establishing a communication path between the storage device and the key manager to facilitate serving keys to the storage device, wherein the encryption related information comprises a status indication issued by the storage device indicating that an encryption operation is needed to be performed before the command can be executed by the storage device.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The storage system of claim 1 wherein:
    - the keys are served to the storage device via a push method.
  - 3. The storage system of claim 1 wherein:
    - the keys are served to the storage device via a pull method.
  - 4. The storage system of claim 1 wherein:
    - the command is issued by an application executing on the host.
  - 5. The storage system of claim 4 wherein:
    - the application comprises a backup program that transfers data to and from the storage device.
  - 6. The storage system of claim 1 wherein:
    - the storage device comprises a tape drive.

7. A storage device for interacting with storage media to store and retrieve information from the storage media comprising:
- an encryption module, the encryption module enabling encryption and decryption of data stored on storage media; and
  
  ,a controller coupled to the encryption module, the controller interacting with the encryption module to enable storage and retrieval of information to and from the storage media; and
  
  whereinthe storage device receives information from and transmits information to a device driver, the device driver checking for encryption related information from the storage device, the encryption related information being generated by the storage device in response to a command issued by the host, when encryption related information is present, the device driver facilitating encryption independent of whether the host is encryption enabled; and
  
  whereinthe device driver interacts with a key manager, the key manager serving keys to the storage device via the device driver; and
  
  ,the device driver interacts with a proxy, the proxy establishing a communication path between the storage device and the key manager to facilitate serving keys to the storage device, wherein the encryption related information comprises a status indication issued by the storage device indicating that an encryption operation is needed to be performed before the command can be executed by the storage device.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The storage device of claim 7 wherein:
    - the keys are served to the storage device via a push method.
  - 9. The storage device of claim 7 wherein:
    - the keys are served to the storage device via a pull method.
  - 10. The storage device of claim 7 wherein:
    - the command is issued by an application executing on the host.
  - 11. The storage device of claim 10 wherein:
    - the application comprises a backup program that transfers data to and from the storage device.
  - 12. The storage device of claim 7 wherein:
    - the storage device comprises a tape drive.

13. A method for facilitating encryption between an encryption enabled storage device and a host, the method comprising:
- issuing a command to the storage device;
  
  intercepting encryption related information generated by the storage device in response to the command;
  
  determining whether the encryption related information indicates that an encryption operation is needed to be performed before the command can be executed by the encryption enabled storage device;
  
  performing an encryption operation independent of whether the host is encryption enabled when the encryption related information indicates that the encryption operation is needed; and
  
  ,executing the command after the encryption operation has completed execution; and
  
  ,establishing a communication path between the encryption enabled storage device and the key manager via a proxy to facilitate serving keys to the storage device; and
  
  whereinthe intercepting is performed by an encryption enabled device driver; and
  
  ,the device driver communicates with a key manager, the key manager serving keys to the encryption enabled storage device via the device driver, wherein the encryption related information comprises a status indication issued by the storage device.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The method of claim 13 wherein:
    - the keys are served to the encryption enabled storage device via a push method.
  - 15. The method of claim 13 wherein:
    - the keys are served to the encryption enabled storage device via a pull method.
  - 16. The method of claim 13 wherein:
    - the command is issued by an application executing on the host.
  - 17. The method of claim 16 wherein:
    - the application comprises a backup program that transfers data to and from the encryption enabled storage device.
  - 18. The method of claim 13 wherein:
    - the storage device comprises a tape drive.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Jaquette, Glen A., Greco, Paul M.
Primary Examiner(s)
Simitoski; Michael J

Application Number

US11/470,731
Publication Number

US 20080065898A1
Time in Patent Office

1,608 Days
Field of Search

380/278, 707/204, 711/4, 713/193, 713/165
US Class Current

713/165
CPC Class Codes

G06F 21/6281   at program execution time, ...

G06F 21/80   in storage media based on m...

G06F 3/0623   in relation to content

G06F 3/0646   Horizontal data movement in...

G06F 3/0682   Tape device

Use of device driver to function as a proxy between an encryption capable tape drive and a key manager

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Use of device driver to function as a proxy between an encryption capable tape drive and a key manager

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links