The current method of doing hardware tape encryption, and in the future, disk data encryption, requires that the entire volume be encrypted. This limitation poses a few problems since in many cases users will not require the entire data on a tape volume to be encrypted.
One of these problems is, when trying to recover complete systems where the tape device or the disk device needs to be IPL'd (Initial Program Load) or booted, the current procedure will require a non-encrypted tape or disk media device to be IPL'd or booted first to get enough of the operating system up and running to be able to interact with the key management system.
One drawback of the prior art is the requirement of having both an encrypted and non-encrypted tape volume. It is desirable to have even operating system data (such as supervisor passwords) to be encrypted. Additionally, media devices in servers today cannot IPL or boot an encrypted bootstrap program.
Another problem that this leads to is the fact that the users are required to purchase and manage more storage media devices, since the users don't have the ability to store both encrypted and non-encrypted data on the same storage device. One solution to this problem is just encrypting all data.
A drawback of this solution is that both encryption and decryption take time and may affect performance. It is desirable to only encrypt data that needs to be encrypted and not an entire volume each time.
U.S. Pat. No. 5,993,498 issued Aug. 3, 1999 to Schneck et al. for SYSTEM FOR CONTROLLING ACCESS AND DISTRIBUTION OF DIGITAL PROPERTY discloses a system for controlling access to data in which portions of the data are protected. FIGS. 20(b) and 21(b) show packaged data structures having non-secure regions 120, 122, 124 and an encrypted ancillary information region 126.
U.S. Pat. No. 6,336,187 B1 issued Jan. 1, 2002 to Kern et al. for STORAGE SYSTEM WITH DATA-DEPENDENT SECURITY discloses a host-independent storage facility that provides data-dependent security by storing a storage key in association with a storage region. In response to an application allocation command, the host issues a set-access-key command that identifies the protection type, the storage region to be protected, and the reference key to be used by the controller for gaining access to the associated region. Table 1 shows a storage use map that includes storage access region, reference access key, and operation parameter (write, read/write, no security). Allocated storage regions include disk sectors, disk tracks, disk “extents”, volumes, address ranges, blocks, tape tracks, files, datasets, etc. (col. 7/23-29).
U.S. Pat. No. 6,658,526 B2 issued Dec. 2, 2003 to Nguyen et al. for NETWORK ATTACHED VIRTUAL DATA STORAGE SUBSYSTEMS discloses a network attached virtual data storage subsystem in which the networked storage manager (NSM) manages the allocation, configuration and security; the NSM controls file access or volume access as well as implementing data encryption/decryption within the control blocks.
US Patent Application Publication US 2002/0111133 A1 published Aug. 15, 2002by Wittkotter for DATA PROCESSING APPLIANCE discloses a key management system for a data file system in which each file of a volume data file has an individual key. Access to a selected file requires both the file key and the volume key.
US Patent Application Publication US 2003/0070083 A1 published Apr. 10, 2003 by Nessler for METHOD AND DEVICE FOR ENCRYPTION/DECRYPTION OF DATA ON MASS STORAGE DEVICE discloses a hard disk device that is divided into several independent isolated storage areas. A master boot record (MBR) is stored in one of the independent isolated storage areas; each of the remaining areas stores encrypted data where each area uses a different, independent key.
US Patent Application Publication US 2006/0272027 A1 published Nov. 30, 2006 by Noble for SECURE ACCESS TO SEGMENT OF DATA STORAGE DEVICE AND ANALYZER discloses a data storage device that can include both a secure portion and an insecure portion. The storage device is partitioned into at least two partitions. The insecure portion may be traditionally partitioned and store encrypted data as desired (Par. 33). There can be multiple secure portions and multiple insecure portions of the data storage device (pars. 41 and 44).
Deltacrypt OneClick Encryption Software, published on Tucows Inc. (Jul. 3, 2003), www.archive.org/details/tucows—241817_Deltacrypt_OneClick_Encryption_Software describes a file encryption program with RSA protected keys. The user is able to encrypt any file format without volume restrictions.