The present invention relates to encryption of data stored by processor-based systems. In particular, it relates to encryption of data transmitted from a host computer to a target device such as a storage system, where the encryption is carried out in-line with the data channel and transparently to a user of the host computer.
As ever greater amounts of sensitive data are stored in storage systems that are subject both to physical compromise and to computer-based attacks, it becomes more important that data stored in such locations be secure in the case that physical control over the storage system is lost. Storing the data at an insecure site in an encrypted form allows the storage facility itself to be considered unclassified in certain circumstances, since the data will not be compromised if unauthorized access is gained.
Some current systems provide for essentially real-time encryption and decryption of the data as it is written to and retrieved from the storage system. One way to provide security for sensitive data is in-line encryption and decryption of the data, such as encryption of data as it is transmitted over a parallel bus from a host computer to a storage device. Such systems would be generally unsuitable for a serial-channel setting, where the required speed of encryption and related processing is very high, especially in systems that use protocols such as the Firewire® (IEEE 1394) standard or Ethernet protocols, such as Gigabit Ethernet.
Conventional systems encrypt transmitted data, which inhibits anyone intercepting the transmission from reading the data. However, there are other ways in which a computer user may engage in illicit activities. For instance, data may be transferred out of a secure location by embedding it in particular ways inside control or status headers. In addition, a user outside a secure system may mount an attack on the system by including address pointers or other disallowed data in the headers. Additionally, the pattern of data access may itself serve as a channel by which a device, such as a storage device, is made to send information to unauthorized observers.
A system is needed whereby transmission of data in a serial channel can be accomplished in-line and in real time, where the data and control information can be treated separately, both for encryption purposes and for handling various types of attacks and covert processes embedded in or achieved by the transmitted information.
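As an added illustration, not taken from the patent or any product it describes, the following Python applies that separation to a constructed frame format whose header layout, opcodes and address bound are assumed: the control header is validated in clear and rejected if it carries anything beyond the fields the protocol needs (reserved bits, mismatched lengths, out-of-range pointers, data in non-write frames), while only the separated payload is encrypted.

```python
import hashlib, hmac, struct

# Constructed 8-byte header, assumed for illustration (not the patent's format):
#   opcode:1 | reserved:1 | length:2 | address:4 (big-endian), then the payload
HDR = struct.Struct(">BBHI")
OPCODES = {0x01: "READ", 0x02: "WRITE", 0x03: "STATUS"}
MAX_BLOCK = 0x1000  # highest block address the policy permits (assumed)

def check_header(frame: bytes):
    """Validate the cleartext control header; return (ok, reason, fields).
    Reserved bits, bad lengths and out-of-range pointers are rejected because
    those are the places smuggled data or hostile addresses would be carried."""
    if len(frame) < HDR.size:
        return False, "short frame", None
    opcode, reserved, length, address = HDR.unpack_from(frame)
    payload = frame[HDR.size:]
    if opcode not in OPCODES:
        return False, "unknown opcode", None
    if reserved != 0:
        return False, "reserved field not zero", None
    if address >= MAX_BLOCK:
        return False, "address outside permitted range", None
    if length != len(payload):
        return False, "length field does not match payload", None
    if OPCODES[opcode] != "WRITE" and length != 0:
        return False, "data carried in a non-write frame", None
    return True, "ok", (opcode, address, payload)

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Illustrative HMAC-SHA256 counter keystream; real hardware would use a vetted AEAD.
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])

def protect(frame: bytes, key: bytes, seq: int) -> bytes:
    """Forward the validated header in clear; encrypt only the payload.
    `seq` must be unique per frame under a key (reuse repeats the keystream);
    calling protect() twice with the same seq restores the original frame."""
    ok, reason, fields = check_header(frame)
    if not ok:
        raise ValueError(reason)
    payload = fields[2]
    ks = keystream(key, seq.to_bytes(8, "big"), len(payload))
    return frame[:HDR.size] + bytes(a ^ b for a, b in zip(payload, ks))
```

The header stays readable to the storage system, which is what lets the device remain unmodified, while the policy check is what denies the header any use as a carrier for data or pointers.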
It would be advantageous to provide such a system which could be used in connection with existing storage systems, without alteration of the storage systems themselves.