A. Technical Field
This invention relates generally to data security in computer systems, and more particularly, to the encryption of data stored in mass storage devices.
B. Background of the Invention
Computer data may be stored in various types of memory devices such as mass storage devices, personal computers, and other personal storage devices like personal digital assistants (“PDAs”) and compact flash memory devices. The security of the data stored on these devices is a concern due to the increasing frequency of data hacking and of theft of computer equipment and the data thereon. For example, large storage systems often contain very valuable information but may also have numerous points of entry that may potentially allow an unauthorized individual to hack into the system and access this information. Additionally, people are increasingly maintaining personal information on their computers, PDAs and other mobile devices. If these devices are lost or stolen, this information may be easily retrieved and used unless it is sufficiently protected.
In light of these issues, protecting the data stored in these different types of devices is becoming increasingly important. Various approaches currently being considered and implemented attempt to improve the security of data stored on these devices. One such approach is storing the data in an encrypted format within these storage devices so that the encrypted data may only be read by first recovering the original data through one or more decryption procedures.
Encryption chips, blocks and other devices may use a number of different encryption techniques to encrypt data stored on drives. For example, the Data Encryption Standard (“DES”) was commonly used within the industry for multiple encryption needs, including communications, but has been replaced by the advent of Internet Protocol Security (“IPsec”). IPsec is a standard for securing Internet Protocol (“IP”) communications by encrypting and/or authenticating the IP packets within a data stream. IPsec incorporates a number of the previous encryption standards, including DES and the Advanced Encryption Standard (“AES”), and includes random number generators or key exchange algorithms that improve data security. Encryption chips that support IPsec for communications encryption may provide more services than are required for protecting data at rest, as specified by a standard such as IEEE Project 1619. Project 1619 incorporates the use of the AES standard.
Storage drive providers are starting to provide data encryption processes that operate on their drives by encrypting data at one or more disk drives. In particular, disk drive manufacturers are performing encryption within the drives that store the particular data. This approach significantly improves the security of data but also presents shortcomings in encrypting data across large storage systems having interoperable drives, such as a Redundant Array of Independent Disks (“RAID”) storage system. The complexity, scalability and interaction between the disks within these systems make data encryption at the disks very difficult and inefficient. Another technique that is currently being implemented is encrypting data at a host system within a mass storage system.
FIG. 1 illustrates an exemplary layout of a mass storage system 100 that stores data on a plurality of disk drives 105. The system 100 has a host 101, a plurality of controllers 103 and expanders 104 that interface with the plurality of drives 105. A general-purpose encryption device 102 is also shown in the host system 101. The data is received at the host system 101 and encrypted through the encryption device 102 before it is sent to the main drives or memories 105. There may also be a number of expanders connected to the drives 105 through which the data travels in or out of the mass storage system 100.
The cost of the general-purpose encryption device 102 varies depending on the rate at which data is encrypted. For example, if the encryption device 102 encrypts data at a low speed of about 1 GB/sec, then it is relatively inexpensive. However, if the encryption device 102 encrypts data at a high speed of about 10 GB/sec, then it is moderately expensive. Currently, there are very few encryption devices that are able to operate at 40 GB/sec, and they are extremely expensive.
Positioning general-purpose encryption chips within the host system 100 or between the host system 100 and the controllers 103 may create a bottleneck within the storage system because of bandwidth mismatches. For instance, an encryption chip operating at a rate of 10 GB/sec may efficiently operate within a system of a few drives. However, as the number of drives within the system increases, the bandwidth demands on the encryption chip increase, which may effectively overburden its processing power. As a result, the performance of the system may significantly decline as data waits to be encrypted or decrypted at the general-purpose encryption chip. In addition, the use of a general-purpose encryption chip may also present power issues, as it is the exclusive location in which data is being encrypted and decrypted.