1. Field of the Invention
The present invention relates to encrypting data held by data storage devices.
2. Background Art
Protecting data from unauthorized access is becoming increasingly important. Both the amount and kinds of data generated and requiring protection continue to increase. Moreover, attacks by those not authorized to access the data grow in frequency and sophistication. An emerging need is for the encryption of data held in storage devices, referred to as “at-rest data encryption.”
Encryption is accomplished through the use of encryption keys. Depending upon the encryption process used, possession of one or more keys allows encrypted data to be decrypted. For simplicity, the term encrypt (or its variants) will be used to refer to any aspect of the encryption process, including decrypting. Care must be taken to ensure that such encryption keys are only provided to systems and/or users with the proper authority.
Other than in very simple encryption implementations, which may use fixed keys in each storage device, a practical encrypting data storage system may involve multiple storage devices whose encryption keys are assigned and controlled by a user through some form of key management equipment and process, such as a key management station. For increased security, key management stations are typically physically separate from data storage networks and storage devices. This raises the problem of how to convey keys from the key management station to the encrypting device in a convenient manner that prohibits or reduces the chance of an attacker intercepting and reading the transaction.
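The two preceding paragraphs describe at-rest encryption in terms of keys (possession of the data encryption key is what allows decryption) and the problem of conveying such keys from a key management station to a storage device without an interceptor being able to read them. The following is an added illustration, not code from the patent or from any product it describes. It assumes a device-resident key-encryption key (KEK) provisioned out of band, under which the station wraps the per-device data encryption key (DEK) with AES-256-GCM before transport; the device ID used as associated data, the `seal`/`open` helpers and the `Demo` function are all constructed for this example, as is the sample data block.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// randomKey returns a fresh 256-bit key from the OS CSPRNG.
func randomKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// seal encrypts plaintext under key with AES-256-GCM and prepends the random
// nonce; aad is authenticated but not encrypted (e.g. a device identifier).
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails unless the same key and aad are supplied,
// so a holder of the ciphertext alone learns nothing.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Result records what the walk-through established.
type Result struct {
	DataRecovered       bool // device reads its data back with the unwrapped DEK
	WrongKeyRejected    bool // a different key cannot decrypt the at-rest data
	InterceptorRejected bool // the wrapped DEK seen in transit is useless without the KEK
}

// Demo walks through key conveyance and at-rest encryption (constructed scenario).
func Demo() (Result, error) {
	var r Result
	kek, err := randomKey() // assumption: shared out of band between station and device
	if err != nil {
		return r, err
	}
	dek, err := randomKey() // generated and controlled at the key management station
	if err != nil {
		return r, err
	}
	deviceID := []byte("device-serial-PLACEHOLDER") // placeholder identifier
	// Station: wrap the DEK for transport, binding it to the intended device.
	wrapped, err := seal(kek, dek, deviceID)
	if err != nil {
		return r, err
	}
	// Interceptor: holds the transport blob but not the KEK.
	junk, err := randomKey()
	if err != nil {
		return r, err
	}
	if _, err := open(junk, wrapped, deviceID); err != nil {
		r.InterceptorRejected = true
	}
	// Device: unwrap the DEK and use it for at-rest encryption.
	unwrapped, err := open(kek, wrapped, deviceID)
	if err != nil || !bytes.Equal(unwrapped, dek) {
		return r, errors.New("device failed to unwrap DEK")
	}
	record := []byte("constructed sample block of user data")
	location := []byte("lba:0") // constructed block address used as associated data
	atRest, err := seal(unwrapped, record, location)
	if err != nil {
		return r, err
	}
	got, err := open(unwrapped, atRest, location)
	r.DataRecovered = err == nil && bytes.Equal(got, record)
	if _, err := open(junk, atRest, location); err != nil {
		r.WrongKeyRejected = true
	}
	return r, nil
}

func main() {
	r, err := Demo()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

The point of the walk-through is the one the background states: whoever holds the DEK can read the data, and whoever does not (the interceptor, the wrong-key reader) gets an authentication failure rather than plaintext, so protecting the DEK in transit and on the device is what the rest of the system must achieve.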
One method for conveying keys is to write the keys onto smart cards. This method has several disadvantages, including limited ability to provide on-board encryption processing, limited or no ability to indicate status, and a higher likelihood of loss or theft owing to the cards' small size and storage medium.
What is needed are improved techniques for conveying encryption keys and other information between key management equipment and encrypting data storage devices.