Hardware-based full disk encryption

Abstract: A data processing system, circuit arrangement, and method to communicate data over a multi-channel serial communications interface: such as a PCI-express connection (14) using a dedicated encrypted virtual channel from among multiple virtual channels supported by the communications interface (14). Encryption for the dedicated encrypted virtual channel is provided by a hardware encryption circuit (34) that is coupled to the interface, such that encryption may be performed at a relatively low level, and with substantial protection from compromise, particularly along chip boundaries. In one particular application, access control may be provided for a digital data stream using a multi-chip access control scheme that relies on one chip (148) to provide access control over a received digital data stream, with another chip (150) utilized to process the digital data stram once authorized to do so. A secure, multi-channel serial communications interface between the multiple chips re-encrypts a digital data stream that has been decrypted on the access control chip (148) using hardware encryption logic (162) disposed on the access control chip (148), communicates the re-encrypted digital data steam over a dedicated encryption virtual channel supported by the multi-channel serial communications interface, and decrypts the re-encrypted digital data steam using hardware decryption logic (164) disposed on the other chip (150).

Abstract: Due to the sensitive and often personal nature of sensor data that many wireless sensor networks collect, the security of this data must be guaranteed. This is fast becoming an important concern for sensor networks which are finding applications in the military and home health domains. The best and often the only way to secure this data is to encrypt it using a secure encryption algorithm before it is transmitted over the air ways. Due to the constrained nature of the resources, memory and clock speeds, available on sensor nodes however, the cost, both in terms of power consumption and speed of encryption, of a software based encryption procedure can often outweigh the risks of the transmission being intercepted. This paper presents a solution to reduce this cost of employing encryption by taking advantage of a resource already available on many sensor nodes, including the Crossbow MICAz and MoteIV’s TmoteSKY; this resource being the AES encryption module available on the Chipcon CC2420 transceiver chip. The performance of using this method of securing data on a sensor network against using software implementations of some of the most popular cipher algorithms suitable for WSN is then analysed for both hardware platforms.

Abstract: A data security system for protecting data discs and like bulk storage devices. A hardware encryption circuit (21) is incorporated in the disc controller (5) by which a host computer (3) accesses a disc (1). The encryption circuit (21) is activated (27) by a key, consisting of a card (25) and an associated number code, to decode data read from the disc or to encode data written to it. The system may thus be made automatic, without the intrusion of software security programs run by the host computer. Operation of the encryption circuit is wholly transparent to the host computer and no modification of the operating system or system software is necessary. Furthermore, the existing standard interfaces (7,9) of the disc controller with the disc and the computer can continue to be used.

Abstract: Embodiments of the present invention provide a method and system, in a network storage system, for a remote key manager performing cryptographic operations upon a failure of a protected key manager, using a hardware encryption key (key) automatically migrated from the protected key manager. During initialization, the protected and remote key managers authenticate the communication channel (e.g. trustee link) between each other. A new key generated by dedicated hardware of the protected key manager is used by the protected key manager to perform cryptographic operations on data of a storage server. The remote key manager then requests and obtains the new key from the protected key manager across the trustee link. Upon a failure of the protected key manager, the remote key manager performs cryptographic operations on data of the storage server using the migrated key, ensuring accessibility and security of such data.