Migrate Band Master Authentication Pin For Self Encrypting Drives Members of Array

IP.com Prior Art Database Disclosure
IP.com Disclosure Number: IPCOM000208332D
Publication Date: 04-Jul-2011

Publishing Venue

The IP.com Prior Art Database


Disclosed is a safe and efficient method to change the credentials required to access a Self Encrypting Drive. The solution allows a customer to change the band master key, as opposed to performing a full re-encryption of the drives.


English (United States)

Document File

3 pages / 25.9 KB

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 36% of the total text.



In a Self Encrypting Drive (SED) the band master encryption key controls access to the disk and unwraps the media encryption key, which is used to encrypt each sector of the drive. The Trusted Computing Group specification supports changing the media encryption key, which is referred to as "re-encryption" and essentially involves reading every sector on the drive, decrypting it, encrypting it with a new media encryption key, and writing it back to disk. Another form of rekey changes the band master encryption key, which merely changes the key used to unlock the drive and unwrap the media encryption key. This operation is relatively quick compared to re-encryption, as it requires no reads or writes to the locked customer data band.

In the device adapter there is a pin table, which contains an encryption Group Key (GK) from which the band master encryption key for each SED is derived. There are N encryption groups in the system; for each encryption group that is configured, a GK is defined in the pin table with a corresponding index into the table. Each drive stores an encryption group index in its metadata. The device adapter uses that encryption group index to determine which GK to use to derive the band master encryption key it sends to a locked SED. For example, if an SED has pin index 19 stored in its metadata and a GK is stored in the device adapter's pin table with pin index 19, that GK will be used to derive the band master encryption key sent to the SED to unlock it.

In addition, a Data Key (DK) is stored in encrypted form in a key repository (i.e., a file in an open operating system). At system bring-up time, the system communicates with a key server to decrypt the DK. The DK in clear text form is then used to decrypt the GK, which is also stored in the key repository in encrypted form. Next, the GK is passed to the device adapter along with the pin index, as described above, in order to unlock the self encrypting disks.

The disclosed invention provides a safe and efficient way to change the credentials required to access a Self Encrypting Drive. If a hacker determined the band master key, the solution provides a customer the ability to change it. It is preferable to a re-encryption solution because it does not require reading, decrypting, re-encrypting, and rewriting every sector on the disk.
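The key hierarchy and the two rekey options described above, modelled in Python as an added example (not code from the disclosure or from any vendor's firmware). The names `derive_band_master_key`, `wrap`/`unwrap` and the `SED` class, the HMAC-based derivation of the band master key from the GK and pin index, and the toy stream cipher standing in for the real primitives are all assumptions; the point it shows is that rotating the band master key only rewraps the media encryption key, while `reencrypt` must decrypt and rewrite every sector.

```python
import hashlib
import hmac
import os

def derive_band_master_key(group_key: bytes, pin_index: int) -> bytes:
    """Device-adapter step: band master key from the Group Key (GK) and the drive's pin index (assumed KDF)."""
    return hmac.new(group_key, b"band-master|%d" % pin_index, hashlib.sha256).digest()

def _xor_stream(key: bytes, label: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-derived keystream bound to label (toy cipher; encrypt == decrypt)."""
    stream = b"".join(hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(0, len(data), 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(kek: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC wrap of secret under kek: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(kek, nonce, secret)
    return nonce + ct + hmac.new(kek, nonce + ct, hashlib.sha256).digest()

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("band master key rejected")
    return _xor_stream(kek, nonce, ct)

class SED:
    """Customer data band: sectors encrypted under the MEK; the MEK kept wrapped by the band master key."""
    def __init__(self, band_master: bytes, sector_count: int):
        mek = os.urandom(32)
        self.wrapped_mek = wrap(band_master, mek)
        self.sectors = [_xor_stream(mek, b"lba%d" % i, b"sector-%03d" % i) for i in range(sector_count)]

    def read(self, band_master: bytes, lba: int) -> bytes:
        mek = unwrap(band_master, self.wrapped_mek)  # wrong credential raises PermissionError
        return _xor_stream(mek, b"lba%d" % lba, self.sectors[lba])

    def rekey_band_master(self, old_bm: bytes, new_bm: bytes) -> int:
        """The disclosure's rotation: rewrap the MEK under the new credential. Returns sectors rewritten."""
        self.wrapped_mek = wrap(new_bm, unwrap(old_bm, self.wrapped_mek))
        return 0  # no sector of the customer data band is read or written

    def reencrypt(self, band_master: bytes) -> int:
        """Contrast: replacing the MEK itself must decrypt and rewrite every sector."""
        old_mek, new_mek = unwrap(band_master, self.wrapped_mek), os.urandom(32)
        for lba, ct in enumerate(self.sectors):
            self.sectors[lba] = _xor_stream(new_mek, b"lba%d" % lba, _xor_stream(old_mek, b"lba%d" % lba, ct))
        self.wrapped_mek = wrap(band_master, new_mek)
        return len(self.sectors)
```

After a group rekey the drive still returns the same sector contents under the new band master key and rejects the old one, without any sector having been rewritten.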

This disclosure documents an algorithm for an encryption group rekey. The objective is to change the Customer Data Band Credential on every drive in an encryption group. It could also be used to enable encryption on a machine with encryption-capable drives previously run in non-encrypting mode (i.e., belonging to encryption group 0). While there may be some attack vectors associated with this support, the security vector could be fought by saying Key Repository Manager or Device Adapter Firmware will n...
