Browse Prior Art Database

Adding Dynamically Selectable Data Encryption to a Disk Subsystem

IP.com Disclosure Number: IPCOM000120076D
Original Publication Date: 1991-Mar-01
Included in the Prior Art Database: 2005-Apr-02
Document File: 3 page(s) / 103K

Publishing Venue

IBM

Related People

Bealkowski, R: AUTHOR [+2]

Abstract

This article describes a method and hardware enablement to provide as part of a disk controller the ability in hardware to encrypt/decrypt data based on a provided key.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 52% of the total text.

Adding Dynamically Selectable Data Encryption to a Disk Subsystem

      This article describes a method and hardware enablement
to provide as part of a disk controller the ability in hardware to
encrypt/decrypt data based on a provided key.

      Data stored on media, such as fixed disks or diskettes, is
normally in a standard, readable form.  A portion of the information
stored on computer systems can be sensitive and confidential.  This
confidential data is vulnerable since it can be easily read once it
is obtained.  A method to protect this information and render it
useless in the event that it is misappropriated is required.

      One method to protect information stored on a computer system
is to physically protect the entire computer system unit.  This
method is effective, but thefts can occur. Encrypting the stored data
is an effective means of protecting the information and is
independent of physical security.  However, encryption through
software methods alone is often time-consuming and cumbersome.

      For encryption to be an attractive and useable method of
protecting the stored data on a computer system, it must be very easy
to use and preferably transparent to the user. The primary means of
storing data on computers, such as personal workstations, is on a
fixed disk.  To protect the information stored on the fixed disk, a
hardware-assisted encryption mechanism will be added to a disk
subsystem.

      The encryption subsystem design must support the ability to
load a key, enable the subsystem, and disable the subsystem.  There
is no need to require that the entire disk be encrypted.  It is
possible that only certain, sensitive files be encrypted and that the
rest of the files, such as standard system utilities, not be
encrypted.  One way to achieve this is to extend the file-system
portion of an operating system to recognize "encrypted" as a file
attribute.

      Hardware logic can be added to a disk controller to selectively
perform encryption on data.  A functional block diagram of a disk
controller with an encryption subsystem added is shown in Fig. 1.  To
support encryption/decryption, a router and an...