Fast Secure Erase method using Multi-Key Encryption for Logically-virtualized Data wihtout overwriting whole Physical Tape
Original Publication Date: 2009-Nov-12
Included in the Prior Art Database: 2009-Nov-12
AbstractDisclosed is a scheme for easily erasing of a virtual tape (a partial data set) on encrypted physical tape media. Several encryption keys corresponding to each virtual tape are defined and stored in a partition on the physical tape. Only erasing the key makes it possible that the virtual tape becomes junk data i.e. the virtual tape is erased.
Fast Secure Erase method using Multi -Key Encryption for Logically -virtualized Data wihtout overwriting whole Physical Tape
Disclosed is a scheme for easily erasing of a virtual tape (a partial data set) on encrypted physical tape media. Several encryption keys corresponding to each virtual tape are defined and stored in a partition on the physical tape. Only erasing the key makes it possible that the virtual tape becomes junk data i.e. the virtual tape is erased.
Secure erase for a sequential access media, for example tape media, has been carried out by writing random data over whole of the media. It has been difficult to erase only the given position on the media. For example, a virtual tape server stores several virtual tapes onto a physical tape. In order to erase a virtual tape on the physical tape, all of other data wanted to remain are copied to other physical tape then write random data over whole of the physical tape. However, increase of size of the data and physical tapes by resent technology causes the secure erase becomes serious time-consuming issue.
The tape drive has to prepare two new commands. One is VIRTUAL_TAPEMARK to mark the boundary of virtual tapes on the physical tape. Another is SECURE_VIRTUAL_TAPE_ERASE to delete partial data marked by VIRTUAL_TAPEMARK.The tape drive creates maximum number of new encryption keys when the physical tape is loaded as a scratch tape and writes them in the partition (key area) located at beginning of the physical tape. A virtual tape is written in another partition (data area) with encrypted by the key created on loading. When the tape drive gets SECURE_VIRTUAL_TAPE_ERASE command, the tape drive erase only the corresponding key in the key area. As a result, the virtual tape becomes the data which can not be decrypted because of no corresponding key, i.e. the virtual tape becomes junk data and it can be regarded as erased. On the other hand, the physical tape is looked as a normal tape since encryption key generation, encrypting, and decrypting are automatically done by the tape drive.
The figures below are pattern diagrams of physical tape format. The physical tape is partitioned with two area, key area and data area. The keys and offset indicating where the virtual tape is started for each virtual tape are stored in the key area. Assuming key and offset has 128 bit and 32 bit and 20,000 virtual tape can be written to a physical tape, 512 KB is enough for the key area. The key and the offset are assigned when the tape drive gets VIRTUAL_TAPEMARK command and saved them in key area then the virtual tape is written with encrypted by using the assigned key. For read process, tape drive gets the corresponding key from the key area then read it with decrypted by the key. To erase the virtual tape, tape drive only clears the corresponding key by 0. Since the key...