Method and System for enabling Secure Erase for SW encryption using SED device service
Publication Date: 2016-Aug-22
The IP.com Prior Art Database
Method and system is disclosed for enabling secure erase for software encryption using SED device service.
Page 01 of 2
Method and System for enabling Secure Erase for SW encryption using SED device service Providing data at rest encryption is becoming a mandatory requirement for a storage system.
One of the fundamental requirement from this feature is the ability to provide "secure erase" function. A secure erase
function is a cryptographic quality erasure of the data written to storage. Commonly, SED devices implement secure erase, by encryption key replacement. In a SED device this is a completely secured operation, since the encryption key is always internal to the SED device and is tightly protected by the design of the SED hardware, with no dependency on
an external key or an origin of trust.
However, when implementing software encryption, the situation is different, there is no hardware support for encryption key protection. This means that prior to encryption enrolment with an external key server (e.g. TKLM), the encryption key is unprotected, or obscured at best (for example using a hard coded encryption key). This means that a software encryption solution, cannot on its own provide a truly secured secure erase, leaving data on storage with potential vulnerability.
The disclosed method and system makes use of basic secure erase function of the SED device as an underlining service for software encryption, thus taking advantage of the SED encryption key protection and still utilizing the flexibility and control of a software encryption solution.
The method provides an opti...