Browse Prior Art Database

Method and System for enabling Secure Erase for SW encryption using SED device service

IP.com Disclosure Number: IPCOM000247320D
Publication Date: 2016-Aug-22
Document File: 2 page(s) / 35K

Publishing Venue

The IP.com Prior Art Database

Abstract

Method and system is disclosed for enabling secure erase for software encryption using SED device service.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 59% of the total text.

Page 01 of 2

Method and System for enabling Secure Erase for SW encryption using SED device service Providing data at rest encryption is becoming a mandatory requirement for a storage system.

One of the fundamental requirement from this feature is the ability to provide "secure erase" function. A secure erase

function is a cryptographic quality erasure of the data written to storage. Commonly, SED devices implement secure erase, by encryption key replacement. In a SED device this is a completely secured operation, since the encryption key is always internal to the SED device and is tightly protected by the design of the SED hardware, with no dependency on

an external key or an origin of trust.

However, when implementing software encryption, the situation is different, there is no hardware support for encryption key protection. This means that prior to encryption enrolment with an external key server (e.g. TKLM), the encryption key is unprotected, or obscured at best (for example using a hard coded encryption key). This means that a software encryption solution, cannot on its own provide a truly secured secure erase, leaving data on storage with potential vulnerability.

The disclosed method and system makes use of basic secure erase function of the SED device as an underlining service for software encryption, thus taking advantage of the SED encryption key protection and still utilizing the flexibility and control of a software encryption solution.

The method provides an opti...