G06F12/1408

Secondary storage editor

Systems and methods for storage pruning can enable users to delete, edit, or copy backed up data that matches a pattern. Storage pruning can enable fine-grain deletion or copying of these files from backups stored in secondary storage devices. Systems and methods can also enable editing of metadata associated with backups so that when the backups are restored or browsed, the logical edits to the metadata can then be performed physically on the data to create a custom restore or a custom view. A user may perform operations such as renaming, deleting, modifying flags, and modifying retention policies on backed up items. Although the underlying data in the backup may not change, the view of the backup data when the user browses the backup data can appear to include the user's changes. A restore of the data can cause those changes to be performed on the backup data.
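The overlay mechanism described in this abstract, as an added example that is not the patent's or any vendor's code: a written backup is held immutable, logical edits (pattern-based pruning, rename, flags, retention) are recorded against it, and the same edit log is replayed either to build a browse view or to drive a restore. The item fields, the operation names and the wildcard pattern syntax are assumptions, and the sample backup is constructed inline.

```python
import fnmatch
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class BackupItem:
    """Assumed shape of a backed-up item in the catalog."""
    path: str
    data: bytes
    flags: frozenset = frozenset()
    retention_days: int = 30


class Backup:
    """A written backup is immutable; its catalog is only ever read."""

    def __init__(self, items):
        self._catalog = {item.path: item for item in items}

    def catalog(self):
        return dict(self._catalog)  # copy, so callers cannot mutate the backup


class EditOverlay:
    """Logical edits recorded in order and replayed on browse or restore.
    Nothing in the underlying backup changes."""

    def __init__(self):
        self.ops = []

    def delete(self, path):
        self.ops.append(("delete", path, None))

    def rename(self, path, new_path):
        self.ops.append(("rename", path, new_path))

    def set_flag(self, path, flag):
        self.ops.append(("flag", path, flag))

    def set_retention(self, path, days):
        self.ops.append(("retention", path, days))

    def prune(self, backup, pattern):
        """Storage pruning: log a delete for every item whose path matches pattern
        (e.g. a dropper that landed in every nightly snapshot)."""
        for path in backup.catalog():
            if fnmatch.fnmatch(path, pattern):
                self.delete(path)

    def apply(self, catalog):
        """Replay the edit log over a catalog copy and return the edited view."""
        view = dict(catalog)
        for op, path, arg in self.ops:
            if path not in view:
                continue  # stale edit: item already deleted or renamed away
            item = view.pop(path)
            if op == "delete":
                continue
            if op == "rename":
                view[arg] = replace(item, path=arg)
            elif op == "flag":
                view[path] = replace(item, flags=item.flags | {arg})
            elif op == "retention":
                view[path] = replace(item, retention_days=arg)
        return view


def browse(backup, overlay):
    """Custom view: edits applied logically; the backup itself is untouched."""
    return overlay.apply(backup.catalog())


def restore(backup, overlay):
    """Custom restore: the same edits performed physically on the restored data.
    Returns path -> bytes; a real restore would write these to the target."""
    return {path: item.data for path, item in overlay.apply(backup.catalog()).items()}


def sample_backup():
    """Constructed sample catalog (not real backup data)."""
    return Backup([
        BackupItem("docs/report.txt", b"quarterly numbers"),
        BackupItem("tools/dropper.exe", b"MZ\x90\x00 constructed dropper"),
        BackupItem("notes/todo.md", b"- rotate keys"),
    ])


if __name__ == "__main__":
    backup = sample_backup()
    overlay = EditOverlay()
    overlay.prune(backup, "*.exe")
    overlay.rename("docs/report.txt", "docs/report-final.txt")
    overlay.set_flag("docs/report-final.txt", "legal-hold")
    print(sorted(browse(backup, overlay)))
    print(sorted(backup.catalog()))  # the .exe is still in the immutable backup
```

The edit log is replayed in order, so a flag set after a rename has to use the new path; the restore path and the browse path share one `apply`, which is what guarantees that what the user sees while browsing is exactly what a restore will produce.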

Memory system and method of controlling nonvolatile memory
11513707 · 2022-11-29

According to one embodiment, when data is to be written to a first physical storage location that is designated by a first physical address, a memory system encrypts the data with the first physical address and a first encryption key, and writes the encrypted data to the first physical storage location. When the encrypted data is to be copied to a second physical storage location, the memory system decrypts the encrypted data with the first physical address and the first encryption key, and re-encrypts the decrypted data with a second encryption key and a copy destination physical address indicative of the second physical storage location.
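The write and copy flow from this abstract, as an added example that is not the patent's design or any vendor's firmware: each page is encrypted under (key, physical address), and copying a page to a new address means decrypting under the source pair and re-encrypting under the destination pair. The hardware cipher is replaced here by a constructed SHA-256 keystream keyed by key and address (a real controller would use something like AES-XTS with the physical address as tweak), and a per-page HMAC over (address, ciphertext) is added so that a page moved without re-encryption is rejected rather than silently decrypting to garbage. Names, key sizes and the tag length are assumptions.

```python
import hashlib
import hmac
import struct

PAGE_TAG_LEN = 16  # assumed tag size for this example


def _keystream(key: bytes, addr: int, nbytes: int) -> bytes:
    """Expand (key, physical address) into nbytes of keystream.
    Binding the stream to addr is what ties a ciphertext page to the
    location it was written to. Constructed stand-in for the real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + struct.pack(">QQ", addr, counter)).digest()
        counter += 1
    return bytes(out[:nbytes])


def xor_keystream(key: bytes, addr: int, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) data bound to addr."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, addr, len(data))))


def page_tag(key: bytes, addr: int, ciphertext: bytes) -> bytes:
    """Integrity tag over (addr, ciphertext). Address-bound keystream alone is
    malleable and returns garbage on relocation; the tag makes both a failure."""
    mac = hmac.new(key, struct.pack(">Q", addr) + ciphertext, hashlib.sha256)
    return mac.digest()[:PAGE_TAG_LEN]


class EncryptedFlash:
    """Toy NAND array: physical address -> (ciphertext, tag)."""

    def __init__(self):
        self.cells = {}

    def write(self, key: bytes, addr: int, plaintext: bytes) -> None:
        ct = xor_keystream(key, addr, plaintext)
        self.cells[addr] = (ct, page_tag(key, addr, ct))

    def read(self, key: bytes, addr: int) -> bytes:
        ct, tag = self.cells[addr]
        if not hmac.compare_digest(tag, page_tag(key, addr, ct)):
            raise ValueError(f"page at {addr:#x} failed key/address check")
        return xor_keystream(key, addr, ct)

    def copy(self, src_key: bytes, src_addr: int, dst_key: bytes, dst_addr: int) -> None:
        """The copy path from the abstract: decrypt under the source
        (address, key), re-encrypt under the destination (address, key)."""
        self.write(dst_key, dst_addr, self.read(src_key, src_addr))

    def raw_relocate(self, src_addr: int, dst_addr: int) -> None:
        """What a relocation that skips re-encryption does (a buggy garbage
        collector, or an attacker swapping two physical pages on the die)."""
        self.cells[dst_addr] = self.cells[src_addr]


if __name__ == "__main__":
    flash = EncryptedFlash()
    k_old, k_new = b"\x01" * 32, b"\x02" * 32  # constructed keys
    flash.write(k_old, 0x1000, b"page contents")
    flash.copy(k_old, 0x1000, k_new, 0x2000)
    print(flash.read(k_new, 0x2000))
    flash.raw_relocate(0x1000, 0x3000)
    try:
        flash.read(k_old, 0x3000)
    except ValueError as err:
        print("rejected:", err)
```

Two properties worth checking on any implementation of this scheme: the same plaintext written under the same key at two addresses must produce different ciphertext, and a page copied by moving ciphertext bytes alone must not be readable at its new address.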

Technologies for switching network traffic in a data center

Technologies for switching network traffic include a network switch. The network switch includes one or more processors and communication circuitry coupled to the one or more processors. The communication circuitry is capable of switching network traffic of multiple link layer protocols. Additionally, the network switch includes one or more memory devices storing instructions that, when executed, cause the network switch to receive, with the communication circuitry through an optical connection, network traffic to be forwarded, and determine a link layer protocol of the received network traffic. The instructions additionally cause the network switch to forward the network traffic as a function of the determined link layer protocol. Other embodiments are also described and claimed.

SYSTEM ON A CHIP (SOC) COMMUNICATIONS TO PREVENT DIRECT MEMORY ACCESS (DMA) ATTACKS

This disclosure describes system on a chip (SOC) communications that prevent direct memory access (DMA) attacks. An example SoC includes an encryption engine and a security processor. The encryption engine is configured to encrypt raw input data using a cipher key to form an encrypted payload. The security processor is configured to select the cipher key from a key store holding a plurality of cipher keys based on a channel ID describing a {source subsystem, destination subsystem} tuple for the encrypted payload, to form an encryption header that includes the channel ID, to encapsulate the encrypted payload with the encryption header that includes the channel ID to form a crypto packet, and to transmit the crypto packet to a destination SoC that is external to the SoC.

Distributed Storage System Data Management And Security

A system and method for distributing data over a plurality of remote storage nodes. Data are split into segments and each segment is encoded into a number of codeword chunks; none of the codeword chunks contains any of the segments. Each codeword chunk is packaged with at least one encoding parameter and identifier, and metadata are generated for at least one file and for the related segments of that file. The metadata contains the information needed to reconstruct the file from its segments, and the information needed to reconstruct the segments from the corresponding packages. The metadata are themselves encoded into package(s) at a respective security level and with a respective degree of protection against storage node failure. The packages are assigned to remote storage nodes so as to balance the workload, and each package is transmitted to at least one respective storage node; the file is later rebuilt by iteratively accessing and retrieving the packages of metadata and file data.

SELECTIVE CACHE LINE MEMORY ENCRYPTION
20230058668 · 2023-02-23

A cache memory can maintain multiple cache lines and each cache line can include a data field, an encryption status attribute, and an encryption key attribute. The encryption status attribute can indicate whether the data field in the corresponding cache line includes encrypted or unencrypted data and the encryption key attribute can include an encryption key identifier for the corresponding cache line. In an example, a cryptographic controller can access keys from a key table to selectively encrypt or unencrypt cache data. Infrequently accessed cache data can be maintained as encrypted data, and more frequently accessed cache data can be maintained as unencrypted data. In some examples, different cache lines in the same cache memory can be maintained as encrypted or unencrypted data, and different cache lines can use respective different encryption keys.

ELECTRONIC DEVICE
20230059382 · 2023-02-23

An electronic device is provided. The electronic device operates in a normal mode or a low power mode and includes a first non-volatile memory (NVM), a second NVM configured to store first security data generated in the low power mode, and a security processor configured to access the first NVM to store the first security data in the first NVM in the normal mode.

Secure memory
11586560 · 2023-02-21

Various examples are directed to systems and methods for securing a data storage device. A storage controller may receive a read request directed to the data storage device. The read request may comprise address data indicating a first address of a first storage location at the data storage device. The storage controller may request from the data storage device a first encrypted data unit stored at the first storage location and a first encrypted set of parity bits, such as Error Correction Code (ECC) bits, associated with the first storage location. An encryption system may decrypt the first encrypted set of parity bits to generate a first set of parity bits based at least in part on a first location parity key for the first address.

Storage device, nonvolatile memory system including memory controller, and operating method of the storage device for independently performing a relink to a host device

A nonvolatile memory system is disclosed. The nonvolatile memory system includes a host device and a storage device connected to the host device through a physical cable including a power line and a data line. The storage device includes: a nonvolatile memory; a link controller configured to temporarily deactivate the data line while power continues to be supplied from the host device through the power line; and a memory controller including a user verification circuit configured to authenticate a user of the storage device and change a state of the memory controller according to the verification result, a relink trigger circuit configured to control the link controller based on that state change, and a data processing circuit configured to encrypt and decrypt data.

MULTI-LEVEL INDEPENDENT SECURITY ARCHITECTURE
20230049021 · 2023-02-16

A system includes a plurality of data input ports, each port corresponding to one of a plurality of different levels of security classification; a security device, configured for cryptographic processing, coupled to receive incoming data from each of the plurality of input ports, wherein the incoming data includes first data having a first classification level; a key manager configured to select a tag-identified first set of keys from a plurality of key sets, each of the key sets corresponding to one of the different levels of security classification, wherein the first set of keys is used by the security device to encrypt the first data; and a common encrypted data storage, coupled to receive the encrypted first data from the security device for storage.