Patent classifications
G06F21/78
Privacy enforcing memory system
A method and apparatus for enforcing privacy within one or more memories of a data storage system are disclosed. In one embodiment, sensor data containing personally identifiable information (PII) is provided to a memory. In some embodiments, the memory of disclosed systems and methods may be volatile, non-volatile, or a combination. Within the memory, PII is detected in some embodiments by AI-based computer vision, voice recognition, or natural language processing methods. Detected PII is obfuscated within the memory prior to making the sensor data available to other systems or memories. In some embodiments, once PII has been obfuscated, the original sensor data is overwritten, deleted, or otherwise made unavailable.
Compact key with reusable common key for encryption
Techniques for secure public exposure of digital data include extracting first digital data comprising one or more batches, each batch comprising at most T packets and each packet containing n bits. A random binary matrix A with T rows and n columns is generated. For a first batch, a first random n-bit temporary key is generated. For a packet in the first batch, a first packet vector key is generated from random non-overlapping pairs of bit positions taken from both the temporary key and the row of matrix A corresponding to that packet. An encrypted packet is generated from the packet and the first packet vector key, and the encrypted packet is exposed publicly.
Shippable data transfer device with anti-tamper casing
A shippable data transfer device includes a data storage medium encased in a chamber surrounded by an anti-tamper casing. The anti-tamper casing includes an anti-tamper layer with identifying elements arranged in a unique or otherwise identifiable pattern. The anti-tamper layer is configured to actively re-arrange, alter, or obscure the identifying elements in response to a breach of the anti-tamper casing.
PREVENTING ACCESS OF A HOST DEVICE TO MALICIOUS DATA IN A PORTABLE DEVICE
A storage device comprising a memory, a controller, and a host interface operative to connect with a host. The memory contains data locations, access to which is controllable by a protection application executable on the host. When the host interface is operatively coupled to a host, data locations in the memory are accessible to the host's operating system only under permission from the protection application. The controller communicates with the protection application running on the host to allow the protection application access to data locations in the memory. Upon a host request for access to a data location, the controller determines whether permission to access the requested data location has been acquired from the protection application. The permission is based on a determination by the protection application that the data location does not contain malicious data harmful to the host operating system, to any application, and/or to any data on the host.
Maintaining Operating System Secrets Across Resets
A device includes a reset resistant store and a trusted key service. The reset resistant store maintains data across various different device reset or data invalidation operations. The trusted key service maintains, for each of one or more operating systems that run on the device from a boot configuration, an encrypted key associated with the boot configuration. The device also has a master key that is specific to the device. Each of the keys associated with a boot configuration is encrypted using the master key. When booting the device, the boot configuration being run on the device is identified, and the key associated with that boot configuration is obtained (e.g., from the reset resistant store or the encrypted key vault). The master key is used to decrypt the obtained key, and the obtained key is used to decrypt secrets associated with the operating system run from the boot configuration.
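The key hierarchy this abstract describes (a device-specific master key wrapping one key per boot configuration, which in turn protects that operating system's secrets) can be made concrete. The Go program below is an added illustration, not code from the patent or from any product implementing it. Its assumptions: AES-256-GCM for both wrapping and sealing, a plain string label standing in for the boot-configuration identifier that measured boot would supply, in-memory maps standing in for the reset-resistant store and the OS secret storage, and a cache of unwrapped keys standing in for the volatile state a reset destroys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// BootConfigID names a boot configuration. A string label is an assumption of this
// example; real firmware would use a measured-boot digest of the loader and kernel.
type BootConfigID string

// Device models the stores in the abstract; the field comments say what each survives.
type Device struct {
	masterKey      []byte                  // device-specific; in hardware it never leaves the SoC/TPM
	resetResistant map[BootConfigID][]byte // wrapped boot-config keys; survive resets
	osSecrets      map[BootConfigID][]byte // OS secrets sealed under the boot-config key
	unwrapped      map[BootConfigID][]byte // plaintext boot-config keys; lost on reset
}

func NewDevice() (*Device, error) {
	mk := make([]byte, 32)
	if _, err := rand.Read(mk); err != nil {
		return nil, err
	}
	return &Device{masterKey: mk, resetResistant: map[BootConfigID][]byte{}, osSecrets: map[BootConfigID][]byte{}, unwrapped: map[BootConfigID][]byte{}}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal and open use AES-256-GCM with a random nonce prepended to the ciphertext. The
// boot-configuration ID is bound as associated data, so a blob moved into another
// configuration's slot fails to decrypt.
func seal(key, plaintext []byte, cfg BootConfigID) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(cfg)), nil
}

func open(key, blob []byte, cfg BootConfigID) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("sealed blob missing or too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(cfg))
}

// Provision generates a boot-configuration key, wraps it under the master key into the
// reset-resistant store, and seals the OS secret under it.
func (d *Device) Provision(cfg BootConfigID, secret []byte) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	wrapped, err := seal(d.masterKey, k, cfg)
	if err != nil {
		return err
	}
	sealed, err := seal(k, secret, cfg)
	if err != nil {
		return err
	}
	d.resetResistant[cfg], d.osSecrets[cfg] = wrapped, sealed
	return nil
}

// Reset models a device reset: volatile state is lost; the master key and the
// reset-resistant store are not.
func (d *Device) Reset() { d.unwrapped = map[BootConfigID][]byte{} }

// Boot identifies the running configuration, obtains its key (cached, or unwrapped
// from the reset-resistant store with the master key) and decrypts the OS secrets.
func (d *Device) Boot(cfg BootConfigID) ([]byte, error) {
	if _, ok := d.unwrapped[cfg]; !ok {
		wrapped, found := d.resetResistant[cfg]
		if !found {
			return nil, errors.New("no key for this boot configuration")
		}
		k, err := open(d.masterKey, wrapped, cfg)
		if err != nil {
			return nil, err
		}
		d.unwrapped[cfg] = k
	}
	return open(d.unwrapped[cfg], d.osSecrets[cfg], cfg)
}
```

Two details matter in practice. Binding the boot-configuration ID as associated data means a wrapped key copied from one configuration's slot to another's does not unwrap, so one operating system cannot be handed another's key by rearranging the store. And the master key is the only thing that has to be device-specific and non-exportable; everything below it in the hierarchy can sit in ordinary storage as long as it is only ever stored wrapped.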
CONTROLLING VERIFICATION OF KEY-VALUE STORES
Deferred verification of the integrity of data operations over a set of data hosted at an untrusted module (UM) is controlled. The controlling includes generating a request for a data operation on the set of data; the request includes an authentication portion. The request is sent to the UM, and a response to the request is received from the UM. The response includes cryptographic verification information attesting to the integrity of the data operation with respect to prior data operations on the set of data, and it includes results from deferred verification at a trusted module (TM).
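One established way to defer integrity checking of an outsourced key-value store is offline memory checking (Blum, Evans, Gemmell, Kannan and Naor): the trusted side keeps a running multiset hash of every record it has read and every record it has written, accepts the untrusted store's answers unchecked as they arrive, and settles the two hashes against the store's revealed state at a verification point. The Go program below is an added illustration of that technique, not the scheme claimed in this patent and not its code. Its assumptions: an unkeyed SHA-256 sum mod 2^256 as the multiset hash, every operation treated as a read followed by a write, lazy accounting of keys on first touch, and the request's authentication portion (an HMAC over the operation) left out so the deferred check stays in focus.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
)

// Entry is one record on the untrusted module (UM): a value plus the sequence number of
// the operation that last wrote it. The zero Entry stands for "never written".
type Entry struct {
	Value string
	Seq   uint64
}

// UntrustedModule holds the data. Nothing it returns is believed until Verify runs.
type UntrustedModule struct{ data map[string]Entry }

func NewUM() *UntrustedModule                        { return &UntrustedModule{data: map[string]Entry{}} }
func (u *UntrustedModule) Read(key string) Entry      { return u.data[key] }
func (u *UntrustedModule) Write(key string, e Entry)  { u.data[key] = e }
func (u *UntrustedModule) Snapshot() map[string]Entry { return u.data }

// Read and write sets are multisets of (key, value, seq) triples summarised by adding
// per-triple SHA-256 digests mod 2^256: order-independent and O(1) to update. A
// production scheme would key the hash; the unkeyed sum is an assumption here.
var modulus = new(big.Int).Lsh(big.NewInt(1), 256)

func tripleHash(key string, e Entry) *big.Int {
	h := sha256.New()
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(key))) // length prefix keeps key and value apart
	h.Write(n[:])
	h.Write([]byte(key))
	binary.BigEndian.PutUint64(n[:], e.Seq)
	h.Write(n[:])
	h.Write([]byte(e.Value))
	return new(big.Int).SetBytes(h.Sum(nil))
}

func addTriple(set *big.Int, key string, e Entry) {
	set.Add(set, tripleHash(key, e))
	set.Mod(set, modulus)
}

// TrustedModule keeps constant-size verification state plus the set of touched keys.
type TrustedModule struct {
	um       *UntrustedModule
	seq      uint64
	readSet  *big.Int
	writeSet *big.Int
	touched  map[string]bool
}

func NewTM(um *UntrustedModule) *TrustedModule {
	return &TrustedModule{um: um, readSet: new(big.Int), writeSet: new(big.Int), touched: map[string]bool{}}
}

// Get returns whatever the UM claims, unchecked for now; Put overwrites.
func (t *TrustedModule) Get(key string) (string, error) { return t.op(key, nil) }
func (t *TrustedModule) Put(key, value string) error     { _, err := t.op(key, &value); return err }

// op treats every operation as a read followed by a write: the entry the UM returns
// joins the read set and the entry the TM tells it to store joins the write set.
func (t *TrustedModule) op(key string, newValue *string) (string, error) {
	t.seq++
	if !t.touched[key] {
		t.touched[key] = true
		addTriple(t.writeSet, key, Entry{}) // account for the implicit initial write
	}
	old := t.um.Read(key)
	if old.Seq >= t.seq {
		return "", fmt.Errorf("UM returned seq %d for %q, which was never issued", old.Seq, key)
	}
	addTriple(t.readSet, key, old)
	next := Entry{Value: old.Value, Seq: t.seq}
	if newValue != nil {
		next.Value = *newValue
	}
	addTriple(t.writeSet, key, next)
	t.um.Write(key, next)
	return old.Value, nil
}

// Verify is the deferred check: every triple ever written was read back exactly once or
// is still live in the snapshot the UM now reveals. A stale, forged or replayed read
// leaves the two sides unequal. On success a new epoch starts from the live state.
func (t *TrustedModule) Verify() bool {
	live := new(big.Int)
	for key, e := range t.um.Snapshot() {
		addTriple(live, key, e)
	}
	total := new(big.Int).Add(t.readSet, live)
	if total.Mod(total, modulus).Cmp(t.writeSet) != 0 {
		return false
	}
	t.readSet, t.writeSet = new(big.Int), live
	return true
}
```

The point of the construction is the cost profile the abstract is after: each operation costs the trusted side two hash additions and no per-key state beyond the touched set, and a rolled-back or fabricated read goes unnoticed at request time but cannot survive Verify, because the stale triple then appears twice on the read side against once on the write side. The sequence-number check is the one thing enforced immediately; it stops the UM from presenting a write the TM never issued.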