A memory device management system includes a first key acquisition unit that acquires a first key, a second key generation unit that generates a second key in accordance with a configuration of a memory device that is a management target, an equality determination unit that determines an equality between a value of the first key and a value of the second key, and a data erasure processing unit that erases data stored in the memory device in a case of a determination that the value of the first key and the value of the second key are different.

A storage device generates and stores a key stream and a value stream by extracting from data a plurality of keys and a plurality of values respectively corresponding to the plurality of keys. The storage device includes a controller and a non-volatile memory. The controller receives from a host information about an invalid key included in the key stream together with a compaction command, and performs a compaction operation on the key stream in response to the compaction command. The non-volatile memory stores the key stream and the value stream. The controller merges the key stream with another key stream based on the information about the invalid key in the compaction operation.

The present disclosure includes systems and methods for securing data direct I/O (DDIO) for a secure accelerator interface, in accordance with various embodiments. Historically, DDIO has enabled performance advantages that have outweighed its security risks. DDIO circuitry may be configured to secure DDIO data by using encryption circuitry that is manufactured for use in communications with main memory along the direct memory access (DMA) path. DDIO circuitry may be configured to secure DDIO data by using DDIO encryption circuitry manufactured for use by or manufactured within the DDIO circuitry. Enabling encryption and decryption in the DDIO path by the DDIO circuitry has the potential to close a security gap in modem data central processor units (CPUs).

In one embodiment, the method includes receiving, at a storage device, a request. The request includes a request message authentication code and write protect information. The write protect information includes at least one of start address information and length information. The start address information indicates a logical block address at which a memory area in a non-volatile memory of the storage device starts, and the length information indicates a length of the memory area. The method also includes generating, at the storage device, a message authentication code based on (1) at least one of the start address information and the length information, and (2) a key stored at the storage device; authenticating, at the storage device, the request based on the generated message authentication code and the request message authentication code; and processing, at the storage device, the request based on a result of the authenticating.

Systems and methods for providing object versioning in a storage system may support the logical deletion of stored objects. In response to a delete operation specifying both a user key and a version identifier, the storage system may permanently delete the specified version of an object having the specified key. In response to a delete operation specifying a user key, but not a version identifier, the storage system may create a delete marker object that does not contain object data, and may generate a new version identifier for the delete marker. The delete marker may be stored as the latest object version of the user key, and may be addressable in the storage system using a composite key comprising the user key and the new version identifier. Subsequent attempts to retrieve the user key without specifying a version identifier may return an error, although the object was not actually deleted.

A storage device including: a bridge board to receive a first command; an authenticator to receive user information; and a memory device to receive the first command from the bridge board, the memory device includes a memory controller which determines a status of the memory device, provides status information including the determined status of the memory device to the bridge board, determines the status of the memory device as an unlocked status or a locked status, the bridge board includes a transceiver which communicates with the host through an interface, a register which stores interface information, and a bridge board controller which generates a first response to the first command in a format corresponding to the interface using the interface information, and provides the first response to a host, the first response includes a status bit which inhibits or allows a write operation with respect to the memory device.

The present disclosure includes systems and methods for securing data direct I/O (DDIO) for a secure accelerator interface, in accordance with various embodiments. Historically, DDIO has enabled performance advantages that have outweighed its security risks. DDIO circuitry may be configured to secure DDIO data by using encryption circuitry that is manufactured for use in communications with main memory along the direct memory access (DMA) path. DDIO circuitry may be configured to secure DDIO data by using DDIO encryption circuitry manufactured for use by or manufactured within the DDIO circuitry. Enabling encryption and decryption in the DDIO path by the DDIO circuitry has the potential to close a security gap in modern data central processor units (CPUs).

Memory regions may be protected based on occurrence of an event in a computing device. Subsystems of the computing device may store information in a memory controller identifying memory regions to be erased upon occurrence of an event, such as a system or subsystem crash. The memory controller may control erasing the memory regions in response to an indication associated with the event. A memory dump may be performed after the memory regions have been erased.

A method of protecting confidentiality of air-gapped logs comprises: generating, during a first log processing cycle, a data processor key and a drive encryption key, wherein the data processor key and the drive encryption key are unique to a log drive mounted to at least one computer processor; wrapping the drive encryption key with the computer processor key; storing the drive encryption key wrapped by the computer processor key in a database, where the database is mapped to data uniquely identifying the log drive; wrapping the drive encryption key with a default key that is known to at least one originator device; wiping the log drive; and writing the drive encryption key wrapped by the default key to the log drive. Some methods described also include a method of processing logs by an originator. Systems and computer program products are also provided.

Methods, systems, and devices for authenticated reading of memory system data are described. In some examples, a host system and a memory system may exchange keys used to grant the host system access to one or more protected regions of the memory system. The keys may be symmetric or asymmetric. In some cases, the host system may transmit a read command to access data stored at a protected region of the memory system, along with a signature generated using the key associated with the protected region. The memory system may verify the signature to determine whether the host is authorized to access the protected region, and may transmit the requested data to the host system. In some examples, the memory system may sign the returned data, so that the host system may verify the source of the data.