When a client requests a data import job, a remote storage service provider provisions a shippable storage device that will be used to transfer client data from the client to the service provider for import. The service provider generates security information for the data import job, provisions the shippable storage device with the security information, and sends the shippable storage device to the client. The service provider also sends client-keys to the client, separate from the shippable storage device (e.g., via a network). The client receives the device, encrypts the client data and keys, transfers the encrypted data and keys onto the device, and ships it back to the service provider. The remote storage service provider authenticates the storage device, decrypts client-generated keys using the client-keys stored at the storage service provider, decrypts the data using the decrypted client-side generated keys, and imports the decrypted data.

When a client requests a data import job, a remote storage service provider provisions a shippable storage device that will be used to transfer client data from the client to the service provider for import. The service provider generates security information for the data import job, provisions the shippable storage device with the security information, and sends the shippable storage device to the client. The service provider also sends client-keys to the client, separate from the shippable storage device (e.g., via a network). The client receives the device, encrypts the client data and keys, transfers the encrypted data and keys onto the device, and ships it back to the service provider. The remote storage service provider authenticates the storage device, decrypts client-generated keys using the client-keys stored at the storage service provider, decrypts the data using the decrypted client-side generated keys, and imports the decrypted data.

Methods and systems for controlling access to secure data use a custodial TRNG disk. Source data is encrypted using first key data from a first TRNG disk to generate encrypted data which is stored at a first location by a first entity. A second TRNG disk has second key data which is stored at a second location by a second entity. A first TRNG disk copy and a second TRNG disk copy are made identical to the first TRNG disk and the second TRNG disk, respectively, and are stored at one or more locations by a custodial entity. The first key data and the second key data are encoded together, and then transmitted to one or more of the first or second entities. The first quantity of encrypted data is decryptable using the encoded first key data and the second key data.

In one embodiment, an apparatus includes: an access control circuit to receive a memory transaction directed to a storage, the memory transaction having a requester ID and a key ID; a first memory to store an access control table, the access control table having a plurality of entries each to store a requester ID and at least one key ID; and a cryptographic circuit coupled to the access control circuit, the cryptographic circuit to perform a cryptographic operation on data associated with the memory transaction based at least in part on the key ID. The apparatus may be implemented as an inline engine coupled between the storage and an accelerator, the inline engine to provide decrypted data to the accelerator, the storage to store encrypted data. Other embodiments are described and claimed.

A disk device includes a volatile memory, a nonvolatile memory, and a controller. The controller is configured to receive, from a host, a key setting request that includes a cryptographic key, a key ID thereof, and tag information of the cryptographic key and generate generation information of the cryptographic key. The controller is also configured to store a first entry including the tag information, the cryptographic key, and the generation information associated with each other in the volatile memory, and store a second entry including the key ID and the generation information associated with each other in the nonvolatile memory.

A disclosed method for managing encryption keys, which may be performed by a key management server, responds to receiving, from a first client, a request to create a new key for a self-encrypting drive (SED) associated with the first client by retrieving unique identifiers of the first client and the SED, generating and storing the new key and a corresponding key identifier (KeyID), and associating the unique identifiers of the SED and first client with the new key. Upon receiving, from a second client, a locate key request that includes the SED identifier, providing the new key, the KeyID, and the first client identifier to the second client. Associating the SED and first client identifiers with the new key may include adding the identifiers as attributes of the KeyID. Embodiments may be implemented in accordance with a key management interoperability protocol (KMIP) standard.

An information handling system may include a processor; an encrypted storage resource, wherein the encrypted storage resource is coupled to the information handling system via a storage controller that does not implement locking and unlocking functionality for the encrypted storage resource; and a management controller configured to: receive a request to unlock the encrypted storage resource; determine an encryption key associated with the encrypted storage resource; and unlock the encrypted storage resource with the received encryption key via a sideband interface coupling the management controller to the encrypted storage resource.

A method includes writing sets of encoded data slices to storage units of a storage network in accordance with error encoding parameters, where for a set of encoded data slices, the error encoding parameters include an error coding number and a decode threshold number, the error coding number indicates a number of encoded data slices that results when a data segment is encoded using an error encoding function and the decode threshold number indicates a minimum number needed to recover the data segment. The method further includes monitoring processing of the writing the sets of encoded data slices to produce write processing performance information. When the write processing performance information compares unfavorably to a desired write performance range, the method further includes adjusting at least one of the error coding number and the decode threshold number to produce adjusted error encoding parameters for writing subsequent encoded data slices.

An integrated circuit, comprising: a volatile memory module configured to store a cryptographic key; a capacitor array for providing power to the volatile memory module; and a power switching logic arranged to connect and disconnect the memory module from the capacitor array, the power switching logic being configured to operate in at least one of a first operating mode and a second operating mode, wherein, when the power switching logic operates in the first operating mode, the power switching logic is configured to disconnect the capacitor array from the volatile memory module in response to detecting a change of state of a break line, and, when the power switching logic operates in the second operating mode, the power switching logic is configured to disconnect the capacitor array from the volatile memory module in response to detecting that a voltage at a connection terminal of the integrated circuit exceeds a threshold.

An integrated circuit, comprising: a volatile memory module configured to store a cryptographic key; a capacitor array for providing power to the volatile memory module; and a power switching logic arranged to connect and disconnect the memory module from the capacitor array, the power switching logic being configured to operate in at least one of a first operating mode and a second operating mode, wherein, when the power switching logic operates in the first operating mode, the power switching logic is configured to disconnect the capacitor array from the volatile memory module in response to detecting a change of state of a break line, and, when the power switching logic operates in the second operating mode, the power switching logic is configured to disconnect the capacitor array from the volatile memory module in response to detecting that a voltage at a connection terminal of the integrated circuit exceeds a threshold.