G06F21/805

TRUSTED STORAGE SYSTEMS AND METHODS

Systems and methods are disclosed for providing a trusted database system that leverages a small amount of trusted storage to secure a larger amount of untrusted storage. Data are encrypted and validated to prevent unauthorized modification or access. Encryption and hashing are integrated with a low-level data model in which data and meta-data are secured uniformly. Synergies between data validation and log-structured storage are exploited.

Managing encryption keys per logical block on a persistent memory device
11704444 · 2023-07-18

A command to perform a data operation at a memory device is received. The command includes an encryption key tag. A first key table is accessed from local memory. The first key table includes a first set of key entries corresponding to a first set of encryption keys. The first key table is searched to determine whether it includes an entry corresponding to the encryption key tag. Based on determining the first key table does not include an entry corresponding to the tag, a second key table is accessed from RAM. The second key table includes a second set of key entries corresponding to a second set of encryption keys. A key entry corresponding to the encryption key tag is identified from the second key table. The key entry includes an encryption key corresponding to the encryption key tag. The command is processed using the encryption key.

Adjusting Error Encoding Parameters for Writing Encoded Data Slices

A method includes writing sets of encoded data slices to storage units of a storage network in accordance with error encoding parameters, where for a set of encoded data slices, the error encoding parameters include an error coding number and a decode threshold number, the error coding number indicates a number of encoded data slices that results when a data segment is encoded using an error encoding function and the decode threshold number indicates a minimum number needed to recover the data segment. The method further includes monitoring processing of the writing of the sets of encoded data slices to produce write processing performance information. When the write processing performance information compares unfavorably to a desired write performance range, the method further includes adjusting at least one of the error coding number and the decode threshold number to produce adjusted error encoding parameters for writing subsequent encoded data slices.

PERIPHERAL DEVICE WITH RESOURCE ISOLATION
20230073426 · 2023-03-09

A peripheral device package for use in a host computing device has a plurality of compute elements and a plurality of resources shared by the plurality of compute elements. A data structure is stored in a hidden memory of the peripheral device package. The data structure holds metadata about ownership of resources of the peripheral device package by a plurality of user runtime processes of the host computing device which use the compute elements. At least one of the user runtime processes is a secure user runtime process. The peripheral device package has a command processor configured to use the data structure to enforce isolation of the resources used by the secure user runtime process.

CRYPTOGRAPHIC COMPUTING ISOLATION FOR MULTI-TENANCY AND SECURE SOFTWARE COMPONENTS

Techniques for cryptographic computing isolation are described. A processor includes circuitry to be coupled to memory configured to store one or more instructions. The circuitry is to execute the one or more instructions to instantiate a first process based on an application. To instantiate the first process is to include creating a context table to be used by the first process, identifying a software component to be invoked during the first process, encrypting the software component using a first cryptographic key, and creating a first entry in the context table. The first entry is to include first context information identifying the encrypted software component and second context information representing the first cryptographic key. In more specific embodiments, third context information representing a first load address of the encrypted software component is stored in the first entry of the context table.

Memory controller and storage device including the same

A memory controller and a storage device including the same are disclosed. A memory controller for controlling a nonvolatile memory includes: a security access control module configured to convert biometric authentication data received from a biometric module into security configuration data having a data format according to a security standard protocol and perform, based on the security configuration data, at least one of authority registration and authority authentication of a user authority set for an access control of a secure area of the nonvolatile memory, encrypted user data being stored in the secure area; and a data processing unit configured to, based on an access to the secure area being permitted, encrypt user data received from a host device or decrypt the encrypted user data read from the secure area.

Fully Orchestrated Setup of a Containerized Cloud Communication System Within an Embedded Operating System

A storage system management application contains control logic configured to enable the storage system management application to fully orchestrate setup of a containerized cloud communication system within an embedded operating system, with minimal interaction from an end user. Upon receipt of an instruction to initiate cloud access, the storage system management application enrolls a cloud tethering subsystem and establishes a secure communication channel to the cloud tethering subsystem. The storage system management application also creates a cloud protection environment within the operating system for use by the cloud tethering subsystem, and registers the storage system to the cloud tethering subsystem. The storage system management application also creates external network interfaces on the cloud tethering subsystem and configures one or more private cloud provider endpoints on the cloud tethering subsystem.

INTEGRATED CIRCUIT, INFORMATION PROCESSING APPARATUS, AND INFORMATION PROCESSING METHOD

An integrated circuit includes a processing circuit, a first memory, and a writing unit. The processing circuit includes a memory space and stores data in the memory space and performs processing. The first memory stores permission information indicating a range permitted to be used in the memory space. The writing unit writes, in response to a request to write data to a specified address in the memory space, the data to the specified address in a case where the permission information indicating a range including the specified address is stored.

GUID PARTITION TABLE BASED HIDDEN DATA STORE SYSTEM
20170242605 · 2017-08-24

A GUID partition table (GPT) based Hidden Data Store (HDS) system includes first computing systems that include networked storage devices and that are coupled to a second computing system through a network. The second computing system includes local storage devices that provide a GPT having a GPT entry that identifies local HDS elements that provide an HDS and that are included on the local storage devices, and networked HDS elements that provide the HDS and that are included on the networked storage devices. The second computing system also includes an HDS engine that receives the GPT entry and authorization credentials, determines that the authorization credentials allow access to the HDS and, in response, provides access to the local HDS elements that are included on the local storage devices, and provides access to the networked HDS elements that are included on the networked storage devices.

Duplicating authentication information between connections
11360851 · 2022-06-14

A method includes authenticating, by a computing device, a first connection between one or more storage units and at least one of the computing device and a first user computing device. The method further includes determining, by the computing device, to add a second connection between the one or more storage units and at least one of the computing device and a second user computing device. The method further includes generating, by the computing device, a secret code and sending the secret code to the one or more storage units via the first connection. The method further includes sending, by the one or more storage units, responses to the secret code to the computing device via the second connection. The method further includes authenticating, by the computing device, the second connection based on the authentication of the first connection and the responses from the one or more storage units.