Security-enabled storage controller

Information

  • Patent Application 20080059795
  • Publication Number: 20080059795
  • Date Filed: September 05, 2006
  • Date Published: March 06, 2008
Abstract
An apparatus and method are described for encrypting and decrypting information stored in a plurality of disk drives located within a large storage system. In various embodiments of the invention, encryption and decryption processes are implemented within a storage controller or controllers in the storage system.
Description

BRIEF DESCRIPTION OF THE DRAWINGS

Reference will be made to embodiments of the invention, examples of which may be illustrated in the accompanying figures. These figures are intended to be illustrative, not limiting. Although the invention is generally described in the context of these embodiments, it should be understood that it is not intended to limit the scope of the invention to these particular embodiments.

FIG. 1 shows a storage system having a general-purpose encryption device implemented within a host system.

FIG. 2 is a diagram of a storage system having an encryption-enabled controller according to various embodiments of the invention.

FIG. 3 is a block diagram of an encryption-enabled controller according to various embodiments of the invention.

FIG. 4 is a flowchart illustrating a method for storing encrypted data on one or more disk drives according to various embodiments of the invention.

FIG. 5 is a flowchart illustrating a method for retrieving stored encrypted data from one or more disk drives according to various embodiments of the invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

An apparatus and method are described for encrypting and decrypting information stored in a plurality of disk drives located within a large storage system. In various embodiments of the invention, encryption and decryption processes are implemented within a storage controller or controllers in the storage system.


In the following description, for purposes of explanation, specific details are set forth in order to provide an understanding of the invention. It will be apparent, however, to one skilled in the art that the invention may be practiced without these details. One skilled in the art will recognize that embodiments of the present invention, some of which are described below, may be incorporated into a number of different systems and devices including storage environments. The embodiments of the present invention may also be present in software, hardware or firmware. Structures and devices shown below in block diagram form are illustrative of exemplary embodiments of the invention and are meant to avoid obscuring the invention. Furthermore, connections between components and/or modules within the figures are not intended to be limited to direct connections. Rather, data between these components and modules may be modified, re-formatted or otherwise changed by intermediary components and modules.


Reference in the specification to “one embodiment” or “an embodiment” means that a particular feature, structure, characteristic, or function described in connection with the embodiment is included in at least one embodiment of the invention. The appearances of the phrase “in one embodiment” in various places in the specification are not necessarily all referring to the same embodiment.


A. Overview



FIG. 2 is a diagram of a large storage system having a plurality of disk drives according to various embodiments of the invention. The storage system 200 contains a host system 201, an encryption-enabled controller 202, an expander 203, and a plurality of memory drives 204. In general, the host system 201 provides a central processing unit and other essential operating applications for managing data to be stored or retrieved from the drives 204. The host system 201 also generates various commands relating to writing data to the memory drives 204 and reading data from the memory drives 204. The encryption-enabled controller 202 is an intermediary device between the host system 201 and the drives 204 such that data being stored or retrieved by the system is communicated through the controller 202. The encryption-enabled controller 202 may be a Direct Memory Access (“DMA”) controller or any other controller that controls data access to the drives 204. In various embodiments of the invention, the encryption-enabled controller 202 provides encryption and decryption processes within this data path between the host system 201 and the drives 204.


The encryption-enabled controller 202 communicates with the host system 201 through a peripheral component interconnect (PCI) interface, such as one on a PCI card, to receive data that is to be stored on the memory drives 204. The encryption-enabled controller 202 generates security keys by using various available encryption and decryption processes. The controller 202 also associates these keys with the data and/or the location within the drives 204 where the data is to be stored.


In various embodiments of the invention, the security keys may be generated by using a standard encryption process such as IEEE Project 1619 (“P1619”), which may be implemented fully or in part within the controller and fully or in part by the host system. The generated encryption keys are subsequently used to encrypt the data before the encryption-enabled controller sends it to the drives. In order to access and read the data after it has been stored, a decryption process must be performed, for which the decryption keys are required. As a result, if someone should gain access to the storage drives, they are only able to read data that had not been encrypted.


These security keys may be generated using various techniques and methods within the encryption-enabled controller 202. In various embodiments of the invention, a unique set of security keys is generated for each item or block of data and its corresponding storage location. These keys may include different sets of encryption keys, including a Host System key particular to that host, Disk Drive keys wherein a specific key is allotted to a specific disk drive, and a Block Level key that changes depending upon the various blocks of data accessed within each drive.


B. Encryption-Enabled Controller



FIG. 3 is a block diagram of an encryption-enabled controller 202 that may be preloaded with the encryption processes to encrypt data prior to storage according to various embodiments of the invention. Data from a host system may be received through a PCI interface 310 that couples the encryption-enabled controller 202 to the host system. The encryption-enabled controller 202 comprises a PCI controller 301 that controls both a physical layer and link layer at the PCI interface 310.


A system interface processor subsystem 302 is located in the control path between the PCI controller 301 and the SAS controller(s) 305, which are connected to the actual drives 204 or expanders 203. The system interface processor subsystem 302 may also be coupled to an optional external memory device 306, such as NVSRAM, flash, SRAM, etc., that stores information related to the management of the controller 202 and the processing of control data received from the PCI controller 301. The optional external memory 306 may be accessed by the system interface processor subsystem 302 for buffering any sort of data related to its processing function. The system interface processor subsystem 302 processes the control data from the host system and manages the encryption of data and the association of storage locations with the encrypted data.


An encryption block module 303 is positioned in the data path between the PCI Controller 301 and the SAS Controller(s) 305. The encryption block module 303 may also be coupled to an optional storage device, either on-chip or off-chip, on which security keys and other information may be stored. The encryption block module 303 is also communicatively coupled to the system interface processor subsystem 302. As previously described, the encryption block module 303 provides the encryption and decryption of the encrypted data that is stored in the disk drives and may additionally generate, all or in part as previously described, the keys used for the encryption and decryption. In various embodiments of the invention, a look-up table is generated that stores these keys, data storage addresses, etc. to enable this decryption process to properly occur. In one embodiment, the look-up table comprises columns or rows that include encryption keys and data storage locations within the disk drives. The encryption block module 303 may employ various types of encryption and decryption processes to perform these functions including the use of AES to encode data prior to storage and decode data upon retrieval.


The SAS controller modules 305 are connected to the disk drives according to the Serial Attached SCSI (“SAS”) standard. It is important to note that other embodiments of the invention may use other protocols, standards or methods to connect with the disk drives.


According to various embodiments of the invention, a high speed PCI controller interface 310 is employed that allows for data rates up to 10 GB/sec. As the number of drives associated with the controller 202 expands, this high speed interface will be able to process data at sufficient rates to avoid bottlenecks. If the number of drives becomes too large, then the controller 202 may create a bottleneck. In such a scenario, some of these drives may be associated with a previously installed, less-burdened controller or a new controller with data encryption may be installed within the system and associated with some of these drives.


One skilled in the art will recognize that locating encryption and decryption blocks within a storage controller provides more efficient scalability within an encryption-enabled storage system. In addition, the likelihood of data bottlenecks within the storage system is significantly reduced because of the ability to manage the encryption and decryption processes across a plurality of storage controllers within the system.


C. Method of Encrypting/Decrypting Data



FIG. 4 shows a flowchart illustrating a method, independent of structure, for encrypting and storing data within a multi-disk storage system according to various embodiments of the invention. Data is received 401 at a storage controller from a host system via an interface, such as an interface on a PCI card. A plurality of encryption keys is generated 402 and each key is associated with particular data and one or more storage locations of the particular data. These keys may be generated using numerous types of methods including those defined by the P1619 standard.


The encryption keys are subsequently used to encrypt 403 the data so that it is unreadable without performing a decryption process. These keys and the storage location(s) of the data are then stored locally on the controller card or on external memory that is coupled to the controller card. After the data has been encrypted, it is stored 404 on one or more drives within the storage system.


In an alternative embodiment of the invention, the controller card is able to select whether data should be encrypted or not. For example, if particular data is deemed valuable or otherwise important, then it is encrypted by the controller. However, if the data is not considered important, then the controller may store that data without previously encrypting it. This selective encryption procedure may increase the amount of data that the controller can process because certain data does not require the encryption processes.



FIG. 5 is a flowchart illustrating a method, independent of structure, for retrieving the stored encrypted data according to various embodiments of the invention. The method may be initiated by receiving a command from a host system and accessing 501 one or more drives having encrypted data stored therein. The previously generated keys, stored for example within a look-up table, are identified using the location of the data or other association means. In one embodiment, a set of decryption keys associated with the storage location of the particular block of encrypted data is identified 502 by the controller.


Using the decryption keys, the stored data is read from the drives and decrypted 503 on the controller. In various embodiments of the invention, this decryption process may occur in other locations because the encrypted data and decryption keys may be transmitted from the controller to another processing device. Once the data has been decrypted, it may be transmitted 504 to various computer devices to enable processing, storage, visualization or other processing of the decrypted data.
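The FIG. 4 write path, the FIG. 5 read path and the location-keyed look-up table of Section B, modelled as an added illustration that is not the patent's own code. The cipher is an HMAC-SHA256 counter-mode stand-in (an assumption) for the AES/P1619 block cipher the text names, and the drive dictionary, block addresses and sample data are constructed.

```python
import hashlib
import hmac
import os


def _keystream(key: bytes, drive_id: int, block: int, n: int) -> bytes:
    # HMAC-SHA256 in counter mode, tweaked by the storage location: a dependency-free
    # stand-in (assumption) for the AES/P1619 cipher the patent names, not XTS-AES.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, b"%d:%d:%d" % (drive_id, block, ctr), hashlib.sha256).digest()
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptionEnabledController:  # data-path device between host and drives (FIG. 2 / FIG. 3)
    def __init__(self, drives: dict):
        self.drives = drives     # drive_id -> {block: bytes on the platter}; the SAS side
        self.key_table = {}      # (drive_id, block) -> key; the controller's look-up table

    def write(self, drive_id: int, block: int, data: bytes, sensitive: bool = True) -> None:
        if not sensitive:        # selective encryption: bulk data goes to the drive in the clear
            self.key_table.pop((drive_id, block), None)
            self.drives[drive_id][block] = data
            return
        key = os.urandom(32)     # step 402: a fresh key bound to this data and its location
        self.key_table[(drive_id, block)] = key
        self.drives[drive_id][block] = _xor(data, _keystream(key, drive_id, block, len(data)))  # 403, 404

    def read(self, drive_id: int, block: int) -> bytes:
        stored = self.drives[drive_id][block]             # step 501: access the drive
        key = self.key_table.get((drive_id, block))       # step 502: key identified by location
        if key is None:                                   # no entry: block was stored unencrypted
            return stored
        return _xor(stored, _keystream(key, drive_id, block, len(stored)))  # step 503


def demo() -> dict:
    """Constructed scenario: one sensitive block, one bulk block, one misplaced ciphertext."""
    drives = {0: {}, 1: {}}
    ctrl = EncryptionEnabledController(drives)
    secret, bulk = b"payroll-2006-Q3!", b"scratch-temp-dat"
    ctrl.write(0, 7, secret)
    ctrl.write(1, 3, bulk, sensitive=False)
    drives[1][9] = drives[0][7]  # ciphertext copied to another location without its key entry
    return {
        "roundtrip": ctrl.read(0, 7) == secret,
        "drive_holds_ciphertext": drives[0][7] != secret,
        "bulk_in_clear": drives[1][3] == bulk and ctrl.read(1, 3) == bulk,
        "moved_block_unreadable": ctrl.read(1, 9) != secret,
    }
```

The last check shows the property the look-up table buys: a block read from a drive outside its original location has no key entry, so the controller hands back only ciphertext.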


While the present invention has been described with reference to certain exemplary embodiments, those skilled in the art will recognize that various modifications may be provided. Accordingly, the scope of the invention is to be limited only by the following claims.

Claims
  • 1. A security-enabled storage controller apparatus comprising: a first interface on which data and control information is received from a host system; a system interface processor sub-system, coupled to receive control information from the first interface, that processes the control information to determine a storage location within at least one disk drive for the data; an encryption block module, coupled to receive the data from the first interface and coupled to the system interface processor sub-system, that generates a plurality of security keys and encrypts the data using at least one of the security keys; a storage device, coupled to the encryption block module, that stores the security keys and the storage location; and a plurality of drive controller modules, coupled to the system interface processor sub-system, the encryption block module, and the at least one disk drive, that transmits at least some of the control information and encrypted data to the at least one disk drive for storage.
  • 2. The controller apparatus of claim 1 wherein the plurality of drive controller modules comprise at least one Serial Attached SCSI controller.
  • 3. The controller apparatus of claim 1 wherein the first interface is a peripheral component interconnect interface.
  • 4. The controller apparatus of claim 3 further comprising a PCI controller coupled to the first interface, the system interface processor sub-system and the encryption block module, that provides link layer and physical layer functionality.
  • 5. The controller apparatus of claim 1 wherein the storage device comprises a memory key storage device, located in the controller apparatus and coupled to the encryption block module.
  • 6. The controller apparatus of claim 1 further comprising a second interface, coupled to an external memory and the system interface processor sub-system, that stores information related to the operation and management of the controller apparatus.
  • 7. The controller apparatus of claim 1 wherein the plurality of drive controller modules interface with a plurality of expanders.
  • 8. The controller apparatus of claim 1 further comprising a decryption block module, coupled to the storage device, that retrieves at least one of the security keys and decrypts data retrieved from the at least one disk drive.
  • 9. The controller apparatus of claim 1 wherein the encryption block module encrypts data in accordance with P1619 protocols.
  • 10. A security-enabled storage system comprising: a host system having a central processing unit that generates read and write commands associated with data; a plurality of storage controllers, coupled to the host system and having at least one encryption block module, that process write commands and encrypts data associated therewith; a plurality of expanders that are coupled to the plurality of storage controllers; and a plurality of disk drives, coupled to the plurality of storage controllers, that store data encrypted by the plurality of storage controllers.
  • 11. The security-enabled storage system of claim 10 wherein the plurality of storage controllers, the plurality of expanders and the plurality of disk drives communicate on Serially Attached SCSI connections.
  • 12. The security-enabled storage system of claim 10 further comprising a memory device, coupled to the plurality of storage controllers, that store security keys and data related to the operation of the plurality of storage controllers.
  • 13. The security-enabled storage system of claim 10 wherein the plurality of storage controllers generate security keys and associate the security keys with at least one storage location within the plurality of disk drives.
  • 14. The security-enabled storage system of claim 13 wherein the security keys are generated in accordance with P1619 protocols.
  • 15. The security-enabled storage system of claim 13 wherein the security keys are stored within a look-up table located on at least one of the plurality of storage controllers.
  • 16. A method for securely storing information on a disk drive, the method comprising: receiving control information and data associated therewith at a storage controller; processing the control information at the storage controller; generating a plurality of encryption keys and a plurality of decryption keys at the storage controller; encrypting the data using the encryption keys; associating the plurality of decryption keys with at least one storage location on at least one disk drive; storing the decryption keys and the at least one storage location within the storage controller; and storing the data at the at least one storage location on the at least one disk drive.
  • 17. The method of claim 16 wherein the storage controller is located on a PCI card that is inserted within a storage system and interfaces with a host system.
  • 18. The method of claim 16 wherein the data is encrypted in accordance with P1619 protocols.
  • 19. The method of claim 16 further comprising the steps of: retrieving the encrypted data from the at least one storage location to the storage controller; associating the decryption keys with the at least one storage location; decrypting the encrypted data at the storage controller using at least some of the decryption keys; and transmitting the decrypted data from the storage controller to a host system processor.
  • 20. The method of claim 19 wherein the encrypted data is decrypted at the storage controller in accordance with P1619 protocols.