CN105354503A - Data encryption/decryption method for storage apparatus - Google Patents


Publication number
CN105354503A
Authority
CN
China
Prior art keywords
encryption
storage device
hard disk
decryption
write
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201510733496.8A
Other languages
Chinese (zh)
Other versions
CN105354503B (en)
Inventor
李凯
薛刚汝
沈昀
李辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Zhaoxin Semiconductor Co Ltd
Original Assignee
Shanghai Zhaoxin Integrated Circuit Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Zhaoxin Integrated Circuit Co Ltd
Priority to CN201510733496.8A (patent CN105354503B)
Priority to TW104140050A (patent TWI564748B)
Publication of CN105354503A
Application granted
Publication of CN105354503B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/80 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in storage media based on magnetic or optical technology, e.g. disks with sectors

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention discloses a data encryption/decryption method for a storage apparatus. The method comprises: providing an encryption/decryption engine, wherein the encryption/decryption engine is hardware; parsing write instruction information according to a write instruction, and passing write data and the write instruction information to the encryption/decryption engine; and combining a hard disc key and the write instruction information via the encryption/decryption engine so as to encrypt the write data and write the encrypted write data into a storage apparatus through a communication port.

Description

Storage device data encryption/decryption method
Technical field
The present invention relates to the field of computer technology, and in particular to a storage device data encryption/decryption method.
Background
For removable storage devices (hereinafter referred to as hard disks), data encryption and decryption is a common way to protect user data. Existing hard disk encryption is usually performed in system memory by software (such as Microsoft's BitLocker or the open-source TrueCrypt), or inside the storage device by the storage device's controller. With these techniques the key can be exposed in system memory or on the bus connecting the storage device, which reduces security. How to avoid exposing the hard disk key and how to make the encryption rules harder to crack are therefore important open problems in this field.
Summary of the invention
A storage device data encryption/decryption method according to one embodiment of the present invention comprises: providing an encryption/decryption engine, the encryption/decryption engine being hardware; parsing write command information from a write command, and passing the write data and the write command information to the encryption/decryption engine; and, via the encryption/decryption engine, combining a hard disk key with the write command information to encrypt the write data, and writing the encrypted write data to a storage device through a communication port.
In one embodiment, the method further comprises: parsing read command information from a read command, and passing the undecrypted read data taken from the storage device and the read command information to the encryption/decryption engine; and, via the encryption/decryption engine, combining the hard disk key with the read command information to decrypt the undecrypted read data in response to the read command.
In one embodiment, the write command information includes the logical address and the number of sectors indicated by the write command, and the read command information includes the logical address and the number of sectors indicated by the read command. The encryption/decryption engine encrypts and decrypts data in units of sectors according to the logical address.
In one embodiment, the method further comprises providing a trusted platform module that includes hard disk key supply hardware, the hard disk key coming from the hard disk key supply hardware. The encryption/decryption engine can follow a key exchange protocol when communicating with the hard disk key supply hardware to obtain the hard disk key, which protects the hard disk key. In another embodiment, the encryption/decryption engine is packaged together with the hard disk key supply hardware, which effectively keeps the hard disk key from being exposed externally. In another embodiment, the encryption/decryption engine and the hard disk key supply hardware are fabricated on the same chip, which effectively keeps the hard disk key from being exposed externally.
Because the encryption/decryption engine in the method of the present invention is implemented in hardware, data security is greatly improved. In addition, the write/read command information is also taken into account during encryption and decryption, which greatly increases the difficulty of cracking.
Specific embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
Fig. 1 illustrates a chipset 100 implemented according to one embodiment of the present invention;
Fig. 2A illustrates the XTS-AES data encryption technique;
Fig. 2B illustrates the XTS-AES data decryption technique;
Fig. 3 illustrates a trusted platform module 300;
Fig. 4 is a flowchart of the hard disk key exchange protocol;
Fig. 5A is a flowchart of a SATA hard disk write;
Fig. 5B is a flowchart of a SATA hard disk read;
Fig. 6 is a flowchart of a SATA hard disk write using NCQ DMA;
Fig. 7 is a flowchart of a USB hard disk write.
Reference numerals:
100: chipset; 102: storage device master controller;
104: encryption/decryption engine; 106: communication port;
108: storage device;
202, 204: encryption operation hardware; 206: modular multiplication component;
208, 210: modular addition components; 212: encryption operation hardware;
214: decryption operation hardware; 216: modular multiplication component;
218, 220: modular addition components;
300: trusted platform module; 302: trusted platform module software;
304: hard disk key supply hardware;
Aj: constant;
C: ciphertext; Cc: data;
Cmd_Info: write/read command information;
Data: unencrypted write data / decrypted read data;
Data_Encrypted: encrypted write data / undecrypted read data;
DEK: hard disk key;
DEK_key1, DEK_key2: the two partial keys that make up the hard disk key DEK;
P: plaintext; Pp: data;
S402 ... S406, S502 ... S514, S522 ... S534, S602 ... S620, S702 ... S714: steps;
T: modular multiplication result.
Detailed description
The following description lists various embodiments of the present invention. It introduces the basic concepts of the invention and is not intended to limit its content. The actual scope of the invention is defined by the claims.
Fig. 1 illustrates a chipset 100 implemented according to one embodiment of the present invention. The chipset 100 includes a storage device master controller 102 and an encryption/decryption engine 104. The storage device master controller 102 controls communication between a communication port 106 and a storage device 108. The communication port 106 can be, for example, a Serial Advanced Technology Attachment (SATA) interface or a Universal Serial Bus (USB) interface. The storage device 108, also called a hard disk, can be a mechanical hard disk, a solid state disk, or the like. The encryption/decryption engine 104 is hardware coupled to the storage device master controller 102, and encrypts and decrypts the data written to or read from the storage device 108. Because the encryption/decryption engine 104 is enclosed in hardware inside the chipset 100, data security is greatly improved. In one embodiment, the encryption and decryption performed by the encryption/decryption engine 104 never use space outside the chipset 100 for temporary data storage. In one embodiment, where the chipset 100 consists of a north bridge and a south bridge, the storage device master controller 102 and the encryption/decryption engine 104 are fabricated in the south bridge. In another embodiment, the encryption/decryption engine 104 can be integrated inside the storage device master controller 102, further improving the security of encryption and decryption. The storage device master controller 102 parses the write/read command information Cmd_Info from the write/read commands it receives. In one embodiment, the write/read command here is a DMA request sent to the chipset 100 by a direct memory access (DMA) controller of the host (not shown).
The encryption/decryption engine 104 also takes the write/read command information Cmd_Info into account during encryption and decryption, which greatly increases the difficulty of cracking.
This paragraph discusses the write command. The storage device master controller 102 parses the write command information Cmd_Info from the received write command, and passes the write data Data and the write command information Cmd_Info to the encryption/decryption engine 104. The encryption/decryption engine 104 combines the hard disk key DEK with the write command information Cmd_Info to encrypt the write data Data, and hands the encrypted write data Data_Encrypted to the storage device master controller 102 to be written to the storage device 108 through the communication port 106.
This paragraph discusses the read command. The storage device master controller 102 parses the read command information Cmd_Info from the received read command, and passes the undecrypted read data Data_Encrypted taken from the storage device 108 and the read command information Cmd_Info to the encryption/decryption engine 104. The encryption/decryption engine 104 combines the hard disk key DEK with the read command information Cmd_Info to decrypt the undecrypted read data Data_Encrypted, and hands the decrypted read data Data to the storage device master controller 102 in response to the read command.
The data accessed by a DMA request is transferred in units of data blocks with a relatively fixed format, which allows the encryption/decryption engine 104 of the present invention to perform encryption and decryption automatically, without software involvement. The write/read command of a DMA request includes the logical address to be accessed (e.g., LBA) and the number of sectors. In one embodiment, the encryption/decryption engine 104 encrypts and decrypts data in units of sectors, according to the sector numbers at the logical address (e.g., LBA) indicated by the write/read command; for example, using the XTS-AES/SM4 data encryption/decryption technique. The write/read command information Cmd_Info includes the logical address and the number of sectors indicated by the write/read command.
Fig. 2A illustrates the XTS-AES data encryption technique. The write command information Cmd_Info includes the hard disk sector i indicated by the write command. The hard disk key DEK consists of two parts, key DEK_key1 and key DEK_key2. Hard disk sector i, after being combined with key DEK_key2 by encryption operation hardware 202, is combined with the constant aj by modular multiplication component 206. The modular multiplication result T is combined by modular addition component 208 with the unencrypted write data p (the "plaintext", labelled Data in Fig. 1). The modular addition result pp is combined with key DEK_key1 by encryption operation hardware 204, and the resulting data cc is combined with the modular multiplication result T by modular addition component 210, yielding the encrypted write data C (the "ciphertext", labelled Data_Encrypted in Fig. 1). Fig. 2A uses the XTS-AES encryption algorithm as an example, but the present invention is not limited to it; other encryption algorithms also fall within the scope of protection of the invention.
Fig. 2B illustrates the XTS-AES data decryption technique. The read command information Cmd_Info includes the hard disk sector i indicated by the read command. The hard disk key DEK consists of two parts, key DEK_key1 and key DEK_key2. Hard disk sector i, after being combined with key DEK_key2 by encryption operation hardware 212, is combined with the constant aj by modular multiplication component 216. The modular multiplication result T is combined by modular addition component 218 with the undecrypted read data C (the "ciphertext", labelled Data_Encrypted in Fig. 1). The modular addition result cc is combined with key DEK_key1 by decryption operation hardware 214, and the resulting data pp is combined with the modular multiplication result T by modular addition component 220, yielding the decrypted read data p (the "plaintext", labelled Data in Fig. 1). Fig. 2B uses the XTS-AES decryption algorithm as an example, but the present invention is not limited to it; other decryption algorithms also fall within the scope of protection of the invention.
Note that the present invention combines hard disk sector i with the hard disk key before encrypting the write data Data, so that in DMA access requests made in units of data blocks (e.g., sectors) the encryption and decryption of one data block does not depend on that of another. The technique described in Fig. 2A and Fig. 2B gives the same data at different sector numbers different encrypted results, which makes it hard to crack. In addition, because the encryption of different sector numbers is independent, the undecrypted data at different sector numbers can be read out and decrypted independently.
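The data path of Fig. 2A and Fig. 2B, and the per-sector independence noted above, can be reproduced in software. The following is an added example, not code from the patent: it follows standard XTS-AES (IEEE 1619), in which the sector number is encoded as a 16-byte little-endian value and the constant is α^j for the j-th 16-byte block of the sector. It assumes AES-128 for DEK_key1 and DEK_key2, assumes that sector k of a multi-sector command uses tweak LBA + k, and uses hypothetical function names; the pure-Python AES is for illustration only and is not constant-time.

```python
"""XTS-AES-128 per-sector encryption keyed by (DEK, LBA). Added example, stdlib only."""
SECTOR = 512                          # bytes per sector (the page mentions 512 or 4K)

def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _sbox_entry(x):
    """AES S-box: multiplicative inverse in GF(2^8), then the affine transform."""
    inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
    return inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2) ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]
INV_SBOX = [SBOX.index(v) for v in range(256)]

def expand_key(key):
    """AES-128 key schedule: returns 11 round keys of 16 bytes each."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = gmul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def _shift_rows(s, d):
    """Rotate row r of the column-major state by r columns (d=1 left, d=-1 right)."""
    return [s[(i + d * 4 * (i % 4)) % 16] for i in range(16)]

def _mix_columns(s, m):
    """Multiply each state column by the circulant matrix whose first row is m."""
    out = []
    for c in range(0, 16, 4):
        for r in range(4):
            v = 0
            for j in range(4):
                v ^= gmul(m[(j - r) % 4], s[c + j])
            out.append(v)
    return out

def aes_encrypt_block(rk, block):
    s = _xor(block, rk[0])
    for r in range(1, 11):
        s = _shift_rows([SBOX[b] for b in s], 1)
        if r < 10:
            s = _mix_columns(s, (2, 3, 1, 1))
        s = _xor(s, rk[r])
    return bytes(s)

def aes_decrypt_block(rk, block):
    s = _xor(block, rk[10])
    for r in range(9, -1, -1):
        s = _xor([INV_SBOX[b] for b in _shift_rows(s, -1)], rk[r])
        if r > 0:
            s = _mix_columns(s, (14, 11, 13, 9))
    return bytes(s)

def xts_sector(rk1, rk2, sector, data, decrypt=False):
    """Process one sector; `sector` is the tweak input i of Fig. 2A/2B."""
    if len(data) % 16:
        raise ValueError("data must be a whole number of 16-byte blocks")
    cipher = aes_decrypt_block if decrypt else aes_encrypt_block
    # Units 202/212: sector number encrypted under DEK_key2 (always AES *encrypt*).
    t = int.from_bytes(aes_encrypt_block(rk2, sector.to_bytes(16, "little")), "little")
    out = bytearray()
    for j in range(0, len(data), 16):
        tb = t.to_bytes(16, "little")             # T for block j
        mid = cipher(rk1, _xor(data[j:j + 16], tb))   # pp -> cc (or cc -> pp)
        out += bytes(_xor(mid, tb))               # second addition of T
        t <<= 1                                   # T * alpha in GF(2^128)
        if t >> 128:
            t = (t & ((1 << 128) - 1)) ^ 0x87
    return bytes(out)

def crypt_command(dek_key1, dek_key2, lba, sector_count, data, decrypt=False):
    """Apply the engine to one command described by Cmd_Info = (lba, sector_count)."""
    if len(data) != sector_count * SECTOR:
        raise ValueError("data length does not match sector count")
    rk1, rk2 = expand_key(dek_key1), expand_key(dek_key2)
    return b"".join(
        xts_sector(rk1, rk2, lba + k, data[k * SECTOR:(k + 1) * SECTOR], decrypt)
        for k in range(sector_count))

if __name__ == "__main__":
    k1, k2 = bytes(range(16)), bytes(range(16, 32))   # constructed sample DEK halves
    plain = b"same payload in both sectors".ljust(SECTOR, b".") * 2
    ct = crypt_command(k1, k2, 1000, 2, plain)
    print("identical plaintext, different ciphertext:", ct[:SECTOR] != ct[SECTOR:])
    alone = crypt_command(k1, k2, 1001, 1, ct[SECTOR:], decrypt=True)
    print("sector 1001 decrypts on its own:", alone == plain[SECTOR:])
```

Decrypting a sector with the wrong LBA yields unrelated bytes, which is why the engine needs Cmd_Info on the read path as well as the key.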
In one embodiment, XTS-AES and XTS-SM4 are two encryption/decryption options selected by setting a register bit; the hardware architecture for XTS-SM4 encryption and decryption is similar to Fig. 2A and Fig. 2B. The XTS-AES encryption/decryption technique is enabled or disabled by an "efuse" bit, to comply with policies and regulations.
This paragraph discusses the hard disk key DEK. Fig. 3 illustrates a trusted platform module (TPM) 300, which includes trusted platform module software 302 and hard disk key supply hardware 304. The hard disk key supply hardware 304 is connected to the encryption/decryption engine 104 and supplies the hard disk key DEK that the encryption/decryption engine 104 needs. The trusted platform module 300 runs the trusted platform module software 302 through the Unified Extensible Firmware Interface (UEFI) or the operating system (OS), to operate the hard disk key supply hardware 304 and generate the hard disk key DEK.
This paragraph discusses the security of the communication between the hard disk key supply hardware 304 and the encryption/decryption engine 104. In one embodiment, the encryption/decryption engine 104 follows a key exchange protocol (for example, the Diffie-Hellman key exchange protocol) when communicating with the hard disk key supply hardware 304. Fig. 4 is a flowchart of the hard disk key exchange protocol. Step S402: the encryption/decryption engine 104 and the hard disk key supply hardware 304 determine a key exchange key (KEK). Step S404: the hard disk key supply hardware 304 encrypts the hard disk key DEK with the key exchange key KEK and transfers it to the encryption/decryption engine 104. Step S406: the encryption/decryption engine 104 uses the key exchange key KEK that it calculated itself to decrypt the hard disk key DEK. With the steps shown in this flow, the encryption/decryption engine 104 obtains the hard disk key DEK securely from the hard disk key supply hardware 304.
The communication between the hard disk key supply hardware 304 and the encryption/decryption engine 104 can also be closed off by the hardware architecture. In one embodiment, the encryption/decryption engine 104 and the hard disk key supply hardware 304 are packaged together. In one embodiment, the encryption/decryption engine 104 and the hard disk key supply hardware 304 are fabricated on the same chip. In one embodiment, where the chipset 100 consists of a north bridge and a south bridge, the storage device master controller 102, the encryption/decryption engine 104 and the hard disk key supply hardware 304 are fabricated in the south bridge. The closed communication environments above ensure that the hard disk key DEK is not exposed on an external bus or interface, so the hard disk key supply hardware 304 and the encryption/decryption engine 104 are allowed to communicate in plaintext (unencrypted).
In one embodiment, a request by the encryption/decryption engine 104 to the hard disk key supply hardware 304 for the hard disk key DEK is accepted by the hard disk key supply hardware 304 only after it confirms that the identification conditions set by the user are met. A password, smart card, fingerprint, remote attestation, user identity or system status can each serve as an identification condition set by the user. The identification conditions can be set through the trusted platform module software 302 running under UEFI or the OS.
In one embodiment, the trusted platform module 300 also uses key migration to make an encrypted backup of the hard disk key DEK.
The following discusses specifically how the chipset 100 encrypts and decrypts a Serial Advanced Technology Attachment (SATA) storage device 108. The SATA hard disk (corresponding to 108) can be a mechanical hard disk (HDD) or a solid state disk (SSD). The chipset 100 can be designed to apply full-disk encryption to the SATA hard disk 108, or partial encryption of specific logical addresses (e.g., LBAs); this can be configured for the chipset 100 via the Basic Input/Output System (BIOS). The encryption/decryption engine 104 can use an encryption algorithm such as XTS-AES or XTS-SM4, with the logical address (e.g., LBA) as the tweak (corresponding to hard disk sector i in Fig. 2A and Fig. 2B). The hard disk sector size is, for example, 512 bytes or 4K bytes.
Fig. 5A is a flowchart of a SATA hard disk write. Step S502: the SATA controller (corresponding to 102) parses the received write command (e.g., WRITE DMA EXT), obtains the write command information Cmd_Info comprising the logical address (e.g., LBA) and the sector count, and provides it to the encryption/decryption engine 104 as an encryption request. Step S504: the encryption/decryption engine 104 requests the hard disk key DEK from the hard disk key supply hardware 304. Step S506: the hard disk key supply hardware 304 supplies the hard disk key DEK after confirming that the conditions predefined by the user are met. Step S508: after receiving an activation permission (for example, the DMA Activate Frame Information Structure, DMA Activate FIS, defined for direct memory access), the SATA controller 102 forwards the unencrypted write data Data to the encryption/decryption engine 104 (for example, in units of DATA FIS data blocks; one DATA FIS can contain multiple sectors, and one DMA command can contain multiple DATA FIS writes); that is, the encryption/decryption engine 104 receives the unencrypted write data Data from the SATA controller 102 (for example, in units of DATA FIS data blocks). Step S510: the encryption/decryption engine 104 encrypts the unencrypted write data Data based on the hard disk key DEK and the write command information Cmd_Info, and forwards the encrypted write data Data_Encrypted to the SATA controller 102; the encryption/decryption engine 104 can go on to encrypt the next DATA FIS, until it no longer receives data from the SATA controller 102. Step S512: the SATA controller 102 writes the encrypted write data Data_Encrypted to the SATA hard disk 108. Step S514: the subsequent hard disk status (status transfer) is returned to upper-layer software by the SATA controller 102 without passing through the encryption/decryption engine 104. In one embodiment, the SATA controller 102 and the encryption/decryption engine 104 can repeat steps S508 to S514 until all DATA FIS indicated by the write command have been encrypted.
Fig. 5B is a flowchart of a SATA hard disk read. Step S522: the SATA controller 102 parses the received read command, obtains the read command information Cmd_Info comprising the logical address (e.g., LBA) and the sector count, and provides it to the encryption/decryption engine 104 as a decryption request. Step S524: the encryption/decryption engine 104 requests the hard disk key DEK from the hard disk key supply hardware 304. Step S526: the hard disk key supply hardware 304 supplies the hard disk key DEK after confirming that the conditions predefined by the user are met. Step S528: the SATA controller 102 forwards the undecrypted read data Data_Encrypted of the SATA hard disk 108 to the encryption/decryption engine 104 (for example, in units of DATA FIS data blocks); that is, the encryption/decryption engine 104 receives the undecrypted read data Data_Encrypted from the SATA controller 102 (for example, in units of DATA FIS data blocks). Step S530: the encryption/decryption engine 104 decrypts the undecrypted read data Data_Encrypted based on the hard disk key DEK and the read command information Cmd_Info, and forwards the decrypted read data Data to the SATA controller 102; the encryption/decryption engine 104 can go on to decrypt the next DATA FIS, until it no longer receives data from the SATA controller 102. Step S532: the SATA controller 102 returns the decrypted read data Data to upper-layer software. Step S534: the subsequent hard disk status (status transfer) is returned to upper-layer software by the SATA controller 102 without passing through the encryption/decryption engine 104. In one embodiment, the SATA controller 102 and the encryption/decryption engine 104 can repeat steps S528 to S534 until all DATA FIS indicated by the read command have been decrypted.
SATA transfers can also use the DMA technique of Native Command Queue (NCQ).
Fig. 6 is a flowchart of a SATA hard disk write using NCQ DMA. Step S602: the SATA controller 102 parses the received write command (e.g., WRITE FPDMA QUEUED), obtaining its tag (TAG, which distinguishes the multiple write commands or multiple read commands that follow NCQ) and the write command information Cmd_Info comprising the logical address (e.g., LBA) and the sector count and size. Step S604: after the SATA hard disk 108 receives the NCQ command, it can send status information (Register D2H FIS) to the host, so that the next NCQ command can also be received. The SATA hard disk 108 may also switch to processing other NCQ commands that have higher priority or were received earlier. Step S606: before processing the command identified by the tag (TAG), the SATA hard disk 108 sends DMA setup information (DMA Setup FIS) and activation information (DMA ACTIVE FIS) to the host. Step S608: the SATA controller 102 parses the tag from the DMA setup information, finds the corresponding DMA buffer and write command information Cmd_Info, and provides it to the encryption/decryption engine 104 as an encryption request. Step S610: the encryption/decryption engine 104 requests the hard disk key DEK from the hard disk key supply hardware 304. Step S612: the hard disk key supply hardware 304 supplies the hard disk key DEK after confirming that the conditions predefined by the user are met. Step S614: the SATA controller 102 forwards the unencrypted write data Data to the encryption/decryption engine 104 (for example, in units of DATA FIS data blocks; one DATA FIS can contain multiple sectors, and one DMA command can contain multiple DATA FIS writes); that is, the encryption/decryption engine 104 receives the unencrypted write data Data from the SATA controller 102 (for example, in units of DATA FIS data blocks). Step S616: the encryption/decryption engine 104 encrypts the unencrypted write data Data into the encrypted write data Data_Encrypted based on the hard disk key DEK and the write command information Cmd_Info, and forwards it to the SATA controller 102; the encryption/decryption engine 104 can go on to encrypt the next piece of data, until it no longer receives data from the SATA controller 102. Step S618: the SATA controller 102 writes the encrypted write data Data_Encrypted to the SATA hard disk 108. Step S620: the SATA hard disk 108 sends update information (SET Device Bits FIS) to the host to update the values of the SActive register and the status (Status) in the host; this update information passes through the SATA controller 102 and is sent back to upper-layer software without passing through the encryption/decryption engine 104. The NCQ DMA SATA hard disk read flow likewise obtains the hard disk key DEK securely under the same concept, and the decryption of the undecrypted read data Data_Encrypted that the SATA controller 102 obtains from the SATA hard disk 108 is completed enclosed within the encryption/decryption engine 104. In one embodiment, the SATA controller 102 and the encryption/decryption engine 104 can repeat steps S614 and S620 until all DATA FIS indicated by the write command have been encrypted.
The following discusses specifically how the chipset 100 encrypts and decrypts a storage device 108 that communicates over Universal Serial Bus (USB). The chipset 100 can be designed to apply full-disk encryption to the USB hard disk (corresponding to 108), or partial encryption of a specific range of logical addresses (e.g., LBAs); this can be configured for the chipset 100 via the Basic Input/Output System (BIOS). The chipset 100 can also, through the BIOS, enable or disable encryption of the storage device connected to a specific USB communication port. Between the USB controller (corresponding to 102 in Fig. 1), which controls the USB communication port (corresponding to 106 in Fig. 1), and the USB hard disk 108, a USB protocol that transfers data in units of data blocks is used, such as the Bulk-Only Transport (BOT) protocol under the USB 2.0 standard or the USB Attached SCSI (UAS) protocol under the USB 3.0 standard.
Fig. 7 is a flowchart of a USB hard disk write. Step S702: the USB controller 102 parses the received write command (e.g., write (10)), obtains the write command information Cmd_Info comprising the logical address (e.g., LBA) and the sector count, and provides it to the encryption/decryption engine 104 as an encryption request. Step S704: the encryption/decryption engine 104 requests the hard disk key DEK from the hard disk key supply hardware 304. Step S706: the hard disk key supply hardware 304 supplies the hard disk key DEK after confirming that the conditions predefined by the user are met. Step S708: the USB controller 102 forwards the unencrypted write data Data (for example, in units of data packages) to the encryption/decryption engine 104. Step S710: the encryption/decryption engine 104 encrypts the unencrypted write data Data based on the hard disk key DEK and the write command information Cmd_Info, and forwards the encrypted write data Data_Encrypted to the USB controller 102; the encryption/decryption engine 104 can go on to encrypt the next piece of write data, until it no longer receives data from the USB controller 102. Step S712: the USB controller 102 writes the encrypted write data Data_Encrypted to the USB hard disk 108. Step S714: the subsequent hard disk status (status transfer) is returned to upper-layer software by the USB controller 102 without passing through the encryption/decryption engine 104. The USB hard disk read flow likewise obtains the hard disk key DEK securely under the same concept, and the decryption of the undecrypted read data Data_Encrypted that the USB controller 102 obtains from the USB hard disk 108 is completed enclosed within the encryption/decryption engine 104. In one embodiment, the USB controller 102 and the encryption/decryption engine 104 can repeat steps S708 and S714 until all data packages indicated by the write command have been encrypted.
In one embodiment, the storage device master controller 102 and the encryption/decryption engine 104 disclosed by the present invention are implemented in a host controller installed on the host side.
Although the present invention has been disclosed above by way of preferred embodiments, they are not intended to limit the invention. Anyone skilled in the art may make minor changes and refinements without departing from the spirit and scope of the invention, so the scope of protection of the invention is as defined by the claims.

Claims (19)

1. A storage device data encryption/decryption method, characterized by comprising:
providing an encryption/decryption engine, the encryption/decryption engine being hardware;
parsing write command information from a write instruction, and passing write data and the write command information to the encryption/decryption engine; and
combining, via the encryption/decryption engine, a hard disk key with the write command information to encrypt the write data, and writing the encrypted write data to a storage device through a communication port.
2. The storage device data encryption/decryption method according to claim 1, characterized by further comprising:
parsing read command information from a read instruction, and passing undecrypted read data obtained from the storage device and the read command information to the encryption/decryption engine; and
combining, via the encryption/decryption engine, the hard disk key with the read command information to decrypt the undecrypted read data in response to the read instruction.
3. The storage device data encryption/decryption method according to claim 2, characterized in that:
the write command information comprises the logical address and the number of sectors indicated by the write instruction; and
the read command information comprises the logical address and the number of sectors indicated by the read instruction.
4. The storage device data encryption/decryption method according to claim 3, characterized in that:
the encryption/decryption engine encrypts and decrypts data in units of the sector according to the logical address.
5. The storage device data encryption/decryption method according to claim 1, characterized by further comprising:
providing a trusted platform module, the trusted platform module comprising hard disk key supply hardware, the hard disk key coming from the hard disk key supply hardware.
6. The storage device data encryption/decryption method according to claim 5, characterized in that:
the trusted platform module controls the hard disk key supply hardware through the Unified Extensible Firmware Interface or an operating system.
7. The storage device data encryption/decryption method according to claim 5, characterized in that:
the encryption/decryption engine communicates with the hard disk key supply hardware following an Internet Key Exchange protocol to obtain the hard disk key.
8. The storage device data encryption/decryption method according to claim 5, characterized in that:
the encryption/decryption engine and the hard disk key supply hardware are packaged together or fabricated on the same chip.
9. The storage device data encryption/decryption method according to claim 5, characterized in that:
the hard disk key request made by the encryption/decryption engine to the hard disk key supply hardware is accepted by the hard disk key supply hardware only after the hard disk key supply hardware confirms that an identification condition set by the user is met.
10. The storage device data encryption/decryption method according to claim 5, characterized in that:
the hard disk key is backed up in encrypted form by the trusted platform module.
11. The storage device data encryption/decryption method according to claim 1, characterized by further comprising:
configuring the storage device, through the basic input/output system, so that only the write data of specific logical addresses is encrypted.
12. The storage device data encryption/decryption method according to claim 1, characterized by further comprising:
forwarding the write data to the encryption/decryption engine only after determining that an activation permission defined by direct memory access has been received,
wherein the communication port is a serial advanced technology attachment interface.
13. The storage device data encryption/decryption method according to claim 1, characterized by further comprising:
parsing a label from the write instruction, the label distinguishing multiple write instructions that follow native command queuing; and
passing the corresponding write command information to the encryption/decryption engine according to the label indicated by the storage device;
wherein the write command information further comprises the sector size indicated by the write instruction.
14. The storage device data encryption/decryption method according to claim 1, characterized by further comprising:
enabling or disabling, through the basic input/output system, encryption of the storage device connected to the communication port using a universal serial bus.
15. The storage device data encryption/decryption method according to claim 14, characterized by further comprising:
controlling the communication port and the storage device to use a data block transfer protocol between them.
16. The storage device data encryption/decryption method according to claim 14, characterized by further comprising:
controlling the communication port and the storage device to use a universal serial bus attached small computer system interface protocol between them.
17. The storage device data encryption/decryption method according to claim 1, characterized in that the encryption/decryption engine is fabricated in a south bridge.
18. The storage device data encryption/decryption method according to claim 5, characterized in that the encryption/decryption engine and the hard disk key supply hardware are fabricated in a south bridge.
19. The storage device data encryption/decryption method according to claim 1, characterized in that the write instruction is a direct memory access request from a host.
CN201510733496.8A 2015-11-02 2015-11-02 Data encryption and decryption method for storage device Active CN105354503B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510733496.8A CN105354503B (en) 2015-11-02 2015-11-02 Data encryption and decryption method for storage device
TW104140050A TWI564748B (en) 2015-11-02 2015-12-01 Disk encryption and decryption method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510733496.8A CN105354503B (en) 2015-11-02 2015-11-02 Data encryption and decryption method for storage device

Publications (2)

Publication Number Publication Date
CN105354503A true CN105354503A (en) 2016-02-24
CN105354503B CN105354503B (en) 2020-11-17

Family

ID=55330474

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510733496.8A Active CN105354503B (en) 2015-11-02 2015-11-02 Data encryption and decryption method for storage device

Country Status (2)

Country Link
CN (1) CN105354503B (en)
TW (1) TWI564748B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1924835A (en) * 2006-09-01 2007-03-07 西安交通大学 Dynamic key based hardware data enciphering method and device thereof
CN101082883A (en) * 2006-05-31 2007-12-05 朴显泽 Storage apparatus having multiple layer encrypting protection
CN101582109A (en) * 2009-06-10 2009-11-18 成都市华为赛门铁克科技有限公司 Data encryption method and device, data decryption method and device and solid state disk
CN103886234A (en) * 2014-02-27 2014-06-25 浙江诸暨奇创电子科技有限公司 Safety computer based on encrypted hard disk and data safety control method of safety computer

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101288065B (en) * 2005-03-28 2010-09-08 德塔勒哥若公司 Non-invasive encryption for relational database management systems
KR101601790B1 (en) * 2009-09-22 2016-03-21 삼성전자주식회사 Storage system including cryptography key selection device and selection method for cryptography key
KR101612518B1 (en) * 2009-11-26 2016-04-15 삼성전자주식회사 Endecryptor enabling parallel processing and en/decryption method thereof

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107766735A (en) * 2016-08-17 2018-03-06 西安莫贝克半导体科技有限公司 A kind of invisible encryption storage method
CN107888373A (en) * 2016-09-29 2018-04-06 北京忆芯科技有限公司 XTS AES encryptions circuit, decryption circuit and its method
CN108920964A (en) * 2018-06-21 2018-11-30 深圳忆联信息系统有限公司 Reconfigurable hardware encipher-decipher method, system, computer equipment and storage medium
WO2020019334A1 (en) * 2018-07-27 2020-01-30 威刚科技股份有限公司 Hard disk having encrypting and decrypting function, and application system for same
CN109672521A (en) * 2018-12-26 2019-04-23 贵州华芯通半导体技术有限公司 Safe storage system and method based on encription algorithms approved by the State Password Administration Committee Office engine implementation
CN109672521B (en) * 2018-12-26 2022-11-29 贵州华芯通半导体技术有限公司 Security storage system and method based on national encryption engine
CN113051533A (en) * 2021-03-29 2021-06-29 郑州中科集成电路与信息系统产业创新研究院 Safety management method of terminal equipment
CN113127896A (en) * 2021-03-29 2021-07-16 深圳市安存数据技术有限公司 Data processing method and device based on independent encryption chip
CN113127896B (en) * 2021-03-29 2022-02-22 深圳市安存数据技术有限公司 Data processing method and device based on independent encryption chip
CN115994115A (en) * 2023-03-22 2023-04-21 成都登临科技有限公司 Chip control method, chip set and electronic equipment
CN115994115B (en) * 2023-03-22 2023-10-20 成都登临科技有限公司 Chip control method, chip set and electronic equipment

Also Published As

Publication number Publication date
TWI564748B (en) 2017-01-01
TW201717099A (en) 2017-05-16
CN105354503B (en) 2020-11-17

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP01 Change in the name or title of a patent holder
CP01 Change in the name or title of a patent holder

Address after: Room 301, 2537 Jinke Road, Zhangjiang High Tech Park, Pudong New Area, Shanghai 201203

Patentee after: Shanghai Zhaoxin Semiconductor Co.,Ltd.

Address before: Room 301, 2537 Jinke Road, Zhangjiang High Tech Park, Pudong New Area, Shanghai 201203

Patentee before: VIA ALLIANCE SEMICONDUCTOR Co.,Ltd.