DE102014112329A1 - Concentration of virtual tapes for self-encrypting drive facilities - Google Patents

Abstract

An apparatus comprises a memory device and a host device. The storage device may be configured to encrypt and decrypt user data during write and read operations, respectively. The host device is communicatively coupled to the memory device. The host device may be configured to perform the write and read operations by concentrating a first number of virtual bands into a second number of real bands, the second number being less than the first number.

Description

This application is related to U.S. Provisional Application No. 61 / 870,936, filed Aug. 28, 2013, which is hereby incorporated by reference in its entirety.

TECHNICAL FIELD OF THE INVENTION

The invention relates to memory systems in general, and more particularly to a method and / or apparatus for implementing a concentration of virtual tapes for self-encrypting drive devices.

BACKGROUND

Self-encrypting drives (SEDs) typically use hardware to encrypt and decrypt user data during read-write operations. Encryption and decryption are performed using a media encryption key (MEK). The MEK is normally a function of a logical block address (LBA), with an entire LBA space in several LBA areas (referred to as "data bands" or simply "bands"), with a unique MEK for each Band is divided. Due to hardware limitations, the number of tapes an SED can support without serious degradation in performance is limited (16 would be a reasonably high number). Having more active bands than the number of hardware supported LBA areas has a negative impact on performance due to continued key swapping. From a host perspective, in a traditional implementation, user data that the host has access control under a single authentication key (AK) must be contiguously stored in a single LBA area. The only LBA range or band limitations make it difficult for some types of applications (such as virtual machines (VMs)) to take full advantage of the use of SEDs because VMs require many (potentially thousands) bands could allow a more flexible and efficient use of the storage device.

It would be desirable to have a concentration of virtual tapes for self-encrypting drives.

SUMMARY

The invention relates to a device comprising a memory device and a host device. The memory device can be designed to encrypt and decrypt user data during read and write operations, respectively. The host device is communicatively coupled to the memory device. The host device may be configured to perform the writing and reading operations by concentrating from a first number of virtual bands to a second number of real volumes, the second number may be less than the first number.

BRIEF DESCRIPTION OF THE FIGURES

Embodiments of the invention will become apparent from the following detailed description and the appended claims and the drawings, in which:

1 Fig. 10 is a diagram illustrating a system according to an embodiment of the invention;

2 Fig. 12 is a diagram illustrating a host device of a virtual tape concentrator according to an embodiment of the invention;

3 Fig. 12 is a diagram illustrating a storage device of the virtual tape concentrator according to an embodiment of the invention;

4 Fig. 12 is a diagram illustrating a process according to an embodiment of the invention;

5 Fig. 12 is a diagram illustrating a manager of virtual tapes with multiple tapes according to an embodiment of the invention; and

6 FIG. 12 is a diagram showing a host having multiple virtual tape managers with one or more tapes according to an embodiment of the invention. FIG.

DETAILED DESCRIPTION OF THE EMBODIMENTS

Embodiments of the invention include providing virtual band concentration (VBC) for self-encrypting drive devices that include (i) a virtual band manager (VBM) as part of a virtual machine manager (FIG. VMM, virtual machine manager) (ii) can generate media coding keys on a per input / output (I / O) basis, (iii) can support thousands of virtual data volumes with hardware encryption / decryption, (iv) enable virtual machine migrations can (v) enable crypto erase on a per-data-band basis, (vi) can reduce the number of tapes an SED must support while still supporting multiple virtual tapes on a host page (vii) (vii) a first number of virtual tapes may concentrate into a significantly smaller second number of real tapes and / or (viii) may allow authentication data to be provided by a host for each read / write operation.

In various embodiments, a method and / or apparatus is provided for dynamically generating unique media encryption keys (MEKs) for a plurality of data bands. The term "data tapes" (or simply "tapes") generally refers to a range of logical block addresses (LBAs). An entire LBA space is divided into several LBA areas (bands). Each volume is assigned a unique MEK. The MEKs are based on authentication information dynamically provided by a host (e.g., as part of a "metadata" associated with a user authentication process). Dynamic generation of the MEKs generally refers to a process of generating a new key for each I / O operation. Dynamic generation of MEKs is commonly referred to as "on the fly". In various embodiments, the use of an authentication key (AK) across multiple bands is allowed to simulate a non-contiguous logical block address (LBA) space band for host data that must be managed with a single authentication key , The key material (e.g., authentication data) is supplied by the host (e.g., a VM player or VM manager VMM, etc.) for each read / write operation, providing a secure method of enabling thousands (or more) of tapes.

With reference to 1 becomes a representation of a system 100 shown a scheme of concentrating virtual bands implemented according to an embodiment of the invention. In various embodiments, the system 100 be implemented as a self-encrypting storage system. In some embodiments, the system includes 100 a block 101 , a block 103 and a block 105 , The block 101 includes a memory controller implementing a band manager and an encryption / decryption circuit according to an embodiment of the invention. The block 103 implements a storage medium. In some embodiments, the block comprises 103 a non-volatile memory (NVM) medium (eg, a magnetic memory, a FLASH memory, etc.). However, other types of media (eg, volatile memory with or without battery support) may be implemented to meet the design criteria of a particular application. However, in the case of a volatile memory, security (and data) would be lost in the event of a power failure. The block 105 includes a host implementing a virtual memory manager (VMM) according to an embodiment of the invention. The blocks 101 and 103 are operatively coupled to a storage device (SD) 102 train. The SD 102 and the host 105 are designed to be communicatively coupled with each other.

The control device 101 may be configured to control one or more individual memory channels. In some embodiments, the controller may 101 implement multiple instances of memory channel controllers to control a plurality of memory channels. The control device 101 has a media interface that is adapted to the controller 101 with the storage medium 103 to pair. In non-volatile memory (NVM) embodiments, the storage medium 103 one or more non-volatile memory devices 107 include. The non-volatile memory devices 107 have, in some embodiments, one or more non-volatile storage destinations (eg, chip (s), disk platter, etc.) 109 , In accordance with a kind of a particular one of the non-volatile memory devices 107 is a plurality of non-volatile storage destinations 109 in the particular one of the non-volatile memory devices 107 optionally and / or selectively accessible or accessible in parallel. The non-volatile memory devices 107 are generally representative of one type of memory device capable of being connected to the controller 101 communicatively couple or couple. However, in many embodiments, any type of memory device is usable, such as magnetic memory, optical memory, single level cell (SLC) flash memory (SLC), multi-level cell (MLC), and more level-cell) NAND flash memory, a TLC (triple-level cell) NAND flash memory, a NOR flash memory, an electrically programmable read only memory (EPROM, electrically programmable read -only memory), a static random access memory Static random access memory (SRAM), dynamic random access memory (DRAM), magneto-resistive random-access memory (MRAM), ferromagnetic memory (eg FeRAM, F-RAM, FRAM , etc.), a phase change memory (eg PRAM, PCRAM, etc., phase-change memory), a racetrack memory (or domain wall memory (DWM)), a resistive random access memory (RRAM or ReRAM, resistive random access memory) or any other type of memory device or storage medium.

In some embodiments, the controller is 101 and the non-volatile storage medium 103 implemented in separate integrated circuits (or devices). When the controller 101 and the non-volatile storage medium 103 implemented as separate integrated circuits (or devices), the media interface is the controller 101 generally configured to manage a plurality of data input / output (I / O) pins and a plurality of control I / O pins. The data I / O pins and the control I / O pins may be adapted to the controller 101 containing means with the external, the non-volatile storage medium 103 training facilities. In various embodiments, the controller is 101 implemented as an embedded controller. In various embodiments, the controller implement 101 and the NVM medium 103 a solid state hybrid hard disk drive (SSHD), a hard disk drive (HDD, hard disk drive), or a solid state drive disk (SSD, solid-state drive / disk ).

The control device 101 also has a command interface configured to receive commands and responses to the host 105 to send. In embodiments implementing a plurality of non-volatile memory devices, the controller includes 101 at least one NVM control processor that manages the non-volatile memory devices through proprietary processes, and a host processor that manages the host interface according to other processes. The NVM control processor (s) and the host processor communicate via predefined interfaces. The host processor communicates host commands to the NVM control processor which processes the instructions according to predetermined communication interfaces (or protocols). The control device 101 also includes a band manager (BM, band manager) 110 and an encryption / decryption (E / D, encryption / decrypytion) block or circuit 112 which is adapted to implement a virtual band concentration scheme according to an embodiment of the invention. The band manager 110 includes a keystore (KS, key storage) 114 from the storage device 102 used key material (KM, key material) stores. In some embodiments, the key memory may 114 also virtual key material (VKM, virtual key material) that is hosted by the host 105 is used to save.

The host 105 includes a block 120 with a virtual machine manager (VMM). The VMM 120 is designed to implement a virtual band concentration scheme according to an embodiment of the invention. The VMM 120 includes one or more virtual tape managers (VBMs) 122 , In some embodiments, the VMM leaves 120 a separate VBM 122 -Instance for every real band run. Every VBM 122 includes a virtual key storage (VKS) 124 storing the virtual key material (VKM). Every VBM 122 concentrates a plurality of virtual tapes (VB) into a real band 130 for storage in the SD 102 , The majority of each VBM 122 received virtual tapes are from a number of virtual machines (VMs) residing on the host 105 run and the every VBM 122 over the VMM 120 assigned. A single VBM 122 can manage one or more real bands. Every VBM 122 authenticates itself to the storage device 102 by using a corresponding authentication key (AK, authentication key) 104 provides.

With reference to 2 will be a representation of the host 105 which illustrates a host portion of a virtual tape concentrator according to an embodiment of the invention. Embodiments of the invention are described below using a generic security paradigm that may be used in multiple security protocols, including, but not limited to, TCG Enterprise SSC, TCG Opal, and ATA Security. In various embodiments, self-encrypting drives (SEDs) operate on logical block address (LBA) arrays (or data bands). For example, in the 2 and 3 a band 130 shown to have an LBA range from LBA1.1 to LBA1.2. In various embodiments, the host may 105 run a certain type of security application (AP) that resides in the storage device (SD) 102 using an authentication key (AK, authentication key) 104 self-authenticated.

In a conventional SED, the number of bands is limited because data rates are often maintained by looking up LBA areas in hardware and hardware tables are limited in size. Therefore, conventional SEDs rarely support more than 16 LBA areas without any impact on performance. Because this number is quite sufficient for most applications (eg TCG Opal 2.0 only asks for 8 bands), this creates difficulties for the very popular virtual machine (VM) environment.

In some embodiments, a single computer may host multiple so-called virtual machines (VMs), each of which may require a certain range of LBAs for appropriate operations (eg 2 shows three virtual machines, VMs 311 . 312 and 313 that on the host 105 to run). From the perspective of every virtual machine 311 to 313 (eg, VM-x, where x = 1, 2, ...), each VM-x could use the LBAs from 0 to LBA_MAX (x), where x is the number of VM's. The LBAs used by the VMs are called "virtual LBAs" (VLBAs) in order to extract them from the real LBAs of the memory device 102 are known to be distinguished. The VM Manager (VMM) 120 It is the responsibility of the VLBAs on the real LBAs that make up the storage device 102 can understand.

Because the VMs are being created and deleted all the time, providing a contiguous real LBA range for each VM is not always possible. Instead, a set of bands is arbitrarily allocated, "sliced" out of the real LBA space of the storage device 102 , Thus, and as in the example of 2 shown, two virtual tapes (VBs) 320 and 321 virtual machine VM-1 on the only real LBA tape 130 displayed. In general, the number of real bands is smaller than the number of virtual bands, and in many cases, the number of real bands may be significantly smaller than the number of virtual bands. For example, between 10 and 20 real bands would be considered as a reasonably high number of real tapes, while the number of virtual tapes needed by a particular application could be in the hundreds, thousands or even larger numbers. Thus, the number of real data bands and the real number of virtual data bands could differ, for example by one or more orders of magnitude. Every VM 311 - 313 , which acts almost as an individual host, can itself at the storage device 102 with the help of the VBM 122 that authenticates the translation between the virtual LBAs and the real LBAs and vice versa. An implementation of the VBM 122 is compliant with the same security standards as the BM implementation 110 the storage device 102 especially with regard to VKS maintenance and access.

The VBM 122 authenticates the VMs 311 - 313 and provides the authentication key (AK) 104 and a security protocol (eg TCG or any other) termination for the storage device (SD) 102 ready. On the side of the host, the VBM 122 be designed to support any number of virtual tapes (VBs). On the side of the memory device, the VBM 122 support only some real data tapes into which the VBM 122 Consolidate or concentrate multiple virtual tapes, as described below. In some embodiments, the VBM is 122 designed only one storage device side (real) data tape 130 to support, as in the 2 is shown.

In some embodiments, the VBM stores 122 Resist the memory with virtual keys (VKS, virtual key storage) 124 as such, for example in a separate flash device or EEPROM. The VKS 124 stores virtual key material (VKM) for each virtual tape (for example, virtual key material is VKM 1.1 381 and VKM1.2 382 in 2 for VB1.1 and VB1.2, respectively). In other embodiments, the storage device 102 a so-called opaque or opaque key memory (OKS, opaque key storage) 362 (in 3 shown) ready to store the virtual key material. The OKS 362 is called "opaque" because the SD 102 has no knowledge of the virtual tapes, and therefore does not know that the OKS 362 contains any key material. What the SD 102 concerns, is the OKS 362 just another data block.

Storing the virtual key material in the SD 102 arranged OKS 362 facilitates VM migration from one host to another. As long as the VMM credentials (eg the AK 104 ), the VMM 120 the corresponding VKS 124 using the content 389 from the OKS 362 restore to another host. The SD 102 is in terms of the nature of the OKS 362 stored information forgetful. If the VBM 122 any of the virtual key material (eg VKM1.1 381 , VKM1.2 382 , etc.) changed, the entire OKS 362 described again and the old copy is overwritten with zeros or deleted (eg the SD 102 provide this type of service on a host request).

With reference to 3 is an illustration of the memory device 102 shown the one Section of a storage device of a virtual tape concentrator according to an embodiment of the invention illustrated. In various embodiments, the SD leaves 102 the Band Manager (BM) application 110 storing the key store (KS, key storage) 114 contains, run. It is important to keep in mind that if the KS 114 is overwritten, all older copies of the KS 114 cleaned or set to zero or deleted (eg, the cleaning procedure depends on the type of storage medium 103 and may include, but is not limited to degaussing (degaussing) the magnetic media, erasing the flash device, etc.). In some embodiments, the KS includes 114 a sample or an execution of key material (KM, key material) 361 for every real data band. A single version of key material 361 (KM1) for the band 130 is in 3 shown.

A media encryption key (MEK) 341 for each real data band is generated by "wrapping" the AK 104 with the corresponding KM. An example of generating a media encryption key MEK1 by repacking AK 104 and key material KM1 is in 3 shown. The repacking process is by a multiplier 351 illustrated. Repackaging is used here in a very generic sense. In some embodiments, the KM 361 only the corresponding MEK, encrypted with the AK 104 (eg the AK 104 used as a key encryption key (KEK), therefore the "repackaging" 351 equivalent to a coding process). Encryption / decryption may include, but is not limited to, certain versions of AES or XTS. In some embodiments, the repackaging may include, but is not limited to, performing an XOR between the AK 104 and the key material 361 (eg KM1 in 3 ). However, any process that involves the randomness of the key material 361 not be reduced, implemented accordingly to meet the design criteria of a particular application. In multi-band embodiments, corresponding MEKs (eg, MEK1, MEK2, ..., MEKn) are generated for each of n bands by repackaging the AK 104 with the corresponding key material 361 (eg KM1, KM2, ..., KMn, KM = key material).

In various embodiments, the encryption / decryption (ED, encryptor / decryptor) device is 112 implemented as a hardware (HW) module. The ED 112 maintains a table in which the boundaries of each band (eg LBA1.1-LBA1.2 for the in 3 shown band 130 ) are defined. The MEK 341 for each band is through the repacking process 351 calculated based on the AK 104 and corresponding key material 361 , and then into the ED 112 loaded. In these embodiments, if read / write data requests 311 from the host 105 arrive, the ED 112 a lookup operation to classify the LBAs of the requests on a data tape and the associated MEK 341 (eg MEK1 for the real band 130 ). In a conventional SED, read data would be decrypted with the selected MEK while write data would be encrypted with the selected MEK. In embodiments having a concentration of virtual bands, the selected MEK becomes 341 not used to encrypt / decrypt data, but instead the selected MEK 341 used to create a current MEK (eg MEK1.1 344 , MEK1.2 345 , MEK1.3 347 , MEK3.2 349 etc.) for encrypting / decrypting each I / O request by the wrapping operations 342 - 348 is used to calculate. The repacking operations 342 - 348 can be done in a similar way as the repacking process 351 (described below).

In various embodiments, the MEK 341 not to the host 105 is sent and (as a good practice) not in open form in memory 103 saved. Instead, only key material is KM 361 saved and the authentication key (AK) 104 is needed to the MEK 341 recover. Provided that the SD 102 is configured correctly, is reading or writing data from / to the medium 103 not for anyone who does not know the correct credentials possible.

In some embodiments, crypto erase is allowed by each individual band. For example, if a user uses the KM 361 or the VKM 381 . 382 for a particular band changes and all old copies of the KM 361 or the VKM 381 . 382 (even encrypted executions) are cleaned according to the specific cleaning rules of the medium (eg magnetic media deaerating, erasing flash, etc.), the data in the particular tape can no longer be read by anyone, including anyone who knows the proper credentials , A so-called "Crypto_Erase" function provides a fast, reliable and accurate method of removing data and allowing safe reuse of the storage device.

In embodiments with a concentration of virtual bands, the VBM authenticates 122 yourself using the AK 104 even with the SD band manager (BM) 110 , After authentication, the VBM loads 122 the corresponding VKS 124 either from another facility or from the OKS 362. Each of the VMs 311 - 313 will have to authenticate itself using a corresponding authentication key (eg VM-1 311 authenticates itself using AK1 304 , VM-3 313 authenticates itself using AK3 305 , etc.). Corresponding virtual MEKs (VMEKs) 384 . 386 . 387 . 388 are generated for each virtual band (VB) by repackaging the corresponding authentication key AKx with the corresponding virtual key material (eg VKM1.1 381 , VKM1.2 382 , etc.). The corresponding VMEK will handle any I / O request that comes to the SD 102 is sent, attached. The ED 112 repackages the VMEK attached to each I / O request with the MEK 341 for the data tape (eg MEK1 will be used in the 2 and 3 shown data band 130 whereby individual MEKs (eg, MEK1.1, MEK1.2, MEK3.1, MEK3.2, etc.) are generated for the particular data operations.

In embodiments with the NVM Express (NVME) host protocol, a vendor-specific read / write could be defined by providing a special SGL (Scatter-Gather-List). The SGL contains the VMEK information for each I / O operation. In the SATA protocol, the host could simply append the VMEK to a write command, either by expanding the number of sectors in a write and indicating where the key is provided, or transmitting larger sectors (eg, 520 byte sectors) and Inserting the key material into the larger sectors themselves. Reading is more difficult to fit into the existing SATA (ACS) protocol. In one example, a vendor-specific command may be defined that allows the VMEK to be transferred with the LBA to be read. In another example, the host may transfer a table of MEK to a buffer resident in the storage device and use the reserved bits (7 in total) to index the table for the storage device to quickly look up the VMEK during a transfer. This embodiment allows the use of existing SATA HW automation in the controllers.

With reference to 4 an illustration is shown that illustrates an exemplary process 400 illustrated according to an embodiment of the invention. In some embodiments, the process (or method) may be 400 a step (or state) 402 , a step (or state 404 ), a step (or state) 406 , a step (or state) 408 , a step (or state) 410 and a step (or state) 412 include. In step 402 Authenticates the Virtual Tape Manager (VBM) 122 yourself in the host 105 even with the band manager (BM) 110 in the storage device 102 using the authentication key (AK) 104 , In step 404 invites the VBM 122 the virtual key memory (VKS) 124 either from another institution or from the opaque keystore (OKS) 362 in the storage device 102 , In step 406 each virtual machine (VMx) authenticates itself using a corresponding authentication key (AKx). In step 408 Virtual Media Encryption Keys (VMEKs) are generated for each virtual volume (VB) by repackaging the corresponding authentication key AKx with the corresponding virtual key material (eg VKMx) from the VKS 124 , In step 410 Any I / O request will be sent to the storage device 102 sent the appropriate VMEK attached. In step 412 repackages the encryption / decryption hardware 112 in the storage device 102 the VMEK attached to each I / O request with the Media Encoding Key (MEK) stored in the storage device 102 has been generated for the corresponding data band, whereby an individual MEK is generated for the particular data operation.

With reference to 5 an illustration is shown showing a system 500 illustrating a virtual band manager with multiple real bands according to an embodiment of the invention. The system 500 comprises a memory device 502 with a storage medium 503 and a host 505 , The storage device 502 also includes a Band Manager (BM) 510 and an encryption / decryption (E / D, encryption / decryption) block (or circuit) 512 designed to provide a scheme for concentrating virtual tapes according to an embodiment of the invention (discussed above in connection with FIGS 2 and 3 described). The encryption / decryption (E / D) block 512 is designed to be a number of real bands 130-1 to 130-N to process or act. The band manager 510 includes a keystore (KS, key storage) 514 , the key material (eg KM1 561 to KMN 562 ) stores. The key material is from the storage device 502 in connection with the encryption / decryption of the real tapes 130-1 to 130-N used (eg, using appropriate media encoding keys generated by repacking operations 551 to 552 be generated). The repacking operations 551 - 552 can be similar to the repacking operations 351 . 383 and 385 related to the above 2 and 3 have been described.

The host 505 comprises a virtual machine manager (VMM) adapted to implement a virtual band concentration scheme according to an embodiment of the invention. The VMM includes a Virtual Tape Manager (VBM) 522 , The VBM 522 is designed to be the majority of real tapes 130-1 to 130-N to manage. The VBM 522 can be designed to be similar to the VBM 122 from the 2 to work. The VBM 522 concentrates a plurality of virtual tapes (VB) into the real tapes 130-1 to 130-N for storage in the SD 502 , The majority of the VBM 522 received virtual tapes can be from a number of on the host 505 running virtual machines (VMs) come.

With reference to 6 an illustration is shown showing a system 600 illustrating implementing a host with multiple virtual tape managers according to an embodiment of the invention. The system 600 comprises a memory device 602 with a storage medium 603 and a host 605 , The storage device 602 also includes a Band Manager (BM) 610 and an encryption / decryption (E / D) block (or circuit) 612 which is adapted to a virtual band concentration scheme according to an embodiment of the invention (as discussed above in connection with FIGS 2 and 3 described). The encryption / decryption (E / D) block 612 is designed to be a number of real bands 130-1 to 130-N to process. The band manager 610 includes a keystore (KS) 614 , the key material (eg KM1 661 to KMN 662 ) stores. The key material is from the storage device 602 in connection with the encryption or decryption of the real tapes 130-1 to 130-N used (eg, using appropriate media encryption keys generated by the repacking operations 651 - 652 have been generated). The repacking operations 651 - 652 can be similar to the repacking operations 351 . 383 and 385 (the above related to the 2 and 3 have been described).

The host 605 comprises a virtual machine manager (VMM) adapted to implement a virtual band concentration scheme according to an embodiment of the invention. The VMM includes a plurality of Virtual Band Managers (VBMs) 622-1 to 622-N , The VBM 622-1 to 622-N are designed to be the majority of real tapes 130-1 to 130-N to manage. The VBMs 622-1 to 622-N can be designed to be similar to the VBM 122 from the 2 to work. The VBM 622-1 to 622-N concentrate a plurality of virtual tapes (VB) into the real tapes 130-1 to 130-N for storage in the SD 602 , The majority of the VBMs 622-1 to 622-N received virtual tapes can be from a number of on the host 605 running virtual machines (VM) come.

Each of the VBMs 622-1 to 622-N can be a number of virtual tapes in one or more of the real tapes 130-1 to 130-N focus. Each of the VBMs 622-1 to 622-N authenticates itself with a corresponding authentication key AK1 to AKN. The band manager 610 the storage device 602 Generates the appropriate media encoding keys for the tapes 130-1 to 130-N by repacking the corresponding authentication key AK1 to AKN and the corresponding key material KM1 661 to KMN 662 ,

The terms "may" and "general", when used herein in conjunction with "verbs" and verbs, are intended to communicate the intent that the description is exemplary and is believed to be wide enough to encompass both the specific examples presented in the disclosure and alternative examples that might be derived based on the disclosure. The terms "may" and "general" as used herein should not be construed as necessarily implying the desirability or possibility of omitting a corresponding element. The term "significantly smaller" is generally intended to communicate the intention that the compared elements may, for example, differ by one or more orders of magnitude.

While the invention has been particularly shown and described with reference to the embodiments thereof, it will be understood by those skilled in the art that various changes in form and detail may be made without departing from the scope of the invention.

Claims (15)

An apparatus comprising: a storage device configured to encrypt and decrypt user data during writes and reads, respectively; and a host device configured to communicatively couple to the memory device, wherein the host device is further configured to combine the writing and reading operations by concentrating a first number of virtual bands into one second number of real bands, the second number being smaller than the first number. The apparatus of claim 1, wherein the host device comprises a virtual machine manager configured to map the first number of virtual bands to the second number of real bands. The method of claim 2, wherein the virtual machine manager comprises one or more virtual tape managers configured to map the first number of the virtual bands to the second number of the real bands. The apparatus of claim 3, wherein each of the one or more virtual tape managers is configured to map a number of the virtual tapes to one or more of the second number of real tapes. The apparatus according to one of claims 1 to 4, wherein the storage means comprises a tape manager adapted to store key material. The apparatus of claim 5, wherein the tape manager comprises an opaque or opaque keystore. The apparatus of any one of claims 1 to 6, wherein the storage means comprises an encryption and decryption module. The device of claim 7, wherein the encryption and decryption module is implemented in hardware. The apparatus of any one of claims 1 to 8, wherein each virtual band is still fully protected from a security perspective with unique authentication and encryption keys. The apparatus of any one of claims 1 to 9, wherein the second number is significantly less than the first number. A method of concentrating a number of virtual tapes into a real tape for storage in a self-encrypting storage device, the method comprising: Associating one or more portions of a virtual logical block address range of each of the number of virtual bands with portions of a logical block address range of the real band; Generating a corresponding virtual media encryption key for each of the number of virtual bands based on a virtual machine authentication key and virtual key material stored in a host device on which the virtual machine is running; and Associating the corresponding virtual media encryption key for a particular one of the number of virtual bands with input / output requests, including portions of the logical block address range of the real band associated with the determined one of the number of virtual bands. The method of claim 11, further comprising: Generating a first real-volume media encoding key based on an authentication key of the host device and key material stored in the self-encrypting storage device; and Generating a number of second media encoding keys for the input / output requests, including portions of the logical block address range of the real band associated with the one of the number of virtual bands based on the first media encoding key and each of the corresponding ones, the input / Associated with output requests, virtual media encryption keys. The method of claim 12, further comprising: Encrypting data associated with write I / O requests using the second media encryption keys prior to writing the data to a storage medium; and Decrypting data associated with read input / output requests using the second media encryption keys after reading the data from the storage medium. The method of one of claims 11 to 13, wherein a first number of virtual bands is concentrated into a second number of real bands, the second number being less than the first number. The method of claim 14, wherein the second number is significantly less than the first number.

Images