TW201830284A - Data storage system, data storage method and data read method - Google Patents


Publication number: TW201830284A
Authority: TW (Taiwan)
Application number: TW106104155A
Other languages: Chinese (zh)
Inventor: 傅子瑜
Original Assignee: 宏碁股份有限公司
Prior art keywords: data, password, host system, logical unit, encrypted


Abstract

A data storage system, a data storage method and a data read method are provided. The data storage system includes a host system and a memory storage device. The host system transmits an encryption write command which carries a first code and instructs the device to store data to at least one logical unit according to the first code. The memory storage device encrypts the data with the first code according to the encryption write command and stores the encrypted data to at least one physical unit. The host system transmits a decryption read command which carries a second code and instructs the device to read the data from said logical unit. The memory storage device reads the encrypted data from said physical unit, decrypts the encrypted data with the second code according to the decryption read command, and then transmits the decrypted data to the host system.

Description

Data storage system, data storage method and data reading method

The present invention relates to a data storage technology, and more particularly to a data storage system, a data storage method and a data reading method.

To prevent data from being stolen, some memory storage devices provide an additional encryption function. When the host system wants to store data, it sends an ordinary write command, and the memory storage device encrypts the corresponding data before storing it. Later, when the host system wants to read the previously stored data, it sends an ordinary read command, and the memory storage device reads out the corresponding data, decrypts it and transmits it to the host system. As a result, if the data stored in the memory storage device is stolen, the stolen data appears as meaningless garbage and cannot be restored to the original data unless the thief knows the encryption key of the memory storage device.

However, memory storage devices that provide an encrypted storage function generally support only full-disk encryption. The host system cannot directly specify that the encryption function provided by the memory storage device be used, and the user cannot decide which data the memory storage device encrypts.

In view of this, the present invention provides a data storage system, a data storage method and a data reading method by which the host system can dynamically control which particular data the memory storage device stores in encrypted form.

An embodiment of the invention provides a data storage system that includes a host system and a memory storage device. The memory storage device is coupled to the host system via a connection interface. The host system sends an encrypted write command that carries a first password and instructs that data be stored, according to the first password, in at least one logical unit, where the at least one logical unit is mapped to at least one physical unit of the memory storage device. The memory storage device encrypts the data using the first password according to the encrypted write command and stores the encrypted data in the at least one physical unit. The host system further sends a decrypted read command that carries a second password and instructs that the data be read from the at least one logical unit according to the second password. The memory storage device further reads the encrypted data from the at least one physical unit according to the decrypted read command, decrypts the encrypted data using the second password, and transmits the decrypted data to the host system.

Another embodiment of the invention provides a data storage method for a host system. The data storage method includes: sending an encrypted write command that carries a first password and instructs that data be stored, according to the first password, in at least one logical unit, where the at least one logical unit is mapped to at least one physical unit of a memory storage device and the first password is used to encrypt the data in the memory storage device; and marking the at least one logical unit as hardware-encrypted in a file system.

Another embodiment of the invention provides a data reading method for a host system. The data reading method includes: determining whether at least one logical unit is marked as hardware-encrypted in a file system, where the at least one logical unit is mapped to at least one physical unit of a memory storage device; and, if the at least one logical unit is marked as hardware-encrypted, sending a decrypted read command that carries a second password and instructs that data be read from the at least one logical unit according to the second password, where the second password is used to decrypt the data in the memory storage device.

Based on the above, by defining a specific encrypted write command and decrypted read command, the invention lets the host system tell the memory storage device that particular data must be stored in encrypted form, and lets it read the decrypted data back from the memory storage device without difficulty. This improves the efficiency and operational flexibility of data protection.

To make the above features and advantages of the invention more comprehensible, embodiments are described in detail below with reference to the accompanying drawings.

FIG. 1 is a schematic diagram of a data storage system according to an embodiment of the invention. Referring to FIG. 1, the data storage system 10 includes a host system 11 and a memory storage device 12. The host system 11 can store data in the memory storage device 12 and read data from it. The host system 11 may be any system that can substantively cooperate with the memory storage device 12 to store data, such as a computer system, a digital camera, a video camera, a communication device, an audio player, a video player or a tablet computer, and the memory storage device 12 may be any kind of non-volatile memory storage device, such as a flash drive, a memory card, a solid state drive (SSD), a Secure Digital (SD) card, a Compact Flash (CF) card or an embedded storage device.

FIG. 2 is a functional block diagram of the host system and the memory storage device according to an embodiment of the invention. Referring to FIG. 2, the host system 11 includes a processor 211, a buffer memory 212 and a connection interface 213. The processor 211 is coupled to the buffer memory 212 and the connection interface 213 and controls the overall operation of the host system 11. For example, the processor 211 may be a central processing unit (CPU) or any form of processing circuit. The buffer memory 212 comprises volatile memory of any kind; for example, it may include one or more dynamic random access memories (DRAM).

The connection interface 213 is used to couple to the memory storage device 12. For example, the connection interface 213 may be compatible with a connection interface standard such as Serial Advanced Technology Attachment (SATA), Parallel Advanced Technology Attachment (PATA), Peripheral Component Interconnect Express (PCI Express) or Universal Serial Bus (USB). In another embodiment, the host system 11 also includes whatever hardware is needed in practice, such as a network interface card, a keyboard (or touchpad), a screen and/or a speaker.

The memory storage device 12 includes a memory controller 221, a memory array 222, a connection interface 223 and an encryption/decryption engine 224. The memory controller 221 is coupled to the memory array 222, the connection interface 223 and the encryption/decryption engine 224. The memory controller 221 executes a plurality of logic gates or control instructions implemented in hardware or firmware and performs operations such as writing, reading and erasing data in the memory array 222 according to commands from the host system 11. The memory controller 221 also controls the overall operation of the memory storage device 12.

The memory array 222 includes a plurality of memory cells and stores the data written by the host system 11. For example, the memory array 222 may be a single level cell (SLC) NAND flash memory module (that is, a flash memory module in which one memory cell stores 1 bit), a multi level cell (MLC) NAND flash memory module (one memory cell stores 2 bits) or a triple level cell (TLC) NAND flash memory module (one memory cell stores 3 bits). The memory cells in the memory array 222 store data as changes in threshold voltage.

The connection interface 223 may be compatible with a connection interface standard such as SATA, PATA, PCI Express or USB. The host system 11 and the memory storage device 12 communicate, and transmit commands and data of all kinds, via the connection interfaces 213 and 223. The encryption/decryption engine 224 includes at least one hardware encryption/decryption circuit and supports at least one encryption/decryption algorithm. In this embodiment, the encryption/decryption engine 224 is an Advanced Encryption Standard (AES) engine and uses the AES algorithm to encrypt and decrypt data. In another embodiment, the encryption/decryption engine 224 may use another type of encryption/decryption algorithm, for example the RSA algorithm; the invention is not limited in this respect. The memory storage device 12 may also have basic components such as a buffer memory and a power management module, which are not described here.

In this embodiment, the host system 11 uses a file system to manage a plurality of logical units. A logical unit may be one logical block address (LBA) or may consist of a plurality of logical block addresses. To store data, the host system 11 instructs the memory storage device 12 to store the data in a certain logical unit. To read data, the host system 11 instructs the memory storage device 12 to read data from a certain logical unit. To delete data, the host system 11 instructs the memory storage device 12 to delete the data stored in a certain logical unit.

FIG. 3 is a timing diagram of a data access mechanism according to an embodiment of the invention. Referring to FIG. 3, in step S301, when a certain piece of data (also called the original data) is to be stored using the hardware encryption of the memory storage device 12, the host system 11 sends an encrypted write command to the memory storage device 12. Unlike an ordinary write command, the encrypted write command carries a password (also called the first password). The encrypted write command instructs that the original data be stored, according to the first password, in at least one logical unit, where the at least one logical unit is mapped to at least one physical unit of the memory storage device 12 and the first password is used to encrypt the original data in the memory storage device 12.

In this embodiment, a physical unit may be one physical block address (PBA). In another embodiment, a physical unit may also consist of a plurality of physical block addresses. A physical block address locates one physical block in the memory array 222. For example, the memory cells that belong to the same physical block in the memory array 222 may be programmed in sequence but are erased together. For convenience, in the following the logical unit that the host system 11 designates for storing the original data is denoted LBA0, and the physical unit to which the logical unit LBA0 is mapped is denoted PBA0.

In step S302, the memory storage device 12 encrypts the data (that is, the original data) using the first password according to the received encrypted write command and stores the encrypted data in the physical unit PBA0. For example, the memory controller 221 obtains the first password from the encrypted write command and instructs the encryption/decryption engine 224 to encrypt the original data using the first password to obtain the encrypted data. The memory controller 221 then looks up a logical-to-physical mapping table to obtain the physical unit PBA0 and instructs the memory array 222 to store the encrypted data in the physical unit PBA0.

In other words, the data now stored in the physical unit PBA0 is the encrypted data produced by the encryption/decryption engine 224 encrypting the original data according to the first password. In one embodiment, in addition to the first password, the encryption/decryption engine 224 also uses a hash key to encrypt the original data and obtain the encrypted data. For example, this hash key is recorded in the encryption/decryption engine 224 rather than being provided by the encrypted write command.

In step S303, when the data stored using the hardware encryption of the memory storage device 12 is to be read, the host system 11 sends a decrypted read command. Unlike an ordinary read command, the decrypted read command carries a password (also called the second password). The decrypted read command instructs that data be read from the logical unit LBA0 according to the second password. In this embodiment, the second password is used to decrypt the encrypted data in the memory storage device 12. For example, the second password is the same as the first password.

In step S304, the memory storage device 12 reads the encrypted data from the physical unit PBA0 according to the received decrypted read command and decrypts the encrypted data using the second password. For example, after receiving the decrypted read command, the memory controller 221 looks up the logical-to-physical mapping table to obtain the physical unit PBA0 and instructs the memory array 222 to read out the encrypted data stored in the physical unit PBA0. The memory controller 221 also obtains the second password from the decrypted read command and instructs the encryption/decryption engine 224 to decrypt the encrypted data using the second password to obtain the decrypted data. In one embodiment, in addition to the second password, the encryption/decryption engine 224 also uses the hash key to decrypt the encrypted data and obtain the decrypted data.

In step S305, the memory storage device 12 transmits the decrypted data to the host system 11. Note that if both the second password and the hash key used by the encryption/decryption engine 224 to decrypt the encrypted data are correct, the decrypted data produced is identical to the original data before encryption. However, if at least one of the second password and the hash key used by the encryption/decryption engine 224 is incorrect, decrypting the encrypted data yields a meaningless string of garbage. In one embodiment, this garbage is still transmitted to the host system 11.

In one embodiment, besides the memory storage device 12 returning garbage when the second password differs from the first password, the memory storage device 12 also returns garbage if the host system 11 uses an ordinary read command to read a logical unit that currently holds hardware-encrypted data. An ordinary read command therefore cannot recover the original data that was stored with the encrypted write command.

FIG. 4 is a timing diagram of a data access mechanism according to another embodiment of the invention. Referring to FIG. 4, in step S401, when a certain piece of data (that is, the original data) is to be stored using the hardware encryption of the memory storage device 12, the host system 11 sends an encrypted write command to the memory storage device 12. This encrypted write command carries the first password and instructs that the original data be stored in the logical unit LBA0 according to the first password, where the logical unit LBA0 is mapped to the physical unit PBA0 of the memory storage device 12.

In step S402, the memory storage device 12 encrypts the data (that is, the original data) using the first password according to the received encrypted write command and stores the encrypted data in the physical unit PBA0. Steps S401 and S402 are the same as or similar to steps S301 and S302 of FIG. 3 and are not repeated here.

In step S403, when the data stored using the hardware encryption of the memory storage device 12 is to be read, if the host system 11 sends an ordinary read command instructing that data be read from the logical unit LBA0, the memory storage device 12 cannot obtain the second password (or the first password) from the ordinary read command. Therefore, in step S404, the memory storage device 12 reads the encrypted data from the physical unit PBA0 but does not decrypt it. Then, in step S405, the memory storage device 12 transmits the undecrypted data (that is, the encrypted data that was read) to the host system 11. For example, the undecrypted data is a string of garbage.

In other words, for data that the host system 11 has instructed to be protected by the hardware encryption of the memory storage device 12, whether the data is stolen without passing through the encryption/decryption engine 224 for decryption or is read by another host system that does not have the first password used for the original encryption, the data is returned as garbage, which protects the content of the original data.

In one embodiment, on receiving a data storage operation for at least one logical unit (for example, the logical unit LBA0), the host system 11 determines whether to use the hardware encryption of the memory storage device 12. If the hardware encryption of the memory storage device 12 is to be used, the host system 11 temporarily stores the data to be stored and the first password in the buffer memory 212 and generates the encrypted write command from the data and the first password held in the buffer memory 212. This encrypted write command may be sent to the memory storage device 12 in step S301 of FIG. 3 or step S401 of FIG. 4.

Conversely, if the hardware encryption of the memory storage device 12 is not needed, the host system 11 temporarily stores the data to be stored in the buffer memory 212 and generates an ordinary write command from the data held in the buffer memory 212. This ordinary write command does not carry the first password and instructs that the data be stored in the at least one logical unit (for example, the logical unit LBA0). In other words, data stored by an ordinary write command is not encrypted by the encryption/decryption engine 224. Data stored by an ordinary write command can also be read directly with an ordinary read command without garbage being returned.

In one embodiment, whether to use the hardware encryption of the memory storage device 12 may be decided according to the data storage operation performed by the user. For example, when the user performs a data storage operation, the user may be allowed to choose whether to use hardware encryption. Alternatively, in one embodiment, whether to use the hardware encryption of the memory storage device 12 may be decided automatically by the host system 11 according to information such as the type or storage location of the data to be stored. For example, if the data to be stored is sensitive data related to identity information (such as an identity card number or account passwords) or is to be stored in an important folder that requires extra protection, the host system 11 may enable hardware encryption automatically.

In one embodiment, if a certain logical unit (for example, the logical unit LBA0) is used to store hardware-encrypted data, the host system 11 marks that logical unit (for example, the logical unit LBA0) as hardware-encrypted in the file system. For example, the extension of the file in the logical unit LBA0 may be set to ".aes" in the file system as the mark of the hardware-encrypted state. Note that if the host system 11 also supports a host-side encryption operation performed with encryption software, a logical unit that stores data encrypted by the host-side encryption operation may be marked as software-encrypted. The mark for the hardware-encrypted state differs from the mark for the software-encrypted state. For example, the extension of the file in such a logical unit may be set to ".host" in the file system as the mark of the software-encrypted state, but the specific content of the marks is not limited to this.

In one embodiment, on receiving a data read operation for at least one logical unit (for example, the logical unit LBA0), the host system 11 also determines whether the logical unit to be read is marked as hardware-encrypted in the file system. If the logical unit to be read is marked as hardware-encrypted, the host system 11 reads the data with the corresponding decrypted read command. For the operation of reading data with the decrypted read command, refer to the description of steps S303 and S304 of FIG. 3, which is not repeated here. Conversely, if the logical unit to be read is not marked as hardware-encrypted, the host system 11 may read the data directly with an ordinary read command.

FIG. 5 is a flowchart of a data storage method according to an embodiment of the invention. Referring to FIG. 5, in step S501, a data storage operation for at least one logical unit is received. For example, this data storage operation may be a user saving a file. In step S502, it is determined whether to use the hardware encryption of the memory storage device. If hardware encryption is to be used, in step S503 an encrypted write command carrying a first password is sent to instruct that the data be stored in the at least one logical unit according to the first password. If it is determined that hardware encryption is not needed, in step S504 an ordinary write command without the first password is sent to instruct that the data be stored in the at least one logical unit. In addition, if hardware encryption is to be used, in step S505 the at least one logical unit is marked as hardware-encrypted in the file system.

FIG. 6 is a flowchart of a data reading method according to an embodiment of the invention. Referring to FIG. 6, in step S601, a data read operation for at least one logical unit is received. For example, this data read operation may be a user opening a file. In step S602, it is determined whether the at least one logical unit is marked as hardware-encrypted in the file system. If it is, in step S603 a decrypted read command carrying a second password is sent to instruct that data be read from the at least one logical unit according to the second password. Otherwise, in step S604 an ordinary read command without the second password is sent to instruct that data be read from the at least one logical unit.
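The following Python model is an added illustration of the exchanges of FIG. 3 through FIG. 6 and is not code from the patent or its assignee. It models the memory storage device (logical-to-physical table plus encryption engine) and the host system (per-file decision and the ".aes" mark in the file system) as two classes. Assumptions, all labelled in the code: the AES engine is replaced by a SHA-256 counter-mode keystream because the standard library has no AES; the device-resident hash key, the file names and the passwords are constructed sample values; and the class and method names (MemoryStorageDevice, HostSystem, encrypted_write, decrypted_read, general_read, store_file, read_file) are hypothetical.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed values (not from the patent): a device-resident hash key that the
# engine keeps internally and that no command carries, and the file-system mark
# the description gives as an example for hardware-encrypted logical units.
CONSTRUCTED_HASH_KEY = b"constructed-device-resident-hash-key"
HW_ENCRYPTED_MARK = ".aes"


def _keystream(key: bytes, pba: int, length: int) -> bytes:
    """SHA-256 in counter mode, standing in for the AES engine (assumption: the
    standard library has no AES). The PBA tweaks the stream, so identical
    plaintext in two physical units does not yield identical ciphertext."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + pba.to_bytes(8, "big") + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class MemoryStorageDevice:
    """Memory storage device 12: controller, logical-to-physical mapping table and
    encryption/decryption engine, modelled as one object (hypothetical names)."""

    def __init__(self, units: int, hash_key: bytes = CONSTRUCTED_HASH_KEY) -> None:
        self.hash_key = hash_key
        self.l2p: Dict[int, int] = {lba: lba for lba in range(units)}  # LBA -> PBA
        self.physical: Dict[int, bytes] = {}                          # PBA -> stored bytes

    def _engine_key(self, password: bytes) -> bytes:
        # The engine combines the command-supplied password with its own hash key,
        # so a wrong password or a different device gives a different key.
        return hmac.new(self.hash_key, password, hashlib.sha256).digest()

    def encrypted_write(self, lba: int, password: bytes, data: bytes) -> None:
        # Steps S301/S302: encrypt with the first password, store ciphertext at the PBA.
        pba = self.l2p[lba]
        self.physical[pba] = _xor(data, _keystream(self._engine_key(password), pba, len(data)))

    def general_write(self, lba: int, data: bytes) -> None:
        # Ordinary write command: no password, the engine is bypassed.
        self.physical[self.l2p[lba]] = bytes(data)

    def general_read(self, lba: int) -> bytes:
        # Steps S403..S405: no password in the command, so the stored bytes are
        # returned as they are (ciphertext for a hardware-encrypted unit).
        return self.physical[self.l2p[lba]]

    def decrypted_read(self, lba: int, password: bytes) -> bytes:
        # Steps S303..S305: decrypt with the second password. The device cannot tell
        # whether that password is right; a wrong one simply yields garbage.
        pba = self.l2p[lba]
        stored = self.physical[pba]
        return _xor(stored, _keystream(self._engine_key(password), pba, len(stored)))


class HostSystem:
    """Host system 11: chooses per file whether to use the device's hardware
    encryption and records that choice in its file system (FIG. 5 and FIG. 6)."""

    def __init__(self, device: MemoryStorageDevice) -> None:
        self.device = device
        self.file_system: Dict[str, int] = {}  # recorded file name -> logical unit
        self._next_lba = 0

    def store_file(self, name: str, data: bytes, password: Optional[bytes] = None) -> str:
        lba, self._next_lba = self._next_lba, self._next_lba + 1
        if password is not None:                                # S502: use hardware encryption
            self.device.encrypted_write(lba, password, data)    # S503
            recorded = name + HW_ENCRYPTED_MARK                 # S505: mark the unit
        else:
            self.device.general_write(lba, data)                # S504
            recorded = name
        self.file_system[recorded] = lba
        return recorded

    def read_file(self, name: str, password: Optional[bytes] = None) -> bytes:
        marked = name + HW_ENCRYPTED_MARK
        if marked in self.file_system:                          # S602: marked hardware-encrypted?
            if password is None:
                raise ValueError("hardware-encrypted unit needs a password")
            return self.device.decrypted_read(self.file_system[marked], password)  # S603
        return self.device.general_read(self.file_system[name])  # S604


if __name__ == "__main__":
    dev = MemoryStorageDevice(units=8)
    host = HostSystem(dev)
    host.store_file("id_card", b"constructed sensitive record", password=b"first-password")
    host.store_file("notes", b"constructed public text")
    print(host.read_file("id_card", password=b"first-password"))  # original data
    print(host.read_file("notes"))                                # ordinary read path
    print(dev.general_read(0))                                    # ciphertext, as an ordinary read of LBA0 returns it
```

Two points the model makes visible. First, because the engine key depends on a hash key that never leaves the device, copying the raw physical bytes into another device and issuing a decrypted read with the correct password still yields garbage, which is the "stolen without passing through the engine" case of the description. Second, as the description states, a wrong second password produces garbage that the device still returns; nothing in this command set carries an integrity tag, so the host cannot distinguish that garbage from valid data and must rely on its own file-system mark and on the user supplying the right password.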

The steps of FIG. 3 to FIG. 6 have been described in detail above and are not repeated here. Note that each step of FIG. 3 to FIG. 6 may be implemented as a plurality of program codes or as circuits; the invention is not limited in this respect. The methods of FIG. 3 to FIG. 6 may be used together with the exemplary embodiments above or on their own; the invention is not limited in this respect.

In summary, by defining a specific encrypted write command and a specific decrypted read command, the invention allows the host system to inform the memory storage device that particular data must be stored in encrypted form, and allows the decrypted data to be read back smoothly from the memory storage device. This improves both the efficiency of data protection and the flexibility of operation. In addition, by marking a specific logical unit as being in a hardware encrypted state in the file system of the host system, the host system can dynamically decide at read time whether to read the data with the encrypted read command or with the general read command.

Although the invention has been disclosed above by way of embodiments, these are not intended to limit the invention; a person of ordinary skill in the art may make minor changes and refinements without departing from the spirit and scope of the invention, and the scope of protection of the invention is therefore defined by the appended claims.

10‧‧‧Data storage system

11‧‧‧Host system

12‧‧‧Memory storage device

211‧‧‧Processor

212‧‧‧Buffer memory

213, 223‧‧‧Connection interface

221‧‧‧Memory controller

222‧‧‧Memory array

224‧‧‧Encryption/decryption engine

S301~S305, S401~S405, S501~S505, S601~S604‧‧‧Steps

FIG. 1 is a schematic diagram of a data storage system according to an embodiment of the invention.
FIG. 2 is a functional block diagram of a host system and a memory storage device according to an embodiment of the invention.
FIG. 3 is a timing diagram of a data access mechanism according to an embodiment of the invention.
FIG. 4 is a timing diagram of a data access mechanism according to another embodiment of the invention.
FIG. 5 is a flowchart of a data storage method according to an embodiment of the invention.
FIG. 6 is a flowchart of a data reading method according to an embodiment of the invention.

Claims (9)

1. A data storage system, comprising: a host system; and a memory storage device coupled to the host system via a connection interface, wherein the host system is configured to send an encrypted write command that carries a first password and instructs that a data be stored in at least one logical unit according to the first password, wherein the at least one logical unit is mapped to at least one physical unit of the memory storage device, wherein the memory storage device is configured to encrypt the data using the first password according to the encrypted write command and to store an encrypted data in the at least one physical unit, wherein the host system is further configured to send a decrypted read command that carries a second password and instructs that the data be read from the at least one logical unit according to the second password, wherein the memory storage device is further configured to read the encrypted data from the at least one physical unit according to the decrypted read command, decrypt the encrypted data using the second password, and transmit a decrypted data to the host system.
2. The data storage system of claim 1, wherein the host system is further configured to mark the at least one logical unit as a hardware encrypted state in a file system.
3. The data storage system of claim 1, wherein the host system comprises a buffer memory, wherein the host system is further configured to temporarily store the data and the first password in the buffer memory and to generate the encrypted write command according to the data and the first password temporarily stored in the buffer memory.
4. The data storage system of claim 1, wherein when the data stored in the at least one logical unit is to be read, the host system is further configured to determine whether the at least one logical unit is marked as a hardware encrypted state in a file system, wherein the operation of sending the decrypted read command by the host system is performed in response to determining that the at least one logical unit is marked as the hardware encrypted state in the file system.
5. The data storage system of claim 1, wherein if the host system sends a general read command not carrying the second password to instruct that the data be read from the at least one logical unit, the memory storage device is further configured to transmit to the host system the encrypted data read from the at least one physical unit without decrypting it.
6. A data storage method for a host system, the data storage method comprising: sending an encrypted write command that carries a first password and instructs that a data be stored in at least one logical unit according to the first password, wherein the at least one logical unit is mapped to at least one physical unit of a memory storage device, and the first password is used to encrypt the data in the memory storage device; and marking the at least one logical unit as a hardware encrypted state in a file system.
7. The data storage method of claim 6, further comprising: temporarily storing the data and the first password in a buffer memory of the host system; and generating the encrypted write command according to the data and the first password temporarily stored in the buffer memory.
8. A data reading method for a host system, the data reading method comprising: determining whether at least one logical unit is marked as a hardware encrypted state in a file system, wherein the at least one logical unit is mapped to at least one physical unit of a memory storage device; and if the at least one logical unit is marked as the hardware encrypted state, sending a decrypted read command that carries a second password and instructs that a data be read from the at least one logical unit according to the second password, wherein the second password is used to decrypt the data in the memory storage device.
9. The data reading method of claim 8, further comprising: if the at least one logical unit is not marked as the hardware encrypted state, sending a general read command not carrying the second password, which instructs that the data be read from the at least one logical unit.

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW106104155A TW201830284A (en) 2017-02-08 2017-02-08 Data storage system, data storage method and data read method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW106104155A TW201830284A (en) 2017-02-08 2017-02-08 Data storage system, data storage method and data read method

Publications (1)

Publication Number Publication Date
TW201830284A true TW201830284A (en) 2018-08-16

Family

ID=63960610

Family Applications (1)

Application Number Title Priority Date Filing Date
TW106104155A TW201830284A (en) 2017-02-08 2017-02-08 Data storage system, data storage method and data read method

Country Status (1)

Country Link
TW (1) TW201830284A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI733375B (en) * 2020-03-17 2021-07-11 群聯電子股份有限公司 Data transfer method and memory storage device
US11216217B2 (en) 2020-03-17 2022-01-04 Phison Electronics Corp. Data transfer method after data encryption function is disabled and memory storage device
CN111723352A (en) * 2020-06-19 2020-09-29 龙岩学院 Wireless data reading and storing system and method
CN111723352B (en) * 2020-06-19 2023-08-08 龙岩学院 Wireless data reading and storing system and method
