
CN105354503B - Data encryption and decryption method for storage device - Google Patents


Publication number: CN105354503B
Authority: CN (China)
Prior art keywords: encryption, hard disk, storage device, data, write
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Application number: CN201510733496.8A
Other languages: Chinese (zh)
Other versions: CN105354503A (en)
Inventors: 李凯, 薛刚汝, 沈昀, 李辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Shanghai Zhaoxin Semiconductor Co Ltd
Original Assignee: Shanghai Zhaoxin Integrated Circuit Co Ltd
Application filed by Shanghai Zhaoxin Integrated Circuit Co Ltd
Priority to CN201510733496.8A (patent CN105354503B)
Priority to TW104140050A (patent TWI564748B)
Publication of CN105354503A
Application granted
Publication of CN105354503B

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/602: Providing cryptographic facilities or services
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/80: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in storage media based on magnetic or optical technology, e.g. disks with sectors

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a data encryption and decryption method for a storage device, comprising: providing an encryption/decryption engine, the encryption/decryption engine being hardware; parsing write command information from a write command, and passing the write data and the write command information to the encryption/decryption engine; and, via the encryption/decryption engine, combining a hard disk key with the write command information in order to encrypt the write data, and writing the encrypted write data to a storage device through a communication port.

Description

Storage device data encryption and decryption method

Technical field

The present invention relates to the field of computer technology, and in particular to a data encryption and decryption method for a storage device.

Background

For removable storage devices (hereinafter referred to as hard disks), data encryption and decryption is a common way to protect the security of user data. Existing hard disk encryption is usually performed by software in system memory (for example Microsoft's BitLocker program or the open-source TrueCrypt program), or performed inside the storage device by the storage device's controller. With these hard disk encryption techniques the key is exposed in system memory or on the bus that connects the storage device, which lowers security. How to avoid exposing the hard disk key and how to make the encryption scheme harder to crack are therefore important problems to be solved in this technical field.

Summary of the invention

A storage device data encryption and decryption method implemented according to one embodiment of the present invention comprises: providing an encryption/decryption engine, the encryption/decryption engine being hardware; parsing write command information from a write command, and passing the write data and the write command information to the encryption/decryption engine; and, via the encryption/decryption engine, combining a hard disk key with the write command information in order to encrypt the write data, and writing the encrypted write data to a storage device through a communication port.

In one embodiment, the storage device data encryption and decryption method further comprises: parsing read command information from a read command, and passing the undecrypted read data taken from the storage device, together with the read command information, to the encryption/decryption engine; and, via the encryption/decryption engine, combining the hard disk key with the read command information in order to decrypt the undecrypted read data, in response to the read command.

In one embodiment, the write command information includes the logical address and the number of sectors indicated by the write command, and the read command information includes the logical address and the number of sectors indicated by the read command. The encryption/decryption engine encrypts and decrypts data in units of sectors according to the logical address.

In one embodiment, the storage device data encryption and decryption method further comprises: providing a trusted platform module that includes hard disk key supply hardware, the hard disk key coming from the hard disk key supply hardware. The encryption/decryption engine may communicate with the hard disk key supply hardware following a key exchange protocol to obtain the hard disk key, so as to keep the hard disk key secure. In another embodiment, the encryption/decryption engine is packaged together with the hard disk key supply hardware, which effectively prevents the hard disk key from being exposed externally. In another embodiment, the encryption/decryption engine is fabricated on the same chip as the hard disk key supply hardware, which effectively prevents the hard disk key from being exposed externally.

In the storage device data encryption and decryption method of the present invention, the encryption/decryption engine is implemented in hardware, which greatly improves data security. In addition, the write/read command information is also taken into account during data encryption and decryption, which greatly increases the difficulty of cracking.

Embodiments are described below, with reference to the accompanying drawings, to explain the invention in detail.

Brief description of the drawings

FIG. 1 illustrates a chipset 100 implemented according to one embodiment of the present invention;

FIG. 2A illustrates the XTS-AES data encryption technique;

FIG. 2B illustrates the XTS-AES data decryption technique;

FIG. 3 illustrates a trusted platform module 300;

FIG. 4 is a flowchart of the hard disk key exchange protocol;

FIG. 5A is a flowchart of a SATA hard disk write;

FIG. 5B is a flowchart of a SATA hard disk read;

FIG. 6 is a flowchart of a SATA hard disk write using NCQ DMA;

FIG. 7 is a flowchart of a USB hard disk write.

Reference numerals:

100: chipset; 102: storage device main controller;

104: encryption/decryption engine; 106: communication port;

108: storage device;

202, 204: encryption operation hardware; 206: modular multiplication component;

208, 210: modular addition components; 212: encryption operation hardware;

214: decryption operation hardware; 216: modular multiplication component;

218, 220: modular addition components;

300: trusted platform module; 302: trusted platform module software;

304: hard disk key supply hardware;

aj: constant;

C: ciphertext; cc: data;

Cmd_Info: write/read command information;

Data: unencrypted write data / decrypted read data;

Data_Encrypted: encrypted write data / undecrypted read data;

DEK: hard disk key;

DEK_key1, DEK_key2: the two partial keys that make up the hard disk key DEK;

p: plaintext; pp: data;

S402…S406, S502…S514, S522…S534, S602…S620, S702…S714: steps;

T: modular multiplication result.

Detailed description

The following description lists various embodiments of the present invention. It introduces the basic concepts of the invention and is not intended to limit its content. The actual scope of the invention should be defined by the claims.

FIG. 1 illustrates a chipset 100 implemented according to one embodiment of the present invention. The chipset 100 includes a storage device main controller 102 and an encryption/decryption engine 104. The storage device main controller 102 controls communication between a communication port 106 and a storage device 108. The communication port 106 may be, for example, a Serial Advanced Technology Attachment (SATA) interface or a Universal Serial Bus (USB) interface. The storage device 108, also called a hard disk, may be a mechanical hard disk, a solid-state drive, or the like. The encryption/decryption engine 104 is hardware, coupled to the storage device main controller 102, and encrypts and decrypts the data written to or read from the storage device 108. Because the encryption/decryption engine 104 is enclosed in the chipset 100 as hardware, data security is greatly improved. In one embodiment, the data encryption and decryption performed by the encryption/decryption engine 104 uses no space outside the chipset 100 for temporary data storage. In one embodiment, the chipset 100, composed of a north bridge and a south bridge, has the storage device main controller 102 and the encryption/decryption engine 104 fabricated in the south bridge. In another embodiment, the encryption/decryption engine 104 may also be integrated inside the storage device main controller 102, further improving the security of encryption and decryption. The storage device main controller 102, for its part, parses the write/read command information Cmd_Info from the write/read commands it receives. In one embodiment, the write/read commands here are DMA requests sent to the chipset 100 by a direct memory access (DMA) controller of a host (not shown).

The encryption/decryption engine 104 also takes the write/read command information Cmd_Info into account when encrypting and decrypting data, which greatly increases the difficulty of cracking.

This paragraph discusses write commands. The storage device main controller 102 parses the write command information Cmd_Info from the write command it receives, and passes the write data Data and the write command information Cmd_Info to the encryption/decryption engine 104. The encryption/decryption engine 104 combines the hard disk key DEK with the write command information Cmd_Info in order to encrypt the write data Data, and hands the encrypted write data Data_Encrypted to the storage device main controller 102, which writes it to the storage device 108 through the communication port 106.

This paragraph discusses read commands. The storage device main controller 102 parses the read command information Cmd_Info from the read command it receives, and passes the undecrypted read data Data_Encrypted taken from the storage device 108, together with the read command information Cmd_Info, to the encryption/decryption engine 104. The encryption/decryption engine 104 combines the hard disk key DEK with the read command information Cmd_Info in order to decrypt the undecrypted read data Data_Encrypted, and the decrypted read data Data is handed to the storage device main controller 102 to respond to the read command.

The data accessed by a DMA request is transferred in units of data blocks with a relatively fixed format, which makes it convenient for the encryption/decryption engine 104 of the present invention to encrypt and decrypt automatically, without software involvement. The write/read command of a DMA request includes the logical address (e.g., LBA) to be accessed and the number of sectors. In one embodiment, the encryption/decryption engine 104 encrypts and decrypts data sector by sector according to the sector number in the logical address (e.g., LBA) indicated by the write/read command, for example with the XTS-AES/SM4 data encryption and decryption technique. The write/read command information Cmd_Info includes the logical address and the number of sectors indicated by the write/read command.

FIG. 2A illustrates the XTS-AES data encryption technique. The write command information Cmd_Info includes the hard disk sector number i indicated by the write command. The hard disk key DEK consists of two parts, the key DEK_key1 and the key DEK_key2. The hard disk sector number i is combined with the key DEK_key2 by the encryption operation hardware 202, and the result is combined with the constant aj by the modular multiplication component 206. The modular multiplication result T is combined with the unencrypted write data p (the "plaintext", labeled Data in FIG. 1) by the modular addition component 208. The modular addition result pp is combined with the key DEK_key1 by the encryption operation hardware 204, and the resulting data cc is combined with the modular multiplication result T by the modular addition component 210, yielding the encrypted write data C (the "ciphertext", labeled Data_Encrypted in FIG. 1). FIG. 2A uses the XTS-AES encryption algorithm as an example, but the invention is not limited to it; other encryption algorithms also fall within the scope the invention seeks to protect.

FIG. 2B illustrates the XTS-AES data decryption technique. The read command information Cmd_Info includes the hard disk sector number i indicated by the read command. The hard disk key DEK consists of two parts, the key DEK_key1 and the key DEK_key2. The hard disk sector number i is combined with the key DEK_key2 by the encryption operation hardware 212, and the result is combined with the constant aj by the modular multiplication component 216. The modular multiplication result T is combined with the undecrypted read data C (the "ciphertext", labeled Data_Encrypted in FIG. 1) by the modular addition component 218. The modular addition result cc is combined with the key DEK_key1 by the decryption operation hardware 214, and the resulting data pp is combined with the modular multiplication result T by the modular addition component 220, yielding the decrypted read data p (the "plaintext", labeled Data in FIG. 1). FIG. 2B uses the XTS-AES decryption algorithm as an example, but the invention is not limited to it; other decryption algorithms also fall within the scope the invention seeks to protect.

It is worth noting that the invention encrypts the write data Data after combining the hard disk sector number i with the hard disk key, so that in DMA access requests that operate in units of data blocks (e.g., sectors), the encryption and decryption of one data block does not depend on any other data block. The technique described in FIG. 2A and FIG. 2B makes the same data at different sector numbers produce different encryption results, which makes it hard to crack. In addition, because encryption is independent for different sector numbers, the undecrypted data of different sector numbers can be read out and decrypted independently.
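The per-sector scheme of FIG. 2A and FIG. 2B can be modelled in software as follows; this is an added example, not code from the patent. It assumes XTS-AES-128 with DEK = DEK_key1 || DEK_key2 (16 bytes each), 512-byte sectors, and the constant aj taken as the standard XTS multiplier (one multiplication by alpha in GF(2^128) per 16-byte block); the function names, key and data are constructed for illustration.

```python
# Added example (not from the patent): XTS-AES-128 per sector, after FIG. 2A/2B.
# Assumptions: DEK = DEK_key1 || DEK_key2 (16 bytes each), 512-byte sectors,
# tweak = sector number i from Cmd_Info. All function names are hypothetical.
SECTOR = 512

def _xtime(a):
    """Multiply by x in GF(2^8), reduced by the AES polynomial."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gmul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _sbox_entry(a):
    inv = 1
    for _ in range(254):              # a^254 is the inverse of a; 0 maps to 0
        inv = _gmul(inv, a)
    rot = lambda n: ((inv << n) | (inv >> (8 - n))) & 0xFF
    return inv ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63

SBOX = [_sbox_entry(a) for a in range(256)]
INV_SBOX = [SBOX.index(v) for v in range(256)]

def expand_key(key):
    """AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _mix(s, m):
    """(Inv)MixColumns on a column-major state; m is the first matrix row."""
    return [_gmul(s[4 * c], m[(0 - r) % 4]) ^ _gmul(s[4 * c + 1], m[(1 - r) % 4])
            ^ _gmul(s[4 * c + 2], m[(2 - r) % 4]) ^ _gmul(s[4 * c + 3], m[(3 - r) % 4])
            for c in range(4) for r in range(4)]

def aes_encrypt_block(rk, block):
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd < 10:
            s = _mix(s, (2, 3, 1, 1))
        s = [b ^ k for b, k in zip(s, rk[rnd])]
    return bytes(s)

def aes_decrypt_block(rk, block):
    s = [b ^ k for b, k in zip(block, rk[10])]
    for rnd in range(9, -1, -1):
        s = [s[4 * ((c - r) % 4) + r] for c in range(4) for r in range(4)]  # InvShiftRows
        s = [INV_SBOX[b] ^ k for b, k in zip(s, rk[rnd])]
        if rnd > 0:
            s = _mix(s, (14, 11, 13, 9))
    return bytes(s)

def xts_sector(dek, sector_no, data, decrypt=False):
    """Encrypt or decrypt one sector; sector_no is the tweak i of FIG. 2A/2B."""
    if len(dek) != 32 or not data or len(data) % 16:
        raise ValueError("need a 32-byte DEK and whole 16-byte blocks")
    rk1, rk2 = expand_key(dek[:16]), expand_key(dek[16:])
    # T starts as E(DEK_key2, i) and is multiplied by alpha once per block.
    t = int.from_bytes(aes_encrypt_block(rk2, sector_no.to_bytes(16, "little")), "little")
    crypt = aes_decrypt_block if decrypt else aes_encrypt_block
    out = bytearray()
    for off in range(0, len(data), 16):
        tb = t.to_bytes(16, "little")
        pp = bytes(x ^ y for x, y in zip(data[off:off + 16], tb))  # first modular addition
        cc = crypt(rk1, pp)                                        # keyed by DEK_key1
        out += bytes(x ^ y for x, y in zip(cc, tb))                # second modular addition
        t <<= 1                                                    # T * alpha in GF(2^128)
        if t >> 128:
            t = (t & ((1 << 128) - 1)) ^ 0x87
    return bytes(out)

def crypt_command(dek, lba, sector_count, data, decrypt=False):
    """Handle one write/read command whose Cmd_Info is (lba, sector_count)."""
    if len(data) != sector_count * SECTOR:
        raise ValueError("data length does not match the sector count")
    return b"".join(xts_sector(dek, lba + k, data[k * SECTOR:(k + 1) * SECTOR], decrypt)
                    for k in range(sector_count))

if __name__ == "__main__":
    dek = bytes(range(32))                 # constructed key, for illustration only
    enc = crypt_command(dek, 100, 2, b"A" * SECTOR * 2)   # two identical sectors
    print("ciphertexts differ:", enc[:SECTOR] != enc[SECTOR:])
    print("LBA 101 read alone:", crypt_command(dek, 101, 1, enc[SECTOR:], True) == b"A" * SECTOR)
```

Reading the second sector back with the wrong logical address (100 instead of 101) yields garbage rather than the plaintext, which is the binding to Cmd_Info that the description relies on.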

In one embodiment, XTS-AES and XTS-SM4 are two encryption/decryption operation options selected by a register bit; the hardware architecture of the XTS-SM4 encryption/decryption operation is similar to FIG. 2A and FIG. 2B. The XTS-AES encryption and decryption technique can be enabled or disabled through an "efuse" bit, to comply with policies and regulations.

This paragraph discusses the hard disk key DEK. FIG. 3 illustrates a Trusted Platform Module (TPM) 300, which includes trusted platform module software 302 and hard disk key supply hardware 304. The hard disk key supply hardware 304 is connected to the encryption/decryption engine 104 and supplies the hard disk key DEK that the encryption/decryption engine 104 requires. The trusted platform module 300 can run the trusted platform module software 302 through the Unified Extensible Firmware Interface (UEFI) or the operating system (OS), to operate the hard disk key supply hardware 304 to generate the hard disk key DEK.

This paragraph discusses the security of communication between the hard disk key supply hardware 304 and the encryption/decryption engine 104. In one embodiment, the encryption/decryption engine 104 communicates with the hard disk key supply hardware 304 following a key exchange protocol (e.g., the Diffie-Hellman key exchange protocol). FIG. 4 is a flowchart of the hard disk key exchange protocol. In step S402, the encryption/decryption engine 104 and the hard disk key supply hardware 304 determine a key exchange key (KEK). In step S404, the hard disk key supply hardware 304 encrypts the hard disk key DEK with the key exchange key KEK and transmits it to the encryption/decryption engine 104. In step S406, the encryption/decryption engine 104 uses the key exchange key KEK that it computed itself to decrypt the hard disk key DEK. By the steps of this flow, the encryption/decryption engine 104 securely obtains the hard disk key DEK from the hard disk key supply hardware 304.

The closed nature of the communication between the hard disk key supply hardware 304 and the encryption/decryption engine 104 can also be achieved by the hardware architecture. In one embodiment, the encryption/decryption engine 104 is packaged together with the hard disk key supply hardware 304. In one embodiment, the encryption/decryption engine 104 is fabricated on the same chip as the hard disk key supply hardware 304. In one embodiment, the chipset 100, composed of a north bridge and a south bridge, has the storage device main controller 102, the encryption/decryption engine 104 and the hard disk key supply hardware 304 fabricated in the south bridge. The closed communication environments above ensure that the hard disk key DEK is not exposed on an external bus or interface, so that the hard disk key supply hardware 304 and the encryption/decryption engine 104 are allowed to communicate in plaintext (unencrypted).

In one embodiment, a request by the encryption/decryption engine 104 to the hard disk key supply hardware 304 for the hard disk key DEK is accepted by the hard disk key supply hardware 304 only after it has confirmed that the identification conditions set by the user are satisfied. A password, a smart card, a fingerprint, remote attestation, user identity and system status can all serve as identification conditions set by the user. The identification conditions can be set by the trusted platform module software 302 running in UEFI or OS form.

In one embodiment, the trusted platform module 300 also uses a key migration technique to make an encrypted backup of the hard disk key DEK.

The following discusses in particular how the chipset 100 encrypts and decrypts a Serial Advanced Technology Attachment (SATA) storage device 108. The SATA hard disk (corresponding to 108) may be a mechanical hard disk (HDD) or a solid-state drive (SSD). The chipset 100 can be designed to perform full-disk encryption of the SATA hard disk 108, or partial-disk encryption of specific logical addresses (e.g., LBA), which can be set by the chipset 100 via the basic input/output system (BIOS). The encryption/decryption engine 104 may use an encryption algorithm such as XTS-AES or XTS-SM4, with the logical address (e.g., LBA) as the tweak (corresponding to the hard disk sector number i in FIG. 2A and FIG. 2B). The hard disk sector size is, for example, 512 bytes or 4K bytes.

FIG. 5A is a flowchart of a SATA hard disk write. In step S502, the SATA controller (corresponding to 102) parses the received write command (e.g., WRITE DMA EXT) to obtain the write command information Cmd_Info, which includes the logical address (e.g., LBA) and the sector count, and provides it to the encryption/decryption engine 104 as an encryption request. In step S504, the encryption/decryption engine 104 requests the hard disk key DEK from the hard disk key supply hardware 304. In step S506, the hard disk key supply hardware 304 supplies the hard disk key DEK after confirming that the user's predefined conditions are satisfied. In step S508, after receiving the activation permission (e.g., the DMA Activate Frame Information Structure, DMA Activate FIS, defined for direct memory access), the SATA controller 102 forwards the unencrypted write data Data to the encryption/decryption engine 104 (e.g., in units of DATA FIS data blocks; one DATA FIS may include multiple sectors, and one DMA command may include multiple DATA FIS writes); that is, the encryption/decryption engine 104 receives the unencrypted write data Data from the SATA controller 102 (e.g., in units of DATA FIS data blocks). In step S510, the encryption/decryption engine 104 encrypts the unencrypted write data Data based on the hard disk key DEK and the write command information Cmd_Info, and forwards the encrypted write data Data_Encrypted to the SATA controller 102; the encryption/decryption engine 104 may go on to encrypt the next DATA FIS, until it no longer receives data from the SATA controller 102. In step S512, the SATA controller 102 writes the encrypted write data Data_Encrypted to the SATA hard disk 108. In step S514, the subsequent hard disk status (Status transfer) is returned to the upper-layer software by the SATA controller 102 without passing through the encryption/decryption engine 104. In one embodiment, the SATA controller 102 and the encryption/decryption engine 104 repeat steps S508 to S514 until all DATA FISes indicated by the write command have been encrypted.

FIG. 5B is a flowchart of a SATA hard disk read. In step S522, the SATA controller 102 parses the received read command to obtain the read command information Cmd_Info, which includes the logical address (e.g., LBA) and the sector count, and provides it to the encryption/decryption engine 104 as a decryption request. In step S524, the encryption/decryption engine 104 requests the hard disk key DEK from the hard disk key supply hardware 304. In step S526, the hard disk key supply hardware 304 supplies the hard disk key DEK after confirming that the user's predefined conditions are satisfied. In step S528, the SATA controller 102 forwards the undecrypted read data Data_Encrypted of the SATA hard disk 108 to the encryption/decryption engine 104 (e.g., in units of the DATA FIS data blocks); that is, the encryption/decryption engine 104 receives the undecrypted read data Data_Encrypted from the SATA controller 102 (e.g., in units of DATA FIS data blocks). In step S530, the encryption/decryption engine 104 decrypts the undecrypted read data Data_Encrypted based on the hard disk key DEK and the read command information Cmd_Info, and forwards the decrypted read data Data to the SATA controller 102; the encryption/decryption engine 104 may go on to decrypt the next DATA FIS, until it no longer receives data from the SATA controller 102. In step S532, the SATA controller 102 returns the decrypted read data Data to the upper-layer software. In step S534, the subsequent hard disk status (Status transfer) is returned to the upper-layer software by the SATA controller 102 without passing through the encryption/decryption engine 104. In one embodiment, the SATA controller 102 and the encryption/decryption engine 104 repeat steps S528 to S534 until all DATA FISes indicated by the read command have been decrypted.

SATA transfers can also use the DMA technique of Native Command Queue (NCQ).

FIG. 6 is a flow chart of a SATA hard disk write using NCQ DMA. In step S602, the SATA controller 102 parses the received write command (such as WRITE FPDMA QUEUED) and obtains its tag (TAG, which distinguishes the multiple write commands or multiple read commands that follow NCQ) and the write command information Cmd_Info, which includes the logical address (such as an LBA) and the sector count and size. In step S604, after receiving the NCQ command, the SATA hard disk 108 sends status information (Register D2H FIS) to the host so that the next NCQ command can also be received. The SATA hard disk 108 may also switch to processing other NCQ commands that have higher priority or were received earlier. In step S606, before processing the command identified by the tag (TAG), the SATA hard disk 108 sends a DMA setup (DMA Setup FIS) and activation information (DMA ACTIVE FIS) to the host. In step S608, the SATA controller 102 parses the tag from the DMA setup information, finds the corresponding DMA buffer and write command information Cmd_Info, and provides them to the encryption/decryption engine 104 as an encryption request. In step S610, the encryption/decryption engine 104 requests the hard disk key DEK from the hard disk key provisioning hardware 304. In step S612, the hard disk key provisioning hardware 304 supplies the hard disk key DEK after confirming that the user pre-defined condition is satisfied. In step S614, the SATA controller 102 forwards the unencrypted write data Data to the encryption/decryption engine 104 (for example, in units of DATA FIS data blocks; one DATA FIS may include multiple sectors, and one DMA command may include multiple DATA FIS writes); that is, the encryption/decryption engine 104 receives the unencrypted write data Data from the SATA controller 102 (for example, in units of DATA FIS data blocks). In step S616, the encryption/decryption engine 104 encrypts the unencrypted write data Data into encrypted write data Data_Encrypted based on the hard disk key DEK and the write command information Cmd_Info, and forwards it to the SATA controller 102; the encryption/decryption engine 104 can continue to encrypt the next piece of data until no more data is received from the SATA controller 102. In step S618, the SATA controller 102 writes the encrypted write data Data_Encrypted to the SATA hard disk 108. In step S620, the SATA hard disk 108 sends update information (SET Device Bits FIS) to the host to update the values of the register (SActive register) and the status (Status) in the host; this update information is returned to the upper-layer software through the SATA controller 102 without passing through the encryption/decryption engine 104. The NCQ DMA SATA hard disk read flow likewise obtains the hard disk key DEK securely under the same concept, and the decryption of the undecrypted read data Data_Encrypted that the SATA controller 102 obtains from the SATA hard disk 108 is completed inside the closed encryption/decryption engine 104. In one embodiment, the SATA controller 102 and the encryption/decryption engine 104 cyclically execute steps S614 and S620 until all DATA FISs indicated by the write command have been encrypted.
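The NCQ write flow above (tag lookup, a DEK request gated by the user condition, per-sector encryption bound to the LBA, status bypassing the engine), as an added Python model that is not code from the patent. The class names, the 512-byte sector size and the SHAKE-256 keystream standing in for the engine's cipher are assumptions.

```python
import hashlib
from collections import namedtuple

SECTOR = 512  # assumed sector size in bytes
CmdInfo = namedtuple("CmdInfo", "lba sector_count")  # parsed Cmd_Info

class KeyProvisioner:  # models hard disk key provisioning hardware 304
    def __init__(self, dek: bytes):
        self._dek = dek
        self.condition_met = False  # the user pre-defined condition
    def request_dek(self) -> bytes:
        if not self.condition_met:
            raise PermissionError("user-defined condition not satisfied")
        return self._dek

class CryptoEngine:  # models encryption/decryption engine 104
    def __init__(self, provisioner: KeyProvisioner):
        self._prov = provisioner
    def transform(self, info: CmdInfo, data: bytes) -> bytes:
        if len(data) != info.sector_count * SECTOR:
            raise ValueError("data length does not match Cmd_Info")
        dek = self._prov.request_dek()  # the key stays inside the engine
        out = bytearray()
        for i in range(info.sector_count):
            # Stand-in cipher (SHAKE-256 keystream over DEK || LBA), not disk-safe.
            seed = dek + (info.lba + i).to_bytes(8, "little")
            ks = hashlib.shake_256(seed).digest(SECTOR)
            chunk = data[i * SECTOR:(i + 1) * SECTOR]
            out += bytes(a ^ b for a, b in zip(chunk, ks))
        return bytes(out)

class Controller:  # models SATA controller 102 handling NCQ writes
    def __init__(self, engine: CryptoEngine):
        self.engine = engine
        self.pending = {}  # TAG -> (Cmd_Info, DMA buffer)
        self.disk = {}     # LBA -> ciphertext sector (stands in for disk 108)
    def queue_write(self, tag: int, lba: int, data: bytes) -> None:
        if not 0 <= tag < 32 or tag in self.pending:
            raise ValueError("bad or busy NCQ tag")
        self.pending[tag] = (CmdInfo(lba, len(data) // SECTOR), data)
    def on_dma_setup(self, tag: int) -> dict:
        info, buf = self.pending[tag]  # the device picks the order by TAG
        enc = self.engine.transform(info, buf)
        for i in range(info.sector_count):
            self.disk[info.lba + i] = enc[i * SECTOR:(i + 1) * SECTOR]
        del self.pending[tag]
        return {"fis": "SET_DEVICE_BITS", "tag": tag}  # status skips engine
    def read(self, lba: int, count: int) -> bytes:
        raw = b"".join(self.disk[lba + i] for i in range(count))
        return self.engine.transform(CmdInfo(lba, count), raw)

def demo() -> dict:
    prov = KeyProvisioner(bytes(range(32)))  # constructed sample DEK
    ctl = Controller(CryptoEngine(prov))
    plain = b"A" * SECTOR  # constructed sample sector
    ctl.queue_write(0, 100, plain * 2)
    ctl.queue_write(1, 500, plain)
    try:
        ctl.on_dma_setup(1)
        refused = False
    except PermissionError:
        refused = True  # no DEK until the condition is met
    prov.condition_met = True
    ctl.on_dma_setup(1)  # device completes tag 1 before tag 0
    ctl.on_dma_setup(0)
    distinct = len({ctl.disk[100], ctl.disk[101], ctl.disk[500]}) == 3
    return {"refused": refused, "distinct": distinct, "pending": len(ctl.pending),
            "roundtrip": ctl.read(100, 2) == plain * 2}
```

Because the LBA enters the keystream, the three identical plaintext sectors are stored as three different ciphertexts, and a command completed out of order is still encrypted with the Cmd_Info recorded under its own tag.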

The following discusses specifically how the chipset 100 encrypts and decrypts a storage device 108 that communicates over Universal Serial Bus (USB). The chipset 100 can be designed to perform full-disk encryption of a USB hard disk (corresponding to 108), or partial-disk encryption of a specific logical address (for example, LBA) range; this can be set for the chipset 100 via the basic input/output system (BIOS). The chipset 100 can also, via the BIOS, enable or disable encryption of the storage device connected to a specific USB communication port. The USB controller (corresponding to 102 in FIG. 1) controls the USB communication port (corresponding to 106 in FIG. 1) and the USB hard disk 108 to use a USB protocol that transfers data in units of data blocks, such as the Bulk-Only Transport (BOT) protocol under the USB 2.0 standard or the USB Attached SCSI (UAS) protocol under the USB 3.0 standard.

FIG. 7 is a flow chart of a USB hard disk write. In step S702, the USB controller 102 parses the received write command (such as write(10)), obtains the write command information Cmd_Info, which includes the logical address (such as an LBA) and the sector count, and provides it to the encryption/decryption engine 104 as an encryption request. In step S704, the encryption/decryption engine 104 requests the hard disk key DEK from the hard disk key provisioning hardware 304. In step S706, the hard disk key provisioning hardware 304 supplies the hard disk key DEK after confirming that the user pre-defined condition is satisfied. In step S708, the USB controller 102 forwards the unencrypted write data Data (for example, in units of data packages) to the encryption/decryption engine 104. In step S710, the encryption/decryption engine 104 encrypts the unencrypted write data Data based on the hard disk key DEK and the write command information Cmd_Info, and forwards the encrypted write data Data_Encrypted to the USB controller 102; the encryption/decryption engine 104 can continue to encrypt the next piece of write data until no more data is received from the USB controller 102. In step S712, the USB controller 102 writes the encrypted write data Data_Encrypted to the USB hard disk 108. In step S714, the subsequent hard disk status (Status transfer) is returned to the upper-layer software by the USB controller 102 without passing through the encryption/decryption engine 104. The USB hard disk read flow likewise obtains the hard disk key DEK securely under the same concept, and the decryption of the undecrypted read data Data_Encrypted that the USB controller 102 obtains from the USB hard disk 108 is completed inside the closed encryption/decryption engine 104. In one embodiment, the USB controller 102 and the encryption/decryption engine 104 cyclically execute steps S708 and S714 until all data packages indicated by the write command have been encrypted.

In one embodiment, the storage device host controller 102 and the encryption/decryption engine 104 disclosed in the present invention are implemented in a host controller installed on the host side.

Although the present invention has been disclosed above by way of preferred embodiments, they are not intended to limit the present invention. Anyone skilled in the art may make minor changes and modifications without departing from the spirit and scope of the present invention; the scope of protection of the present invention is therefore defined by the claims.

Claims (19)

1. A data encryption and decryption method for a storage device, comprising:
providing an encryption/decryption engine that is hardware;
parsing write command information from a write command, and passing the write data and the write command information to the encryption/decryption engine; and
combining, in the encryption/decryption engine and before encryption, a hard disk key with the write command information, encrypting the write data with the combination of the hard disk key and the write command information, and writing the encrypted write data to a storage device through a communication port, wherein the hard disk key comes from a trusted platform module;
wherein the step of passing the write data and the write command information to the encryption/decryption engine further comprises: forwarding the write data to the encryption/decryption engine upon determining that an activation grant defined by direct memory access has been received.
2. The storage device data encryption and decryption method of claim 1, further comprising:
parsing read command information from a read command, and passing the undecrypted read data taken from the storage device and the read command information to the encryption/decryption engine; and
combining, in the encryption/decryption engine, the hard disk key with the read command information to decrypt the undecrypted read data in response to the read command.
3. The storage device data encryption and decryption method of claim 2, wherein:
the write command information comprises a logical address and a number of sectors indicated by the write command; and
the read command information comprises a logical address and a number of sectors indicated by the read command.
4. The storage device data encryption and decryption method of claim 3, wherein:
the encryption and decryption engine is used for encrypting and decrypting data by taking the sector as a unit according to the logical address.
5. The method of claim 1, wherein the trusted platform module comprises a hard disk key provisioning hardware, and the hard disk key is derived from the hard disk key provisioning hardware.
6. The storage device data encryption and decryption method of claim 5, wherein:
the trusted platform module operates the hard disk key provisioning hardware through a unified extensible firmware interface or operating system.
7. The storage device data encryption and decryption method of claim 5, wherein:
the encryption/decryption engine follows a key exchange protocol to communicate with the hard disk key provisioning hardware to obtain the hard disk key.
8. The storage device data encryption and decryption method of claim 5, wherein:
the encryption and decryption engine is packaged together with the hard disk key supply hardware or manufactured on the same chip.
9. The storage device data encryption and decryption method of claim 5, wherein:
the request of the encryption/decryption engine to the hard disk key provisioning hardware for the hard disk key is accepted by the hard disk key provisioning hardware after the hard disk key provisioning hardware confirms that the identification condition set by the user is satisfied.
10. The storage device data encryption and decryption method of claim 5, wherein:
the hard disk secret key is encrypted and backed up by the trusted platform module.
11. The storage device data encryption and decryption method of claim 1, further comprising:
the storage device is partially encrypted through the setting of the basic input and output system, and only the write-in data of a specific logical address is encrypted.
12. The storage device data encryption and decryption method of claim 1,
wherein the communication port is a Serial Advanced Technology Attachment (SATA) interface.
13. The storage device data encryption and decryption method of claim 1, further comprising:
parsing a tag from the write command, the tag distinguishing write commands that follow Native Command Queue (NCQ); and
passing the corresponding write command information to the encryption/decryption engine according to the tag indicated by the storage device;
wherein the write instruction information further includes a sector size indicated by the write instruction.
14. The storage device data encryption and decryption method of claim 1, further comprising:
enabling or disabling, via the basic input/output system (BIOS), encryption of the storage device connected to the communication port, the communication port using Universal Serial Bus (USB).
15. The storage device data encryption and decryption method of claim 14, further comprising:
controlling the communication port and the storage device to use the Bulk-Only Transport (BOT) protocol between them.
16. The storage device data encryption and decryption method of claim 14, further comprising:
controlling the communication port and the storage device to use the USB Attached SCSI (UAS) protocol between them.
17. The method as claimed in claim 1, wherein the encryption/decryption engine is implemented in a south bridge.
18. The method as claimed in claim 5, wherein the encryption/decryption engine and the hard disk key provisioning hardware are implemented in a south bridge.
19. The method of claim 1, wherein the write command is a DMA request from a host.
CN201510733496.8A 2015-11-02 2015-11-02 Data encryption and decryption method for storage device Active CN105354503B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510733496.8A CN105354503B (en) 2015-11-02 2015-11-02 Data encryption and decryption method for storage device
TW104140050A TWI564748B (en) 2015-11-02 2015-12-01 Disk encryption and decryption method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510733496.8A CN105354503B (en) 2015-11-02 2015-11-02 Data encryption and decryption method for storage device

Publications (2)

Publication Number Publication Date
CN105354503A CN105354503A (en) 2016-02-24
CN105354503B true CN105354503B (en) 2020-11-17

Family

ID=55330474

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510733496.8A Active CN105354503B (en) 2015-11-02 2015-11-02 Data encryption and decryption method for storage device

Country Status (2)

Country Link
CN (1) CN105354503B (en)
TW (1) TWI564748B (en)

Also Published As

Publication number Publication date
CN105354503A (en) 2016-02-24
TW201717099A (en) 2017-05-16
TWI564748B (en) 2017-01-01

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: Room 301, 2537 Jinke Road, Zhangjiang High Tech Park, Pudong New Area, Shanghai 201203

Patentee after: Shanghai Zhaoxin Semiconductor Co.,Ltd.

Address before: Room 301, 2537 Jinke Road, Zhangjiang High Tech Park, Pudong New Area, Shanghai 201203

Patentee before: VIA ALLIANCE SEMICONDUCTOR Co.,Ltd.