Encryption key destruction for secure data erasure
US-8938624-B2 · Jan 20, 2015 · US
US10756895B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10756895-B2 |
| Application number | US-201816165582-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 19, 2018 |
| Priority date | Jul 22, 2016 |
| Publication date | Aug 25, 2020 |
| Grant date | Aug 25, 2020 |
Abstract
Systems and methods for using encryption keys to manage data retention are described. In one embodiment, the systems and methods may include receiving data such as user data from a host of the storage drive, encrypting the data using an encryption key, writing the encrypted data to the storage drive, and retaining the encrypted data on the storage drive based at least in part on a validity of the encryption key.
Claims

What is claimed is:

1. A storage system comprising: a storage drive comprising a controller and a data retention module, the data retention module configured to: associate data with an encryption key according to a retention policy with a circuit of a verification module, the encryption key having a key expiration date selected to coincide with an expiration date of the data set by the data retention module; encrypt data using the encryption key; write the encrypted data and an encryption identifier corresponding with the encryption key to the storage drive; scan the storage drive for the encryption identifier in response to a data read request for the encrypted data; decrypt the encrypted data with the encryption key in response to the data read request being tendered within the expiration date of the data; and make storage space of the storage drive associated with the encrypted data available for storage of data different from the encrypted data after determining the data read request is tendered after the encryption key expiration date by removing one or more logical block addresses (LBA) associated with the encrypted data from a mapping table.
2. The storage system of claim 1, wherein user data is blocked from being stored in the first storage area.
3. The storage system of claim 1, wherein the first storage area comprises the mapping table that maps the LBA of the encrypted data with a physical location on the storage drive.
4. The storage system of claim 1, comprising the controller to: receive the data from a host of the storage drive, the data including user data.
5. The storage system of claim 1, comprising the controller to: store an encryption identifier of the encryption key in metadata associated with the encrypted data; and identify an expiration policy of the encryption key from the encryption identifier.
6. The storage system of claim 1, wherein the data read request designates the LBA mapped in the mapping table.
7. The storage system of claim 5, comprising the controller to: acquire the encryption identifier associated with the encrypted data in response to the data read request.
8. The storage system of claim 7, comprising the controller to: verify a validity of the encryption key based at least in part on acquiring the encryption identifier.
9. The storage system of claim 1, comprising the controller to: delete the encryption key in response to the expiration of the key expiration date.
10. The storage system of claim 1, comprising the controller to: keep the encrypted data in the storage drive after removing the one or more LBA from the mapping table.
11. A method comprising: connecting a controller of a storage drive to a data retention module; associating user data with an encryption key according to a retention policy, the encryption key having a key expiration date selected by the data retention module to match an expiration date of the user data set by the data retention module; encrypting the user data using the encryption key; writing the encrypted user data and an encryption identifier corresponding with the encryption key to the storage drive; scanning the storage drive for the encryption identifier in response to a data read request for the encrypted user data; decrypting the encrypted user data with the encryption key in response to the data read request being tendered within the expiration date of the data; and making storage space of the storage drive associated with the encrypted user data available for storage of data different from the encrypted user data after determining the encryption key data read request is tendered after the encryption key expiration date by removing one or more logical block addresses (LBA) associated with the encrypted user data from a mapping table.
12. The method of claim 11, wherein user data is blocked from being stored in a first portion of the storage drive separate from a second portion of the storage drive where the encrypted user data is stored.
13. The method of claim 11, wherein the first storage area comprises a mapping table that maps a logical block address (LBA) of the encrypted data with a physical location on the storage drive.
14. The method of claim 11, comprising the controller to: receive the data from a host of the apparatus, the data including user data.
15. The method of claim 11, comprising the controller to: store the encryption identifier of the encryption key in metadata associated with the encrypted data; and identify an expiration policy of the encryption key.
16. The method of claim 11, comprising the controller to: receive a command to read the encrypted data from the storage drive.
17. The method of claim 16, comprising the controller to: acquire the encryption identifier associated with the encrypted data.
18. The method of claim 17, comprising the controller to: verify a validity of the encryption key based at least in part on acquiring the encryption identifier.
19. The method of claim 11, wherein user data is blocked from being stored in the mapping table that maps the LBA of the encrypted user data with a physical location on the storage drive.
20. The method of claim 11, wherein the encrypted user data is removed during a garbage collection process after the expiration date of the encryption key.
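The retention flow the abstract and claims describe (key expiry tied to data expiry, encryption identifier stored beside the ciphertext, key validity checked on read, expired LBAs dropped from the mapping table while the ciphertext lingers until garbage collection) as an added simulation; this is illustrative code, not the patent's or any vendor's firmware. The SHA-256 counter-mode stream cipher, the day-number clock and the in-memory mapping table are constructed for the demo; a real drive would use a hardware AES engine.

```python
import hashlib
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (constructed for the demo): SHA-256 in counter mode.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class RetentionDrive:
    """Simulated drive whose data retention module drives crypto-erase."""
    def __init__(self):
        self.keys = {}      # encryption identifier -> (key, expiry_day)
        self.mapping = {}   # LBA -> physical location (the mapping table)
        self.media = {}     # physical location -> (key id, nonce, ciphertext)
        self.next_phys = 0

    def write(self, lba: int, data: bytes, expiry_day: int) -> str:
        # Retention policy: the key's expiry coincides with the data's expiry.
        key_id = f"key{len(self.keys)}"
        self.keys[key_id] = (os.urandom(32), expiry_day)
        nonce = os.urandom(8)
        ct = keystream_xor(self.keys[key_id][0], nonce, data)
        phys, self.next_phys = self.next_phys, self.next_phys + 1
        # The encryption identifier is stored as metadata next to the ciphertext.
        self.media[phys] = (key_id, nonce, ct)
        self.mapping[lba] = phys
        return key_id

    def read(self, lba: int, today: int):
        phys = self.mapping.get(lba)
        if phys is None:
            return None
        key_id, nonce, ct = self.media[phys]   # scan metadata for the identifier
        entry = self.keys.get(key_id)           # verify the key is still valid
        if entry is None or today > entry[1]:
            # Request tendered after expiry: delete the key and unmap the LBA.
            # Ciphertext stays on the media (claim 10) but is now unrecoverable.
            self.keys.pop(key_id, None)
            del self.mapping[lba]
            return None
        return keystream_xor(entry[0], nonce, ct)

    def garbage_collect(self) -> int:
        # Reclaim physical locations no longer referenced by the mapping table.
        live = set(self.mapping.values())
        stale = [p for p in self.media if p not in live]
        for p in stale:
            del self.media[p]
        return len(stale)
```

Note that a read on the expiry day itself still succeeds, matching "tendered within the expiration date", and that the physical space is only reused after the garbage-collection pass of claim 20.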
Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these (network architectures or network communication protocols for key exchange in a packet data network H04L63/061) · CPC title
One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key · CPC title
by using cryptography (for digital transmission H04L9/00) · CPC title
Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms (network architectures or network communication protocols for using time-dependent keys in a packet data network H04L63/068) · CPC title
Security improvement · CPC title