Distributed data storage by means of authorisation token
US-2017293766-A1 · Oct 12, 2017 · US
US11469885B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11469885-B2 |
| Application number | US-202016739015-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jan 9, 2020 |
| Priority date | Jan 9, 2020 |
| Publication date | Oct 11, 2022 |
| Grant date | Oct 11, 2022 |
Official abstract text for this publication.
Disclosed herein is a data storage device with a storage medium that stores encrypted user content data. A cryptography engine uses a cryptographic key to decrypt the encrypted user content data. An access controller receives, from a user device, a request to register the user device and generates a challenge for a manager device. The manager device is located remotely from the data storage device. The controller sends, to the user device, the challenge for the manager device; receives, from the user device, a response calculated by the manager device to approve the request to register; calculates the cryptographic key based at least partly on the response calculated by the manager device; and creates and stores authorization data associated with the user device. The authorization data indicates the cryptographic key, to register the user device with the data storage device.
Opening claim text (preview).
The invention claimed is:

1. A data storage device comprising: a data path comprising: a data port configured to transmit data between a host computer system and the data storage device; a non-volatile storage medium configured to store encrypted user content data; and a cryptography engine connected between the data port and the non-volatile storage medium and configured to use a cryptographic key to decrypt the encrypted user content data stored on the non-volatile storage medium in response to a data request from the host computer system; and an access controller configured to: store, on a non-volatile data store of the data storage device and before receiving a registration request, authorization data associated with a manager device and comprising a manager key in encrypted form; during a registration process to register a user device with the data storage device: receive, from the user device, the registration request to register the user device; generate, responsive to the registration request, a remote registration challenge for the manager device, wherein: the host computer system is a first device; the user device is a second device; the manager device is a third device; and the manager device is located remotely from the data storage device; send, to the user device, the remote registration challenge for the manager device, wherein the user device is configured to communicate the remote registration challenge to the manager device; receive, from the user device, a remote registration response calculated by the manager device to approve the registration request, wherein the user device is further configured to receive the remote registration response from the manager device; decrypt the manager key based at least partly on the remote registration response; calculate the cryptographic key based at least partly on the remote registration response calculated by the manager device and the manager key; and create and store, on the non-volatile data store, an encrypted authorization data entry associated with the user device, wherein the encrypted authorization data entry indicates the cryptographic key; and during an unlock process for the registered user device: receive, from the registered user device, an unlock request; determine, responsive to the unlock request and based on the encrypted authorization data entry associated with the registered user device, the cryptographic key; and provide, responsive to the unlock request, the cryptographic key to the cryptography engine to decrypt the encrypted user content for access by the host computer system.
2. The data storage device of claim 1, wherein the remote registration challenge is shareable over an insecure communication channel.
3. The data storage device of claim 1, wherein the registration request comprises a public key of the user device.
4. The data storage device of claim 3, wherein the access controller is further configured to generate and send the remote registration challenge upon determining, based on the public key, that the user device is not registered with the data storage device.
5. The data storage device of claim 1, wherein: the remote registration challenge is based on an unlocking public key associated with the manager device in an encrypted authorization data entry for the manager device; and the unlocking public key is stored on the non-volatile data store of the data storage device for use in generating the remote registration challenge.
6. The data storage device of claim 5, wherein the unlocking public key associated with the manager device corresponds to an unlocking private key stored on the manager device and used to generate the remote registration response.
7. The data storage device of claim 5, wherein the unlocking public key associated with the manager device is stored on the non-volatile data store of the data storage device and accessible in response to receiving the registration request.
8. The data storage device of claim 1, wherein: the manager key is encrypted based on a discarded ephemeral private key; the remote registration challenge is based on an ephemeral public key that corresponds to the discarded ephemeral private key; and the access controller decrypts the manager key based on an ephemeral unlock secret generated from the discarded ephemeral private key and an unlocking public key.
9. The data storage device of claim 8, wherein the ephemeral public key is stored on the non-volatile data store and accessible in response to receiving the registration request.
10. The data storage device of claim 1, wherein: the access controller is further configured to store, on the non-volatile data store and before receiving the registration request, multiple entries associated with respective multiple manager devices; and one manager device of the multiple manager devices is associated with a remote approver role defined by enabling the generation of the remote registration challenge for the one manager device of the multiple manager devices.
11. The data storage device of claim 10, wherein the generation of the remote registration challenge is enabled by providing, in response to receiving the registration request, access to an unlocking public key associated with the one of the multiple manager devices.
12. The data storage device of claim 10, wherein: the generation of the remote registration challenge is enabled by providing access, in response to receiving the registration request, to an ephemeral public key; and the ephemeral public key is associated with a discarded ephemeral private key used to encrypt the manager key.
13. The data storage device of claim 1, wherein: the encrypted authorization data entry associated with the user device comprises an encrypted user key that is decryptable based at least partly on a further response calculated by the user device during the unlock process; and the access controller is configured to calculate the cryptographic key based on the user key during the unlock process.
14. The data storage device of claim 13, wherein the access controller is further configured to, during the unlock process: decrypt, responsive to the user device, the encrypted authorization data entry associated with the user device; generate an unlock challenge based on the encrypted authorization data entry associated with the user device; send the unlock challenge to the user device; and receive, responsive to the unlock challenge, the further response from the user device.
15. The data storage device of claim 1, wherein: transmitting data between the host computer system and the data storage device is over a data channel; and receiving the registration request, sending the remote registration challenge, and receiving the remote registration response is over a communication channel that is different from the data channel.
16. The data storage device of claim 15, wherein: the communication channel is a wireless communication channel; and generating the remote registration challenge for the manager device remote from the data storage device comprises generating the remote registration challenge for the manager device that is out of range of the wireless communication channel.
17. The data storage device of claim 1, wherein receiving the registration request, sending the remote registration challenge, and receiving the remote registration response is in communication with an application installed on the user device.
18. A method for approving access to a data storage device, t
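The claims describe the mechanism abstractly; the following toy model, added here and not taken from the patent, instantiates the registration flow of claims 1, 2, 4, 6, 8 and 13 with ordinary Diffie-Hellman standing in for the unspecified key agreement and an HMAC keystream standing in for the device's cipher. The group parameters, the key derivation and the `AccessController` API are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group (Mersenne prime 2**127 - 1, generator 3): illustration only; a real
# device would use ECDH and an AEAD cipher, which also authenticates the unwrapped key.
P, G = 2**127 - 1, 3

def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared_secret(priv, pub):
    return pow(pub, priv, P).to_bytes(16, "big")

def wrap(secret, data):
    # HMAC-SHA256 keystream XORed over the data; XOR is its own inverse, so wrap also unwraps.
    return bytes(a ^ b for a, b in zip(data, hmac.new(secret, b"wrap", hashlib.sha256).digest()))

class AccessController:
    def __init__(self, manager_unlock_pub, manager_key):
        # Provisioning before any registration (claim 8): wrap the manager key under a secret from an
        # ephemeral key pair and the manager's unlocking public key, then discard the ephemeral private key.
        eph_priv, self.eph_pub = keygen()
        self.enc_manager_key = wrap(shared_secret(eph_priv, manager_unlock_pub), manager_key)
        del eph_priv  # only the manager's unlocking private key can now recreate the unlock secret
        self.entries = {}  # user public key -> (ephemeral public key, encrypted user key)
    def registration_challenge(self, user_pub):
        # Claim 4: only unregistered devices are challenged. The challenge is the stored ephemeral
        # public key, so the user device may relay it over an insecure channel (claim 2).
        return None if user_pub in self.entries else self.eph_pub
    def complete_registration(self, user_pub, remote_response):
        manager_key = wrap(remote_response, self.enc_manager_key)       # decrypt the manager key
        crypto_key = hashlib.sha256(b"content" + remote_response + manager_key).digest()
        eph_priv, eph_pub = keygen()            # same construction for the user's entry (claim 13)
        self.entries[user_pub] = (eph_pub, wrap(shared_secret(eph_priv, user_pub), crypto_key))
        return crypto_key
    def unlock(self, user_pub, user_response):
        # Unlock: challenge is the entry's ephemeral public key; response is the user's DH secret.
        return wrap(user_response, self.entries[user_pub][1])

def run_flow():
    mgr_priv, mgr_pub = keygen()                     # unlocking key pair stays on the manager device
    dev = AccessController(mgr_pub, secrets.token_bytes(32))
    usr_priv, usr_pub = keygen()                     # user device key pair (claim 3)
    challenge = dev.registration_challenge(usr_pub)  # relayed by the user device to the manager
    registered = dev.complete_registration(usr_pub, shared_secret(mgr_priv, challenge))  # claim 6
    unlocked = dev.unlock(usr_pub, shared_secret(usr_priv, dev.entries[usr_pub][0]))
    impostor_priv, _ = keygen()                      # an approver without the manager's private key
    _, other_pub = keygen()
    wrong = dev.complete_registration(other_pub, shared_secret(impostor_priv, dev.eph_pub))
    return {"registered": registered, "unlocked": unlocked, "repeat": dev.registration_challenge(usr_pub), "impostor": wrong}
```

Because the ephemeral private key is gone, the device alone cannot recover the manager key; an approver holding the wrong private key produces a different unlock secret and hence a content key that will not decrypt the stored data.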
using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates · CPC title
Masking or blinding · CPC title
Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title
using challenge-response · CPC title
involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics · CPC title