US-12627638-B2 - Storage device, storage system, and method of secure data movement between storage devices
Abstract
A storage device includes: a storage memory component to store requested data in encrypted format; and a storage controller connected to the storage memory component over a storage interface, the storage controller to: receive a command and a decryption override indicator from a host device over a host interface to read the requested data from the storage memory component; retrieve the requested data from the storage memory component in the encrypted format in response to the command; and transmit the requested data in the encrypted format to a destination storage device over a transport layer in response to the decryption override indicator.
Inventors
- Gayathiri Venkataraman
- Matthew Shaun Bryson
- Vishwanath MARAM
Assignees
- SAMSUNG ELECTRONICS CO., LTD.
Dates
- Publication Date
- 20260512
- Application Date
- 20210416
Claims (19)
- 1. A storage device comprising: a storage memory component configured to store requested data in encrypted format; and a storage controller connected to the storage memory component, the storage controller configured to: receive a command and a decryption override indicator from a host device over a host interface to read the requested data from the storage memory component; retrieve the requested data from the storage memory component in the encrypted format based on the command; transmit the requested data in the encrypted format to a destination storage device over a direct communication channel and based on the decryption override indicator, wherein the destination storage device comprises a local connection to the storage device for data migration via the direct communication channel; and transfer a key associated with the requested data for decrypting the requested data from the encrypted format, the transfer of the key from the storage device to the destination storage device over the direct communication channel and based on a request for the key from the destination storage device and a determination that an encryption/decryption algorithm of the destination storage device is compatible with encryption/decryption algorithm of the storage device.
- 2. The storage device of claim 1, wherein the direct communication channel comprises a secure communications channel between the storage device and the destination storage device, and wherein to transmit the requested data in the encrypted format to the destination storage device, the storage controller is configured to transmit the requested data in the encrypted format to the destination storage device through the secure communications channel.
- 3. The storage device of claim 1, wherein to transfer the key, the storage device is configured to transfer the key associated with the requested data to the destination storage device and the host device.
- 4. The storage device of claim 3, wherein to transfer the key, the storage device is configured to transfer an ownership of the key or information indicative of the ownership of the key.
- 5. The storage device of claim 3, wherein to transfer the key, the storage device is configured to retain a private key associated with the requested data, and to transfer a public key associated with the requested data.
- 6. The storage device of claim 3, wherein to transfer the key, the storage device is configured to transfer the key to the destination storage device and a key server communicably connected to the host device.
- 7. The storage device of claim 3, wherein the storage controller is configured to transfer the key based on a request for the key.
- 8. The storage device of claim 1, wherein the storage device comprises a solid state drive, the storage memory component comprises flash memory, and a storage interface comprises a flash interface layer of the storage device.
- 9. A storage system comprising: a first storage device configured to: store requested data in an encrypted format; transmit the requested data in the encrypted format over a direct communication channel to a second storage device based on a read command and a first indicator, wherein the first storage device comprises a local connection to the second storage device for data migration via the direct communication channel; and transfer, over the direct communication channel, a key associated with the requested data for decrypting the requested data from the encrypted format from the first storage device to the second storage device based on a request for the key from the second storage device and a determination that an encryption/decryption algorithm of the second storage device is compatible with encryption/decryption algorithm of the first storage device; and the second storage device connected to the first storage device through the direct communication channel, the second storage device being configured to: receive the requested data in the encrypted format over the direct communication channel; and store the requested data in the encrypted format based on a write command and a second indicator.
- 10. The storage system of claim 9, wherein the first storage device comprises: a first storage memory component configured to store the requested data in the encrypted format; and a first storage controller connected to the first storage memory component over a first storage interface, the first storage controller configured to: receive the read command and the first indicator to read the requested data from the first storage memory component; retrieve the requested data from the first storage memory component in the encrypted format based on the read command; and transmit the requested data in the encrypted format to the second storage device over the direct communication channel based on the first indicator.
- 11. The storage system of claim 10, wherein to transfer the key, the first storage device is configured to push the transfer of the key to the second storage device based on transmitting the requested data.
- 12. The storage system of claim 11, wherein to transfer the key, the first storage device is configured to transfer an ownership of the key or information indicative of the ownership of the key.
- 13. The storage system of claim 11, wherein to transfer the key, the first storage device is configured to retain a private key associated with the requested data, and to transfer a public key associated with the requested data.
- 14. The storage system of claim 11, further comprising a key server communicably connected to the first and second storage devices, wherein to transfer the key, the first storage device is configured to transfer the key to the key server.
- 15. The storage system of claim 11, wherein the second storage device comprises: a second storage memory component; and a second storage controller connected to the second storage memory component over a second storage interface, the second storage controller configured to: receive the write command and the second indicator to write the requested data in the encrypted format to the second storage memory component; skip encryption of the requested data based on the second indicator; and store the requested data in the encrypted format in the second storage memory component.
- 16. The storage system of claim 15, wherein the second storage device is further configured to: receive a third command to read the requested data from the second storage memory component; retrieve the requested data in the encrypted format from the second storage memory component; retrieve the key; and decrypt the requested data according to the key.
- 17. The storage system of claim 15, wherein: at least one of the first storage device or the second storage device comprises a solid state drive; at least one of the first storage memory component or the second storage memory component comprises flash memory; and at least one of the first storage interface or the second storage interface comprises a flash interface layer.
- 18. A method of securely transmitting data between storage devices, the method comprising: determining that an encryption method configured for a first storage device is operable or inoperable with an encryption method configured for a second storage device; based on the determining that the encryption method configured for the first storage device is operable with the encryption method configured for the second storage device: reading requested data in encrypted format at the first storage device; transmitting the requested data in the encrypted format from the first storage device over a direct communication channel to the second storage device, wherein the first storage device comprises a local connection to the second storage device for data migration via the direct communication channel; writing the requested data in the encrypted format at the second storage device by skipping encryption of the requested data; transferring, over the direct communication channel, from the first storage device a key associated with the requested data for decrypting the requested data to the second storage device based on a request for the key from the second storage device; reading the requested data at the second storage device; retrieving the key associated with the requested data; and decrypting the requested data using the key at the second storage device.
- 19. The method of claim 18, further comprising: based on the determining that the encryption method configured for the first storage device is inoperable with the encryption method configured for the second storage device: transmitting the requested data in the encrypted format along with decryption information from the first storage device to the second storage device.
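The flow of method claims 18 and 19, set beside the decrypt-then-move flow the Background section criticises, as an added example that is not part of the patent and is not Samsung firmware. Both flows are simulated in one short Python model: the source drive answers a read carrying the decryption override indicator with ciphertext, the destination writes it with the "skip encryption" indicator, and the key crosses the direct channel only after the source has confirmed the destination's algorithm is compatible; when it is not, the claim 19 fallback ships ciphertext plus decryption information and the destination re-encrypts under its own key. The device and key names, the `Channel` recorder, the block layout and the contents of the claim 19 "decryption information" are assumptions; the HMAC-SHA256 counter-mode keystream is a stdlib stand-in for the drive's real self-encryption cipher, not a recommendation.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed model of two migration flows between self-encrypting drives:
# legacy_move()  - decrypt at source, move plain text, re-encrypt at destination
# secure_move()  - move ciphertext, then transfer the key (claims 18/19)
# Device names, key ids and the "decryption information" format are assumptions.


def keystream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter-mode keystream (stand-in for AES-XTS). Symmetric: the same
    call encrypts and decrypts. For illustration of the data flow only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


@dataclass
class Block:
    ciphertext: bytes
    nonce: bytes
    key_id: str  # which key the ciphertext is under


@dataclass
class Channel:
    """The transport between devices; records every frame so a test can inspect it."""
    frames: list = field(default_factory=list)

    def send(self, payload: bytes) -> bytes:
        self.frames.append(payload)
        return payload

    def carried(self, needle: bytes) -> bool:
        return any(needle in f for f in self.frames)


@dataclass
class StorageDevice:
    name: str
    algorithm: str  # e.g. "AES-XTS-256"; compared in the compatibility check
    keys: dict = field(default_factory=dict)
    media: dict = field(default_factory=dict)  # LBA -> Block

    def __post_init__(self):
        self.keys[f"{self.name}/k0"] = secrets.token_bytes(32)  # the drive's own key

    def write(self, lba: int, payload: bytes, *, skip_encryption: bool = False,
              nonce: bytes = None, key_id: str = None) -> None:
        if skip_encryption:  # second indicator (claim 15): payload is already ciphertext
            self.media[lba] = Block(payload, nonce, key_id)
            return
        nonce = secrets.token_bytes(16)
        kid = f"{self.name}/k0"
        self.media[lba] = Block(keystream_cipher(self.keys[kid], nonce, payload), nonce, kid)

    def read(self, lba: int, *, decryption_override: bool = False):
        blk = self.media[lba]
        if decryption_override:  # claim 1: hand back ciphertext, do not decrypt
            return blk
        if blk.key_id not in self.keys:
            raise PermissionError(f"{self.name}: ciphertext under {blk.key_id} but no key")
        return keystream_cipher(self.keys[blk.key_id], blk.nonce, blk.ciphertext)

    def transfer_key(self, key_id: str, requester: "StorageDevice", channel: Channel) -> bool:
        """Source side of claim 1: release the key only to a compatible requester."""
        if requester.algorithm != self.algorithm:
            return False
        requester.keys[key_id] = channel.send(self.keys[key_id])
        return True


def legacy_move(src: StorageDevice, dst: StorageDevice, lba: int, channel: Channel) -> None:
    """Background flow: plain text crosses the channel."""
    dst.write(lba, channel.send(src.read(lba)))


def secure_move(src: StorageDevice, dst: StorageDevice, lba: int, channel: Channel) -> bool:
    """Claims 18/19 flow. Returns True on the key-transfer path, False on the fallback."""
    blk = src.read(lba, decryption_override=True)
    channel.send(blk.ciphertext)  # only ciphertext crosses the channel
    if src.algorithm == dst.algorithm:
        dst.write(lba, blk.ciphertext, skip_encryption=True, nonce=blk.nonce, key_id=blk.key_id)
        if not src.transfer_key(blk.key_id, dst, channel):  # destination requests the key
            raise RuntimeError("key transfer refused after compatibility was established")
        return True
    # Claim 19 fallback, assumed format: ciphertext plus the decryption information the
    # destination needs; it decrypts once and re-encrypts under its own algorithm and key.
    info = {"nonce": blk.nonce, "key": channel.send(src.keys[blk.key_id])}
    dst.write(lba, keystream_cipher(info["key"], info["nonce"], blk.ciphertext))
    return False


if __name__ == "__main__":
    src, dst, ch = StorageDevice("src", "AES-XTS-256"), StorageDevice("dst", "AES-XTS-256"), Channel()
    src.write(7, b"customer record 0001 (constructed sample)")
    print("key path:", secure_move(src, dst, 7, ch), "| plain text on wire:", ch.carried(b"customer"))
```

The check a practitioner cares about is the last line: in `secure_move` the channel only ever carries the ciphertext (and, on request, the key), so a capture of the direct channel yields nothing readable without the key, whereas `legacy_move` puts the record on the wire verbatim. Note that the key itself still crosses the channel in both claim paths, which is why claim 2 pairs the transfer with a secure channel.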
Description
CROSS-REFERENCE TO RELATED APPLICATION(S)
This application claims priority to and the benefit of U.S. Provisional Application No. 63/155,185, filed on Mar. 1, 2021, entitled “SECURE DATA MOVEMENT BETWEEN NVME SSDS,” the entire content of which is incorporated by reference herein.
FIELD
Aspects of one or more embodiments of the present disclosure relate to a storage device, and more particularly, to a storage device to securely transmit data, a storage system including the same, and a method of securely transmitting data between storage devices.
BACKGROUND
Generally, the various stages of digital data include data at rest, data in use, and data in transit. Among these stages, data at rest may include data that is housed physically on a storage device, for example, on a solid-state drive (SSD), a hard-disk drive (HDD), and the like, in any suitable digital form, and may include both structured and unstructured data. Unlike data in use or data in transit, data at rest generally refers to data that is stored in persistent storage, while data in use and data in transit refer to data that is being processed or temporarily stored in volatile memory, for example, random access memory (RAM). To prevent unauthorized access to such data at rest, various security measures may be employed, for example, password protection, data encryption, or a combination thereof. While these security measures may generally be effective against unauthorized access while the data is physically stored in the storage device, when such data at rest is transmitted from one storage device to another, for example, during a virtual machine migration, a volume snapshot, a backup of the data, an archive of the data, and the like, the data may be transmitted in an unsecure format, for example, in plain text.
For example, the data may be physically stored in encrypted format at a source storage device, may be decrypted by the source storage device to be transmitted to a destination storage device in a decrypted format (e.g., in plain text), may be transmitted to the destination storage device in the decrypted format, and may be re-encrypted by the destination storage device prior to being physically stored in encrypted format in the destination storage device. Thus, such data at rest may be vulnerable to unauthorized access or attacks while being transferred, moved, or copied between storage devices.
The above information disclosed in this Background section is for enhancement of understanding of the background of the present disclosure, and therefore, it may contain information that does not constitute prior art.
SUMMARY
One or more embodiments of the present disclosure are directed to a storage device to securely transmit data, a storage system including the same, and a method of securely transmitting data between storage devices.
According to one or more embodiments of the present disclosure, a storage device includes: a storage memory component configured to store requested data in encrypted format; and a storage controller connected to the storage memory component over a storage interface, the storage controller configured to: receive a command and a decryption override indicator from a host device over a host interface to read the requested data from the storage memory component; retrieve the requested data from the storage memory component in the encrypted format in response to the command; and transmit the requested data in the encrypted format to a destination storage device over a transport layer in response to the decryption override indicator.
In an embodiment, the transport layer may include at least the host device, and to transmit the requested data in the encrypted format to the destination storage device, the storage controller may be configured to transmit the requested data in the encrypted format to the destination storage device through at least the host device.
In an embodiment, the transport layer may further include a destination host device, and to transmit the requested data in the encrypted format to the destination storage device, the storage controller may be configured to transmit the requested data in the encrypted format to the destination storage device through at least the host device and the destination host device.
In an embodiment, the transport layer may include a secure communications channel between the storage device and the destination storage device, and to transmit the requested data in the encrypted format to the destination storage device, the storage controller may be configured to transmit the requested data in the encrypted format to the destination storage device through the secure communications channel.
In an embodiment, the storage controller may be further configured to transfer a key associated with the requested data to the destination storage device for decrypting the requested data.
In an embodiment, to transfer the key, the storage device may