2023 SNIA. All Rights Reserved.
Virtual Conference, September 28-29, 2021

How to use an Encryption Key per I/O
Eric Hibbard, CISSP, FIP, CISA
Samsung Semiconductor, Inc.

Key per I/O (KPIO) Intro

Background on Self Encrypting Drives (SEDs)
Basic Data At Rest Protection Model:
Properties:
Encrypt all user accessible data all the time, at interface speeds
Keys generated & stored in NVM by the storage device
Media Encryption Key (MEK) associated with contiguous LBA ranges or Namespaces
Opal/Enterprise SSC* deliver passwords to the drive in the clear (when not using Trusted Computing Group (TCG)* Secure Messaging)
*Other names and brands may be claimed as the property of others.

Key Per I/O
Fine-grain data at rest encryption using storage devices (SSDs)
Encryption engine in the storage device
Key management controlled by the host
Alignment with OASIS Key Management Interoperability Protocol (KMIP) Version 2.x

Specification | Industry Standard Body | Status
NVMe TP4055 | NVM Express | Ratified
TCG Key Per I/O SSC v1.00 | TCG | Published
TCG Key Per I/O Application Note v1.00 | TCG | In Public Review
TCG SIIS v1.11 | TCG | Published
TCG Key Per I/O Test Cases | TCG | Under Development

Key Per I/O Technology Overview
Enables Storage Devices (SDs) to support Host-Managed (i.e., Customer-managed) Storage Encryption Use Cases.
Hosts no longer need to encrypt-at-compute with host/customer supplied encryption keys. They can now parallelize encryption across SDs with host-supplied Media Encryption Keys (MEKs) to increase storage system performance & bandwidth.
Encrypted MEKs are injected into the Self Encrypting Drive's (SED's) key cache and assigned a "Key Tag" by host software. Subsequent I/O can use the "Key Tag" to identify the MEK to
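The key cache and "Key Tag" mechanism described above, as an added example that is not part of the presentation: a constructed Go model of the device side, in which MEKs are installed under host-assigned Key Tags and every I/O selects its MEK by tag, with an unknown tag failing the I/O. It assumes AES-GCM standing in for the drive's media cipher and leaves out the wrapping that protects MEKs on the wire; the Device, KeyTag, InjectKey and IO names are hypothetical, not the NVMe TP4055 or TCG KPIO SSC command set.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// KeyTag is the host-assigned handle that each I/O carries to select its MEK.
type KeyTag uint16
// Device models the SED side of KPIO: a key cache of host-supplied MEKs indexed by Key Tag.
// Constructed illustration: AES-GCM stands in for the media cipher, MEK wrapping on the wire is left out.
type Device struct {
	keyCache map[KeyTag]cipher.AEAD // ready-to-use MEKs; never exported back to the host
}

func NewDevice() *Device { return &Device{keyCache: map[KeyTag]cipher.AEAD{}} }
// InjectKey installs a MEK under the host-assigned tag; a non-AES key length is rejected.
func (d *Device) InjectKey(tag KeyTag, mek []byte) error {
	block, err := aes.NewCipher(mek)
	if err != nil {
		return fmt.Errorf("key tag %d: %w", tag, err)
	}
	d.keyCache[tag], err = cipher.NewGCM(block) // cannot fail for an AES block
	return err
}

// IO encrypts (write=true, returning nonce||ciphertext) or decrypts one block with the MEK the tag selects.
// The LBA is bound as AAD so a stored block cannot be replayed at another address; an unknown tag fails the I/O.
func (d *Device) IO(tag KeyTag, lba uint64, data []byte, write bool) ([]byte, error) {
	g, ok := d.keyCache[tag]
	if !ok {
		return nil, fmt.Errorf("key tag %d not in key cache", tag)
	}
	aad := binary.BigEndian.AppendUint64(nil, lba)
	n := g.NonceSize()
	if !write {
		if len(data) < n {
			return nil, fmt.Errorf("truncated block")
		}
		return g.Open(nil, data[:n], data[n:], aad)
	}
	nonce := make([]byte, n)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, data, aad), nil
}
```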