Title of invention: Mapping encrypted and decrypted data via key management system
Abstract: A data processing system having a host computer including a key manager, a control unit connected to the host computer, a data storage unit (such as a tape drive) controlled by the control unit, and data storage medium for storing data thereon to be written to or read from by the data storage unit. The key manager stores a data structure having at least one record having a volume serial number, a start location, a length entry, and a key for encrypting and decrypting data on the data storage medium. A data storage medium (such as data tape) is mounted on the data storage unit, and a volume recorded on the tape is retrieved. The control unit retrieves the data structure from the key manager and matches the volume serial number recorded in the retrieved data structure with the volume serial number retrieved from the data storage medium. If they match, the control unit passes to the data storage unit commands to turn on or turn off encryption dependent upon the location where data is written by the data storage unit onto the data storage medium, or to turn on or turn off decryption dependent upon the location where data is read by the data storage unit from the data storage medium.
Publication number: US9251382(B2) | Publication date: 2016.02.02
Application number: US200711961015 | Filing date: 2007.12.20
Applicant: International Business Machines Corporation | Inventors: Astigarraga Tara L.; Baran Evren O.; Browne Michael E.; DeRobertis Christopher V.; Venkatraman Ashwin
Classification: G06F12/14; G06F21/80; G06F17/30; G06Q10/10 | Main classification: G06F12/14
Agency: Cantor Colburn LLP | Agent: Cantor Colburn LLP; Chiu Steven
Principal claim: 1. A data processing system comprising: a host computer including a key manager; a control unit in communication with the key manager, wherein the control unit is distinct from the host computer; a data storage unit controlled by the control unit; a data structure stored on the host computer, the data structure configured to map the encryption of data stored on a non-transitory data storage medium readable and writable by the data storage unit; and wherein the data structure comprises: at least one volume serial number entry comprising a volume serial number of the data storage medium; at least one location entry comprising a location address on the data storage medium of data to be accessed by the data storage unit; at least one length entry comprising the length of the data to be accessed from the data storage medium, the length of the data indicating a size of the data to be encrypted; and at least one key entry associated with said volume serial number, said location entry, and said length entry, said at least one key entry for recording a key to be used to encrypt and decrypt data stored at the associated location address on the data storage unit, and wherein the data structure is not stored on the storage unit.
Address: Armonk NY US
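
The lookup described in the abstract and in claim 1, as an added Python example that is not taken from the patent: the control unit filters the key manager's records by the volume serial number read from the tape, then turns encryption on or off as the access location crosses each (start, length) extent. All class and function names, the block-address unit, the key labels, the sample records, the rejection of overlapping extents and the "drive starts with encryption off" rule are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class KeyMapRecord:
    volser: str   # volume serial number of the medium
    start: int    # start location (assumed here to be a block address)
    length: int   # number of blocks the key covers
    key_id: str   # constructed label standing in for the key entry

# Constructed sample key map, held by the key manager on the host.
SAMPLE_KEY_MAP = [
    KeyMapRecord("VOL001", 100, 50, "key-A"),
    KeyMapRecord("VOL001", 200, 10, "key-B"),
    KeyMapRecord("VOL002", 0, 500, "key-C"),
]

class ControlUnit:
    def __init__(self, key_map):
        self.key_map = list(key_map)   # retrieved from the key manager
        self.extents = []              # records matching the mounted volume

    def mount(self, tape_volser):
        """Keep only records whose volser matches the one read from the tape."""
        hits = sorted((r for r in self.key_map if r.volser == tape_volser),
                      key=lambda r: r.start)
        # Assumption: overlapping extents are rejected as ambiguous.
        for a, b in zip(hits, hits[1:]):
            if a.start + a.length > b.start:
                raise ValueError(f"overlapping extents on {tape_volser}")
        self.extents = hits
        return bool(hits)

    def key_for(self, location):
        """Key label covering this location, or None if it is stored in clear."""
        for r in self.extents:
            if r.start <= location < r.start + r.length:
                return r.key_id
        return None

    def plan(self, first, count):
        """Commands for the drive while accessing blocks [first, first+count)."""
        commands, current = [], None   # assumption: drive starts with encryption off
        for loc in range(first, first + count):
            key = self.key_for(loc)
            if key != current:
                commands.append((loc, "on", key) if key else (loc, "off", None))
                current = key
        return commands
```

The same plan serves reads, with "on" and "off" interpreted as decryption commands; a volume with no matching record yields no commands, so the drive is never handed a key for a tape the key manager does not know.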