Title: Data security
Abstract: This document discloses data security systems and methods of securing data. A cache memory can be connected between a decryption engine and a central processing unit ("CPU") to increase the security of encrypted data that is stored in a datastore. The decryption engine can retrieve the encrypted data from the datastore, decrypt the data, and store the decrypted data in the cache. In turn, the decrypted data can be accessed by the CPU. The data can be encrypted with a secret key, so that decryption can be performed with the secret key. The key can be varied based on a memory address associated with the data. The key can be protected by restricting direct access to the decryption engine by the CPU.
Publication number: US8782433 (B2) Publication date: 2014.07.15
Application number: US200812207983 Filing date: 2008.09.10
Applicant: Inside Secure Inventors: Kaabouch Majid; Croguennec Alexandre; Lefort Carine
Classification: G06F12/14; G06F21/85 Main classification: G06F12/14
Agency: Panitch Schwarze Belisario & Nadel LLP Agent: Panitch Schwarze Belisario & Nadel LLP
Main claim: 1. A data security system, comprising: a first datastore storing encrypted data; a second datastore connectable to an external processing unit; a controller serially connected between the first datastore and the second datastore, the second datastore being serially connected between the controller and the external processing unit; and a decryption engine coupled to the controller, the decryption engine including at least one processor and being configured to obtain at least a portion of the encrypted data from the controller and decrypt the portion of the encrypted data; the decryption engine being connected to the controller in a manner that prevents the external processing unit from accessing the decryption engine, wherein the controller is connected between the decryption engine and each of the first datastore and the second datastore, and wherein the controller is configured to: receive data requests when data requested by the external processing unit are not stored in the second datastore, obtain from the first datastore first data corresponding to the requested data, determine whether the first data are encrypted based on whether the requested data are stored in a first memory window in the first datastore, and if the first data are encrypted, provide the first data to the decryption engine, obtain from the decryption engine decrypted data corresponding to the first data, and store the decrypted data in the second datastore to make the decrypted data directly accessible to the external processing unit, and if the first data are not encrypted, store the first data in the second datastore without providing the first data to the decryption engine.
Address: Aix-en-Provence, Cedex 3 FR
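To make the claimed control flow concrete, the following is an added Python simulation (not code from the patent or from Inside Secure) of the controller sitting between the encrypted first datastore, the decryption engine and the CPU-visible cache: on a cache miss it fetches the line, decrypts it only if the address falls inside the encrypted memory window, and exposes nothing but the decrypted cache to the CPU. The line size, window bounds, sample contents and the HMAC-based address-varied keystream are all assumptions; the patent does not specify a cipher.

```python
import hashlib
import hmac

LINE = 16                                  # cache-line size (constructed)
ENCRYPTED_WINDOW = range(0x1000, 0x2000)   # "first memory window" (constructed)


def keystream(secret, addr):
    # Address-varied key: HMAC(secret, line address). The patent leaves the
    # derivation open; this is an assumed stand-in, not its cipher.
    return hmac.new(secret, addr.to_bytes(8, "big"), hashlib.sha256).digest()


def xor_line(secret, addr, block):
    # Symmetric: the same call encrypts on the way in and decrypts on the way out.
    return bytes(b ^ k for b, k in zip(block, keystream(secret, addr)))


class DecryptionEngine:
    def __init__(self, secret):
        self._secret = secret              # the key never leaves the engine

    def decrypt(self, addr, block):
        return xor_line(self._secret, addr, block)


class Controller:
    """Sits between the first datastore, the engine and the cache (second datastore)."""

    def __init__(self, datastore, engine):
        self._store = datastore
        self._engine = engine              # reachable only through the controller
        self._cache = {}                   # second datastore, decrypted lines
        self.misses = 0

    def read(self, addr):                  # the only interface offered to the CPU
        base = addr - addr % LINE
        if base not in self._cache:
            self.misses += 1
            line = bytes(self._store[base:base + LINE])
            if base in ENCRYPTED_WINDOW:   # decide by window, not by inspecting data
                line = self._engine.decrypt(base, line)
            self._cache[base] = line       # decrypted copy, directly readable by the CPU
        return self._cache[base][addr - base]


def build_system(secret=b"constructed-demo-key"):
    store = bytearray(0x3000)
    store[0x0000:0x0010] = b"plain window...."                             # outside window: clear
    store[0x1000:0x1010] = xor_line(secret, 0x1000, b"secret window...")   # inside window: encrypted
    return store, Controller(store, DecryptionEngine(secret))
```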