Apparatus for controlling embedded security on a storage platform

摘要

A method of securely operating a computerized system includes forming a connection to a user-removable physical security device (PSD) which is uniquely paired with the computerized system and which stories cryptographically secured data required for performing a protected function on the computerized system. The PSD may be realized as a USB or similar peripheral device containing security-related data and potentially security processing capability as well. The protected function could be decrypting of encrypted data encryption keys used to encrypt/decrypt user data for example. A user who has an established association with the PSD (e.g. by some preceding registration process) is authenticated, resulting in activation of the PSD on the computerized system. Upon such activation of the PSD, the computerized system engages in a security operation using the cryptographically secured data from the PSD to enable the protected function to be performed under control of the user on the computerized system.

主权项

1. A method of securely operating a computerized system, comprising:
forming a connection to a user-removable physical security device being uniquely paired with the computerized system and storing cryptographically secured data required for performing a protected function on the computerized system, the connection employing a first input/output interface of the computerized system; authenticating a user having an established association with the physical security device, the authenticating resulting in activation of the physical security device on the computerized system; and only upon the activation of the physical security device on the computerized system, engaging in a security operation using the cryptographically secured data on the physical security device to enable the protected function to be performed under control of the user on the computerized system, the computerized system being a storage array of a storage system and the protected function being encrypted data storage operations provided by the storage array using external storage devices accessed via a second input/output interface of the storage array; the storage array includes a security structure which contains keys and data needed by the storage array to protect and unprotect user data during the encrypted data storage operations, the security structure residing in a first memory of the storage array and being encrypted wholly or in part; the cryptographically secured data being stored in a second memory of the physical security device and including one or more encryption keys needed to decrypt the security structure to permit use of a resulting cleartext security structure for use in protecting and unprotecting the user data; and the security operation includes obtaining the encryption keys from the second memory of the physical security device and using the encryption keys to decrypt the security structure to obtain the keys and data for use in the encrypted data storage operations.