The Key Per IO (KPIO) project was a joint initiative between NVM Express® and the Trusted Computing Group (TCG) Storage Work Group to define a new KPIO Security Subsystem Class (SSC) under TCG Opal SSC for NVMe® class of Storage Devices. Self-Encrypting Drives (SED) perform continuous encryption on user accessible data based on contiguous LBA ranges per namespace. This is done at interface speeds using a small number of keys generated/held in persistent media by the storage device. KPIO allows a large number of encryption keys to be managed and securely downloaded into the NVM subsystem. Encryption of user data then occurs on a per command basis (each command may request to use a different key). These specifications are now available. This presentation will examine how to use this new capability to support use cases such as Support of EU - GDPR Support of data erasure when data is spread over many disks, support of data erasure of data that is mixed with other data needing to be preserved (multitenancy), assigning an encryption key to a single sensitive file or host object.
How to use an Encryption Key per IO
Thu Sep 21 | 9:10am
Location:
Salon VI, Salon VII
Abstract
Learning Objectives
- Understand how encryption of data at rest protects that data today.
- Understand how fine grain encryption (KPIO) will be used to protect data at rest in the future.
- Understand possible use cases for KPIO (multi-tenant use of a common device, EU GDP use cases, others)
- Understand the NVMe KPIO APIs and the interdependencies with key management
---
Eric Hibbard
Samsung Semiconductor, Inc.
Related Sessions