Patents by Inventor Brian Edward MASTENBROOK

Brian Edward MASTENBROOK has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11882434
    Abstract: Disclosed herein is a device configured to covertly communicate state information within a transmitter address field of a message. The device comprises a memory configured to store a state key and state information of the device, and a controller in communication with the memory. The controller is configured to apply a one-way function, using the state key, to the state information to produce a transmitter address, and transmit the message, including the transmitter address in the transmitter address field of the message.
    Type: Grant
    Filed: July 9, 2020
    Date of Patent: January 23, 2024
    Assignee: Western Digital Technologies, Inc.
    Inventors: Brian Edward Mastenbrook, David Robert Arnold
  • Patent number: 11831752
    Abstract: Disclosed herein is a data storage device. A data port transmits data between a host computer system and the data storage device. A non-volatile storage medium stores encrypted user content data and a cryptography engine uses a cryptographic key to decrypt the encrypted user content data stored on the storage medium in response to a request from the host computer system. An access controller receives a request from a manager device to initialize the data storage device. The controller generates the cryptographic key, generates a manager key configured to provide manager access for the manager device and provide access to the cryptographic key, and stores, on a data store, authorization data indicative of the manager key and accessible based on a private key stored on the manager device.
    Type: Grant
    Filed: January 9, 2020
    Date of Patent: November 28, 2023
    Assignee: Western Digital Technologies, Inc.
    Inventors: Brian Edward Mastenbrook, David Robert Arnold
  • Publication number: 20230289456
    Abstract: Disclosed herein is a data storage device. A data port transmits data between a host computer system and the data storage device. A non-volatile storage medium stores encrypted user content data and a cryptography engine connected between the data port and the storage medium uses a cryptographic key to decrypt the encrypted user content data. The access controller generates an authorization request for a manager device. The authorization request comprises a certificate. The certificate comprises key data. In response to receiving the key data in a response to the authorization request generated by the manager device, the access controller generates configuration data based on the key data to register the device to be authorized as an authorized device.
    Type: Application
    Filed: March 8, 2022
    Publication date: September 14, 2023
    Applicant: Western Digital Technologies, Inc.
    Inventors: Brian Edward MASTENBROOK, John SO, David Robert ARNOLD
  • Publication number: 20230291548
    Abstract: Disclosed herein is a data storage device. A data port transmits data between a host computer system and the data storage device. A non-volatile storage medium stores encrypted user content data and a cryptography engine connected between the data port and the storage medium uses a cryptographic key to decrypt the encrypted user content data. Multiple manager device records each comprise a first key identical for each of the records, and a second key that is different for each of the records. The controller generates an authorization request using the first key and receives a response to the request generated by a manager device. The response is specific to that manager device. The controller uses the response to locate the record; decrypts the located manager device record to obtain key data; and generates configuration data based on the key data to register the device.
    Type: Application
    Filed: March 8, 2022
    Publication date: September 14, 2023
    Applicant: Western Digital Technologies, Inc.
    Inventors: Brian Edward MASTENBROOK, John SO, David Robert ARNOLD
  • Publication number: 20230289089
    Abstract: Disclosed herein is a data storage device. A data port transmits data between a host computer system and the data storage device. A non-volatile storage medium stores encrypted user content data and a cryptography engine connected between the data port and the storage medium uses a cryptographic key to decrypt the encrypted user content data. The access controller generates authorization request data indicative of multiple devices to be authorized, and stores the authorization request data on non-volatile configuration memory of the data storage device. Upon approval of the authorization request data by a manager device that is registered with the access controller as a manager device, the access controller locates the authorization request data of one of the multiple devices to be authorized and registers the one of the multiple devices to be authorized as an authorized device.
    Type: Application
    Filed: March 8, 2022
    Publication date: September 14, 2023
    Applicant: Western Digital Technologies, Inc.
    Inventors: Brian Edward MASTENBROOK, John SO, Matthew Harris KLAPMAN, David Robert ARNOLD
  • Publication number: 20230291579
    Abstract: Disclosed herein is a data storage device. A data port transmits data between a host computer system and the data storage device. A non-volatile storage medium stores encrypted user content data and a cryptography engine connected between the data port and the storage medium uses a cryptographic key to decrypt the encrypted user content data. The access controller generates a challenge for a manager device. The challenge comprises a blinded public key of an ephemeral unlock key pair that is blinded by an unlock blinding key. The challenge further comprises the unlock blinding key in encrypted form. The access controller further provides the challenge to the device to be authorized for sending the challenge to the manager device; receives a response to the challenge; decrypts the unlock blinding key and calculates a shared secret; and upon determining that the response indicates approval of registering the device, registers the device to be authorized as an authorized device.
    Type: Application
    Filed: March 8, 2022
    Publication date: September 14, 2023
    Applicant: Western Digital Technologies, Inc.
    Inventors: Brian Edward MASTENBROOK, John SO
  • Patent number: 11741214
    Abstract: Data storage devices, methods, and systems for passcode authentication based on automatically generated and dynamically changing unlock passcodes are described. An access controller of a data storage device is configured to receive a first passcode based on an externally generated input passcode that is synchronized with internal generation of an unlock passcode by the access controller. The access controller generates a second passcode based on the internally generated unlock passcode, and unlocking the data storage device is responsive to the first passcode matching the second passcode.
    Type: Grant
    Filed: June 29, 2021
    Date of Patent: August 29, 2023
    Assignee: Western Digital Technologies, Inc.
    Inventors: Matthew Harris Klapman, Brian Edward Mastenbrook
  • Patent number: 11727156
    Abstract: An in-line security device to transfer cryptographic key material, the device comprising: a first connector configured to connect, via wire, with a host device; a second connector configured to connect, via wire, with a data storage device; a pass-through circuit between the first connector and the second connector to facilitate data communication between the host device and the data storage device; and a communication interface to send cryptographic key material to the data storage device via the second connector.
    Type: Grant
    Filed: March 29, 2021
    Date of Patent: August 15, 2023
    Assignee: Western Digital Technologies, Inc.
    Inventors: Matthew Harris Klapman, Brian Edward Mastenbrook, Pongsanat Karmpeeraparpsontorn, Thantham Panyayodrat, Suksan Yaowaphak
  • Patent number: 11606206
    Abstract: Disclosed herein is a data storage device comprising a data path and an access controller. The access controller generates a recovery private key, generates encrypted authorization data based on the recovery private key, stores the encrypted authorization data, and sends the recovery private key to a manager device. When recovery is desired, the access controller receives a recovery public key, calculated based on the recovery private key, from a recovery manager device, decrypts the encrypted authorization data based on the recovery public key, generates a challenge for the recovery manager device based on the decrypted authorization data, sends the challenge to the recovery manager device over the communication channel that is different from the data path, receives a response to the challenge from the recovery manager device over the communication channel, and based at least partly on the response, enables decryption of the encrypted user content data.
    Type: Grant
    Filed: January 9, 2020
    Date of Patent: March 14, 2023
    Assignee: Western Digital Technologies, Inc.
    Inventors: Brian Edward Mastenbrook, Matthew Harris Klapman, Michael William Webster
  • Patent number: 11582607
    Abstract: This disclosure relates to a data storage device. A data port transmits data between a host computer system and the data storage device over a data channel. The device repeatedly broadcasts advertising packets over a wireless communication channel different from the data channel. Each advertising packet comprises a random value and a message authentication code calculated based on the random value and an identity key. The identity key is readable by a device to be connected and in proximity of the data storage device out of band of the data channel and the communication channel. The identity key enables the device to be connected to verify the message authentication code based on the random value and the identity key to thereby authenticate the data storage device.
    Type: Grant
    Filed: July 10, 2020
    Date of Patent: February 14, 2023
    Assignee: Western Digital Technologies, Inc.
    Inventors: Brian Edward Mastenbrook, David Robert Arnold
  • Patent number: 11556665
    Abstract: Disclosed herein is a data storage device comprising a data path and an access controller. The data path comprises a data port configured to transmit data between a host computer and the data storage device. The data storage device is configured to register with the host computer as a block data storage device. A non-volatile storage medium stores encrypted user content data and a cryptography engine is connected between the data port and the storage medium and uses a cryptographic key to decrypt the encrypted user content data. The access controller generates a challenge for an authorized device; sends the challenge to the authorized device; receives a response to the challenge from the authorized device over the communication channel; calculates the cryptographic key based on the response; and provides the cryptographic key to the cryptography engine to decrypt the encrypted user content data stored on the storage medium.
    Type: Grant
    Filed: December 8, 2019
    Date of Patent: January 17, 2023
    Assignee: Western Digital Technologies, Inc.
    Inventors: Brian Edward Mastenbrook, David Robert Arnold
  • Publication number: 20220414205
    Abstract: A data storage device comprising a data path and an access controller, wherein: the data path comprises: a data port configured to transmit data between a host computer system and the data storage device, wherein the data storage device is configured to register with the host computer system as a block data storage device; a non-volatile storage medium configured to store user content data; and the access controller is configured to: repeatedly and automatically generate a dynamically changing unlock passcode for unlocking the data storage device; receive a first passcode including, at least, an input passcode provided by a user device external to the data storage device, wherein the input passcode is generated externally to the data storage device and synchronously with the generation of the unlock passcode by the access controller; and provide access to the user content data via the data port in response to the first passcode matching with a second passcode generated by the access controller, wherein the se
    Type: Application
    Filed: June 29, 2021
    Publication date: December 29, 2022
    Applicant: Western Digital Technologies, Inc.
    Inventors: Matthew Harris KLAPMAN, Brian Edward MASTENBROOK
  • Patent number: 11469885
    Abstract: Disclosed herein is a data storage device with storage medium that stores encrypted user content data. A cryptography engine uses a cryptographic key to decrypt the encrypted user content data. An access controller receives, from a user device, a request to register the user device and generates a challenge for a manager device. The manager device is located remotely from the data storage device. The controller sends, to the user device, the challenge for the manager device; receives, from the user device, a response calculated by the manager device to approve the request to register; calculates the cryptographic key based at least partly on the response calculated by the manager device; and creates and stores authorization data associated with the user device. The authorisation data indicates the cryptographic key, to register the user device with the data storage device.
    Type: Grant
    Filed: January 9, 2020
    Date of Patent: October 11, 2022
    Assignee: Western Digital Technologies, Inc.
    Inventors: Brian Edward Mastenbrook, Matthew Harris Klapman
  • Publication number: 20220309193
    Abstract: An in-line security device to transfer cryptographic key material, the device comprising: a first connector configured to connect, via wire, with a host device; a second connector configured to connect, via wire, with a data storage device; a pass-through circuit between the first connector and the second connector to facilitate data communication between the host device and the data storage device; and a communication interface to send cryptographic key material to the data storage device via the second connector.
    Type: Application
    Filed: March 29, 2021
    Publication date: September 29, 2022
    Applicant: Western Digital Technologies, Inc.
    Inventors: Matthew Harris KLAPMAN, Brian Edward MASTENBROOK, Pongsanat KARMPEERAPARPSONTORN, Thantham PANYAYODRAT, Suksan YAOWAPHAK
  • Patent number: 11366933
    Abstract: Disclosed herein is a data storage device comprising a data path and an access controller. The data path comprises a data port configured to transmit data between a host computer and the data storage device and registers with the host computer system as a block data storage device. A non-volatile storage medium stores encrypted user content data. A cryptography engine is connected between the data port and the storage medium and uses a key to decrypt the encrypted user content data. A data store stores multiple entries comprising authorization data associated with respective authorized devices. The access controller receives from a manager device a public key associated with a private key stored on a device to be authorized, creates the authorization data, and stores the authorization data in association with the public key in the data store, thereby registering the device to be authorized as one of the authorized devices.
    Type: Grant
    Filed: December 8, 2019
    Date of Patent: June 21, 2022
    Assignee: Western Digital Technologies, Inc.
    Inventors: Brian Edward Mastenbrook, Matthew Harris Klapman
  • Patent number: 11334677
    Abstract: Disclosed herein is a data storage device comprising a data path, an access controller, and a data store. The data path comprises a data port configured to transmit data between a host computer system and the data storage device; a non-volatile storage medium configured to store encrypted user content data; and a cryptography engine connected between the data port and the storage medium and configured to use a cryptographic key to decrypt the encrypted user content data stored on the storage medium in response to a request from the host computer system. The access controller is configured to store on the data store multiple entries associated with multiple respective registered devices. The multiple entries comprise authorization data indicative of cryptographic keys that selectively provide user access or manager access for each of the multiple registered devices.
    Type: Grant
    Filed: January 9, 2020
    Date of Patent: May 17, 2022
    Assignee: Western Digital Technologies, Inc.
    Inventors: Brian Edward Mastenbrook, Matthew Harris Klapman
  • Patent number: 11265152
    Abstract: Disclosed herein is a data storage device. A data port transmits data between a host computer system and the data storage device. A non-volatile storage medium stores encrypted user content data and a cryptography engine connected between the data port and the storage medium uses a cryptographic key to decrypt the encrypted user content data. The access controller receives from a manager device a public key. The public key is associated with a private key stored on a device to be authorized. The controller determines a user key that provides access to the cryptographic key; encrypts the user key based on the public key and such that the user key is decryptable based on the private key stored on the device to be authorized; and stores, on the data store, authorization data indicative of the encrypted user key.
    Type: Grant
    Filed: January 9, 2020
    Date of Patent: March 1, 2022
    Assignee: Western Digital Technologies, Inc.
    Inventors: Brian Edward Mastenbrook, David Robert Arnold
  • Publication number: 20220014905
    Abstract: Disclosed herein is a device configured to covertly communicate state information within a transmitter address field of a message. The device comprises a memory configured to store a state key and state information of the device, and a controller in communication with the memory. The controller is configured to apply a one-way function, using the state key, to the state information to produce a transmitter address, and transmit the message, including the transmitter address in the transmitter address field of the message.
    Type: Application
    Filed: July 9, 2020
    Publication date: January 13, 2022
    Applicant: Western Digital Technologies, Inc.
    Inventors: Brian Edward MASTENBROOK, David Robert ARNOLD
  • Publication number: 20220014918
    Abstract: This disclosure relates to a data storage device. A data port transmits data between a host computer system and the data storage device over a data channel. The device repeatedly broadcasts advertising packets over a wireless communication channel different from the data channel. Each advertising packet comprises a random value and a message authentication code calculated based on the random value and an identity key. The identity key is readable by a device to be connected and in proximity of the data storage device out of band of the data channel and the communication channel. The identity key enables the device to be connected to verify the message authentication code based on the random value and the identity key to thereby authenticate the data storage device.
    Type: Application
    Filed: July 10, 2020
    Publication date: January 13, 2022
    Applicant: Western Digital Technologies, Inc.
    Inventors: Brian Edward MASTENBROOK, David Robert ARNOLD
  • Patent number: 11163442
    Abstract: Disclosed here is a data storage device comprising a non-transitory storage medium configured to store user content data, a data port configured to transfer the user content data between the storage medium and a host computer system over a data channel, and a controller. The controller is configured to select one of multiple file system formats, format the storage medium by creating a file system in accordance with the selected file system format on the storage medium, and register with the host computer system as a block data storage device.
    Type: Grant
    Filed: December 8, 2019
    Date of Patent: November 2, 2021
    Inventors: Brian Edward Mastenbrook, Matthew Harris Klapman