Patents by Inventor Christopher Nicholas Allo

Christopher Nicholas Allo has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11698975
    Abstract: A distributed data storage system can have an attestation module that is connected to the data storage device to disconnect the device from a distributed data storage network or prevent the data storage device from being initialized into the distributed data storage network. A first security evaluation of the data storage device can be conducted with the attestation module to verify an authenticity of the data storage device. The attestation module may then disconnect the network controller from the distributed data storage network and verify an authenticity of the network controller to allow the network controller and data storage device to service a data access request from a host of the distributed data storage network.
    Type: Grant
    Filed: February 26, 2020
    Date of Patent: July 11, 2023
    Assignee: SEAGATE TECHNOLOGY LLC
    Inventor: Christopher Nicholas Allo
  • Patent number: 11645393
    Abstract: A data storage device can employ a front end bus for boot operations. The physical connection of a secure boot assembly to the front end bus can provide efficient and reliable booting of the data storage device without a connection to a remote host or network. A secure boot assembly can provide a security module that connects to the boot module of the data storage device to authenticate a trustworthiness of the data storage device while the data storage device is disconnected from any remote host.
    Type: Grant
    Filed: June 24, 2020
    Date of Patent: May 9, 2023
    Assignee: SEAGATE TECHNOLOGY LLC
    Inventor: Christopher Nicholas Allo
  • Patent number: 11595369
    Abstract: Apparatus and method for local authentication of a collection of processing devices, such as but not limited to storage devices (e.g., SSDs, etc.). In some embodiments, an edge computing device is coupled between the collection of processing devices and an external network. The edge computing device performs a network authentication over the external network with a remote server using an edge token. The edge computing device further performs a local authentication of the collection using storage tokens of the respective processing devices, with the local authentication not utilizing the external network or the remote server. Both the edge token and the storage tokens may be generated from a client token of a client device.
    Type: Grant
    Filed: November 8, 2019
    Date of Patent: February 28, 2023
    Assignee: SEAGATE TECHNOLOGY LLC
    Inventor: Christopher Nicholas Allo
  • Patent number: 11449643
    Abstract: A distributed data storage system can connect a customization module to at least one host and a second data storage device via a network controller. The customization module may disconnect the first data storage device from the host and second data storage device prior to assessing a security operation of the first data storage device with the customization module, generating an optimization strategy with the customization module based on the assessed security operation, implementing the optimization strategy in the first data storage device to alter at least one security parameter of the first data storage device, and then connecting the first data storage device to the host and second data storage device to allow at least one data access to be executed to the first data storage device with the altered at least one security parameter.
    Type: Grant
    Filed: February 26, 2020
    Date of Patent: September 20, 2022
    Inventor: Christopher Nicholas Allo
  • Patent number: 11120151
    Abstract: Security of computers, data storage devices, and servers can be improved with a multiple key access system. In some embodiments, a local key management device can be a locally (or virtually) located data storage device such as a HDD or SSD. The key management device may be part of a computer or server system and can have a first secure area protected by a cryptographic module (e.g. hardware integrated circuit). The first secure area can store a key to access a second secure area, which may function as a local key management server (LKMS) and store access information to securely communicate with and unlock another data storage device coupled to the computer. For example, the LKMS may store an access key to provide the computer with access to another data storage device. Communications between the LKMS and the other data storage device may be encrypted using a communication key.
    Type: Grant
    Filed: August 2, 2017
    Date of Patent: September 14, 2021
    Assignee: Seagate Technology LLC
    Inventor: Christopher Nicholas Allo
  • Publication number: 20210271623
    Abstract: A data storage system can employ at least one data storage device having a supplemental processing bus that connects a first controller to a second controller with the supplemental bus being exposed to an exterior surface of a housing. The second controller may be positioned on a portable computing component connected to the supplemental bus while the portable computing component is positioned external to the housing. The computing capabilities of the portable computing component are identified with the first controller to allow a supplementation strategy to be generated with the first controller in response to connection of the portable computing component to the supplemental bus. The supplementation strategy can then be executed by assigning at least one processing task from the first controller to the second controller.
    Type: Application
    Filed: April 16, 2021
    Publication date: September 2, 2021
    Applicant: Seagate Technology LLC
    Inventor: Christopher Nicholas Allo
  • Publication number: 20210264037
    Abstract: A distributed data storage system can have an attestation module that is connected to the data storage device to disconnect the device from a distributed data storage network or prevent the data storage device from being initialized into the distributed data storage network. A first security evaluation of the data storage device can be conducted with the attestation module to verify an authenticity of the data storage device. The attestation module may then disconnect the network controller from the distributed data storage network and verify an authenticity of the network controller to allow the network controller and data storage device to service a data access request from a host of the distributed data storage network.
    Type: Application
    Filed: February 26, 2020
    Publication date: August 26, 2021
    Inventor: Christopher Nicholas Allo
  • Publication number: 20210264062
    Abstract: A distributed data storage system can connect a customization module to at least one host and a second data storage device via a network controller. The customization module may disconnect the first data storage device from the host and second data storage device prior to assessing a security operation of the first data storage device with the customization module, generating an optimization strategy with the customization module based on the assessed security operation, implementing the optimization strategy in the first data storage device to alter at least one security parameter of the first data storage device, and then connecting the first data storage device to the host and second data storage device to allow at least one data access to be executed to the first data storage device with the altered at least one security parameter.
    Type: Application
    Filed: February 26, 2020
    Publication date: August 26, 2021
    Inventor: Christopher Nicholas Allo
  • Publication number: 20210194870
    Abstract: Method and apparatus for implementing data security and privacy for a processing device. In some embodiments, the processing device is authenticated using a trusted authority. Self-authentication information is stored in a keystore of the processing device as a result of the authentication. The processing device subsequently operates in an untrusted mode by performing self-authentications using the self-authentication information in the keystore without further reference to the trusted authority. The trusted authority can be a remote server with which the processing device communicates over a network. The processing device can subsequently transition to a trust mode in which all authentications take place with the trusted authority without reference to the keystore. The processing device can be a data storage device such as a solid-state drive (SSD), a hard disc drive (HDD) or a hybrid drive (HDSD). The processing device can use untrust mode during manufacturing, and trust mode during field use.
    Type: Application
    Filed: December 18, 2019
    Publication date: June 24, 2021
    Inventors: Christopher Nicholas Allo, Benjamin T. Cordova
  • Publication number: 20210144133
    Abstract: Apparatus and method for local authentication of a collection of processing devices, such as but not limited to storage devices (e.g., SSDs, etc.). In some embodiments, an edge computing device is coupled between the collection of processing devices and an external network. The edge computing device performs a network authentication over the external network with a remote server using an edge token. The edge computing device further performs a local authentication of the collection using storage tokens of the respective processing devices, with the local authentication not utilizing the external network or the remote server. Both the edge token and the storage tokens may be generated from a client token of a client device.
    Type: Application
    Filed: November 8, 2019
    Publication date: May 13, 2021
    Inventor: Christopher Nicholas Allo
  • Patent number: 11004467
    Abstract: A data storage device can transition a functional data storage medium into a read only data surface. Data can be written to a data storage medium with a data writer of a transducing head prior to a security threat being identified. A write head of the transducing head is deactivated in response to the security threat by selecting a permanent deactivation mechanism.
    Type: Grant
    Filed: May 10, 2019
    Date of Patent: May 11, 2021
    Assignee: Seagate Technology LLC
    Inventor: Christopher Nicholas Allo
  • Patent number: 10983943
    Abstract: A data storage system can employ at least one data storage device having a supplemental processing bus that connects a first controller to a second controller with the supplemental bus being exposed to an exterior surface of a housing. The second controller may be positioned on a portable computing component connected to the supplemental bus while the portable computing component is positioned external to the housing. The computing capabilities of the portable computing component are identified with the first controller to allow a supplementation strategy to be generated with the first controller in response to connection of the portable computing component to the supplemental bus. The supplementation strategy can then be executed by assigning at least one processing task from the first controller to the second controller.
    Type: Grant
    Filed: November 16, 2018
    Date of Patent: April 20, 2021
    Assignee: Seagate Technology LLC
    Inventor: Christopher Nicholas Allo
  • Patent number: 10956068
    Abstract: A data storage device can have one or more timestamps to indicate chronological information associated with data stored in the data storage device. A controller may be connected to a timestamp module and a transducing head to allow a timestamp to be written to a magnetic data storage medium as directed by the timestamp module. The timestamp can consist of chronological information relating to user-generated data stored on the data storage medium.
    Type: Grant
    Filed: May 10, 2019
    Date of Patent: March 23, 2021
    Assignee: Seagate Technology LLC
    Inventor: Christopher Nicholas Allo
  • Patent number: 10929319
    Abstract: A data storage device can employ a front end bus to optimize data storage performance. A first controller may be connected to a first memory via a first bus and to a second memory via a second bus with the first bus and first memory housed within an internal cavity of an enclosure while the second bus is exposed to an exterior surface of the housing and the second memory is separated from the internal cavity. The first controller can be configured to substitute the second memory for the first memory in response to a front end controller identifying a type of data storage of the second memory.
    Type: Grant
    Filed: May 10, 2019
    Date of Patent: February 23, 2021
    Assignee: Seagate Technology LLC
    Inventor: Christopher Nicholas Allo
  • Publication number: 20200410138
    Abstract: A data storage system can provide device provenance with a storage device encoded with a key certificate and initialized into a distributed data system. A handshake module of the data storage device may derive a secure identifier and a provenance module of the data storage device can monitor data storage device activity to maintain an in-device provenance. A trusted data pathway between the data storage device and a host of the distributed data storage system can be formed with the secure identifier.
    Type: Application
    Filed: June 24, 2020
    Publication date: December 31, 2020
    Inventor: Christopher Nicholas Allo
  • Publication number: 20200410105
    Abstract: A data storage device can employ a front end bus for boot operations. The physical connection of a secure boot assembly to the front end bus can provide efficient and reliable booting of the data storage device without a connection to a remote host or network. A secure boot assembly can provide a security module that connects to the boot module of the data storage device to authenticate a trustworthiness of the data storage device while the data storage device is disconnected from any remote host.
    Type: Application
    Filed: June 24, 2020
    Publication date: December 31, 2020
    Inventor: Christopher Nicholas Allo
  • Patent number: 10855451
    Abstract: Security of data storage devices and servers can be improved by the system and methods described herein. In some embodiments, a key management server may be locally or externally located. An encryption key may be used for locking a portion or the entirety of a storage device. The key management server may communicate with data storage devices regarding encryption keys using secure protocols. For example, the key management server may generate a communication key that may be used to securely encrypt messages between the server and a data storage device.
    Type: Grant
    Filed: August 2, 2017
    Date of Patent: December 1, 2020
    Assignee: SEAGATE TECHNOLOGY LLC
    Inventor: Christopher Nicholas Allo
  • Patent number: 10803206
    Abstract: Systems and methods for wireless enabled security in relation to a storage drive are described. In one embodiment, the systems and methods may include receiving, at a storage drive, a request from a host of the storage drive. In some cases, the request may be received via a wired connection between the storage drive and the host. In some embodiments, the systems and methods may include determining whether the request is flagged by the host as a secure connection request, processing the request upon determining the request is not flagged as a secure connection request, and establishing a wireless connection with the host upon determining the request is flagged by the host as a secure connection request.
    Type: Grant
    Filed: February 18, 2019
    Date of Patent: October 13, 2020
    Assignee: SEAGATE TECHNOLOGY LLC
    Inventor: Christopher Nicholas Allo
  • Patent number: 10725676
    Abstract: Apparatus and method for configuring a data storage device as a write once read many (WORM) drive. In some embodiments, the storage device has a rotatable disc with at least one data recording layer, and a data transducer that is selectively moveable with respect to the rotatable disc. The data transducer has a write element configured to write data to the data recording layer, and a read element configured to read data from the data recording layer. A control circuit is configured to physically disable the write element in response to a write element disable signal. The disabling of the write element prevents further writing of data to the data recording layer. The read element remains operative to continue reading data from the data recording layer after the write element has been disabled.
    Type: Grant
    Filed: December 13, 2018
    Date of Patent: July 28, 2020
    Assignee: Seagate Technology, LLC
    Inventor: Christopher Nicholas Allo
  • Patent number: 10678953
    Abstract: A local key management system can be implemented with a unified extensible firmware interface (“UEFI”) basic input/output system (“BIOS”). The local key management system may be part of a removable data storage device that has a first secure area protected by a cryptographic module (e.g. hardware integrated circuit). The removable data storage device may also have a second secure area that stores a key to unlock a security enabled data storage device. The UEFI BIOS may be implemented to manage unlocking of security enabled data storage devices or data bands. The UEFI BIOS may also load a UEFI registration shell to manage registration of one or more security enabled drives or bands.
    Type: Grant
    Filed: April 26, 2017
    Date of Patent: June 9, 2020
    Assignee: Seagate Technology LLC
    Inventors: Christopher Nicholas Allo, Saheb Biswas