Abstract: The present invention relates to digital rights management (DRM) for content that may be downloaded and securely transferred from one storage to another storage. The storage may be a disk drive, or network attached storage. The storage performs cryptographic operations and provides a root of trust. The DRM system enables secure copying or transfer of content from one storage device to another storage device. In this embodiment, a trusted server that is authenticated and trusted by both storage devices brokers the transfer of content. The trusted server may be a separate entity of the DRM system or may be a component or function of an existing server of the DRM system. In another embodiment, the storage devices may transfer content in a peer-to-peer fashion. The transfer of content may be authorized and controlled based on a digital certificate associated with the content.

Abstract: The present invention relates to digital rights management (DRM) for content that downloaded and saved to a storage device. The storage may be a disk drive, or network attached storage. In addition, the storage device performs cryptographic operations and provides a root of trust. The DRM employs a binding key, a content key, and an access key. The binding key binds the content to a specific storage and is based on a key that is concealed on the storage. The binding key is not stored on the storage device with the content. The content key is a key that has been assigned to the content. The access key is determined based on a cryptographic combination of the content key and the binding key. In one embodiment, the content is provisioned based on the access key and stored in encrypted form in the storage device.

Abstract: Embodiments described herein include systems and methods for managing security of a storage subsystem. Certain of these embodiments involve the use of a buffer protection module configured to intelligently police requests for access to the subsystem buffer memory.

Abstract: Disclosed herein is a data storage device comprising data storage media comprising a plurality of data sectors and control circuitry programmed to: receive a command from a host to cryptographically erase at least a portion of data stored on the data storage media; execute a cryptographic erase; receive a read command from the host to read a data sector in the data storage media; determine if the data sector has been cryptographically erased; and return configurable return data to the host in response to determining that the data sector has been cryptographically erased.

Abstract: The present invention relates to digital rights management (DRM) for content that downloaded and saved to a storage device. The storage may be a disk drive, or network attached storage. In addition, the storage device performs cryptographic operations and provides a root of trust. The DRM employs a binding key, a content key, and an access key. The binding key binds the content to a specific storage and is based on a key that is concealed on the storage. The binding key is not stored on the storage device with the content. The content key is a key that has been assigned to the content. The access key is determined based on a cryptographic combination of the content key and the binding key. In one embodiment, the content is provisioned based on the access key and stored in encrypted form in the storage device.

Abstract: The present invention relates to digital rights management (DRM) for content that may be downloaded and bound to a storage device. The storage device may be an intelligent storage device, such as a disk drive, or network attached storage. In addition, the storage device is capable of performing cryptographic operations and providing a root of trust. In one embodiment, the DRM employs a binding key, a content key, and an access key. The binding key binds the content to a specific storage and is based on a key that is concealed on the storage. However, the binding key is not stored on the storage with the content. The content key is a key that has been assigned to the content, for example, by a trusted third party. The access key is determined based on a cryptographic combination of the content key and the binding key. In one embodiment, the content is encrypted based on the access key and stored in encrypted form in the storage device.

Abstract: Data storage devices having one or more data security features are provided according to various embodiments of the present invention. In one embodiment, a data storage device comprises buffer and a buffer client. The buffer client comprises a scrambler configured to receive a configuration setting and a secret key on a certain event, to configure a scrambling function based on the received configuration setting, and to scramble data with the secret key using the scrambling function, wherein the buffer client is configured to write the scrambled data to the buffer.

Abstract: Data storage devices are provided according to various embodiments of the present invention. In one embodiment, a data storage device comprises a host interface, a buffer, a storage media interface, and a data manipulation engine. The data manipulation engine comprises a receive pipe configured to read first and second data blocks from first and second locations in the buffer and to check the validity of the first and second data blocks, an arithmetic logic unit configured to perform a logic operation on first and second user data of the first and second data blocks, respectively, to generate third user data, and a transmit pipe configured to receive the third user data from the arithmetic logic unit, to generate and append a third checksum to the third user data to produce a third data block, and to write the third data block to a third location in the buffer.

Abstract: A data storage device is disclosed comprising a non-volatile memory (NVM) including a plurality of sectors each having a sector size. An access command is received from a host, wherein the access command identifies a plurality of host blocks having a host block size less than the sector size. A plurality of the host blocks are mapped to a target sector. When the target sector spans an encryption zone boundary defined by the host blocks, a NVM command is generated identifying a first key corresponding to a first encryption zone and a second key corresponding to a second encryption zone. The NVM command is executed as a unitary operation to access a first part of the target sector using the first key and access a second part of the target sector using the second key.