Abstract: A system for use in an aerospace environment includes an array of storage drives each comprising a non-radiation-hardened drive controller, a non-radiation-hardened, non-volatile, storage medium, and a non-radiation-hardened volatile memory. The system includes a radiation-tolerant storage controller coupled to the array. The storage controller provides failure-resistant data redundancy among the storage drives of the array. The system includes a bus host that accesses the array via the storage controller. The storage controller implements security logic and a root-of-trust that provides to the bus host verification of authenticity of the radiation tolerant storage controller and the storage drives.

Abstract: The technology disclosed herein provides a system for allowing users to login into one or more devices without a password. Implementations of the system include one or more biometric data collection devices (shoe, glasses, watch) and a device configured to store one or more user identification data, receive a request for user verification, request user's biometric data from one or more of the biometric data collection devices, generate a personal unclonable function (PUF) value based on combination of at least one of the user identification data and the user's biometric data, and verify the user's identity by comparing the PUF value to the user's PUF benchmark.

Abstract: The technology disclosed herein provides a system for allowing users to login into one or more devices without a password. Implementations of the system include one or more biometric data collection devices (shoe, glasses, watch) and a device configured to store one or more user identification data, receive a request for user verification, request user's biometric data from one or more of the biometric data collection devices, generate a personal unclonable function (PUF) value based on combination of at least one of the user identification data and the user's biometric data, and verify the user's identity by comparing the PUF value to the user's PUF benchmark.

Abstract: Systems and methods are disclosed for performing data sanitization at a data storage device (DSD). In an embodiment, an apparatus may comprise a controller configured to receive a data sanitization command from a host, perform a data sanitization operation to securely erase data from a memory, produce an attestation including information related to the data sanitization operation, and sign the attestation to produce a signed attestation. In another embodiment, a memory device may store instructions that cause a processor to perform a method comprising performing a data sanitization operation to securely erase data from a data storage medium, generating an attestation including information related to the data sanitization operation, and digitally signing the attestation using an authentication key.

Abstract: The present disclosure relates to feature activation using near field communication. In an embodiment, a device may include a chip to receive and store wireless communications. An activation package may be stored to the chip, and identify a set of features to enable or disable on the device. The device may include a processor to detect the activation package and initiate device operations based on the identified set of features. In some embodiments, the chip may receive and store information while the device is in a powered-off state, and the processor may detect the activation package at a power on event.

Abstract: Apparatus and method for generating random numbers. In accordance with some embodiments, a first multi-bit string of entropy values is derived from a first entropy source having a first trust level and a different, second multi-bit string of entropy values is derived from a second entropy source having a different, second trust level. The first and second multi-bit strings of entropy values are combined in relation to the associated first and second trust levels to generate a multi-bit random number. The multi-bit random number is used as an input to a cryptographic function.

Abstract: The present disclosure relates to remote feature activation. In an embodiment, a device may be manufactured having firmware configured to implement multiple unique features on the device. Features may be enabled and disabled on the device later or at a remote location. Enabled features may allow the device to perform corresponding functions, and disabled features may not allow the device to perform corresponding functions. Remote feature activation may include exchanging security information between an activation entity and the device.

Abstract: Apparatus and method for controlling access to protected functionality of a data storage device. In some embodiments, a plurality of identification (ID) values associated with a data storage device are combined to form a combined ID value. The combined ID value is cryptographically processed using a secret symmetric encryption key in combination with a hash function or a key derivation function to generate a unique device credential for the data storage device. The unique device credential is used as an input to a selected cryptographic function to control access to a protected function of the data storage device.

Abstract: Apparatus and method for data security in a multi-device data storage enclosure. In some embodiments, the storage enclosure has a housing with opposing first and second ends. A plurality of active elements are disposed within the housing including an array of data storage devices, a control board, and an interconnection arrangement which mechanically and electrically interconnects the plurality of storage devices with the control board. A control circuit encrypts user data stored on a selected data storage device using a cryptographic encryption function and an associated cryptographic key. The key is partitioned into a plurality of portions, with each portion stored in a different one of the active elements.

Abstract: Apparatus and method for data security through the use of an encrypted keystore data structure. In accordance with some embodiments, first and second sets of input data are respectively encrypted using first and second encryption keys to form corresponding first and second encrypted data sets. The first and second encryption keys are combined to form a string. A hidden key stored within a system on chip (SOC) is used to encrypt the string to form an encrypted keystore data structure, and the first and second encrypted data sets and the encrypted keystore data structure are stored in a memory.

Abstract: Systems and methods are disclosed for performing data sanitization at a data storage device (DSD). In an embodiment, a controller may direct a memory device to sanitize data by securely erasing the data, generate an attestation confirming that the data was successfully sanitized, and sign the attestation using an authentication key to create a signed attestation. In another embodiment, a circuit may direct a memory device to sanitize data based on the data sanitization instruction, generate a sanitization confirmation indicating that the data was successfully sanitized, and provide the sanitization confirmation including a first thumbprint and a second thumbprint to another device. Generating the sanitization confirmation may include processing a first storage encryption key to produce the first thumbprint, directing the memory device to obliterate the first storage encryption key, and processing a second storage encryption key to produce the second thumbprint.

Abstract: Apparatus and method for controlling access to protected functionality of a data storage device. In some embodiments, a plurality of identification (ID) values associated with a data storage device are combined to form a combined ID value. The combined ID value is cryptographically processed using a secret symmetric encryption key in combination with a hash function or a key derivation function to generate a unique device credential for the data storage device. The unique device credential is used as an input to a selected cryptographic function to control access to a protected function of the data storage device.

Abstract: Apparatus and method for data security in a multi-device data storage enclosure. In some embodiments, the storage enclosure has a housing with opposing first and second ends. A plurality of active elements are disposed within the housing including an array of data storage devices, a control board, and an interconnection arrangement which mechanically and electrically interconnects the plurality of storage devices with the control board. A control circuit encrypts user data stored on a selected data storage device using a cryptographic encryption function and an associated cryptographic key. The key is partitioned into a plurality of portions, with each portion stored in a different one of the active elements.

Abstract: Apparatus and method for generating random numbers. In accordance with some embodiments, a first multi-bit string of entropy values is derived from a first entropy source having a first trust level and a different, second multi-bit string of entropy values is derived from a second entropy source having a different, second trust level. The first and second multi-bit strings of entropy values are combined in relation to the associated first and second trust levels to generate a multi-bit random number. The multi-bit random number is used as an input to a cryptographic function.

Abstract: Systems and methods are disclosed for performing data sanitization at a data storage device (DSD). In an embodiment, an apparatus may comprise a controller configured to receive a data sanitization command from a host, perform a data sanitization operation to securely erase data from a memory, produce an attestation including information related to the data sanitization operation, and sign the attestation to produce a signed attestation. In another embodiment, a memory device may store instructions that cause a processor to perform a method comprising performing a data sanitization operation to securely erase data from a data storage medium, generating an attestation including information related to the data sanitization operation, and digitally signing the attestation using an authentication key.

Abstract: Systems and methods are disclosed for performing data sanitization at a data storage device (DSD). In an embodiment, a controller may direct a memory device to sanitize data by securely erasing the data, generate an attestation confirming that the data was successfully sanitized, and sign the attestation using an authentication key to create a signed attestation. In another embodiment, a circuit may direct a memory device to sanitize data based on the data sanitization instruction, generate a sanitization confirmation indicating that the data was successfully sanitized, and provide the sanitization confirmation including a first thumbprint and a second thumbprint to another device. Generating the sanitization confirmation may include processing a first storage encryption key to produce the first thumbprint, directing the memory device to obliterate the first storage encryption key, and processing a second storage encryption key to produce the second thumbprint.

Abstract: Apparatus and method for data security through the use of an encrypted keystore data structure. In accordance with some embodiments, first and second sets of input data are respectively encrypted using first and second encryption keys to form corresponding first and second encrypted data sets. The first and second encryption keys are combined to form a string. A hidden key stored within a system on chip (SOC) is used to encrypt the string to form an encrypted keystore data structure, and the first and second encrypted data sets and the encrypted keystore data structure are stored in a memory.

Abstract: Apparatus and method for performing authentication processing during device initialization. In accordance with some embodiments, a data storage device has a main memory which stores user data from a host, and a controller with initialization programming stored in a boot memory. The initialization programming is executed by the controller to transition the data storage device from an inactive state to a normal operational mode. During a bootstrap mode, the controller generates a first authentication token, receives a second authentication token responsive to the first authentication token, and authorizes use of new system programming responsive to the second authentication token. The new system programming is stored in a local memory of the data storage device and executed by the controller during the normal operational mode.

Abstract: A storage device that supports Trusted Computer Group (TCG) security allows management of TCG security features by a Basic Input/Output System (BIOS) using non-TCG security commands supported by the BIOS. In one implementation, a BIOS that does not support TCG security but does support ATA security can use ATA drive unlock to invoke TCG drive unlock on the storage device. Further, the storage device can be transitioned among multiple security operating modes (e.g., Undeclared, ATA security or TCG security).

Abstract: A storage device that supports Trusted Computer Group (TCG) security allows management of TCG security features by a Basic Input/Output System (BIOS) using non-TCG security commands supported by the BIOS. In one implementation, a BIOS that does not support TCG security but does support ATA security can use ATA drive unlock to invoke TCG drive unlock on the storage device. Further, the storage device can be transitioned among multiple security operating modes (e.g., Undeclared, ATA security or TCG security).