Patents by Inventor Monty A. Forehand

Monty A. Forehand has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9984256
    Abstract: Apparatus and method for detecting unauthorized tampering with a data storage device having a housing and a memory. A first identifier value is stored on an external surface of the housing and a second identifier value is stored within the memory. The first and second identifier values are combined in a predetermined order to form a combined identifier value for which a digital signature is generated using a private key, and the digital signature is stored on the storage device. The digital signature, the first and second identifier values, and one or more dummy identification values are retrieved from the storage device and stored in a memory of a verification device, which combines the retrieved first and second identifier values in the predetermined order to generate a retrieved combined identifier value. The storage device is authenticated using the retrieved combined identifier value, the digital signature and a public key.
    Type: Grant
    Filed: May 15, 2014
    Date of Patent: May 29, 2018
    Assignee: Seagate Technology LLC
    Inventors: Hong Liu, Abhay Kataria, Chao Chen, WeiWei Feng, Monty A. Forehand, William Erik Anderson
  • Publication number: 20170323121
    Abstract: Apparatus (400, 500) and method (200, 220, 240, 260, 280, 300) for detecting unauthorized tampering with a data storage device (100, 110, 140, 520). In some embodiments, the data storage device has a housing (112, 142) and a memory (192) supported by the housing. A first identifier value (202A, 222A, 242A, 262A, 282A, 306A) is stored on an external surface of the housing and a second identifier value (202B, 222B, 242B, 262B, 282B, 306B) is stored within the memory. A digital signature (210, 256, 296) generated in response to the first and second identifier values and in response to a private key (208, 254, 288) is stored on the storage device. Thereafter, the first identifier value is retrieved from the external surface of the housing and the second identifier value is retrieved from the memory. The storage device is authenticated using the retrieved first and second identifier values, the digital signature and a public key (228, 274, 312).
    Type: Application
    Filed: May 15, 2014
    Publication date: November 9, 2017
    Inventors: Hong LIU, Abhay KATARIA, Chao CHEN, WeiWei FENG, Monty A. FOREHAND, William Erik ANDERSON
  • Patent number: 9729534
    Abstract: Apparatus and method for in situ authentication and diagnostic repair of a data storage device in a multi-device user environment. In accordance with some embodiments, the method includes detecting an error condition associated with a selected data storage device in the multi-device user environment. A first level of user authentication is established by providing a challenge value generated by the selected data storage device to a remote device over a network associated with the selected data storage device. A first diagnostic tool stored on the selected data storage device is executed responsive to receipt of the first level of user authentication. A second level of user authentication is established by providing a second challenge value generated by the selected data storage device to the remote device. An output from the first diagnostic tool is used to execute a second diagnostic tool stored on the selected data storage device.
    Type: Grant
    Filed: February 26, 2015
    Date of Patent: August 8, 2017
    Assignee: Seagate Technology LLC
    Inventors: YiNan Zhang, David R. Kaiser, Wajahat Ali, Monty A. Forehand
  • Patent number: 9716594
    Abstract: Systems and methods are disclosed for performing data sanitization at a data storage device (DSD). In an embodiment, an apparatus may comprise a controller configured to receive a data sanitization command from a host, perform a data sanitization operation to securely erase data from a memory, produce an attestation including information related to the data sanitization operation, and sign the attestation to produce a signed attestation. In another embodiment, a memory device may store instructions that cause a processor to perform a method comprising performing a data sanitization operation to securely erase data from a data storage medium, generating an attestation including information related to the data sanitization operation, and digitally signing the attestation using an authentication key.
    Type: Grant
    Filed: February 7, 2014
    Date of Patent: July 25, 2017
    Assignee: Seagate Technology LLC
    Inventors: Manuel A. Offenberg, Monty Forehand
  • Patent number: 9584498
    Abstract: The present disclosure relates to feature activation using near field communication. In an embodiment, a device may include a chip to receive and store wireless communications. An activation package may be stored to the chip, and identify a set of features to enable or disable on the device. The device may include a processor to detect the activation package and initiate device operations based on the identified set of features. In some embodiments, the chip may receive and store information while the device is in a powered-off state, and the processor may detect the activation package at a power on event.
    Type: Grant
    Filed: April 4, 2014
    Date of Patent: February 28, 2017
    Assignee: Seagate Technology LLC
    Inventors: Monty A. Forehand, Christopher J DeMattio, Manuel A Offenberg
  • Patent number: 9535676
    Abstract: The present disclosure relates to remote feature activation. In an embodiment, a device may be manufactured having firmware configured to implement multiple unique features on the device. Features may be enabled and disabled on the device later or at a remote location. Enabled features may allow the device to perform corresponding functions, and disabled features may not allow the device to perform corresponding functions. Remote feature activation may include exchanging security information between an activation entity and the device.
    Type: Grant
    Filed: April 4, 2014
    Date of Patent: January 3, 2017
    Assignee: Seagate Technology LLC
    Inventors: Monty A Forehand, Manuel A. Offenberg, Anthony R Duran, Nino Wicaksono, David R Kaiser
  • Patent number: 9489508
    Abstract: Apparatus and method for controlling access to protected functionality of a data storage device. In some embodiments, a plurality of identification (ID) values associated with a data storage device are combined to form a combined ID value. The combined ID value is cryptographically processed using a secret symmetric encryption key in combination with a hash function or a key derivation function to generate a unique device credential for the data storage device. The unique device credential is used as an input to a selected cryptographic function to control access to a protected function of the data storage device.
    Type: Grant
    Filed: November 13, 2014
    Date of Patent: November 8, 2016
    Assignee: Seagate Technology LLC
    Inventors: Monty A. Forehand, Manuel A. Offenberg, Christopher J. DeMattio
  • Patent number: 9443111
    Abstract: Apparatus and method for data security through the use of an encrypted keystore data structure. In accordance with some embodiments, first and second sets of input data are respectively encrypted using first and second encryption keys to form corresponding first and second encrypted data sets. The first and second encryption keys are combined to form a string. A hidden key stored within a system on chip (SOC) is used to encrypt the string to form an encrypted keystore data structure, and the first and second encrypted data sets and the encrypted keystore data structure are stored in a memory.
    Type: Grant
    Filed: February 28, 2014
    Date of Patent: September 13, 2016
    Assignee: Seagate Technology LLC
    Inventors: Manuel A. Offenberg, Monty A. Forehand, Christopher J. DeMattio, KianBeng Lim
  • Publication number: 20160255063
    Abstract: Apparatus and method for in situ authentication and diagnostic repair of a data storage device in a multi-device user environment. In accordance with some embodiments, the method includes detecting an error condition associated with a selected data storage device in the multi-device user environment. A first level of user authentication is established by providing a challenge value generated by the selected data storage device to a remote device over a network associated with the selected data storage device. A first diagnostic tool stored on the selected data storage device is executed responsive to receipt of the first level of user authentication. A second level of user authentication is established by providing a second challenge value generated by the selected data storage device to the remote device. An output from the first diagnostic tool is used to execute a second diagnostic tool stored on the selected data storage device.
    Type: Application
    Filed: February 26, 2015
    Publication date: September 1, 2016
    Inventors: YiNan Zhang, David R. Kaiser, Wajahat Ali, Monty A. Forehand
  • Patent number: 9363085
    Abstract: Systems and methods are disclosed for performing data sanitization at a data storage device (DSD). In an embodiment, a controller may direct a memory device to sanitize data by securely erasing the data, generate an attestation confirming that the data was successfully sanitized, and sign the attestation using an authentication key to create a signed attestation. In another embodiment, a circuit may direct a memory device to sanitize data based on the data sanitization instruction, generate a sanitization confirmation indicating that the data was successfully sanitized, and provide the sanitization confirmation including a first thumbprint and a second thumbprint to another device. Generating the sanitization confirmation may include processing a first storage encryption key to produce the first thumbprint, directing the memory device to obliterate the first storage encryption key, and processing a second storage encryption key to produce the second thumbprint.
    Type: Grant
    Filed: November 25, 2013
    Date of Patent: June 7, 2016
    Assignee: SEAGATE TECHNOLOGY LLC
    Inventors: Manuel A Offenberg, Monty Forehand
  • Publication number: 20160140334
    Abstract: Apparatus and method for controlling access to protected functionality of a data storage device. In some embodiments, a plurality of identification (ID) values associated with a data storage device are combined to form a combined ID value. The combined ID value is cryptographically processed using a secret symmetric encryption key in combination with a hash function or a key derivation function to generate a unique device credential for the data storage device. The unique device credential is used as an input to a selected cryptographic function to control access to a protected function of the data storage device.
    Type: Application
    Filed: November 13, 2014
    Publication date: May 19, 2016
    Inventors: Monty A. Forehand, Manuel A. Offenberg, Christopher J. DeMattio
  • Publication number: 20160013944
    Abstract: Systems and methods are disclosed for performing data sanitization at a data storage device (DSD). In an embodiment, a controller may direct a memory device to sanitize data by securely erasing the data, generate an attestation confirming that the data was successfully sanitized, and sign the attestation using an authentication key to create a signed attestation. In another embodiment, a circuit may direct a memory device to sanitize data based on the data sanitization instruction, generate a sanitization confirmation indicating that the data was successfully sanitized, and provide the sanitization confirmation including a first thumbprint and a second thumbprint to another device. Generating the sanitization confirmation may include processing a first storage encryption key to produce the first thumbprint, directing the memory device to obliterate the first storage encryption key, and processing a second storage encryption key to produce the second thumbprint.
    Type: Application
    Filed: November 25, 2013
    Publication date: January 14, 2016
    Inventors: Manuel A. Offenberg, Monty Forehand
  • Publication number: 20160013945
    Abstract: Systems and methods are disclosed for performing data sanitization at a data storage device (DSD). In an embodiment, an apparatus may comprise a controller configured to receive a data sanitization command from a host, perform a data sanitization operation to securely erase data from a memory, produce an attestation including information related to the data sanitization operation, and sign the attestation to produce a signed attestation. In another embodiment, a memory device may store instructions that cause a processor to perform a method comprising performing a data sanitization operation to securely erase data from a data storage medium, generating an attestation including information related to the data sanitization operation, and digitally signing the attestation using an authentication key.
    Type: Application
    Filed: February 7, 2014
    Publication date: January 14, 2016
    Inventors: Manuel A Offenberg, Monty Forehand
  • Publication number: 20150248568
    Abstract: Apparatus and method for data security through the use of an encrypted keystore data structure. In accordance with some embodiments, first and second sets of input data are respectively encrypted using first and second encryption keys to form corresponding first and second encrypted data sets. The first and second encryption keys are combined to form a string. A hidden key stored within a system on chip (SOC) is used to encrypt the string to form an encrypted keystore data structure, and the first and second encrypted data sets and the encrypted keystore data structure are stored in a memory.
    Type: Application
    Filed: February 28, 2014
    Publication date: September 3, 2015
    Applicant: Seagate Technology LLC
    Inventors: Manuel A. Offenberg, Monty A. Forehand, Christopher J. DeMattio, KianBeng Lim
  • Publication number: 20150127930
    Abstract: Apparatus and method for performing authentication processing during device initialization. In accordance with some embodiments, a data storage device has a main memory which stores user data from a host, and a controller with initialization programming stored in a boot memory. The initialization programming is executed by the controller to transition the data storage device from an inactive state to a normal operational mode. During a bootstrap mode, the controller generates a first authentication token, receives a second authentication token responsive to the first authentication token, and authorizes use of new system programming responsive to the second authentication token. The new system programming is stored in a local memory of the data storage device and executed by the controller during the normal operational mode.
    Type: Application
    Filed: November 6, 2013
    Publication date: May 7, 2015
    Applicant: Seagate Technology LLC
    Inventors: Manuel A. Offenberg, Anthony R. Duran, Graham D. Ferris, Monty A. Forehand
  • Patent number: 8566603
    Abstract: A storage device that supports Trusted Computer Group (TCG) security allows management of TCG security features by a Basic Input/Output System (BIOS) using non-TCG security commands supported by the BIOS. In one implementation, a BIOS that does not support TCG security but does support ATA security can use ATA drive unlock to invoke TCG drive unlock on the storage device. Further, the storage device can be transitioned among multiple security operating modes (e.g., Undeclared, ATA security or TCG security).
    Type: Grant
    Filed: June 14, 2010
    Date of Patent: October 22, 2013
    Assignee: Seagate Technology LLC
    Inventors: Jason R. Cox, Christopher J. Demattio, Monty A. Forehand, Michael B. Danielson, James C. Hatfield, Manuel A. Offenberg
  • Patent number: 8438652
    Abstract: A data storage device in which access to user data is restricted. The data storage device includes a data memory having memory locations that store user data. The device also has a program memory. The program memory includes first program code that enables a user to create a first device security ID and thereby restrict access to the stored data. Second program code, also included in the program memory, is capable of receiving a security command and comparing a second device security ID associated with the received security command to a stored security key. If the second device security ID and the stored security key correspond, then authentication with the first device security ID is bypassed and access is provided to the stored data.
    Type: Grant
    Filed: March 23, 2007
    Date of Patent: May 7, 2013
    Assignee: Seagate Technology LLC
    Inventors: Robert E. Weinstein, Monty A. Forehand
  • Publication number: 20110307709
    Abstract: A storage device that supports Trusted Computer Group (TCG) security allows management of TCG security features by a Basic Input/Output System (BIOS) using non-TCG security commands supported by the BIOS. In one implementation, a BIOS that does not support TCG security but does support ATA security can use ATA drive unlock to invoke TCG drive unlock on the storage device. Further, the storage device can be transitioned among multiple security operating modes (e.g., Undeclared, ATA security or TCG security).
    Type: Application
    Filed: June 14, 2010
    Publication date: December 15, 2011
    Applicant: SEAGATE TECHNOLOGY LLC
    Inventors: Jason R. Cox, Christopher J. Demattio, Monty A. Forehand, Michael B. Danielson, James C. Hatfield, Manuel A. Offenberg
  • Publication number: 20080235809
    Abstract: A data storage device in which access to user data is restricted. The data storage device includes a data memory having memory locations that store user data. The device also has a program memory. The program memory includes first program code that enables a user to create a first device security ID and thereby restrict access to the stored data. Second program code, also included in the program memory, is capable of receiving a security command and comparing a second device security ID associated with the received security command to a stored security key. If the second device security ID and the stored security key correspond, then authentication with the first device security ID is bypassed and access is provided to the stored data.
    Type: Application
    Filed: March 23, 2007
    Publication date: September 25, 2008
    Applicant: Seagate Technology LLC
    Inventors: Robert E. Weinstein, Monty A. Forehand
  • Patent number: 7298572
    Abstract: A method of reducing read/write head wear and disc wear through controlling fly height of the read/write head to improve reliability of a disc drive is disclosed. Absent data transfer operations, a fly height adjusted sweep cycle routine executes a sweep cycle sub-routine that positions the read/write head at an innermost data track, lowers the fly height of the read/write head and performs a seek to the outermost data track to sweep debris from a recording surface and then raises the fly height above an operating fly height for the read/write head, oscillates the read/write head to dislodge debris accumulated on the read/write head and holds the read/write head at the raised fly height while awaiting a new data transfer operation.
    Type: Grant
    Filed: January 25, 2002
    Date of Patent: November 20, 2007
    Assignee: Seagate Technology LLC
    Inventor: Monty A. Forehand