Abstract: A disclosed method for managing encryption keys, which may be performed by a key management server, responds to receiving, from a first client, a request to create a new key for a self-encrypting drive (SED) associated with the first client by retrieving unique identifiers of the first client and the SED, generating and storing the new key and a corresponding key identifier (KeyID), and associating the unique identifiers of the SED and first client with the new key. Upon receiving, from a second client, a locate key request that includes the SED identifier, providing the new key, the KeyID, and the first client identifier to the second client. Associating the SED and first client identifiers with the new key may include adding the identifiers as attributes of the KeyID. Embodiments may be implemented in accordance with a key management interoperability protocol (KMIP) standard.

Abstract: An information handling system may include a processor and a management controller communicatively coupled to the processor. The management controller may be configured to, in response to an encrypted storage resource being coupled to the information handling system: transmitting a request to at least one other management controller for an encryption key associated with the encrypted storage resource; receiving a response from the at least one other management controller, the response including the encryption key associated with the encrypted storage resource; and unlocking the encrypted storage resource with the received encryption key.

Abstract: An information handling system may include a processor; an encrypted storage resource, wherein the encrypted storage resource is coupled to the information handling system via a storage controller that does not implement locking and unlocking functionality for the encrypted storage resource; and a management controller configured to: receive a request to unlock the encrypted storage resource; determine an encryption key associated with the encrypted storage resource; and unlock the encrypted storage resource with the received encryption key via a sideband interface coupling the management controller to the encrypted storage resource.

Abstract: An information handling system may include a processor and a management controller communicatively coupled to the processor. The management controller may be configured to, in response to an encrypted storage resource being coupled to the information handling system: transmitting a request to at least one other management controller for an encryption key associated with the encrypted storage resource; receiving a response from the at least one other management controller, the response including the encryption key associated with the encrypted storage resource; and unlocking the encrypted storage resource with the received encryption key.

Abstract: A disclosed method for managing encryption keys, which may be performed by a key management server, responds to receiving, from a first client, a request to create a new key for a self-encrypting drive (SED) associated with the first client by retrieving unique identifiers of the first client and the SED, generating and storing the new key and a corresponding key identifier (KeyID), and associating the unique identifiers of the SED and first client with the new key. Upon receiving, from a second client, a locate key request that includes the SED identifier, providing the new key, the KeyID, and the first client identifier to the second client. Associating the SED and first client identifiers with the new key may include adding the identifiers as attributes of the KeyID. Embodiments may be implemented in accordance with a key management interoperability protocol (KMIP) standard.

Abstract: An information handling system includes an endpoint device and a service processor. The endpoint device is configured to share a passphrase with the service processor via shared memory architecture transfer mechanism. The service processor is configured generate the sent hash of a message; encrypt the message, the sent hash, and the nonce value using the passphrase to form an encrypted message; and transmit the encrypted message to the endpoint device over a sideband interface. The storage controller is further configured to decrypt the encrypted message using the passphrase to obtain the message, the sent hash, and the nonce value; compare the nonce value to a counter to determine if the nonce value is an old nonce value; calculate an observed hash of the message; and accept the message when the nonce value is not an old nonce value and the observed hash matches the received hash.

Abstract: Systems and methods for enabling license management in pre-boot environments are described. In some embodiments, a method may include: loading, by a Basic System Input/Output (BIOS) of an Information Handling System (IHS), prior to the booting of any Operating System (OS) by the IHS, a license manager Unified Extensible Firmware Interface (UEFI) driver; and executing, by the BIOS, a command received from a component or device coupled to the IHS following a license management protocol provided by the UEFI driver, where the command is to obtain or verify license data.

Abstract: An information handling system includes a first node configured to generate a random alphanumeric string, to receive a cipher text and a key from an enterprise key management server, and to decrypt the cipher text using the key and an algorithm to generate a first decrypted value. The first node compares the random alphanumeric string with the first decrypted value to verify the key that is received at the first node. A second node receives the cipher text, the key, and the algorithm from the first node in response to the first decrypted value matching the random alphanumeric string. The second node decrypts the cipher text using the key and the algorithm to generate a second decrypted value, and the first node compares the second decrypted value with the random alphanumeric string to verify the key that is received at the second node.

Abstract: An information handling system includes a first node configured to generate a random alphanumeric string, to receive a cipher text and a key from an enterprise key management server, and to decrypt the cipher text using the key and an algorithm to generate a first decrypted value. The first node compares the random alphanumeric string with the first decrypted value to verify the key that is received at the first node. A second node receives the cipher text, the key, and the algorithm from the first node in response to the first decrypted value matching the random alphanumeric string. The second node decrypts the cipher text using the key and the algorithm to generate a second decrypted value, and the first node compares the second decrypted value with the random alphanumeric string to verify the key that is received at the second node.

Abstract: An information handling system includes an endpoint device and a service processor. The endpoint device is configured to share a passphrase with the service processor via shared memory architecture transfer mechanism. The service processor is configured generate the sent hash of a message; encrypt the message, the sent hash, and the nonce value using the passphrase to form an encrypted message; and transmit the encrypted message to the endpoint device over a sideband interface. The storage controller is further configured to decrypt the encrypted message using the passphrase to obtain the message, the sent hash, and the nonce value; compare the nonce value to a counter to determine if the nonce value is an old nonce value; calculate an observed hash of the message; and accept the message when the nonce value is not an old nonce value and the observed hash matches the received hash.

Abstract: An information handling system includes storage drives, a first storage controller configured to map to a first subset of the storage drives, a second storage controller configured to map to a second subset of the storage drives different from the first subset, and a BMC. The BMC directs the storage controllers to detect storage traffic to the first and second subsets of storage drives, compares the storage traffic from the storage controllers, and remaps the first storage controller to map storage transactions on a third subset of the storage drives different from the first subset when the comparison indicates that the first storage traffic is greater than the second storage traffic.

Abstract: An information handling system includes storage drives, a first storage controller configured to map to a first subset of the storage drives, a second storage controller configured to map to a second subset of the storage drives different from the first subset, and a BMC. The BMC directs the storage controllers to detect storage traffic to the first and second subsets of storage drives, compares the storage traffic from the storage controllers, and remaps the first storage controller to map storage transactions on a third subset of the storage drives different from the first subset when the comparison indicates that the first storage traffic is greater than the second storage traffic.

Abstract: Systems and methods for enabling license management in pre-boot environments are described. In some embodiments, a method may include: loading, by a Basic System Input/Output (BIOS) of an Information Handling System (IHS), prior to the booting of any Operating System (OS) by the IHS, a license manager Unified Extensible Firmware Interface (UEFI) driver; and executing, by the BIOS, a command received from a component or device coupled to the IHS following a license management protocol provided by the UEFI driver, where the command is to obtain or verify license data.