
Key Per IO Security Subsystem Class for NVM Express Storage Devices

Offered By: USENIX via YouTube

Tags

VAULT (Linux Storage and Filesystems) Conference Courses
Data Encryption Courses

Course Description

Overview

Explore the Key Per IO (KPIO) Security Subsystem Class for NVM Express Storage Devices in this informative conference talk from USENIX Vault '20. Delve into the joint initiative between NVMe and TCG to define a new KPIO Security Subsystem Class under TCG Opal SSC. Learn about the architectural differences between traditional Self-Encrypting Drives (SED) and KPIO SSC, and discover how KPIO allows for management and secure downloading of large numbers of encryption keys into NVM subsystems. Understand the benefits of per-command data encryption, including support for GDPR compliance, easier data erasure in RAID/Erasure Coded systems, and granular encryption for sensitive files or host objects. Gain insights into the proposed KPIO SSC standard, its subtle features, and the current state of standardization efforts with NVMe and TCG working groups. Cover topics such as key provisioning, security capabilities, discovery, key tagging, and command structures. Conclude with a discussion on technical proposals for SCSI and SATA implementations, followed by a Q&A session.

Syllabus

Introduction
Encryption
Disclaimers
Concept
Use Cases
Key Provisioning
Security Capabilities
Benefits
Standardization
Discovery
Key Tag
Commands
Write Command
Recap
Hosts
Air Handling
Technical Proposal
SCSI and SATA
Questions
Raw Encrypted Data


Taught by

USENIX
