Key per IO - Fine Grain Encryption for Storage

The Key Per IO (KPIO) project is a joint initiative between NVM Express® and the Trusted Computing Group (TCG) Storage Work Group to define a new KPIO Security Subsystem Class (SSC) under TCG Opal SSC for NVMe® class of Storage Devices. Self-Encrypting Drives (SED) perform continuous encryption on user accessible data based on contiguous LBA ranges per namespace. This is done at interface speeds using a small number of keys generated/held in persistent media by the storage device. KPIO will allow large number of encryption keys to be managed and securely downloaded into the NVM subsystem. Encryption of user data then occurs on a per command basis (each command may request to use a different key). This provides a finer granularity of data encryption that enables a granular encryption scheme in order to support use cases: Support of EU - GDPR Support of data erasure when data is spread over many disks, support of data erasure of data that is mixed with other data needing to be preserved (multitenancy), assigning an encryption key to a single sensitive file or host object. The presentation will introduce the architectural differences between traditional SEDs and the KPIO SSC, provide an overview of the proposed TCG KPIO SSC spec and the features in the NVMe commands to allow use of KPIO, and conclude by summarizing the current state of the standardization proposals in NVM Express and the TCG Storage WG.