Abstract
The Key Per IO (KPIO) project is a joint initiative between NVM Express® and the Trusted Computing Group (TCG) Storage Work Group to define a new Security Subsystem Class (SSC), the Key Per IO SSC, for the NVMe® class of Storage Devices.
Key Per IO allows hosts to own, control, and specify the Media Encryption Keys (MEKs) that a Storage Device uses for its device-level user data encryption. Key Per IO achieves this by allowing hosts to securely download a large number of media encryption keys into the NVM subsystem and to specify, on a per-command basis, which of those media encryption keys the Storage Device uses for encryption.
Since the MEKs can come from a variety of sources external to the Storage Devices, data can be encrypted by keys that are known to only a particular host and/or tenant. This control over the keys and their encryption granularity can be a powerful security control for multitenant scenarios (e.g., cloud, containers, VMs).
This session provides a brief overview of the KPIO functionality, summarizes the current state of the specifications, and explores a few of the compelling use cases.
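To make the host-owned, per-command key model above concrete, here is a toy simulation of a Storage Device that holds host-supplied MEKs in indexed slots and selects one per I/O. This is added illustration code, not code from the KPIO specifications, NVM Express or TCG; the slot table, the `load_key`/`erase_key`/`read`/`write` methods and the HMAC-SHA256 counter-mode keystream are all assumptions standing in for the real command set and block cipher, and the tenant keys are constructed at random. What it demonstrates is the multitenant property the abstract describes: a block written under tenant A's key is unreadable with tenant B's key, and once the host withdraws a key the device can no longer serve I/O that references it.

```python
import hashlib
import hmac
import secrets


class KeyPerIODevice:
    """Toy model of a Storage Device whose media encryption keys (MEKs) are
    supplied by the host and selected per I/O command.

    Assumptions (not taken from the KPIO specifications): a flat table of key
    slots addressed by an integer index, and an HMAC-SHA256 counter-mode
    keystream standing in for the device's real block cipher. Like XTS on a
    real drive, the toy cipher provides confidentiality only, not integrity:
    a read with the wrong key returns garbage rather than an error.
    """

    MEK_LEN = 32

    def __init__(self, key_slots=16, block_size=512):
        self.key_slots = key_slots
        self.block_size = block_size
        self._keys = {}    # key index -> MEK bytes, owned by the host
        self._media = {}   # LBA -> ciphertext as stored on media

    def load_key(self, index, mek):
        """Host downloads a MEK into a key slot (transport protection omitted here)."""
        if not 0 <= index < self.key_slots:
            raise IndexError(f"key index {index} outside {self.key_slots} slots")
        if len(mek) != self.MEK_LEN:
            raise ValueError("MEK must be 32 bytes")
        self._keys[index] = bytes(mek)

    def erase_key(self, index):
        """Host withdraws a MEK; data written under it is no longer readable via this device."""
        self._keys.pop(index, None)

    def _keystream(self, mek, lba, length):
        # Keystream bound to the LBA so identical plaintext at two LBAs does
        # not produce identical ciphertext (tweak-like behaviour).
        out = bytearray()
        counter = 0
        while len(out) < length:
            msg = lba.to_bytes(8, "little") + counter.to_bytes(4, "little")
            out += hmac.new(mek, msg, hashlib.sha256).digest()
            counter += 1
        return bytes(out[:length])

    def _select_key(self, key_index):
        # The per-command key reference: the device refuses the I/O when the
        # host points at a slot that holds no key.
        try:
            return self._keys[key_index]
        except KeyError:
            raise PermissionError(f"no MEK loaded in slot {key_index}") from None

    def write(self, lba, data, key_index):
        if len(data) != self.block_size:
            raise ValueError("write must be exactly one block")
        mek = self._select_key(key_index)
        ks = self._keystream(mek, lba, self.block_size)
        self._media[lba] = bytes(a ^ b for a, b in zip(data, ks))

    def read(self, lba, key_index):
        mek = self._select_key(key_index)
        ct = self._media[lba]  # KeyError for an LBA that was never written
        ks = self._keystream(mek, lba, self.block_size)
        return bytes(a ^ b for a, b in zip(ct, ks))


def tenant_isolation_demo():
    """Two tenants share one device but own separate MEKs; returns the observed outcomes."""
    dev = KeyPerIODevice()
    mek_a = secrets.token_bytes(32)   # constructed: tenant A's key, never shared with B
    mek_b = secrets.token_bytes(32)   # constructed: tenant B's key
    dev.load_key(0, mek_a)
    dev.load_key(1, mek_b)

    block = b"tenant A secret".ljust(dev.block_size, b"\0")
    dev.write(lba=100, data=block, key_index=0)

    own_read = dev.read(100, key_index=0)
    cross_read = dev.read(100, key_index=1)   # tenant B's key on tenant A's block

    dev.erase_key(0)
    try:
        dev.read(100, key_index=0)
        rejected_after_erase = False
    except PermissionError:
        rejected_after_erase = True

    return {
        "own_key_recovers_plaintext": own_read == block,
        "other_key_recovers_plaintext": cross_read == block,
        "read_rejected_after_key_erase": rejected_after_erase,
    }


if __name__ == "__main__":
    print(tenant_isolation_demo())
```

The point of the model is the ownership boundary: the device never generates or exports the MEKs, so a second tenant or a device-level compromise of the key table on a different host cannot decrypt data whose key was supplied by someone else, and key withdrawal gives the host a cryptographic erase at the granularity of its own keys.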