SNIA Developer Conference September 15-17, 2025 | Santa Clara, CA
The Key Per IO (KPIO) project is a joint initiative between NVM Express® and the Trusted Computing Group (TCG) Storage Work Group to define a new KPIO Security Subsystem Class (SSC) under TCG Opal SSC for the NVMe® class of storage devices. Self-Encrypting Drives (SEDs) perform continuous encryption on user-accessible data based on contiguous LBA ranges per namespace. This is done at interface speeds using a small number of keys generated and held in persistent media by the storage device. KPIO will allow a large number of encryption keys to be managed and securely downloaded into the NVM subsystem. Encryption of user data then occurs on a per-command basis (each command may request to use a different key). This provides a finer granularity of data encryption to support use cases such as: support of EU GDPR; support of data erasure when data is spread over many disks; support of data erasure of data that is mixed with other data needing to be preserved (multitenancy); and assigning an encryption key to a single sensitive file or host object. The presentation will introduce the architectural differences between traditional SEDs and the KPIO SSC, provide an overview of the proposed TCG KPIO SSC spec and the features in the NVMe commands that allow use of KPIO, and conclude by summarizing the current state of the standardization proposals in NVM Express and the TCG Storage WG.
Ransomware attacks pose an existential threat to enterprise infrastructure, with devastating consequences for organizations and individuals alike. Drawing inspiration from the human immune system, this talk proposes a novel approach to ransomware mitigation using biomimicry. By studying the immune system's strategies and tactics, we can develop innovative solutions to detect, respond to, and prevent ransomware attacks. This talk will explore the parallels between biological and digital systems, highlighting key biomimicry-inspired strategies for ransomware mitigation, including system protection, pathogen recognition, and adaptive response. By leveraging the power of biomimicry, we can create more robust and resilient cybersecurity systems, better equipped to defend against the evolving threat of ransomware.
The lines between data centers and automobiles continue to blur. This talk explores the trends in automotive fabrics tying together a wild array of sensors, displays, processors, memory, and storage. Another data center trend that may actually appear first in cars is the need for post-quantum security algorithms, preventing malicious intruders from steering our cars off bridges.
Storage developers need to understand that the algorithms and protocols used for data protection are in the midst of significant changes. This is driven by increases in the size of storage devices, the complexity of large data storage systems, discoveries of weaknesses, and improvements in attacks on encryption. Storage devices are seeing changes in block encryption algorithms and in implementations of those algorithms. Post-quantum cryptographic (PQC) algorithms will improve resistance to attacks using quantum computers, and a new timeline is in effect for adoption of those algorithms. Various protocols are being updated to use the new algorithms and to manage the transition to PQC.
DMTF’s Security Protocol and Data Model (SPDM) is a widely used set of standards that enable secure communication and device authentication for platform-level security. This session will give an update on major developments by the SPDM Working Group, and where the group is going over the next year. In the past year, DMTF has released SPDM version 1.4, the first version to support CNSA 2.0 algorithms for post-quantum cryptography. This was added to the specification in a way that maintains backwards compatibility with existing deployments and enables platforms to adopt forward-looking requirements. The SPDM to Storage binding (version 1.0) was also released, enabling SPDM to secure a broad range of storage transports and protocols using a common, broadly compatible command set.
DMTF has also released the SPDM Authorization specification, which adds access policies on top of SPDM. The authorization specification leverages the capabilities of SPDM to bring access control, credential provisioning, and policy management to modern platforms, including support for CXL. The session will conclude with a look at the SPDM Working Group’s roadmap, including anticipated enhancements and potential new use cases.