Enhancing Data Encryption Capabilities in the Data Center with the NVM Express® Key Per I/O Feature


By: Festus Hategekimana, SSD Security Architect at Solidigm, and Chandra Nelogal, Distinguished Member of the Technical Staff at Dell

In today’s existing data centers, data is encrypted with encryption keys that are generated and managed within the storage device alongside the encrypted data. By tightly coupling encrypted data with encryption keys in the data center, not only does this create a potential security risk for customers. Furthermore, these storage devices routinely self-manage encrypted data, meaning that the host has limited control over data encryption keys and by extension, the data itself. By using an NVMe® device that enables the usage of host-maintained data encryption keys and the physical separation of data encryption keys from encrypted data, data center managers can guarantee improved overall data security for tenants and an overall improved storage system performance.

Introducing NVM Express® (NVMe®) Key Per I/O

The NVMe Key Per I/O feature, developed by NVM Express in collaboration with the Trusted Computing Group (TCG), enables host-managed data encryption keys to be used by NVMe storage devices on an I/O command basis and expands granular capabilities for host user data encryption on non-volatile media. By using Key Per I/O, storage systems can maintain data encryption keys separately from encrypted data stored on a storage device, allowing the host to associate any number of data encryption keys with host user data at any granularity level while preserving data-at-rest protection properties.

NVMe devices utilizing the Key Per I/O feature enhance data protection capabilities by allowing data encryption keys to be generated and maintained external to the storage device, ensuring they are not stored persistently on the storage device. This enables encryption key management to be done by the host, creating scalable tenant isolation support and expanding granular host control of the device’s namespaces.

Key Pey I/O Benefits and Use Cases

With Key Per I/O, NVMe devices can now natively separate the data center management role from the host data encryption role, allowing tenants to have complete control of their data and platform owners to have flexible and dynamic management of the device’s namespaces without needing any tenant intervention. Hyperscalers can also experience the added benefit of dynamic scaling and support for an increased number of tenants on existing NVMe storage devices without needing to upgrade to larger storage devices.

An ideal use case for NVMe Key Per I/O is data erasure or the process of clearing tenant data from a storage device when it is no longer needed. Using Key Per I/O, hosts can easily delete specific client data across multiple storage devices without needing to go through more drastic processes, such as erasing a band or device. Data center managers can expand their total number of tenants while maintaining tenant isolation and without needing to upgrade to larger hardware caches, reducing total cost of ownership.

Furthermore, data center hosts can utilize Key Per I/O to dynamically create, delete and maintain RAID volumes spanning across multiple drives with complete control outside of the storage device.Essentially, Key Per I/O enables a host to establish cryptographic isolation between tenants from host applications, all the way down to the logical block addresses or LBAs.

Learn More and Download the Key Per I/O Specification

The full Key Per I/O specifications are publicly available for download on the NVM Express and TCG websites.

To learn more about NVMe Key Per I/O, watch the How to Use an Encryption Key Per I/O presentation recording from Flash Memory Summit 2023, which is live on the NVM Express YouTube channel. Finally, NVM Express has published a Key Per I/O video interview, which includes additional information on this topic.