NORCROSS, GEORGIA – AMI®, a global leader in powering, managing and securing the world’s connected digital infrastructure through its BIOS, BMC and security solutions, is pleased to announce support for the Key Management Service (KMS) Protocol in its Aptio® V UEFI Firmware.
UEFI system firmware that implements the UEFI KMS protocol can manage multiple key managers through a single interface, using them to create, store, retrieve and delete keys of differing formats and sizes. Within the firmware, UEFI device drivers call the UEFI KMS protocol without needing to know the details of the individual key managers behind it, which keeps key-handling logic out of each driver and strengthens platform security.
Data privacy and protection policies and regulations impose strict requirements on responsibility and corrective action in the event of a data breach. To comply, many global organizations password-protect their servers and mobile devices and encrypt their storage devices. Encryption is useful because, if a device is lost or stolen, its contents remain unreadable without the key. Storing the encryption keys on the same system as the encrypted data is a potential threat vector, however: it offers no protection if the whole system is stolen or compromised, since an attacker who obtains the system obtains the key along with the data.
“One downside of encrypting the storage device is that if the system becomes inoperable, simply swapping the storage device out and into another system to boot the system is impossible. In fact, this is prevented by design: to secure its data, the storage device in the system is encrypted precisely so that it cannot simply be put into another system and read,” commented Puran Nallagatla, Vice President of Global BIOS Engineering.
“However, from a support standpoint, not being able to transfer the storage device from a defunct system into a working system is a significant pain point. To do so, the storage device would first need to be unencrypted prior to its transfer, which in the event of a catastrophic hardware failure is not always possible,” he continued.
For this reason, companies often engage with remote KMS providers such as Thales to provide remote storage and retrieval of the required keys.
“As more organizations use encryption to protect data and meet compliance requirements, managing the lifecycle of a large number of keys securely can be challenging as data is often encrypted across multiple and diverse IT environments. The use of a dedicated centralized key management platform can alleviate problems by assuring security without impairing performance and Thales is pleased to collaborate with AMI to help deliver such a platform supporting AMI’s BIOS Key Management Service Protocol,” said Todd Moore, Vice President, Encryption Solutions at Thales.
The UEFI KMS protocol is also beneficial for enterprise and data center systems, which typically require unattended operation. When a scheduled reboot occurs, the firmware can connect to a KMS, retrieve the keys it needs and unlock the storage devices without any user intervention or custom workaround. Because the key never has to be stored on the host itself, the protection described above is preserved; the benefit depends, as with any remote key store, on the firmware being able to authenticate the key server and on the server being able to authenticate the requesting platform, since otherwise the key is available to anyone who can reach the KMS. Many workarounds and custom implementations currently address this need, but the industry has shown clear interest in having the UEFI KMS protocol implemented directly in the UEFI firmware, as AMI has announced today.
“Customers wanting higher levels of security choose our MegaRAID® controllers, featuring SafeStore™ software, which helps to create and locally manage their keys. Now with AMI’s implementation of the UEFI KMS protocol in their Aptio V UEFI BIOS firmware, an external path opens for key management. SafeStore software customers can seamlessly have their keys stored and managed externally. This lets them perform operations like drive migration and controller replacement without human intervention and with encryption fully in place,” said Jas Tremblay, vice president and general manager of the Data Center Storage Group, Broadcom.
To provide deeper insight into its implementation of the UEFI KMS protocol, AMI will present a session called Implementing and Using the UEFI Key Management Service at the next UEFI Plugfest event. The presentation will discuss the options for and challenges of implementing the UEFI KMS protocol, as well as the high-level interactions between UEFI device drivers and an external key management server using the UEFI KMS protocol.
For more information about UEFI, the UEFI Specification and the UEFI Plugfest, please visit https://uefi.org/.
To learn more about Aptio V UEFI Firmware from AMI, please visit ami.com/aptio.
UEFI® is a registered trademark of the UEFI Forum in the United States and/or other countries.
The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. MegaRAID® and SafeStore™ are trademarks or registered trademarks of Broadcom Inc. and/or its subsidiaries in the US and/or other countries.