Samsung · Filed May 23, 2025 · Published May 21, 2026 · verified — real USPTO data

Samsung Patents Per-Host Encryption for Shared CXL Memory Devices

When multiple servers share the same pool of memory — a growing trend in modern data centers — how do you stop one machine from reading another's data? Samsung's new patent tackles that problem head-on inside the CXL memory controller itself.

[Figure: FIG. 1A from US 2026/0142810 A1, rendered from the official USPTO publication PDF.]
Publication number: US 2026/0142810 A1
Applicant: SAMSUNG ELECTRONICS CO., LTD.
Filing date: May 23, 2025
Publication date: May 21, 2026
Inventors: Yongjae Lee, Kyoungbum Kim, Mungyu Bae, Sukkyu Lee, Wonhee Cho, Jisoo Kim, Younsung Chu
CPC classification: 713/190
Grant likelihood: Medium
Examiner: CENTRAL, DOCKET (Art Unit OPAP)
Status: Docketed New Case - Ready for Examination (Jun 6, 2025)
Document: 20 claims

What Samsung's CXL memory encryption actually does

Imagine a co-working space where several companies share the same filing cabinets. It's efficient, but you'd want each company's files locked with their own key so nobody else can rifle through them. That's roughly the problem Samsung is solving here — but for server memory.

CXL (Compute Express Link) is a newer interconnect standard that lets multiple host computers — think separate servers in a data center — share a single pool of fast memory. That's great for efficiency, but it raises an obvious question: what stops host A from snooping on host B's data?

Samsung's patent describes a CXL memory device that automatically encrypts data per host before it ever hits the memory chips. Each host gets its own encryption keys, looked up through a two-layer table system inside the controller. The result: even if the physical memory is shared, each tenant's data is locked behind keys only their host can use.

How the two-stage key lookup encrypts CXL writes

The patent describes a CXL device — essentially a memory module with its own onboard controller — that sits between multiple host machines and a bank of DRAM connected across several channels.

The controller has two distinct sub-systems working in sequence:

  • CXL sub-system controller: When a write request arrives, it takes the incoming host data and the physical memory address being targeted, then looks up a key index in a key-index table. The key index is specific to the requesting host — so host A and host B will get different key indices for the same operation.
  • Memory sub-system controller: It takes that key index and uses it to look up the actual encryption key (or keys) from a separate key table. It then runs an encryption algorithm using the data, the device physical address, and those keys to produce encrypted output before writing it to DRAM.

The two-table approach — key-index table first, then key table — means the system can support many hosts and many different memory regions, each with isolated cryptographic credentials. The address itself is folded into the encryption input (a technique called address tweak), which means moving encrypted data to a different address would cause decryption to fail, adding an extra layer of tamper resistance.
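
The two-stage lookup and address tweak described above, as a small Python model added here (not code from the patent or from Samsung). Host names, region size, demo keys and the HMAC-SHA256 keystream are assumptions; the keystream is a stand-in for whatever cipher the hardware uses, chosen so the example runs with the standard library only.

```python
import hashlib
import hmac

REGION_SIZE = 0x1000  # assumed granularity of a key-index table entry

# Stage 1 (CXL sub-system): (host, address region) -> key index. Constructed.
KEY_INDEX_TABLE = {("hostA", 0): 0, ("hostB", 0): 1}
# Stage 2 (memory sub-system): key index -> key. Constructed demo keys.
KEY_TABLE = {i: hashlib.sha256(b"demo-key-%d" % i).digest() for i in (0, 1)}


def lookup_key_index(host_id, dpa):
    """Resolve the requesting host and device physical address to a key index."""
    return KEY_INDEX_TABLE[(host_id, dpa // REGION_SIZE)]


def keystream(key, dpa, length):
    """Stand-in cipher: HMAC-SHA256 keystream with the address as tweak."""
    out, counter = b"", 0
    while len(out) < length:
        block = dpa.to_bytes(8, "little") + counter.to_bytes(4, "little")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def crypt(key_index, dpa, data):
    """Fetch the key for key_index and XOR data with the tweaked keystream."""
    stream = keystream(KEY_TABLE[key_index], dpa, len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def write(dram, host_id, dpa, plaintext):
    dram[dpa] = crypt(lookup_key_index(host_id, dpa), dpa, plaintext)


def read(dram, host_id, dpa):
    return crypt(lookup_key_index(host_id, dpa), dpa, dram[dpa])


def demo():
    dram, secret = {}, b"tenant A record"
    write(dram, "hostA", 0x40, secret)
    dram[0x80] = dram[0x40]  # ciphertext copied to a different address
    return (read(dram, "hostA", 0x40),   # owner, original address
            read(dram, "hostB", 0x40),   # other host, same address
            read(dram, "hostA", 0x80))   # owner, relocated ciphertext


if __name__ == "__main__":
    for label, value in zip(("owner", "other host", "relocated"), demo()):
        print(label, value)
```

Only the first read returns the original bytes: the second fails on the per-host key, the third on the address tweak.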

What this means for multi-tenant server memory security

As data centers increasingly adopt CXL-based memory pooling — where compute resources and memory are disaggregated and shared — the security model for that shared memory becomes critical. Today, most memory encryption is handled at the CPU level, which works fine when one machine owns all its memory. But in a pooled CXL setup, the memory device itself needs to enforce isolation, because the host CPU may not even have visibility into what else is sharing that pool.

For cloud providers and enterprises running multi-tenant workloads, this kind of hardware-enforced, per-host encryption at the memory device level could become a baseline compliance requirement. It also shifts security responsibility closer to the data, rather than relying entirely on the host OS or hypervisor to keep tenants separated.

Editorial take

This is solid, infrastructurally important work — not flashy, but exactly the kind of security primitive that needs to exist before CXL memory pooling can be trusted in serious multi-tenant environments. Samsung is clearly positioning its CXL memory products for data center buyers who can't afford trust gaps between co-located workloads. The two-stage key lookup architecture is a practical engineering decision that scales to many hosts without a single monolithic key table becoming a bottleneck or a liability.

Source. Full patent text and figures from the official USPTO publication PDF.

Editorial commentary on a publicly published patent application. Not legal advice.