Samsung Patents Per-Host Memory Encryption for CXL Devices
As CXL memory pooling lets multiple servers share the same physical RAM, Samsung is filing patents to make sure one host can never read another's data — even if they're neighbors on the same stick.
What Samsung's CXL per-host encryption actually does
Imagine a co-working space where several companies share desks, but each company's filing cabinet is locked with a key only they hold. That's roughly what Samsung is trying to do with shared server memory.
CXL (Compute Express Link) is a newer interconnect standard that lets multiple servers — or "hosts" — share a single pool of fast memory. It's efficient, but it raises an obvious question: how do you stop Host A from accidentally (or deliberately) peeking at Host B's data?
This patent describes a CXL controller that automatically encrypts every piece of data using a key that's unique to the host that sent it. When your server writes data to shared memory, the controller looks up which encryption key belongs to you specifically, then locks the data before it ever lands in RAM. Another host using the same memory chip gets an entirely different key — so even if it could read the raw bytes, it would see gibberish.
How the key index table routes each host to its own cipher key
The patent centers on a CXL device — think of it as a smart memory card — that sits on the CXL bus and serves multiple host computers simultaneously. The core mechanism has three steps the CXL controller runs every time a host writes data:
- Address translation: The host sends its own physical memory address ("host physical address"), which the controller converts into the device's internal address ("device physical address"). This is standard CXL bookkeeping.
- Key index lookup: Using a key index table — essentially a lookup table keyed on the host identity, the incoming data, and the translated address — the controller finds a key index specific to that host. This index is the pointer to the right encryption key.
- Encryption: The controller pulls the actual cryptographic key from a separate key table using that index, then runs an encryption algorithm on the data before writing it to volatile memory (DRAM).
The two-table design (key index table → key table) is notable. It means you can update which key a host uses by only touching the index mapping, without reshuffling the entire key store. It also allows the same physical key to serve multiple address ranges, or for each address range to have its own key — giving fine-grained control over isolation granularity.
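The three-step write path and the two-table lookup described above, as a small software model. This is an added example, not code from the patent or from Samsung: the class and function names, the 4 KiB page granularity, the index keyed on host and device page only, and the SHAKE-256 XOR stream (a stand-in for the unspecified encryption algorithm) are all assumptions.

```python
import hashlib
import secrets

PAGE = 0x1000  # assumed granularity of one key-index entry (not from the patent)

def keystream_xor(key: bytes, dpa: int, data: bytes) -> bytes:
    """Stand-in cipher (illustration only): XOR with a stream bound to key and address."""
    stream = hashlib.shake_256(key + dpa.to_bytes(8, "little")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

class CxlControllerModel:
    """Hypothetical model of the controller's tables; names are not the patent's."""
    def __init__(self):
        self.hpa_to_dpa = {}  # (host_id, host page) -> device page
        self.key_index = {}   # key index table: (host_id, device page) -> key index
        self.key_table = {}   # key table: key index -> key bytes
        self.dram = {}        # device physical address -> stored ciphertext

    def provision(self, host_id, host_page, dev_page, index):
        self.hpa_to_dpa[(host_id, host_page)] = dev_page
        self.key_index[(host_id, dev_page)] = index
        self.key_table.setdefault(index, secrets.token_bytes(32))

    def _translate(self, host_id, hpa):
        # Step 1: host physical address -> device physical address
        return self.hpa_to_dpa[(host_id, hpa // PAGE)] * PAGE + hpa % PAGE

    def _key_for(self, host_id, dpa):
        # Step 2: key index lookup, then fetch the key from the separate key table
        return self.key_table[self.key_index[(host_id, dpa // PAGE)]]

    def write(self, host_id, hpa, data):
        dpa = self._translate(host_id, hpa)
        # Step 3: encrypt before the data lands in DRAM
        self.dram[dpa] = keystream_xor(self._key_for(host_id, dpa), dpa, data)
        return dpa

    def read(self, host_id, hpa):
        dpa = self._translate(host_id, hpa)
        return keystream_xor(self._key_for(host_id, dpa), dpa, self.dram[dpa])

def demo():
    ctl = CxlControllerModel()
    # Constructed setup: both hosts are mapped onto the same device page 7.
    ctl.provision("hostA", host_page=0x10, dev_page=7, index=0)
    ctl.provision("hostB", host_page=0x20, dev_page=7, index=1)
    dpa = ctl.write("hostA", 0x10040, b"tenant A payroll")
    return {"dpa": dpa, "stored": ctl.dram[dpa],
            "a_reads": ctl.read("hostA", 0x10040),   # round-trips to plaintext
            "b_reads": ctl.read("hostB", 0x20040)}   # same DRAM bytes, wrong key
```

Re-pointing `key_index[("hostA", 7)]` at a different index rekeys that host's range without touching the other entries in `key_table`, which is the property the two-table design provides.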
What this means for multi-tenant CXL memory security
CXL memory pooling is one of the more interesting infrastructure bets in data centers right now — it promises to reduce wasted RAM across server clusters. But pooling memory across tenants in a cloud environment is a security nightmare without strong isolation guarantees. Hardware-enforced per-host encryption at the memory controller level is a cleaner answer than software-side solutions, which can be bypassed or add latency at the OS layer.
For Samsung, this is also a product positioning play. If CXL memory modules ship with built-in multi-tenant encryption, Samsung can market them directly to hyperscalers and cloud providers who need to demonstrate compliance with data-isolation regulations — turning a standards-based component into a premium, security-differentiated SKU.
This is unglamorous but genuinely useful infrastructure work. CXL memory pooling only becomes a real cloud product when you can credibly promise tenant isolation, and doing that in hardware rather than software is the right call. Samsung is staking out important IP here before CXL adoption takes off at scale.
Editorial commentary on a publicly published patent application. Not legal advice.