Simultaneous state-based cryptographic splitting in a secure storage appliance
First Claim
1. A method of managing input/output (I/O) requests in a secure storage appliance, the method including:
- receiving a plurality of I/O requests at the secure storage appliance, each I/O request associated with a primary block of data and a volume, each volume associated with a plurality of primary data blocks, the volume being mapped to a specific subset of a plurality of physical storage devices, and the volume including a metadata store, wherein the plurality of I/O requests are thereby processed concurrently;
- storing a plurality of primary blocks of data in buffers of the secure storage appliance, each of the primary blocks of data associated with one or more of the plurality of I/O requests, wherein at least one of the buffers is a direct buffer;
- associating a state with each of the primary blocks of data, the state selected from a plurality of states associated with processing of an I/O request;
- determining an availability of a resource in the secure storage appliance, the resource used to process an I/O request of a buffer; and
- upon determining that the resource is available, applying the resource to a primary block of data in the buffer and updating the state associated with the primary block of data;
- wherein the volume is presented as a single virtual disk to clients;
- wherein the resource includes a parser driver configured to perform a cryptographic splitting operation on the primary block of data to generate a plurality of secondary data blocks;
- wherein the metadata store includes share and key information defining volumes, virtual disks and client access rights, to either process or reroute requests assigned to the failed device;
- wherein after cryptographically splitting the primary block of data into the plurality of secondary data blocks, each secondary data block is encrypted with a different session key, each secondary data block is included in a stripe of dataset;
- wherein each stripe of dataset further includes a share label, the share label is in plain text; and
- wherein each stripe of data further includes a signature identifying physical device that the stripe is stored, each stripe of data includes a header information, each stripe of data includes a virtual disk information, the signature, the header information, and the virtual disk information are encrypted with a same community of interest key.
Abstract
Methods and systems for managing I/O requests in a secure storage appliance are disclosed. One method includes receiving a plurality of I/O requests at the secure storage appliance, each I/O request associated with a block of data and a volume, each volume associated with a plurality of shares stored on a plurality of physical storage devices. The method further includes storing a plurality of blocks of data in buffers of the secure storage appliance, each of the blocks of data associated with one or more of the plurality of I/O requests. The method also includes associating a state with each of the blocks of data, the state selected from a plurality of states associated with processing of an I/O request. The method includes determining the availability of a resource in the secure storage appliance, the resource used to process an I/O request of a buffer, and, upon determining that the resource is available, applying the resource to a block of data in the buffer and updating the state associated with the block of data.
15 Claims
11. A secure storage appliance comprising:
- a plurality of buffers;
- a plurality of resources useable in processing input/output (I/O) requests;
- a programmable circuit configured to execute program instructions to:
- receive a plurality of I/O requests at the secure storage appliance, each I/O request associated with a primary block of data and a volume, each volume associated with a plurality of primary data blocks, the volume being mapped to a specific subset of a plurality of physical storage devices, and the volume including a metadata store, wherein the plurality of I/O requests are thereby processed concurrently;
- store a plurality of primary blocks of data in buffers from among the plurality of buffers, each of the primary blocks of data associated with one or more of the plurality of I/O requests, wherein at least one of the buffers is a direct buffer;
- associate a state with each of the primary blocks of data, the state selected from a plurality of states associated with processing of an I/O request;
- determine an availability of a resource from among the plurality of resources; and
- apply the resource to a primary block of data in a buffer and updating the state associated with the primary block of data upon determining that the resource is available;
- wherein the volume is presented as a virtual disk to clients;
- wherein the resource includes a parser driver configured to perform a cryptographic splitting operation on the primary block of data to generate a plurality of secondary data blocks;
- wherein the metadata store includes share and key information defining volumes, virtual disks and client access rights, to either process or reroute requests assigned to the failed device;
- wherein after cryptographically splitting the primary block of data into the plurality of secondary data blocks, each secondary data block is encrypted with a different session key, each secondary data block is included in a stripe of dataset;
- wherein each stripe of dataset further includes a share label, the share label is in plain text; and
- wherein each stripe of data further includes a signature identifying physical device that the stripe is stored, each stripe of data includes a header information, each stripe of data includes a virtual disk information, the signature, the header information, and the virtual disk information are encrypted with a same community of interest key.
Specification