Securing data using per tenant encryption keys

US 10,013,364 B1
Filed: 06/26/2015
Issued: 07/03/2018
Est. Priority Date: 06/26/2015
Status: Active Grant

First Claim

Patent Images

1. In a data storage system, a method of securing data on a set of storage drives, the method comprising:

encrypting data from a first tenant using a first tenant key to form first tenant encrypted data and storing the first tenant encrypted data on the set of storage drives;

encrypting data from a second tenant using a second tenant key to form second tenant encrypted data and storing the second tenant encrypted data on the set of storage drives, each of the first tenant and the second tenant being one of a department within an enterprise, a host computer, and a virtual machine, the first tenant being different from the second tenant, and the first tenant key and the second tenant key being per tenant keys that are different from each other; and

destroying the first tenant key to prevent the first tenant encrypted data stored on the set of storage drives from being decrypted while maintaining the second tenant key to enable decryption of the second tenant encrypted data stored on the set of storage drives,wherein the storing of the first tenant encrypted data on the set of storage drives includes;

encrypting the first tenant encrypted data using per drive encryption keys that are different from the per tenant keys to form first tenant doubly-encrypted data; and

storing the first tenant doubly-encrypted data on the set of storage drives, the data storage system including (i) processing circuitry configured to perform host input/output (I/O) operations on behalf of the first and second tenants, and (ii) I/O expansion circuitry, coupled to the processing circuitry, providing at least one additional input and output for the data storage system, andwherein the encrypting of the first tenant encrypted data using the per drive encryption keys includes;

provisioning the I/O expansion circuitry with the per drive encryption keys;

providing access to the first tenant encrypted data for the I/O expansion circuitry; and

performing the encrypting of the first tenant encrypted data within the I/O expansion circuitry to form the first tenant doubly-encrypted data using the per drive encryption keys.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment is directed to a technique which secures data on a set of storage drives of a data storage system. The technique involves encrypting data from a first tenant using a first tenant key to form first tenant encrypted data and storing the first tenant encrypted data on the set of storage drives. The technique further involves encrypting data from a second tenant using a second tenant key to form second tenant encrypted data and storing the second tenant encrypted data on the set of storage drives, the first tenant being different from the second tenant, and the first tenant key and the second tenant key being per tenant keys which are different from each other. The technique further involves destroying the first tenant key to prevent the first tenant encrypted data stored on the set of storage drives from being decrypted while maintaining the second tenant key to enable decryption of the second tenant encrypted data stored on the set of storage drives.

90 Citations

View as Search Results

16 Claims

1. In a data storage system, a method of securing data on a set of storage drives, the method comprising:
- encrypting data from a first tenant using a first tenant key to form first tenant encrypted data and storing the first tenant encrypted data on the set of storage drives;
  
  encrypting data from a second tenant using a second tenant key to form second tenant encrypted data and storing the second tenant encrypted data on the set of storage drives, each of the first tenant and the second tenant being one of a department within an enterprise, a host computer, and a virtual machine, the first tenant being different from the second tenant, and the first tenant key and the second tenant key being per tenant keys that are different from each other; and
  
  destroying the first tenant key to prevent the first tenant encrypted data stored on the set of storage drives from being decrypted while maintaining the second tenant key to enable decryption of the second tenant encrypted data stored on the set of storage drives,wherein the storing of the first tenant encrypted data on the set of storage drives includes;
  
  encrypting the first tenant encrypted data using per drive encryption keys that are different from the per tenant keys to form first tenant doubly-encrypted data; and
  
  storing the first tenant doubly-encrypted data on the set of storage drives, the data storage system including (i) processing circuitry configured to perform host input/output (I/O) operations on behalf of the first and second tenants, and (ii) I/O expansion circuitry, coupled to the processing circuitry, providing at least one additional input and output for the data storage system, andwherein the encrypting of the first tenant encrypted data using the per drive encryption keys includes;
  
  provisioning the I/O expansion circuitry with the per drive encryption keys;
  
  providing access to the first tenant encrypted data for the I/O expansion circuitry; and
  
  performing the encrypting of the first tenant encrypted data within the I/O expansion circuitry to form the first tenant doubly-encrypted data using the per drive encryption keys.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method as in claim 1 wherein the data storage system includes (i) the set of storage drives and (ii) other storage which together form computer memory to store tenant data in response to automated data placement operations;
    - andwherein storing the first tenant encrypted data on the set of storage drives includes performing an automated data placement operation which (i) selects a memory location on the set of storage drives over memory locations of the other storage and (ii) places the first tenant encrypted data in the selected memory location on the set of storage drives.
  - 3. A method as in claim 2 wherein the set of storage drives includes flash memory;
    - wherein the other storage includes volatile memory;
      
      wherein the computer memory which stores the tenant data is a host data cache formed by the flash memory and the volatile memory; and
      
      wherein performing the automated data placement operation includes caching the first tenant encrypted data in a flash memory location of the host data cache.
  - 4. A method as in claim 2 wherein the set of storage drives includes flash memory;
    - wherein the other storage includes magnetic disk drive memory;
      
      wherein the computer memory which stores the tenant data is tiered storage having a flash memory storage tier formed by the flash memory and a magnetic disk drive storage tier formed by the magnetic disk drive memory; and
      
      wherein performing the automated data placement operation includes saving the first tenant encrypted data in a flash memory location of the flash memory storage tier.
  - 5. A method as in claim 2 wherein the encrypting of the data from the first tenant using the first tenant key includes (i) provisioning the processing circuitry with the first tenant key, and (ii) inputting unencrypted first tenant data into the processing circuitry to form the first tenant encrypted data, andwherein the encrypting of the data from the second tenant using the second tenant key includes (i) provisioning the processing circuitry with the second tenant key, and (ii) inputting unencrypted second tenant data into the processing circuitry to form the second tenant encrypted data.
  - 6. A method as in claim 2 wherein the data storage system includes an offload cryptographic module coupled to the processing circuitry,wherein the encrypting of the data from the first tenant using the first tenant key includes (i) provisioning the offload cryptographic module with the first tenant key, and (ii) outputting unencrypted first tenant data from the processing circuitry into the offload cryptographic module to form the first tenant encrypted data, andwherein the encrypting of the data from the second tenant using the second tenant key includes (i) provisioning the offload cryptographic module with the second tenant key, and (ii) outputting unencrypted second tenant data from the processing circuitry into the offload cryptographic module to form the second tenant encrypted data.
  - 7. A method as in claim 2 wherein the set of storage drives includes a set of cryptographic drives,wherein the encrypting of the data from the first tenant using the first tenant key and the storing of the first tenant encrypted data include (i) provisioning the set of cryptographic drives with the first tenant key, and (ii) outputting unencrypted first tenant data from the processing circuitry into the set of cryptographic drives, andwherein the encrypting of the data from the second tenant using the second tenant key and the storing of the second tenant encrypted data include (i) provisioning the set of cryptographic drives with the second tenant key, and (ii) outputting unencrypted second tenant data from the processing circuitry into the set of cryptographic drives.
  - 8. A method as in claim 1 wherein the encrypting of the data from the first tenant using the first tenant key includes:
    - provisioning the processing circuitry with the first tenant key;
      
      inputting unencrypted first tenant data into the processing circuitry; and
      
      performing the encrypting of the data from the first tenant within the processing circuitry to form the first tenant encrypted data using the first tenant key.
  - 9. A method as in claim 1 wherein the encrypting of the data from the first tenant using the first tenant key includes:
    - provisioning the I/O expansion circuitry with the first tenant key;
      
      providing access to unencrypted first tenant data for the I/O expansion circuitry; and
      
      performing the encrypting of the data from the first tenant within the I/O expansion circuitry to form the first tenant encrypted data using the first tenant key.
  - 10. A method as in claim 9 wherein the encrypting of the data from the second tenant using the second tenant key includes:
    - provisioning the I/O expansion circuitry with the second tenant key;
      
      providing access to unencrypted second tenant data for the I/O expansion circuitry; and
      
      performing the encrypting of the data from the second tenant within the I/O expansion circuitry to form the second tenant encrypted data using the second tenant key.

11. Electronic data storage circuitry, comprising:
- a set of storage drives;
  
  memory;
  
  I/O expansion circuitry providing at least one additional input and output for the electronic data storage circuitry; and
  
  processing circuitry coupled to the set of storage drives, the memory, and the I/O expansion circuitry, the memory storing instructions that, when carried out by the processing circuitry, cause the processing circuitry to;
  
  encrypt data from a first tenant using a first tenant key to form first tenant encrypted data and store the first tenant encrypted data on the set of storage drives;
  
  encrypt data from a second tenant using a second tenant key to form second tenant encrypted data and store the second tenant encrypted data on the set of storage drives, each of the first tenant and the second tenant being one of a department within an enterprise, a host computer, and a virtual machine, the first tenant being different from the second tenant, and the first tenant key and the second tenant key being per tenant keys that are different from each other;
  
  destroy the first tenant key to prevent the first tenant encrypted data stored on the set of storage drives from being decrypted while maintaining the second tenant key to enable decryption of the second tenant encrypted data stored on the set of storage drives;
  
  encrypt the first tenant encrypted data using per drive encryption keys that are different from the per tenant keys to form first tenant doubly-encrypted data;
  
  store the first tenant doubly-encrypted data on the set of storage drives;
  
  provision the I/O expansion circuitry with the per drive encryption keys;
  
  output the first tenant encrypted data from the processing circuitry into the I/O expansion circuitry; and
  
  performing the encrypting of the first tenant encrypted data within the I/O expansion circuitry using the per drive encryption keys.
- View Dependent Claims (12, 13, 14, 15)
- - 12. Electronic data storage circuitry as in claim 11, further comprising:
    - other storage which, with the set of storage drives, forms computer memory to store tenant data in response to automated data placement operations; and
      
      wherein the processing circuitry, when storing the first tenant encrypted data on the set of storage drives includes performing an automated data placement operation which (i) selects a memory location on the set of storage drives instead of memory locations of the other storage and (ii) places the first tenant encrypted data in the selected memory location on the set of storage drives.
  - 13. Electronic data storage circuitry as in claim 12 wherein the set of storage drives includes flash memory;
    - wherein the other storage includes volatile memory;
      
      wherein the computer memory which stores the tenant data is a host data cache formed by the flash memory and the volatile memory; and
      
      wherein processing circuitry, when performing the automated data placement operation, is constructed and arranged to cache the first tenant encrypted data in a flash memory location of the host data cache.
  - 14. Electronic data storage circuitry as in claim 12 wherein the set of storage drives includes flash memory;
    - wherein the other storage includes magnetic disk drive memory;
      
      wherein the computer memory which stores the tenant data is tiered storage having a flash memory storage tier formed by the flash memory and a magnetic disk drive storage tier formed by the magnetic disk drive memory; and
      
      wherein the processing circuitry, when performing the automated data placement operation, is constructed and arranged to save the first tenant encrypted data in a flash memory location of the flash memory storage tier.
  - 15. Electronic data storage circuitry as in claim 11 wherein, after the first tenant key is destroyed to prevent the first tenant encrypted data stored on the set of storage drives from being decrypted, at least some of the first tenant encrypted data and at least some of the second tenant encrypted data reside on a common storage drive of the set of storage drives for a period of time.

16. A computer program product having a non-transitory computer readable medium that stores a set of instructions to manage data on a set of storage drives of a data storage system, the set of instructions, when carried out by computerized circuitry, causing the computerized circuitry to perform a method of:
- encrypting data from a first tenant using a first tenant key to form first tenant encrypted data and storing the first tenant encrypted data on the set of storage drives;
  
  encrypting data from a second tenant using a second tenant key to form second tenant encrypted data and storing the second tenant encrypted data on the set of storage drives, each of the first tenant and the second tenant being one of a department within an enterprise, a host computer, and a virtual machine, the first tenant being different from the second tenant, and the first tenant key and the second tenant key being per tenant keys that are different from each other; and
  
  destroying the first tenant key to prevent the first tenant encrypted data stored on the set of storage drives from being decrypted while maintaining the second tenant key to enable decryption of the second tenant encrypted data stored on the set of storage drives,wherein the storing of the first tenant encrypted data on the set of storage drives includes;
  
  encrypting the first tenant encrypted data using per drive encryption keys that are different from the per tenant keys to form first tenant doubly-encrypted data; and
  
  storing the first tenant doubly-encrypted data on the set of storage drives, the data storage system including (i) processing circuitry configured to perform host input/output (I/O) operations on behalf of the first and second tenants, and (ii) I/O expansion circuitry, coupled to the processing circuitry, providing at least one additional input and output for the data storage system, andwherein the encrypting of the first tenant encrypted data using the per drive encryption keys includes;
  
  provisioning the I/O expansion circuitry with the per drive encryption keys;
  
  outputting the first tenant encrypted data from the processing circuitry into the I/O expansion circuitry; and
  
  performing the encrypting of the first tenant encrypted data within the I/O expansion circuitry using the per drive encryption keys.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
O'Brien, Walter, Lazar, Gregory W., Dibb, Thomas
Primary Examiner(s)
Colin, Carl G
Assistant Examiner(s)
Lavelle, Gary E

Application Number

US14/751,315
Time in Patent Office

1,103 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 16/13   File access structures, e.g...

G06F 21/6218   to a system of files or obj...

G06F 2212/1052   Security improvement

G06F 2221/2143   Clearing memory, e.g. to pr...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

Securing data using per tenant encryption keys

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

90 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Securing data using per tenant encryption keys

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others