Tape drive encryption in the data path
Abstract
Implementations described and claimed herein provide encryption in the data path. In one implementation, login parameters from a primary data center are obtained. The login parameters include an identification of a destination device. An encryption key corresponding to the destination device is received. A write command including data for writing to the destination device is received from the primary data center. The data is encrypted inside a firewall of the primary data center using the encryption key. The encrypted data is routed over a data path to the destination device. As such, the data is secure during transmission over the network to the destination device.
19 Claims
1. A method for providing data path encryption, the method comprising:
- obtaining, by an encryption device, login parameters from a data source, wherein the login parameters are obtained from a request to store data of the data source that is intercepted by the encryption device, wherein the encryption device is located between the data source and a destination storage device in a firewall that contains both the encryption device and the data source;
- extracting, by the encryption device, from the login parameters a descriptor of a destination storage device to which the request was directed by the data source;
- matching, by the encryption device, the descriptor of the destination storage device to a storage device identifier in a table of discovered storage devices, the table of discovered storage devices comprising a plurality of discovered storage devices corresponding to a plurality of different encryption formats, where each discovered storage device of the plurality of discovered storage devices is configured to read data encoded in a respective encoding format of a plurality of different encoding formats that are different and distinct from the plurality of different encryption formats, the plurality of discovered storage devices comprising the destination storage device corresponding to a particular encryption format of the different encryption formats and configured to read data in a particular encoding format of the plurality of different encoding formats;
- communicating, by the encryption device, with a first key manager appliance located within the firewall, to obtain an encryption key for the destination storage device from a key management cluster, the key management cluster comprising key manager appliances sharing encryption keys among the key manager appliances, the key manager appliances comprising the first key manager appliance;
- consequent to the communicating, obtaining, by the encryption device, a shared encryption key from the key management cluster for the destination storage device, the shared encryption key to facilitate encryption in the particular encryption format of the plurality of different encryption formats that corresponds to the destination storage device;
- receiving, by the encryption device, a write command from the data source, wherein the write command includes data for writing to the destination storage device;
- encrypting, by the encryption device, the data using the shared encryption key so that the data is encrypted in the particular encryption format corresponding to the destination storage device in addition to being encoded in the particular encoding format readable by the destination storage device; and
- routing, by the encryption device, the encrypted data over a data path from the encryption device to the destination storage device.

Dependent claims: 2, 3, 4, 5, 6, 7

8. One or more non-transitory, computer-readable storage media storing computer-executable instructions for performing a computer process on a computing system, the computer process comprising:
- obtaining login parameters by an encryption device from a data source wherein the login parameters are obtained from a request to store data of the data source that is intercepted by the encryption device, wherein the encryption device is located between the data source and a destination storage device in a firewall that contains both the encryption device and the data source;
- extracting from the login parameters including a descriptor of a destination storage device;
- matching the descriptor of the destination storage device to a storage device identifier in a table of discovered storage devices, the table of discovered storage devices comprising a plurality of discovered storage devices corresponding to a plurality of different encryption formats, where each discovered storage device of the plurality of discovered storage devices is configured to read data encoded in a respective encoding format of a plurality of different encoding formats that are different and distinct from the plurality of different encryption formats, the plurality of discovered storage devices comprising the destination storage device corresponding to a particular encryption format of the different encryption formats and configured to read data in a particular encoding format of the plurality of different encoding formats;
- communicating, with a first key manager appliance located within the firewall, to obtain an encryption key for the destination storage device from a key management cluster, the key management cluster comprising key manager appliances sharing encryption keys among the key manager appliances, the key manager appliances comprising the first key manager appliance;
- consequent to the communicating, obtaining a shared encryption key from the key management cluster for the destination storage device, the shared encryption key to facilitate encryption in the particular encryption format of the plurality of different encryption formats that corresponds to the destination storage device;
- receiving a write command at the encryption device from the data source, wherein the write command includes data for writing to the destination storage device;
- encrypting the data using the shared encryption key so that the data is encrypted in the particular encryption format corresponding to the destination storage device in addition to being encoded in the particular encoding format readable by the destination storage device; and
- routing the encrypted data over a data path to the destination storage device.

Dependent claims: 9, 10, 11

12. A system for providing data path encryption, the system comprising:
- a destination storage device in communication with a data source over a network;
- a key management cluster having a plurality of key management appliances configured to generate and share encryption keys among the key management appliances, the key manager appliances comprising a first key management appliance; and
- an encryption device deployed along a data path between the destination storage device and the data source and in communication with the key management cluster, wherein the encryption device is located in a firewall that contains both the encryption device and the data source, the encryption device configured to;
  - communicate with a first key manager appliance located within the firewall to obtain a shared encryption key for the destination storage device from the key management cluster, the shared encryption key to facilitate encryption in a particular encryption format that corresponds to the destination storage device, wherein the destination storage device is identified in a table of discovered storage devices comprising a plurality of discovered storage devices corresponding to a plurality of different encryption formats, where each discovered storage device of the plurality of discovered storage devices is configured to read data encoded in a respective encoding format of a plurality of different encoding formats that are different and distinct from the plurality of different encryption formats, and the destination storage device is configured to read data in a particular encoding format of the plurality of different encoding formats;
  - encrypt, using the shared encryption key, data corresponding to a command to write the data to the destination storage device so that the data is encrypted in the particular encryption format corresponding to the destination storage device in addition to being encoded in the particular encoding format readable by the destination storage device;
  - intercept the write command from the data source intended for the destination storage device;
  - obtain login parameters from the intercepted write command to login to the destination storage device; and
  - send the data encrypted in the particular encryption format securely over the data path to the destination storage device.

Dependent claims: 13, 14, 15, 16, 17

18. A method for providing data path encryption in a computer system, the method comprising:
- intercepting an archive request from a host application of a data center of the computer system, wherein the archive request is a communication from the host application to a destination storage device for storing data at the destination storage device and the interception occurs by an encryption device of the data center, wherein the encryption device is located between the host application and the destination storage device in a firewall that contains both the encryption device and the computer system;
- extracting, by the encryption device, login information from the archive request that enables the encryption device to login to the destination storage device;
- communicating, by the encryption device with a first key manager appliance located within the firewall, to obtain an encryption key for the destination storage device from a key management cluster, the key management cluster comprising key manager appliances sharing encryption keys among the key manager appliances, the key manager appliances comprising a first key manager appliance;
- consequent to the communicating, obtaining, by the encryption device, a shared encryption key from the key management cluster for the destination storage device, the shared encryption key to facilitate encryption in a particular encryption format of a set of different encryption formats that corresponds to the destination storage device, wherein the destination storage device is identified in a table of discovered storage devices comprising a plurality of discovered storage devices corresponding to a plurality of different encryption formats, where each discovered storage device of the plurality of discovered storage devices is configured to read data encoded in a respective encoding format of a plurality of different encoding formats that are different and distinct from the plurality of different encryption formats, and the destination storage device is configured to read data in a particular encoding format of the plurality of different encoding formats;
- encrypting, by the encryption device, the data from the host application using the shared encryption key so that the data is encrypted in the particular encryption format corresponding to the destination storage device in addition to being encoded in a particular format readable by the destination storage device; and
- routing, by the encryption device, the encrypted data from the data center to the host application of the destination storage device.

Dependent claims: 19

Specification