Tape drive encryption in the data path

US 10,110,572 B2
Filed: 01/21/2015
Issued: 10/23/2018
Est. Priority Date: 01/21/2015
Status: Active Grant

First Claim

Patent Images

1. A method for providing data path encryption, the method comprising:

obtaining, by an encryption device, login parameters from a data source, wherein the login parameters are obtained from a request to store data of the data source that is intercepted by the encryption device, wherein the encryption device is located between the data source and a destination storage device in a firewall that contains both the encryption device and the data source;

extracting, by the encryption device, from the login parameters a descriptor of a destination storage device to which the request was directed by the data source;

matching, by the encryption device, the descriptor of the destination storage device to a storage device identifier in a table of discovered storage devices, the table of discovered storage devices comprising a plurality of discovered storage devices corresponding to a plurality of different encryption formats, where each discovered storage device of the plurality of discovered storage devices is configured to read data encoded in a respective encoding format of a plurality of different encoding formats that are different and distinct from the plurality of different encryption formats, the plurality of discovered storage devices comprising the destination storage device corresponding to a particular encryption format of the different encryption formats and configured to read data in a particular encoding format of the plurality of different encoding formats;

communicating, by the encryption device, with a first key manager appliance located within the firewall, to obtain an encryption key for the destination storage device from a key management cluster, the key management cluster comprising key manager appliances sharing encryption keys among the key manager appliances, the key manager appliances comprising the first key manager appliance;

consequent to the communicating, obtaining, by the encryption device, a shared encryption key from the key management cluster for the destination storage device, the shared encryption key to facilitate encryption in the particular encryption format of the plurality of different encryption formats that corresponds to the destination storage device;

receiving, by the encryption device, a write command from the data source, wherein the write command includes data for writing to the destination storage device;

encrypting, by the encryption device, the data using the shared encryption key so that the data is encrypted in the particular encryption format corresponding to the destination storage device in addition to being encoded in the particular encoding format readable by the destination storage device; and

routing, by the encryption device, the encrypted data over a data path from the encryption device to the destination storage device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Implementations described and claimed herein provide encryption in the data path. In one implementation, login parameters from a primary data center are obtained. The login parameters include an identification of a destination device. An encryption key corresponding to the destination device is received. A write command including data for writing to the destination device is received from the primary data center. The data is encrypted inside a firewall of the primary data center using the encryption key. The encrypted data is routed over a data path to the destination device. As such, the data is secure during transmission over the network to the destination device.

Citations

19 Claims

1. A method for providing data path encryption, the method comprising:
- obtaining, by an encryption device, login parameters from a data source, wherein the login parameters are obtained from a request to store data of the data source that is intercepted by the encryption device, wherein the encryption device is located between the data source and a destination storage device in a firewall that contains both the encryption device and the data source;
  
  extracting, by the encryption device, from the login parameters a descriptor of a destination storage device to which the request was directed by the data source;
  
  matching, by the encryption device, the descriptor of the destination storage device to a storage device identifier in a table of discovered storage devices, the table of discovered storage devices comprising a plurality of discovered storage devices corresponding to a plurality of different encryption formats, where each discovered storage device of the plurality of discovered storage devices is configured to read data encoded in a respective encoding format of a plurality of different encoding formats that are different and distinct from the plurality of different encryption formats, the plurality of discovered storage devices comprising the destination storage device corresponding to a particular encryption format of the different encryption formats and configured to read data in a particular encoding format of the plurality of different encoding formats;
  
  communicating, by the encryption device, with a first key manager appliance located within the firewall, to obtain an encryption key for the destination storage device from a key management cluster, the key management cluster comprising key manager appliances sharing encryption keys among the key manager appliances, the key manager appliances comprising the first key manager appliance;
  
  consequent to the communicating, obtaining, by the encryption device, a shared encryption key from the key management cluster for the destination storage device, the shared encryption key to facilitate encryption in the particular encryption format of the plurality of different encryption formats that corresponds to the destination storage device;
  
  receiving, by the encryption device, a write command from the data source, wherein the write command includes data for writing to the destination storage device;
  
  encrypting, by the encryption device, the data using the shared encryption key so that the data is encrypted in the particular encryption format corresponding to the destination storage device in addition to being encoded in the particular encoding format readable by the destination storage device; and
  
  routing, by the encryption device, the encrypted data over a data path from the encryption device to the destination storage device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the data source is associated with a primary data center and the destination storage device is a tape drive.
  - 3. The method of claim 1, further comprising:
    - receiving a read command for the data from the data source;
      
      retrieving the encrypted data from the destination storage device;
      
      receiving the encryption key for the destination storage device; and
      
      decrypting the encrypted data inside the firewall of the data source.
  - 4. The method of claim 1, further comprising:
    - discovering the destination storage device; and
      
      listing the destination storage device in the table of discovered storage devices.
  - 5. The method of claim 1, wherein the data is cached prior to encryption.
  - 6. The method of claim 1, wherein the data is encrypted using an encrypting storage device.
  - 7. The method of claim 6, wherein the encrypting storage device is a tape drive.

8. One or more non-transitory, computer-readable storage media storing computer-executable instructions for performing a computer process on a computing system, the computer process comprising:
- obtaining login parameters by an encryption device from a data source wherein the login parameters are obtained from a request to store data of the data source that is intercepted by the encryption device, wherein the encryption device is located between the data source and a destination storage device in a firewall that contains both the encryption device and the data source;
  
  extracting from the login parameters including a descriptor of a destination storage device;
  
  matching the descriptor of the destination storage device to a storage device identifier in a table of discovered storage devices, the table of discovered storage devices comprising a plurality of discovered storage devices corresponding to a plurality of different encryption formats, where each discovered storage device of the plurality of discovered storage devices is configured to read data encoded in a respective encoding format of a plurality of different encoding formats that are different and distinct from the plurality of different encryption formats, the plurality of discovered storage devices comprising the destination storage device corresponding to a particular encryption format of the different encryption formats and configured to read data in a particular encoding format of the plurality of different encoding formats;
  
  communicating, with a first key manager appliance located within the firewall, to obtain an encryption key for the destination storage device from a key management cluster, the key management cluster comprising key manager appliances sharing encryption keys among the key manager appliances, the key manager appliances comprising the first key manager appliance;
  
  consequent to the communicating, obtaining a shared encryption key from the key management cluster for the destination storage device, the shared encryption key to facilitate encryption in the particular encryption format of the plurality of different encryption formats that corresponds to the destination storage device;
  
  receiving a write command at the encryption device from the data source, wherein the write command includes data for writing to the destination storage device;
  
  encrypting the data using the shared encryption key so that the data is encrypted in the particular encryption format corresponding to the destination storage device in addition to being encoded in the particular encoding format readable by the destination storage device; and
  
  routing the encrypted data over a data path to the destination storage device.
- View Dependent Claims (9, 10, 11)
- - 9. The one or more non-transitory, computer-readable storage media of claim 8, wherein the data is cached prior to encryption.
  - 10. The one or more non-transitory, computer-readable storage media of claim 8, wherein the destination storage device is a tape drive.
  - 11. The one or more non-transitory, computer-readable storage media of claim 8, wherein the data source is associated with a primary data center and the data is encrypted inside a firewall of the primary data center.

12. A system for providing data path encryption, the system comprising:
- a destination storage device in communication with a data source over a network;
  
  a key management cluster having a plurality of key management appliances configured to generate and share encryption keys among the key management appliances, the key manager appliances comprising a first key management appliance; and
  
  an encryption device deployed along a data path between the destination storage device and the data source and in communication with the key management cluster, wherein the encryption device is located in a firewall that contains both the encryption device and the data source, the encryption device configured to;
  
  communicate with a first key manager appliance located within the firewall to obtain a shared encryption key for the destination storage device from the key management cluster, the shared encryption key to facilitate encryption in a particular encryption format that corresponds to the destination storage device, wherein the destination storage device is identified in a table of discovered storage devices comprising a plurality of discovered storage devices corresponding to a plurality of different encryption formats, where each discovered storage device of the plurality of discovered storage devices is configured to read data encoded in a respective encoding format of a plurality of different encoding formats that are different and distinct from the plurality of different encryption formats, and the destination storage device is configured to read data in a particular encoding format of the plurality of different encoding formats;
  
  encrypt, using the shared encryption key, data corresponding to a command to write the data to the destination storage device so that the data is encrypted in the particular encryption format corresponding to the destination storage device in addition to being encoded in the particular encoding format readable by the destination storage device;
  
  intercept the write command from the data source intended for the destination storage device;
  
  obtain login parameters from the intercepted write command to login to the destination storage device; and
  
  send the data encrypted in the particular encryption format securely over the data path to the destination storage device.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The system of claim 12, wherein the destination storage device is a tape drive.
  - 14. The system of claim 12, wherein the encryption device is an encrypting storage device.
  - 15. The system of claim 14, wherein the encrypting storage device is a tape drive.
  - 16. The system of claim 12, wherein the data source is associated with a primary data center and the encryption device is deployed along the data path inside a firewall of the primary data center.
  - 17. The system of claim 12, wherein the destination storage device is a remote storage device hosted in a cloud computing infrastructure.

18. A method for providing data path encryption in a computer system, the method comprising:
- intercepting an archive request from a host application of a data center of the computer system, wherein the archive request is a communication from the host application to a destination storage device for storing data at the destination storage device and the interception occurs by an encryption device of the data center, wherein the encryption device is located between the host application and the destination storage device in a firewall that contains both the encryption device and the computer system;
  
  extracting, by the encryption device, login information from the archive request that enables the encryption device to login to the destination storage device;
  
  communicating, by the encryption device with a first key manager appliance located within the firewall, to obtain an encryption key for the destination storage device from a key management cluster, the key management cluster comprising key manager appliances sharing encryption keys among the key manager appliances, the key manager appliances comprising a first key manager appliance;
  
  consequent to the communicating, obtaining, by the encryption device, a shared encryption key from the key management cluster for the destination storage device, the shared encryption key to facilitate encryption in a particular encryption format of a set of different encryption formats that corresponds to the destination storage device, wherein the destination storage device is identified in a table of discovered storage devices comprising a plurality of discovered storage devices corresponding to a plurality of different encryption formats, where each discovered storage device of the plurality of discovered storage devices is configured to read data encoded in a respective encoding format of a plurality of different encoding formats that are different and distinct from the plurality of different encryption formats, and the destination storage device is configured to read data in a particular encoding format of the plurality of different encoding formats;
  
  encrypting, by the encryption device, the data from the host application using the shared encryption key so that the data is encrypted in the particular encryption format corresponding to the destination storage device in addition to being encoded in a particular format readable by the destination storage device; and
  
  routing, by the encryption device, the encrypted data from the data center to the host application of the destination storage device.
- View Dependent Claims (19)
- - 19. The method of claim 18, wherein the computer system includes multiple data centers and at least one destination storage device, and wherein each data center and the destination storage device includes a respective host application and a respective encryption device such that the respective encryption devices communicate with each other and share the encryption keys for each respective host application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Hostetter, David
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Baum, Ronald

Application Number

US14/601,479
Publication Number

US 20160212107A1
Time in Patent Office

1,371 Days
Field of Search

713153
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

H04L 63/02   for separating internal fro...

H04L 63/0471   applying encryption by an i...

H04L 63/06   for supporting key manageme...

H04L 63/062   for key distribution, e.g. ...

Tape drive encryption in the data path

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Tape drive encryption in the data path

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links