Content aware hierarchical encryption for secure storage systems
First Claim
1. A computer-implemented method for accessing data objects of a storage system, the method comprising:
- in response to a request received from a client for retrieving a data object stored in a storage system, obtaining a root key from the request, the data object being represented by metadata in a hierarchical structure having a plurality of levels, each level having a plurality of nodes and each node being one of a root node, a leaf node and an intermediate node, wherein each intermediate node or leaf node is encrypted using an encryption key, wherein the encryption key is stored together with content of a parent node, and is further encrypted together with the content of the parent node by a parent key of the parent node;
- traversing the hierarchical structure of metadata associated with the data object in a top-down approach to decrypt each of a plurality of nodes in the hierarchical structure using a key provided from its parent node, starting from the root node to the leaf nodes, including decrypting the root node using the root key; and
- transmitting decrypted data associated with the plurality of nodes to the client.
Abstract
In one embodiment, in response to a request received from a client for retrieving a data object stored in a storage system, a root key is obtained from the request. The data object is represented by metadata in a hierarchical structure having a plurality of levels. Each level includes a plurality of nodes, and each node is one of a root node, a leaf node and an intermediate node. The hierarchical structure of metadata associated with the data object is traversed in a top-down approach to decrypt each of a plurality of nodes in the hierarchical structure using a key provided from its parent node, starting from the root node to the leaf nodes, including decrypting the root node using the root key. Decrypted data associated with the plurality of nodes is transmitted to the client.
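The scheme in claim 1 and the abstract, as an added Python sketch (not code from the patent): each node's key is stored inside its parent's plaintext and sealed with the parent's key, so only the root key has to come from the client. The HMAC-SHA256 stream-plus-tag routine is a standard-library stand-in for an authenticated cipher such as AES-GCM, and the node ids, JSON layout and function names are assumptions.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # Keystream from HMAC-SHA256 in counter mode (stand-in cipher, an assumption).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    # Encrypt, then authenticate nonce and ciphertext so a wrong key is detected.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered node")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def store_tree(node, key, store):
    """Encrypt `node` under `key`; each child's fresh key is sealed inside the parent."""
    refs = []
    for child in node.get("children", []):
        child_key = os.urandom(32)
        store_tree(child, child_key, store)
        refs.append({"id": child["id"], "key": child_key.hex()})
    body = json.dumps({"content": node["content"], "children": refs}).encode()
    store[node["id"]] = seal(key, body)

def retrieve(store, root_id, root_key):
    """Top-down traversal: the root key opens the root, each node yields its children's keys."""
    out, stack = [], [(root_id, root_key)]
    while stack:
        node_id, key = stack.pop()
        body = json.loads(open_(key, store[node_id]))
        out.append((node_id, body["content"]))
        stack.extend((c["id"], bytes.fromhex(c["key"])) for c in reversed(body["children"]))
    return out

# Constructed sample: root node -> one intermediate node -> two leaf nodes.
TREE = {"id": "root", "content": "file.meta", "children": [
    {"id": "L1", "content": "segment-index", "children": [
        {"id": "leaf-a", "content": "chunk A"}, {"id": "leaf-b", "content": "chunk B"}]}]}
```

Because a child key exists only inside its parent's ciphertext, a failed authentication check on any node makes the whole subtree beneath it unreadable, which is why the traversal raises instead of skipping the node.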
21 Claims
1. A computer-implemented method for accessing data objects of a storage system, the method comprising:
- in response to a request received from a client for retrieving a data object stored in a storage system, obtaining a root key from the request, the data object being represented by metadata in a hierarchical structure having a plurality of levels, each level having a plurality of nodes and each node being one of a root node, a leaf node and an intermediate node, wherein each intermediate node or leaf node is encrypted using an encryption key, wherein the encryption key is stored together with content of a parent node, and is further encrypted together with the content of the parent node by a parent key of the parent node;
- traversing the hierarchical structure of metadata associated with the data object in a top-down approach to decrypt each of a plurality of nodes in the hierarchical structure using a key provided from its parent node, starting from the root node to the leaf nodes, including decrypting the root node using the root key; and
- transmitting decrypted data associated with the plurality of nodes to the client.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations of accessing data objects of a storage system, the operations comprising:
- in response to a request received from a client for retrieving a data object stored in a storage system, obtaining a root key from the request, the data object being represented by metadata in a hierarchical structure having a plurality of levels, each level having a plurality of nodes and each node being one of a root node, a leaf node and an intermediate node, wherein each intermediate node or leaf node is encrypted using an encryption key, wherein the encryption key is stored together with content of a parent node, and is further encrypted together with the content of the parent node by a parent key of the parent node;
- traversing the hierarchical structure of metadata associated with the data object in a top-down approach to decrypt each of a plurality of nodes in the hierarchical structure using a key provided from its parent node, starting from the root node to the leaf nodes, including decrypting the root node using the root key; and
- transmitting decrypted data associated with the plurality of nodes to the client.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A storage system, comprising:
- a processor; and
- a memory coupled to the processor for storing instructions, which when executed from the memory, cause the processor to perform operations of accessing data objects, the operations including in response to a request received from a client for retrieving a data object stored in the storage system, obtaining a root key from the request, the data object being represented by metadata in a hierarchical structure having a plurality of levels, each level having a plurality of nodes and each node being one of a root node, a leaf node and an intermediate node, wherein each intermediate node or leaf node is encrypted using an encryption key, wherein the encryption key is stored together with content of a parent node, and is further encrypted together with the content of the parent node by a parent key of the parent node, traversing the hierarchical structure of metadata associated with the data object in a top-down approach to decrypt each of a plurality of nodes in the hierarchical structure using a key provided from its parent node, starting from the root node to the leaf nodes, including decrypting the root node using the root key, and transmitting decrypted data associated with the plurality of nodes to the client.
Dependent claims: 16, 17, 18, 19, 20, 21
Specification