Filekey access to data
First Claim
1. A method for performing an operation for data objects associated with an owner in a computing system, the method comprising:
generating a key from an unencrypted data object during the operation;
encrypting the unencrypted data object with the key to generate an encrypted data object;
generating a fingerprint of the encrypted data object;
encrypting the key with different access keys to generate access codes, wherein each of the access keys is a private key that is associated with a different public key, wherein each access code corresponds to one of the access keys, wherein the access codes are each associated with a different user, wherein the access codes are different and are configured to allow the owner of the data object to control which users associated with the owner are allowed to access the data object on an individual user basis, and wherein the access codes are associated with the fingerprint and allow the encrypted data object to be accessed using the access code to be identified;
storing the encrypted data objects in a tree-type structure that includes multiple levels of blocks, wherein higher levels of the tree-type structure point to lower levels of the tree-type structure, wherein the higher levels include the encrypted keys needed to unlock lower levels and fingerprints, wherein each of the access codes allows a chain of blocks in the tree-type structure to be decrypted, wherein each block in the chain is encrypted with a different key and, as each block in the chain is decrypted, the key to decrypt the next block in the chain is obtained, and wherein each of the data objects is associated with a different key; and
allowing a group that is separate from the owner access to at least one of the data objects by generating an access code using a public key associated with the group, wherein members of the group access the at least one of the data objects using a private key associated with the group.
Dependent claims: 2, 3, 4, 5, 6, 7.
Abstract
Systems and methods for backing up data are provided. Data objects or blocks of data can be encrypted with individualized keys. The keys are generated from the unencrypted data objects or blocks. The encrypted data objects or blocks and fingerprints of the encrypted data objects or blocks can be uploaded to a datacenter. Even though the data objects or blocks are encrypted, deduplication can be performed by the datacenter or before the data object is uploaded to the datacenter. In addition, access can be controlled by encrypting the key used to encrypt the data object with access keys to generate one or more access codes. The key to decrypt the encrypted data object is obtained by decrypting the access code.
18 Claims
8. A method for uploading data associated with an owner, the method comprising:
encrypting a plurality of data objects with different keys, wherein each key is deterministically derived from a corresponding data object and wherein each of the data objects is associated with a different key;
determining a plurality of fingerprints deterministically from the encrypted data objects;
generating one or more access codes using a different access key for each access code, wherein each of the access keys is a private key that is associated with a different public key, wherein each access code corresponds to a different encrypted key, wherein each of the access codes is different from the others and corresponds to a different user, and wherein the access codes allow the owner of the data objects to control which of the data objects can be accessed by the different users associated with the owner on an individual basis;
uploading the encrypted data objects, the one or more access codes and the fingerprints to a datacenter, wherein access to an encrypted data object is achieved by decrypting one of the access codes associated with the encrypted data object to obtain the corresponding key, and wherein the datacenter is unable to view the unencrypted data objects in the clear;
encrypting updates to the plurality of data objects with the same keys used to encrypt the plurality of data objects, wherein the access codes can be used to access the updates to the plurality of data objects, and wherein the updates comprise data objects that include changes to the plurality of data objects;
storing the encrypted data objects in a tree-type structure that includes multiple levels, wherein higher levels of the tree-type structure point to lower levels of the tree-type structure, wherein the higher levels include the encrypted keys needed to unlock lower levels and fingerprints, wherein each of the access codes allows a chain of blocks in the tree-type structure to be decrypted, wherein each block in the chain is encrypted with a different key and, as each block in the chain is decrypted, the key to decrypt the next block in the chain is obtained, and wherein each of the data objects is associated with a different key; and
allowing a group that is separate from the owner access to at least one of the data objects by generating an access code using a public key associated with the group, wherein members of the group access the at least one of the data objects using a private key associated with the group.
Dependent claims: 9, 10, 11.
12. A non-transitory computer readable medium that includes computer readable instructions that, when executed by a processor, perform a method for uploading data objects associated with an owner, the method including:
generating a key from an unencrypted data object being uploaded during an operation;
encrypting the unencrypted data object with the key to generate an encrypted data object;
generating a fingerprint of the encrypted data object;
encrypting the key with one or more different access keys to generate one or more different access codes, wherein each of the one or more different access keys is a private key that is associated with a different public key, wherein the access codes are each associated with a different user, and wherein the access codes are all different from each other and are configured to allow the owner of the data object to control which users associated with the owner are allowed to access the data object on an individual user basis;
controlling access to the unencrypted data object based on the access codes, wherein only users having both one of the access codes and a corresponding access key are able to decrypt the key necessary to decrypt the encrypted data object;
generating a new key for an update to the unencrypted data object being uploaded during a subsequent operation, wherein the same access keys are used to encrypt the new key and result in new access codes, and wherein accessing the updates and the unencrypted data object requires the access codes and the new access codes;
storing the encrypted data objects in a tree-type structure that includes multiple levels, wherein higher levels of the tree-type structure point to lower levels of the tree-type structure, wherein the higher levels include the encrypted keys needed to unlock lower levels and fingerprints or data objects, wherein a lowest level includes data blocks of at least the data object, wherein each of the access codes allows a chain of blocks in the tree-type structure to be decrypted, wherein each block in the chain is encrypted with a different key and, as each block in the chain is decrypted, the key to decrypt the next block in the chain is obtained, and wherein each of the data objects is associated with a different key; and
allowing a group that is separate from the owner access to at least one of the data objects by generating an access code using a public key associated with the group, wherein members of the group access the at least one of the data objects using a private key associated with the group.
Dependent claims: 13, 14, 15, 16, 17, 18.
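The following Go program is an added illustration of the scheme the claims above describe; it is not code from the patent or from any product. The convergent key is SHA-256 of the plaintext, objects are sealed with AES-256-GCM, the fingerprint is SHA-256 of the ciphertext, an access code is the object key wrapped with RSA-OAEP under one user's or group's public key (with the fingerprint as the OAEP label), and a directory block carrying (key || fingerprint) records stands in for one level of the claimed tree. The cipher choices, the key-derived nonce and the 64-byte record layout are assumptions of this example; the claims fix none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// sha returns SHA-256 of b as a slice.
func sha(b []byte) []byte {
	d := sha256.Sum256(b)
	return d[:]
}
// aead: AES-256-GCM under a convergent key. A key-derived nonce is acceptable only because each key is derived from, and only ever encrypts, one plaintext; the nonce is recomputed, never stored.
func aead(key []byte) (cipher.AEAD, []byte) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm, sha(append([]byte("nonce|"), key...))[:gcm.NonceSize()]
}
// encryptObject: key = SHA-256(plaintext), fingerprint = SHA-256(ciphertext). Deterministic throughout, so repeated uploads of one object collide on the fingerprint and the datacenter deduplicates without any key.
func encryptObject(plain []byte) (key, ct, fp []byte) {
	key = sha(plain)
	gcm, nonce := aead(key)
	ct = gcm.Seal(nil, nonce, plain, nil)
	return key, ct, sha(ct)
}
func decryptObject(key, ct []byte) ([]byte, error) {
	gcm, nonce := aead(key)
	return gcm.Open(nil, nonce, ct, nil)
}
// makeAccessCode wraps an object key under one user's or group's RSA public key; the fingerprint is the OAEP label, binding the code to the block it unlocks, and only the matching private key recovers the key.
func makeAccessCode(pub *rsa.PublicKey, key, fp []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, fp)
}
// readChain: a directory block is a list of 64-byte (child key || child fingerprint) records encrypted like any other object, so one access code for the directory key unlocks every block in the chain below it.
func readChain(store map[string][]byte, priv *rsa.PrivateKey, code, dirFP []byte) ([][]byte, error) {
	dirKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, code, dirFP)
	if err != nil {
		return nil, err
	}
	dir, err := decryptObject(dirKey, store[string(dirFP)])
	var leaves [][]byte
	for i := 0; err == nil && i+64 <= len(dir); i += 64 {
		p, e := decryptObject(dir[i:i+32], store[string(dir[i+32:i+64])]) // parent record yields child key
		leaves, err = append(leaves, p), e
	}
	return leaves, err
}
```

The store map plays the datacenter: it holds only ciphertext keyed by fingerprint, so it can detect a duplicate fingerprint but never sees a key or a plaintext.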