Secure data replication in a storage grid

US 10,691,812 B2
Filed: 11/03/2017
Issued: 06/23/2020
Est. Priority Date: 07/03/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

twice-encrypting data, first by a first key that is generated from an external secret and a second key that is shared by a plurality of storage clusters of a storage grid to produce once encrypted data, and second by the second key to produce twice encrypted data;

storing the twice-encrypted data in one of the plurality of storage clusters;

replicating the twice-encrypted data from the once encrypted data; and

storing the replicated twice-encrypted data at a further one of the plurality of storage clusters.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for securing data in a storage grid is provided. The method includes generating a storage key from key shares of at least two storage clusters of a storage grid having at least three storage clusters and generating a grid key from the storage key and an external secret. The method includes encrypting data with the grid key to yield once encrypted data and encrypting the once encrypted data with the storage key to yield twice encrypted data. The method includes storing the twice encrypted data in a first storage cluster of the storage grid and storing the twice encrypted data in a second storage cluster of the storage grid, wherein at least one method operation is performed by a processor.

Citations

20 Claims

1. A method, comprising:
- twice-encrypting data, first by a first key that is generated from an external secret and a second key that is shared by a plurality of storage clusters of a storage grid to produce once encrypted data, and second by the second key to produce twice encrypted data;
  
  storing the twice-encrypted data in one of the plurality of storage clusters;
  
  replicating the twice-encrypted data from the once encrypted data; and
  
  storing the replicated twice-encrypted data at a further one of the plurality of storage clusters.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - generating the second key from key shares of two or more of the plurality of storage clusters, wherein the plurality of storage clusters comprises at least three storage clusters.
  - 3. The method of claim 1, further comprising:
    - sending the once-encrypted data from the one of the plurality of storage clusters to the further one of the plurality of storage clusters, wherein the replicating the twice-encrypted data is based on the once-encrypted data received by the further one of the plurality of storage clusters.
  - 4. The method of claim 1, wherein the replicating the twice-encrypted data comprises:
    - receiving, at the further one of the plurality of storage clusters, once-encrypted data comprising data encrypted by the first key;
      
      generating the second key from key shares obtained from at least two of the plurality of storage clusters; and
      
      encrypting the once-encrypted data with the second key, to produce the twice-encrypted data at the further one of the plurality of storage clusters.
  - 5. The method of claim 1, further comprising:
    - acknowledging, from the further one of the plurality of storage clusters, that the replicated twice-encrypted data is stored; and
      
      acknowledging, from the one of the plurality of storage clusters to a client, responsive to the storing the twice-encrypted data and the acknowledging that the replicated twice-encrypted data is stored.
  - 6. The method of claim 1, further comprising:
    - twice-decrypting the twice-encrypted data, first by the second key or a re-generated second key, and second by the first key or a re-generated grid key.
  - 7. The method of claim 1, further comprising:
    - twice-decrypting the twice-encrypted data, with a first decrypting at the further one of the plurality of storage clusters and a second decrypting at the one of the plurality of storage clusters.

8. A tangible, non-transitory, computer-readable media having instructions thereupon which, when executed by processors in a storage grid, cause the processors to perform a method comprising:
- encrypting data, with a first encryption by a first key that is generated from an external secret and a second key that is shared by a plurality of storage clusters of the storage grid to produce once encrypted data, and a second encryption by the second key to produce twice-encrypted data;
  
  storing, in a first one of a plurality of storage clusters of the storage grid, the twice-encrypted data;
  
  replicating the twice-encrypted data from the once encrypted data; and
  
  storing, in a second one of the plurality of storage clusters, the replicated twice-encrypted data.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computer-readable media of claim 8, wherein the method further comprises:
    - obtaining key shares from two or more of the plurality of storage clusters, wherein the plurality of storage clusters of the storage grid comprises at least three storage clusters; and
      
      generating the second key from the key shares, at the first one of the plurality of storage clusters.
  - 10. The computer-readable media of claim 8, wherein the method further comprises:
    - sending once-encrypted data, produced by the first encryption by the first key, from the first one of the plurality of storage clusters to the second one of the plurality of storage clusters, wherein the replicating the twice-encrypted data is based on the once-encrypted data received by the second one of the plurality of storage clusters.
  - 11. The computer-readable media of claim 8, wherein the replicating the twice-encrypted data comprises:
    - sending once-encrypted data from the first encryption by the first key, from the first one of the plurality of storage clusters to the second one of the plurality of storage clusters;
      
      generating, at the second one of the plurality of storage clusters, the second key from key shares obtained from at least two of the plurality of storage clusters; and
      
      encrypting, at the second one of the plurality of storage clusters, the once-encrypted data with the second key, to produce the twice-encrypted data.
  - 12. The computer-readable media of claim 8, wherein the method further comprises:
    - sending acknowledgment, from the second one of the plurality of storage clusters to the first one of the plurality of storage clusters, that the replicated twice-encrypted data is stored; and
      
      sending acknowledgment, from the first one of the plurality of storage clusters to a client, responsive to having stored the twice-encrypted data and the acknowledgment that the replicated twice-encrypted data is stored.
  - 13. The computer-readable media of claim 8, wherein the method further comprises:
    - decrypting the twice-encrypted data, with a first decryption by the second key or a re-generated second key, and a second decryption by the first key or a re-generated first key, to produce unencrypted data.

14. A storage grid, comprising:
- three or more storage clusters configurable to cooperate as the storage grid and to share a second key;
  
  one of the storage clusters configurable to twice-encrypt data, with first encryption by a first key that is based on an external secret and the second key to produce once encrypted data, and second encryption by the second key, and store the twice-encrypted data; and
  
  a further one of the storage clusters configurable to replicate the twice-encrypted data from the once encrypted data, in cooperation with the one of the storage clusters, and store the replicated twice-encrypted data.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The storage grid of claim 14, wherein the three or more storage clusters configurable to share a storage key comprises:
    - each of the three or more storage clusters configurable hold a key share and to generate the second key from key shares of two or more of the storage clusters.
  - 16. The storage grid of claim 14, further comprising:
    - the one of the storage clusters configurable to send once-encrypted data to the further one of the storage clusters, wherein the once-encrypted data is produced by the first encryption by the first key, and wherein to replicate the twice-encrypted data in cooperation with the one of the storage clusters is based on the once-encrypted data received by the further one of the storage clusters.
  - 17. The storage grid of claim 14, wherein the further one of the storage clusters configurable to replicate the twice-encrypted data comprises:
    - the further one of the storage clusters configurable to generate the second key from key shares of at least two of the storage clusters; and
      
      the further one of the storage clusters configurable to encrypt once-encrypted data, received from the one of the storage clusters, with the second key, to produce the twice-encrypted data.
  - 18. The storage grid of claim 14, further comprising:
    - the further one of the storage clusters configurable to acknowledge, to the one of the storage clusters, that the replicated twice-encrypted data is stored; and
      
      the one of the storage clusters configurable to acknowledge to a client, responsive to the twice-encrypted data and the replicated twice-encrypted data being stored.
  - 19. The storage grid of claim 14, further comprising:
    - at least the one of the storage clusters configurable to twice-decrypt the twice-encrypted data, with a first decryption by the second key or a re-generated second key, and a second decryption by the first key or a re-generated first key.
  - 20. The storage grid of claim 14, further comprising:
    - the further one of the storage clusters configurable to perform a first decrypting of the replicated twice-encrypted data, using the second key or a re-generated second key, to reproduce first-encrypted data; and
      
      the one of the storage clusters configurable to perform a second decrypting of the replicated twice-encrypted data, using the first key or a re-generated first key on the first-encrypted data, to produce unencrypted data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Pure Storage, Inc.
Inventors
Botes, Par, Hayes, John, Miller, Ethan
Primary Examiner(s)
Tran, Tri M

Application Number

US15/803,613
Publication Number

US 20180144143A1
Time in Patent Office

963 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 21/78   to assure secure storage of...

H04L 9/0861   Generation of secret inform...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

Secure data replication in a storage grid

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure data replication in a storage grid

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links