Encryption/decryption management method in computer system having storage hierarchy
Abstract
When a computer system including a data storage apparatus having a data storage area storing encrypted data is modified to have plural encryption/decryption units, a computer cannot use the encrypted data storage area correctly unless the access path through those encryption/decryption units is properly determined.
In a computer system having a computer 10, two or more data storage apparatuses 100 and 200 arranged hierarchically, plural encryption/decryption modules 199 and 299 on a path between the computer 10 and a data storage area 101, and a management computer 500 for managing the data storage apparatuses and the like, if there is an interoperability between the encryption/decryption modules 199 and 299 and the data storage area 101 is encrypted by the first encryption/decryption module 199, the computer 10 accesses the data storage area 101 using the second encryption/decryption module 299 (or an n-th encryption/decryption module closer to the computer than the second encryption/decryption module), rather than the first encryption/decryption module.
62 Citations
18 Claims
1. An encryption/decryption management method for a computer system, the computer system having:
one or more computers;
a data storage apparatus having at least one data storage area for said computer to store data; and
a first encryption/decryption section closer to said data storage area and a second encryption/decryption section closer to said computer, the first encryption/decryption section and the second encryption/decryption section being located on a path for said computer to access said storage area and having an encryption/decryption algorithm for encrypting data to be stored in said data storage area and decrypting encrypted data from said data storage area, and there being an interoperability between the first encryption/decryption section and the second encryption/decryption section, the encryption/decryption management method comprising:
a step of said computer accessing said data storage area using the second encryption/decryption section, rather than the first encryption/decryption section, if said computer is to write encrypted data to the data storage area; and
a step of said computer accessing said data storage area via the second encryption/decryption section, without using the first encryption/decryption section, if data encrypted by said first encryption/decryption section is stored in said data storage area and said computer is to access the encrypted data in said data storage area.
Dependent claims: 2, 3, 4, 5
6. A computer system, comprising:
one or more computers;
a first data storage apparatus that has at least one data storage area for said computer to store data; and
a second data storage apparatus that is located between said computer and said first data storage apparatus, said computer, said first data storage apparatus and said second data storage apparatus being connected to each other via a network, wherein said second data storage apparatus provides a data storage area of said first data storage apparatus as an area to be accessed by the computer as if the area of the first data storage apparatus is a data storage area of the second data storage apparatus, said first data storage apparatus has a first encryption/decryption section, and said second data storage apparatus has a second encryption/decryption section, and if there is an interoperability between the first encryption/decryption section and the second encryption/decryption section, said computer accesses said data storage area using the second encryption/decryption section, rather than the first encryption/decryption section, if said computer is to write encrypted data to the data storage area; and
said computer accesses the data storage area of said first data storage apparatus via the second encryption/decryption section, rather than the first encryption/decryption section, if data encrypted by said first encryption/decryption section is stored in the data storage area of the first data storage apparatus and said computer is to access the encrypted data in the data storage area of the first data storage apparatus.
Dependent claims: 7, 8, 9, 10
11. A second data storage apparatus that is located between one or more computers and a first data storage apparatus that has at least one data storage area for said computers to store data,
wherein said second data storage apparatus provides a data storage area of said first data storage apparatus as an area to be accessed by the computer as if the area of the first data storage apparatus is a data storage area of the second data storage apparatus, said first data storage apparatus has a first encryption/decryption section, and said second data storage apparatus has a second encryption/decryption section, and if there is no interoperability between the first encryption/decryption section and the second encryption/decryption section, said second data storage apparatus selects a data storage area that stores data encrypted by the first encryption/decryption section from the first data storage apparatus, said second data storage apparatus reads the data from the selected data storage area by decrypting the data using the first encryption/decryption section, and said second data storage apparatus encrypts the read data using the second encryption/decryption section.
15. A management computer in a computer system that comprises a computer, a first data storage apparatus, a first encryption/decryption section, a second data storage apparatus, a second encryption/decryption section, and the management computer, in which said second data storage apparatus is connected to said computer and is hierarchically connected to said first data storage apparatus,
wherein said management computer has:
a path information acquisition section that acquires path information about a data storage area used by said computer;
a data storage area encrypted status acquisition section that acquires information about the encryption/decryption algorithm used for a data storage area of an end data storage apparatus (data storage area encrypted status information);
an encryption/decryption algorithm acquisition section that acquires information about the encryption/decryption algorithm supported by the encryption/decryption section of each data storage apparatus (supported encryption/decryption algorithm information); and
an encryption/decryption configuration section that chooses whether or not to use the encryption/decryption section of each data storage apparatus based on the acquired path information, data storage area encrypted status information, and supported encryption/decryption algorithm information.
16. A management computer in a computer system that comprises one or more computers, a first data storage apparatus that has at least one data storage area for said computer to store data and a first encryption/decryption section, a second data storage apparatus that has a second encryption/decryption section and is located between said computer and said first data storage apparatus, and a management computer that manages said first data storage apparatus and said second data storage apparatus,
wherein said second data storage apparatus provides a data storage area of said first data storage apparatus as an area to be accessed by the computer as if the area of the first data storage apparatus is a data storage area of the second data storage apparatus, and if there is no interoperability between said first encryption/decryption section and said second encryption/decryption section, said management computer performs management in such a manner that a data storage area that stores data encrypted by the first encryption/decryption section is selected from the first data storage apparatus, the data is read from the selected data storage area by decrypting the data using the first encryption/decryption section and the read data is encrypted using the second encryption/decryption section.
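The path selection described in the abstract and in claims 1, 11 and 16, modelled as an added example (not code from the patent): given the algorithm a data storage area was encrypted with and the algorithms each section supports, the computer uses the section closer to it and bypasses the first section when the two interoperate; otherwise the area is read through the first section and re-encrypted by the second before the bypass is configured. The toy cipher, the key-per-algorithm dictionary and the rule that interoperability means the second section holds the same algorithm and key are assumptions of this model.

```python
import hashlib
from dataclasses import dataclass

def toy_xor_cipher(key: bytes, data: bytes) -> bytes:
    """Symmetric stand-in for a real cipher (SHA-256 counter keystream XOR).
    Encrypt and decrypt are the same operation; for illustration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


@dataclass
class Section:
    """One encryption/decryption section; keys maps algorithm name -> key.
    Model assumption: the section closer to the computer is interoperable
    with the other when it holds the algorithm and key the data was stored with."""
    name: str
    keys: dict

    def algorithms(self) -> frozenset:
        return frozenset(self.keys)

    def encrypt(self, alg: str, data: bytes) -> bytes:
        return toy_xor_cipher(self.keys[alg], data)

    def decrypt(self, alg: str, data: bytes) -> bytes:
        return toy_xor_cipher(self.keys[alg], data)


def configure_access(area_alg, first: Section, second: Section):
    """Pick the section the computer uses for one data storage area
    (area_alg: algorithm of the stored data, None if nothing stored yet).
    Returns (section_to_use, needs_reencryption)."""
    if area_alg is None or area_alg in second.algorithms():
        # New writes, or stored data the second section can read: use the
        # section closer to the computer and bypass the first one.
        return second, False
    # No interoperability: the area must be converted before the bypass works.
    return second, True


def reencrypt_area(stored: bytes, area_alg: str, first: Section,
                   second: Section, new_alg: str):
    """Read the area through the first section (decrypt) and write it back
    encrypted by the second; returns (new_ciphertext, new_alg)."""
    plaintext = first.decrypt(area_alg, stored)
    return second.encrypt(new_alg, plaintext), new_alg
```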