×

Computer system, storage system, and data management method for updating encryption key

  • US 20080260159A1
  • Filed: 01/18/2008
  • Published: 10/23/2008
  • Est. Priority Date: 04/18/2007
  • Status: Active Grant
First Claim
Patent Images

1. A computer system comprising:

  • a host computer system that processes data;

    a storage system that comprises a volume accessible through specification of a series of block addresses from the host computer system via a network;

    a host encryption controller that, on the host computer system end of the network on an access path leading from the host computer system to the volume via the network, controls encryption and decryption of data passing over the access path; and

    a volume management controller that, in the storage system, manages data stored in the volume;

    wherein the host encryption controller includes;

    a host key data memory for storing key data to be used in encryption and decryption of data;

    a host encryption unit that, when write-data to be written to the volume in response to a write command issued from the host computer system to the storage system is transferred from the host computer system to the volume via the network, encrypts the write-data using the key data stored in the host key data memory, before transferring the write-data over the network;

    a host decryption unit that, when read-data to be read from the volume in response to a read command issued from the host computer system to the storage system is transferred from the volume to the host computer system via the network, decrypts the read-data using the key data stored in the host key data memory, after transferring the read-data over the network;

    a rekeying unit that changes the key data stored in the host key data memory from first key data to second key data; and

    a rekey command transmission unit that, when the rekeying unit changes the key data stored in the host key data memory to second key data, transmits to the volume management controller a rekey command containing the first and second key data; and

    the volume management controller includes;

    a rekey command reception unit that receives the rekey command transmitted by the rekey command transmission unit;

    a volume key data memory for storing the first and second key data contained in the rekey command received by the rekey command reception unit;

    a conversion read unit that, when the rekey command reception unit receives the transmitted rekey command, reads out data encrypted with the first key data from an original block address in the volume;

    a conversion decryption unit that, using the first key data stored in the volume key data memory, decrypts the data read out by the conversion read unit;

    a conversion encryption unit that, using the second key data stored in the volume key data memory, encrypts the data decrypted by the conversion decryption unit; and

    a conversion write unit that writes the data encrypted with the second key data by the conversion encryption unit, to the original block address.

View all claims
  • 1 Assignment
Timeline View
Assignment View
    ×
    ×