Computer system, storage system, and data management method for updating encryption key

US 20080260159A1
Filed: 01/18/2008
Published: 10/23/2008
Est. Priority Date: 04/18/2007
Status: Active Grant

First Claim

Patent Images

1. A computer system comprising:

a host computer system that processes data;

a storage system that comprises a volume accessible through specification of a series of block addresses from the host computer system via a network;

a host encryption controller that, on the host computer system end of the network on an access path leading from the host computer system to the volume via the network, controls encryption and decryption of data passing over the access path; and

a volume management controller that, in the storage system, manages data stored in the volume;

wherein the host encryption controller includes;

a host key data memory for storing key data to be used in encryption and decryption of data;

a host encryption unit that, when write-data to be written to the volume in response to a write command issued from the host computer system to the storage system is transferred from the host computer system to the volume via the network, encrypts the write-data using the key data stored in the host key data memory, before transferring the write-data over the network;

a host decryption unit that, when read-data to be read from the volume in response to a read command issued from the host computer system to the storage system is transferred from the volume to the host computer system via the network, decrypts the read-data using the key data stored in the host key data memory, after transferring the read-data over the network;

a rekeying unit that changes the key data stored in the host key data memory from first key data to second key data; and

a rekey command transmission unit that, when the rekeying unit changes the key data stored in the host key data memory to second key data, transmits to the volume management controller a rekey command containing the first and second key data; and

the volume management controller includes;

a rekey command reception unit that receives the rekey command transmitted by the rekey command transmission unit;

a volume key data memory for storing the first and second key data contained in the rekey command received by the rekey command reception unit;

a conversion read unit that, when the rekey command reception unit receives the transmitted rekey command, reads out data encrypted with the first key data from an original block address in the volume;

a conversion decryption unit that, using the first key data stored in the volume key data memory, decrypts the data read out by the conversion read unit;

a conversion encryption unit that, using the second key data stored in the volume key data memory, encrypts the data decrypted by the conversion decryption unit; and

a conversion write unit that writes the data encrypted with the second key data by the conversion encryption unit, to the original block address.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system encrypts write-data to be written to the volume in response to a write command. The system transmits a rekey command from host computer system to the storage system when the key data stored in the host key data memory is changed to second key data. The storage system receives the rekey command transmitted from host computer system and stores the first and second key data contained in the received rekey command to a volume key data memory of the storage system. The storage system reads out data encrypted with the first key data from an original block address in the volume. The storage system decrypts the data read out from the volume using the first key data. The storage system encrypts the data decrypted by the first key data using the second key data, and writs the data encrypted with the second key data to the original block address.

Citations

15 Claims

1. A computer system comprising:
- a host computer system that processes data;
  
  a storage system that comprises a volume accessible through specification of a series of block addresses from the host computer system via a network;
  
  a host encryption controller that, on the host computer system end of the network on an access path leading from the host computer system to the volume via the network, controls encryption and decryption of data passing over the access path; and
  
  a volume management controller that, in the storage system, manages data stored in the volume;
  
  wherein the host encryption controller includes;
  
  a host key data memory for storing key data to be used in encryption and decryption of data;
  
  a host encryption unit that, when write-data to be written to the volume in response to a write command issued from the host computer system to the storage system is transferred from the host computer system to the volume via the network, encrypts the write-data using the key data stored in the host key data memory, before transferring the write-data over the network;
  
  a host decryption unit that, when read-data to be read from the volume in response to a read command issued from the host computer system to the storage system is transferred from the volume to the host computer system via the network, decrypts the read-data using the key data stored in the host key data memory, after transferring the read-data over the network;
  
  a rekeying unit that changes the key data stored in the host key data memory from first key data to second key data; and
  
  a rekey command transmission unit that, when the rekeying unit changes the key data stored in the host key data memory to second key data, transmits to the volume management controller a rekey command containing the first and second key data; and
  
  the volume management controller includes;
  
  a rekey command reception unit that receives the rekey command transmitted by the rekey command transmission unit;
  
  a volume key data memory for storing the first and second key data contained in the rekey command received by the rekey command reception unit;
  
  a conversion read unit that, when the rekey command reception unit receives the transmitted rekey command, reads out data encrypted with the first key data from an original block address in the volume;
  
  a conversion decryption unit that, using the first key data stored in the volume key data memory, decrypts the data read out by the conversion read unit;
  
  a conversion encryption unit that, using the second key data stored in the volume key data memory, encrypts the data decrypted by the conversion decryption unit; and
  
  a conversion write unit that writes the data encrypted with the second key data by the conversion encryption unit, to the original block address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer system according to claim 1,wherein the volume management controller further includes:
    - a write decryption unit that, when data stored at a block address specified by a write command sent after the rekey command reception unit receives the transmitted rekey command is data encrypted with the first key data, decrypts write-data requested by the write command received after the rekey command, using the second key data stored in the volume key data memory;
      
      a write encryption unit that, using the first key data stored in the volume key data memory, encrypts the write-data decrypted by the write decryption unit; and
      
      a non-conversion write unit that writes the write-data encrypted with the first key data by the write encryption unit, to the block address specified by the write command after the rekey command.
  - 3. The computer system according to claim 1,wherein the volume management controller further includes:
    - a non-conversion read unit that, when read-data stored at a block address specified by a read command sent after the rekey command reception unit receives the rekey command is data encrypted with the first key data, reads out the read-data stored at the block address specified by the read command received after the rekey command;
      
      a read decryption unit that, using the first key data stored in the volume key data memory, decrypts the read-data read out by the non-conversion read unit;
      
      a read encryption unit that, using the second key data stored in the volume key data memory, encrypts the read-data decrypted by the read decryption unit; and
      
      a read response unit that, in response to the read command after the rekey command, sends to the host computer system via the network the data encrypted with the second key data by the read encryption unit.
  - 4. The computer system according to claim 1, wherein the volume management controller further includes a key data deletion unit that, when all of the data stored in the volume is converted to data encrypted with the second key data after the rekey command reception unit receives the transmitted rekey command, deletes the first and second key data stored in the volume key data memory.
  - 5. The computer system according to claim 1, wherein the conversion read unit of the volume management controller reads the data encrypted with the first key data, from the volume sequentially in order of the series of block addresses assigned to the volume when the rekey command reception unit receives the transmitted rekey command.
  - 6. The computer system according to claim 1, wherein the host encryption controller is disposed to the host computer system.
  - 7. The computer system according to claim 1, wherein:
    - the network is a first network;
      
      the storage system includes,a virtualization device that is coupled with the host computer system via a second network different from the first network, and virtually constitutes a virtual volume associated with the volume to make the volume accessible indirectly from the host computer system via the second network, anda first storage system that is coupled with the virtualization device via the first network, and constitutes the volume accessible from the virtualization device via the first network;
      
      the host encryption controller is disposed to the virtualization device; and
      
      the volume management controller is disposed to the first storage system.
  - 8. The computer system according to claim 1,wherein:
    - the storage system includes,a base volume for storing a copy of data stored to the volume at a set time,a first journal volume for collecting a copy of data written to the volume subsequent to the set time, the copy of the written data being associated with write history of the written data, anda volume restore unit that, using the data stored in the base volume and the data collected in first journal volume, configures a restore volume for restoring the volume at an intended point in time subsequent to the set time; and
      
      the volume restore unit includes,a restore decryption unit that, after the rekey command reception unit receives the transmitted rekey command, selects, from the data of the base volume and the first journal volume, data encrypted using the first key data for use in configuring the restore volume, and decrypts selected data using the first key data stored in the volume key data memory,a restore encryption unit that, using the second key data stored in the volume key data memory, encrypts the data decrypted by the restore decryption unit, anda restore incorporation unit that incorporates the data encrypted by the restore encryption unit into the restore volume.
  - 9. The computer system according to claim 1, wherein:
    - the volume of the storage system includes,a first volume for storing data encrypted with the first key data, anda second volume assigned a series of block addresses shared with the first volume after the rekey command reception unit receives the transmitted rekey command, and utilized for storing data subsequently encrypted with the second key data from the data stored in the first volume;
      
      the conversion read unit of the volume management controller reads out data encrypted with the first key data from an original first block address in the first volume when the rekey command reception unit receives the transmitted rekey command; and
      
      the conversion write unit of the volume management controller writes the data encrypted with the second key data by the conversion encryption unit, to a block address of the second volume corresponding to the original first block address of the first volume.
  - 10. The computer system according to claim 9,wherein the volume management controller further includes:
    - a first write decryption unit that, when data of a block address specified by a write command sent after the rekey command reception unit receives the transmitted rekey command has not been taken over from the first volume by the second volume, decrypts write-data requested by the write command received after the rekey command, using the second key data stored in the volume key data memory;
      
      a first write encryption unit that, using first key data stored in the volume key data memory, encrypts the write-data decrypted by the first write decryption unit;
      
      a first takeover write unit that writes the write-data encrypted with the first key data by the first write encryption unit, to the specified block address in the first volume; and
      
      a second takeover write unit that, when data of a block address specified by a write command sent after the rekey command reception unit receives the transmitted rekey command has been taken over from the first volume by the second volume, writes the write-data requested by the write command received after the rekey command, to the specified block address in the second volume.
  - 11. The computer system according to claim 10,wherein the volume management controller further includes:
    - a second write decryption unit that, when data of a block address specified by a write command sent after the rekey command reception unit receives the transmitted rekey command has been taken over from the first volume by the second volume, decrypts write-data requested by the write command received after the rekey command, using the second key data stored in the volume key data memory;
      
      a second write encryption unit that, using first key data stored in the volume key data memory, encrypts the data decrypted by the second write decryption unit; and
      
      a third takeover write unit that writes the data encrypted with the first key data by the second write encryption unit, to the specified block address in the first volume.
  - 12. The computer system according to claim 9,wherein the volume management controller further includes:
    - a first takeover read unit that, when read-data stored at a block address specified by a read command sent after the rekey command reception unit receives the transmitted rekey command has not been taken over from the first volume by the second volume, reads out the read-data stored at the specified block address in the first volume;
      
      a read decryption unit that, using first key data stored in the volume key data memory, decrypts the read-data read out by the first takeover read unit;
      
      a read encryption unit that, using second key data stored in the volume key data memory, encrypts the read-data decrypted by the read decryption unit;
      
      a first takeover read response unit that, in response to the read command, sends the read-data encrypted with the second key data by the read encryption unit, to the host computer system via the network;
      
      a second takeover read unit that, when read-data stored at a block address specified by a read command sent after the rekey command reception unit receives the transmitted rekey command has been taken over from the first volume by the second volume, reads out the read-data stored at the specified block address in the second volume; and
      
      a second takeover read response unit that, in response to the read command, sends the read-data read out by the second takeover read unit and encrypted with the second key data, to the host computer system via the network.
  - 13. The computer system according to claim 1,wherein the storage system further includes:
    - a secondary volume assigned a series of block addresses associated with the volume, for storing a copy of data stored to the volume;
      
      a second journal volume that temporarily collects a copy of data written to the volume subsequent to the write command, the copy of the written data being associated with write history of the written data;
      
      a first journal decryption unit that, when the data collected in the second journal volume is encrypted with the first key data, decrypts the data collected in the second journal volume, using the first key data stored in the volume key data memory;
      
      a first journal transfer unit that transfers to the secondary volume the data decrypted by the first journal decryption unit;
      
      a second journal decryption unit that, when the data collected in the second journal volume is encrypted with the second key data, decrypts the data collected in the second journal volume, using the second key data stored in the volume key data memory;
      
      a second journal transfer unit that transfers to the secondary volume the data decrypted by the second journal decryption unit.

14. A storage system coupled via a network with a host computer system,the storage system comprising a volume accessible through specification of a series of block addresses from the host computer system via the network,wherein the host computer system includes:
- a host key data memory for storing key data to be used in encryption and decryption of data;
  
  a host encryption unit that, when write-data to be written to the volume in response to a write command issued from the host computer system to the storage system is transferred from the host computer system to the volume via the network, encrypts the write-data using the key data stored in the host key data memory, before transferring the write-data over the network;
  
  a host decryption unit that, when read-data to be read from the volume in response to a read command issued from the host computer system to the storage system is transferred from the volume to the host computer system via the network, decrypts the read-data using the key data stored in the host key data memory, after transferring the read-data over the network;
  
  a rekeying unit that changes the key data stored in the host key data memory from first key data to second key data; and
  
  a rekey command transmission unit that, when the rekeying unit changes the key data stored in the host key data memory to second key data, transmits to the volume management controller a rekey command containing the first and second key data,the storage system further comprising;
  
  a rekey command reception unit that receives the rekey command transmitted by the rekey command transmission unit;
  
  a volume key data memory for storing the first and second key data contained in the rekey command received by the rekey command reception unit;
  
  a conversion read unit that, when the rekey command reception unit receives the transmitted rekey command, reads out data encrypted with the first key data from an original block address in the volume;
  
  a conversion decryption unit that, using the first key data stored in the volume key data memory, decrypts the data read out by the conversion read unit;
  
  a conversion encryption unit that, using the second key data stored in the volume key data memory, encrypts the data decrypted by the conversion decryption unit; and
  
  a conversion write unit that writes the data encrypted with the second key data by the conversion encryption unit, to the original block address.

15. A data management method for managing data handled by a computer system that comprises a host computer system for processing data, and a storage system having a volume accessible through specification of a series of block addresses from the host computer system via a network, key data for use in encryption and decryption of data is stored in a host key data memory of the host computer system,the method comprising:
- encrypting, on the host computer system, when write-data to be written to the volume in response to a write command issued from the host computer system to the storage system is transferred from the host computer system to the volume via the network, the write-data using the key data stored in the host key data memory, before transferring the write-data over the network;
  
  decrypting, on the host computer system, when read-data to be read from the volume in response to a read command issued from the host computer system to the storage system is transferred from the volume to the host computer system via the network, the read-data using the key data stored in the host key data memory, after transferring the read-data over the network;
  
  changing the key data stored in the host key data memory from first key data to second key data;
  
  transmitting, when the key data stored in the host key data memory is changed to second key data, a rekey command containing the first and second key data from host computer system to the storage system;
  
  receiving, on the storage system, the rekey command transmitted from host computer system;
  
  storing the first and second key data contained in the received rekey command to a volume key data memory of the storage system;
  
  reading out, when the transmitted rekey command is received, data encrypted with the first key data from an original block address in the volume;
  
  decrypting the data read out from the volume using the first key data stored in the volume key data memory;
  
  encrypting the data decrypted by the first key data using the second key data stored in the volume key data memory; and
  
  writing the data encrypted with the second key data to the original block address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Osaki, Nobuyuki

Granted Patent

US 8,140,864 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/277
CPC Class Codes

G06F 21/80   in storage media based on m...

H04L 63/0464   using hop-by-hop encryption...

H04L 9/0891   Revocation or update of sec...

Computer system, storage system, and data management method for updating encryption key

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Computer system, storage system, and data management method for updating encryption key

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links