Computer system, storage system, and data management method for updating encryption key
First Claim
1. A computer system comprising:
a host computer system that processes data;
a storage system that comprises a volume accessible through specification of a series of block addresses from the host computer system via a network;
a host encryption controller that, on the host computer system end of the network on an access path leading from the host computer system to the volume via the network, controls encryption and decryption of data passing over the access path; and
a volume management controller that, in the storage system, manages data stored in the volume;
wherein the host encryption controller includes;
a host key data memory for storing key data to be used in encryption and decryption of data;
a host encryption unit that, when write-data to be written to the volume in response to a write command issued from the host computer system to the storage system is transferred from the host computer system to the volume via the network, encrypts the write-data using the key data stored in the host key data memory, before transferring the write-data over the network;
a host decryption unit that, when read-data to be read from the volume in response to a read command issued from the host computer system to the storage system is transferred from the volume to the host computer system via the network, decrypts the read-data using the key data stored in the host key data memory, after transferring the read-data over the network;
a rekeying unit that changes the key data stored in the host key data memory from first key data to second key data; and
a rekey command transmission unit that, when the rekeying unit changes the key data stored in the host key data memory to second key data, transmits to the volume management controller a rekey command containing the first and second key data; and
the volume management controller includes;
a rekey command reception unit that receives the rekey command transmitted by the rekey command transmission unit;
a volume key data memory for storing the first and second key data contained in the rekey command received by the rekey command reception unit;
a conversion read unit that, when the rekey command reception unit receives the transmitted rekey command, reads out data encrypted with the first key data from an original block address in the volume;
a conversion decryption unit that, using the first key data stored in the volume key data memory, decrypts the data read out by the conversion read unit;
a conversion encryption unit that, using the second key data stored in the volume key data memory, encrypts the data decrypted by the conversion decryption unit; and
a conversion write unit that writes the data encrypted with the second key data by the conversion encryption unit, to the original block address.
Abstract
A computer system encrypts write-data to be written to the volume in response to a write command. The system transmits a rekey command from the host computer system to the storage system when the key data stored in the host key data memory is changed to second key data. The storage system receives the rekey command transmitted from the host computer system and stores the first and second key data contained in the received rekey command in a volume key data memory of the storage system. The storage system reads out data encrypted with the first key data from an original block address in the volume. The storage system decrypts the data read out from the volume using the first key data. The storage system encrypts the data decrypted with the first key data using the second key data, and writes the data encrypted with the second key data to the original block address.
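The flow in the abstract, as an added sketch that is not code from the patent: the host encrypts before the network, and on a rekey command the storage side converts every block in place at its original block address. The class and function names, the block size, the keys and the SHA-256 keystream cipher (a toy stand-in for a real block cipher) are all assumptions made for the illustration.

```python
import hashlib

BLOCK_SIZE = 16  # bytes per block; constructed value for the sketch

def crypt(key: bytes, lba: int, data: bytes) -> bytes:
    """Toy XOR cipher (SHA-256 keystream bound to key and block address).
    Stand-in for a real block cipher; encrypt and decrypt are the same call."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        seed = key + lba.to_bytes(8, "big") + counter.to_bytes(4, "big")
        stream += hashlib.sha256(seed).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))

class Volume:
    """Storage system: stores ciphertext blocks, converts them on rekey."""
    def __init__(self, n_blocks: int):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(n_blocks)]
        self.key_memory = None                       # volume key data memory
    def handle_rekey(self, first_key: bytes, second_key: bytes) -> int:
        self.key_memory = (first_key, second_key)
        for lba, old_ct in enumerate(self.blocks):   # conversion read
            plain = crypt(first_key, lba, old_ct)    # conversion decryption
            # plaintext exists only transiently here, inside the storage system
            self.blocks[lba] = crypt(second_key, lba, plain)  # encrypt, write back
        return len(self.blocks)

class Host:
    """Host encryption controller: encrypts before the network, decrypts after."""
    def __init__(self, volume: Volume, key: bytes):
        self.volume, self.key = volume, key          # host key data memory
    def write(self, lba: int, data: bytes) -> None:
        padded = data.ljust(BLOCK_SIZE, b"\0")
        self.volume.blocks[lba] = crypt(self.key, lba, padded)
    def read(self, lba: int) -> bytes:
        return crypt(self.key, lba, self.volume.blocks[lba]).rstrip(b"\0")
    def rekey(self, second_key: bytes) -> int:
        first_key, self.key = self.key, second_key   # rekeying unit
        return self.volume.handle_rekey(first_key, second_key)  # rekey command

def demo():
    vol = Volume(4)
    host = Host(vol, b"constructed-first-key")
    for lba in range(4):
        host.write(lba, b"record-%d" % lba)
    before = list(vol.blocks)
    converted = host.rekey(b"constructed-second-key")
    changed = all(a != b for a, b in zip(before, vol.blocks))
    return converted, changed, [host.read(lba) for lba in range(4)]
```

Because the rekey command carries both keys, the storage system holds the first and second key data and the transient plaintext for the duration of the conversion.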
15 Claims
1. A computer system as set out in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13.
14. A storage system coupled via a network with a host computer system,
the storage system comprising a volume accessible through specification of a series of block addresses from the host computer system via the network, wherein the host computer system includes:
a host key data memory for storing key data to be used in encryption and decryption of data;
a host encryption unit that, when write-data to be written to the volume in response to a write command issued from the host computer system to the storage system is transferred from the host computer system to the volume via the network, encrypts the write-data using the key data stored in the host key data memory, before transferring the write-data over the network;
a host decryption unit that, when read-data to be read from the volume in response to a read command issued from the host computer system to the storage system is transferred from the volume to the host computer system via the network, decrypts the read-data using the key data stored in the host key data memory, after transferring the read-data over the network;
a rekeying unit that changes the key data stored in the host key data memory from first key data to second key data; and
a rekey command transmission unit that, when the rekeying unit changes the key data stored in the host key data memory to second key data, transmits to the volume management controller a rekey command containing the first and second key data,
the storage system further comprising;
a rekey command reception unit that receives the rekey command transmitted by the rekey command transmission unit;
a volume key data memory for storing the first and second key data contained in the rekey command received by the rekey command reception unit;
a conversion read unit that, when the rekey command reception unit receives the transmitted rekey command, reads out data encrypted with the first key data from an original block address in the volume;
a conversion decryption unit that, using the first key data stored in the volume key data memory, decrypts the data read out by the conversion read unit;
a conversion encryption unit that, using the second key data stored in the volume key data memory, encrypts the data decrypted by the conversion decryption unit; and
a conversion write unit that writes the data encrypted with the second key data by the conversion encryption unit, to the original block address.
15. A data management method for managing data handled by a computer system that comprises a host computer system for processing data, and a storage system having a volume accessible through specification of a series of block addresses from the host computer system via a network, key data for use in encryption and decryption of data is stored in a host key data memory of the host computer system,
the method comprising:
encrypting, on the host computer system, when write-data to be written to the volume in response to a write command issued from the host computer system to the storage system is transferred from the host computer system to the volume via the network, the write-data using the key data stored in the host key data memory, before transferring the write-data over the network;
decrypting, on the host computer system, when read-data to be read from the volume in response to a read command issued from the host computer system to the storage system is transferred from the volume to the host computer system via the network, the read-data using the key data stored in the host key data memory, after transferring the read-data over the network;
changing the key data stored in the host key data memory from first key data to second key data;
transmitting, when the key data stored in the host key data memory is changed to second key data, a rekey command containing the first and second key data from host computer system to the storage system;
receiving, on the storage system, the rekey command transmitted from host computer system;
storing the first and second key data contained in the received rekey command to a volume key data memory of the storage system;
reading out, when the transmitted rekey command is received, data encrypted with the first key data from an original block address in the volume;
decrypting the data read out from the volume using the first key data stored in the volume key data memory;
encrypting the data decrypted by the first key data using the second key data stored in the volume key data memory; and
writing the data encrypted with the second key data to the original block address.