DISTRIBUTION OF STORAGE AREA NETWORK ENCRYPTION KEYS ACROSS DATA CENTERS

US 20090252330A1
Filed: 04/02/2008
Published: 10/08/2009
Est. Priority Date: 04/02/2008
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a request to transfer a source data center key object from a source data center to a destination data center, the source data center key object corresponding to a data block maintained in a storage area network (SAN), wherein the source data center key object includes a unique identifier, an encrypted key, and a wrapper unique identifier;

decrypting the encrypted key using a source data center key hierarchy;

transmitting key information from the source data center to the destination data center;

generating a destination data center key object using a destination data center key hierarchy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Efficient mechanisms are provided for transferring key objects associated with disk logical unit numbers and tape cartridges from one data center to another data center. A request is received to transfer a source data center key object from a source data center to a destination data center. The source data center key object corresponds to a data block, such as a disk logical unit number (LUN) or a tape cartridge, maintained in a storage area network (SAN) and includes a unique identifier, an encrypted key, and a wrapper unique identifier. The encrypted key is decrypted using a source data center key hierarchy. Key information is transmitted from the source data center to the destination data center. A destination data center key object is generated using a destination data center key hierarchy.

Citations

23 Claims

1. A method, comprising:
- receiving a request to transfer a source data center key object from a source data center to a destination data center, the source data center key object corresponding to a data block maintained in a storage area network (SAN), wherein the source data center key object includes a unique identifier, an encrypted key, and a wrapper unique identifier;
  
  decrypting the encrypted key using a source data center key hierarchy;
  
  transmitting key information from the source data center to the destination data center;
  
  generating a destination data center key object using a destination data center key hierarchy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the source data center key object corresponds to a disk logical unit number (LUN).
  - 3. The method of claim 2, wherein the destination data center key object allows decryption of the disk LUN when the disk LUN is moved form the source data center to the destination data center.
  - 4. The method of claim 1, wherein the source data center key object corresponds to a tape cartridge.
  - 5. The method of claim 4, wherein the destination data center key object allows decryption of the tape cartridge when the tape cartridge is moved form the source data center to the destination data center.
  - 6. The method of claim 1, wherein decrypting the encrypted key comprises using keying material accessed using the wrapper unique identifier, the wrapper unique identifier referencing another key object at a key management center in the source data center.
  - 7. The method of claim 1, wherein encrypting the decrypted key comprises using key material accessed from the destination data center.
  - 8. The method of claim 1, wherein the key information is transmitted using public key private key encryption.
  - 9. The method of claim 1, wherein the key information is transmitted using password protected key export.
  - 10. The method of claim 1, wherein the unique identifier is a globally unique identifier.
  - 11. The method of claim 10, wherein the globally unique identifier is written to the storage area network medium.
  - 12. The method of claim 11, wherein the storage area network medium is tape.
  - 13. The method of claim 11, wherein the storage area network medium is a disk logical unit number.
  - 14. The method of claim 1, wherein the key entity identifies the storage area network medium.
  - 15. The method of claim 1, wherein the wrapper unique identifier is a wrapper globally unique identifier that points to another key object having information for decrypting the encrypted key.
  - 16. The method of claim 15, wherein another key object further includes an additional wrapper unique identifier.
  - 17. The method of claim 1, wherein the key object further comprises key state information.

18. A system, comprising:
- an interface operable to receive a request to transfer a source data center key object from a source data center to a destination data center, the source data center key object corresponding to a data block maintained in a storage area network (SAN), wherein the source data center key object includes a unique identifier, an encrypted key, and a wrapper unique identifier;
  
  a processor operable to decrypt the encrypted key using a source data center key hierarchy and provide the key information from the source data center to the destination data center;
  
  wherein the destination data center generates a destination data center key object using a destination data center key hierarchy.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The system of claim 18, wherein the source data center key object corresponds to a disk logical unit number (LUN).
  - 20. The system of claim 19, wherein the destination data center key object allows decryption of the disk LUN when the disk LUN is moved form the source data center to the destination data center.
  - 21. The system of claim 18, wherein the source data center key object corresponds to a tape cartridge.
  - 22. The system of claim 21, wherein the destination data center key object allows decryption of the tape cartridge when the tape cartridge is moved form the source data center to the destination data center.

23. A system, comprising:
- means for receiving a request to transfer a source data center key object from a source data center to a destination data center, the source data center key object corresponding to a data block maintained in a storage area network (SAN), wherein the source data center key object includes a unique identifier, an encrypted key, and a wrapper unique identifier;
  
  means for decrypting the encrypted key using a source data center key hierarchy;
  
  means for transmitting key information from the source data center to the destination data center;
  
  means for generating a destination data center key object using a destination data center key hierarchy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Patnala, Praveen, Deshmukh, Makarand, Kondamuri, Chandra Sekhar, Parthasarathy, Anand

Granted Patent

US 8,989,388 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/279
CPC Class Codes

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0836   using tree structure or hie...

H04L 9/0894   Escrow, recovery or storing...

DISTRIBUTION OF STORAGE AREA NETWORK ENCRYPTION KEYS ACROSS DATA CENTERS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

DISTRIBUTION OF STORAGE AREA NETWORK ENCRYPTION KEYS ACROSS DATA CENTERS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links