STORAGE SECURITY USING CRYPTOGRAPHIC SPLITTING
First Claim
1. A method of storing data securely in a secure data storage network, the method comprising:
- receiving at a secure storage appliance a block of data for storage on a volume, the volume associated with a plurality of shares distributed across a plurality of physical storage devices;
cryptographically splitting the block of data received by the secure storage appliance into a plurality of secondary data blocks;
encrypting each of the plurality of secondary data blocks with a different session key, each session key associated with at least one of the plurality of shares; and
storing each data block and associated session key at the corresponding share, remote from the secure storage appliance.
10 Assignments
0 Petitions
Accused Products
Abstract
Methods and systems for storing data securely in a secure data storage network are disclosed. One method includes receiving at a secure storage appliance a block of data for storage on a volume, the volume associated with a plurality of shares distributed across a plurality of physical storage devices. The method also includes cryptographically splitting the block of data received by the secure storage appliance into a plurality of secondary data blocks. The method further includes encrypting each of the plurality of secondary data blocks with a different session key, each session key associated with at least one of the plurality of shares. The method also includes storing each data block and associated session key at the corresponding share, remote from the secure storage appliance.
72 Citations
27 Claims
-
1. A method of storing data securely in a secure data storage network, the method comprising:
-
receiving at a secure storage appliance a block of data for storage on a volume, the volume associated with a plurality of shares distributed across a plurality of physical storage devices; cryptographically splitting the block of data received by the secure storage appliance into a plurality of secondary data blocks; encrypting each of the plurality of secondary data blocks with a different session key, each session key associated with at least one of the plurality of shares; and storing each data block and associated session key at the corresponding share, remote from the secure storage appliance. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A method of updating a session key in a secure data storage network, the method comprising:
-
generating a new header for a share on a physical disk in an available header location in the share, the header including a new session key; marking a previously existing header stored in the share as a stale header, the previously existing header including a stale session key; initiating a decryption process comprising decrypting data stored in the share using the stale session key; reencrypting the decrypted data with a new session key; storing the data encrypted with the new session key in the share; and releasing the previously existing header, thereby creating a new available header location in the share at the location of the previously existing header. - View Dependent Claims (10, 11, 12, 13, 14, 15)
-
-
16. A method of updating a workgroup key in a secure data storage network, the method comprising:
-
generating a workgroup key associated with one or more users of the secure data storage network; identifying a previous workgroup key associated with the one or more users; identifying a plurality of shares including headers encrypted with the previous workgroup key, the headers each including a session key; decrypting the headers encrypted with the previous workgroup key in the plurality of shares, thereby decrypting the session key; reencrypting the headers using the workgroup key, thereby reencrypting the session key; storing the reencrypted headers in the plurality of shares; storing the workgroup key; and deleting the previous workgroup key. - View Dependent Claims (17, 18, 19)
-
-
20. A secure storage appliance comprising a programmable circuit configured to execute program instructions which, when executed, configure the secure storage appliance to:
-
receive a block of data for storage on a volume, the volume associated with a plurality of shares distributed across a plurality of physical storage devices; cryptographically split the block of data received by the secure storage appliance into a plurality of secondary data blocks; encrypt each of the plurality of secondary data blocks with a different session key, each session key associated with at least one of the plurality of shares; and transmit each data block and associated session key to the corresponding share, remote from the secure storage appliance. - View Dependent Claims (21, 22, 23)
-
-
24. A secure data storage network comprising:
a plurality of physical storage devices, each physical storage device configured to store a share from among a plurality of shares distributed across the plurality of physical storage devices, each share comprising; a plurality of headers encrypted with a workgroup key, each header including a session key; a plurality of data blocks, each data block encrypted by a session key included in one or more of the plurality of headers, each data block including an identifier of a session key used to encrypt the data in the data block. - View Dependent Claims (25, 26, 27)
Specification