SECURE AND PRIVATE BACKUP STORAGE AND PROCESSING FOR TRUSTED COMPUTING AND DATA SERVICES
First Claim
1. A method for publishing backup data, comprising:
encrypting modification data to form encrypted modification data representing a set of modifications to a data set of at least one computing device in a first region of control according to at least one searchable encryption algorithm based on cryptographic key information received from a key generator that generates the cryptographic key information;
transmitting the encrypted modification data to at least one computing device in a second region of control for update of synthetic full backup data stored by the at least one computing device in the second region of control; and
proving that the at least one computing device in the second region of control applied the set of modifications to the synthetic full backup data to update the synthetic full backup data.
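The "proving" step of claim 1 (the abstract calls it Proof of Application) is what stops a provider from acknowledging an update it never wrote. The following is an added illustration, not code from the patent: the publisher (first region of control) keeps only a Merkle root over the encrypted synthetic full, and the provider (second region of control) must return an authentication path that opens the old root and, with the new leaf swapped in, yields the root it now claims. The HMAC-based stream cipher and the locally generated key are stand-ins for the patent's searchable encryption and key generator, the tree size is assumed to be a power of two, and the `LazyProvider` that acknowledges without writing is a constructed failure case.

```python
"""Proof of Application over a Merkle-committed synthetic full.
Illustrative code added to this page; not the patent's own."""
import hashlib
import hmac
import os


def h(*parts: bytes) -> bytes:
    m = hashlib.sha256()
    for p in parts:
        m.update(p)
    return m.digest()


def leaf_hash(ct: bytes) -> bytes:
    return h(b"\x00", ct)                 # domain-separate leaves from inner nodes


def node_hash(left: bytes, right: bytes) -> bytes:
    return h(b"\x01", left, right)


def merkle_root(leaves):
    level = list(leaves)                  # assumes len(leaves) is a power of two
    while len(level) > 1:
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def merkle_path(leaves, idx):
    """Sibling hashes from leaf idx up to (but excluding) the root."""
    path, level, i = [], list(leaves), idx
    while len(level) > 1:
        path.append(level[i ^ 1])
        level = [node_hash(level[j], level[j + 1]) for j in range(0, len(level), 2)]
        i >>= 1
    return path


def fold_path(leaf, idx, path):
    """Recompute the root from a leaf hash and its sibling path."""
    node, i = leaf, idx
    for sib in path:
        node = node_hash(sib, node) if i & 1 else node_hash(node, sib)
        i >>= 1
    return node


def toy_encrypt(key, nonce, data):
    # HMAC-SHA256 keystream XOR: a stand-in for the patent's searchable
    # encryption, used only so the provider never sees plaintext here.
    out = bytearray()
    for ctr in range(0, len(data), 32):
        ks = hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[ctr:ctr + 32], ks))
    return bytes(out)


class StorageProvider:                    # second region of control
    def __init__(self, blocks):
        self.blocks = list(blocks)

    def apply(self, idx, new_ct):
        leaves = [leaf_hash(b) for b in self.blocks]
        old_leaf, path = leaves[idx], merkle_path(leaves, idx)
        self.blocks[idx] = new_ct         # the write the publisher wants proven
        leaves[idx] = leaf_hash(new_ct)
        return {"old_leaf": old_leaf, "path": path, "new_root": merkle_root(leaves)}


class LazyProvider(StorageProvider):
    """Constructed failure case: acknowledges the update but never stores it."""
    def apply(self, idx, new_ct):
        leaves = [leaf_hash(b) for b in self.blocks]
        return {"old_leaf": leaves[idx], "path": merkle_path(leaves, idx),
                "new_root": merkle_root(leaves)}


class Publisher:                          # first region of control
    def __init__(self, key, plaintext_blocks):
        self.key = key                    # assumed: delivered by a key generator
        self.initial_upload = [self._encrypt(p) for p in plaintext_blocks]
        self.root = merkle_root([leaf_hash(c) for c in self.initial_upload])

    def _encrypt(self, data):
        nonce = os.urandom(16)
        return nonce + toy_encrypt(self.key, nonce, data)

    def publish(self, provider, idx, new_plaintext):
        """Send one modification and accept it only if the proof checks out."""
        new_ct = self._encrypt(new_plaintext)
        r = provider.apply(idx, new_ct)
        if fold_path(r["old_leaf"], idx, r["path"]) != self.root:
            return False                  # path does not open our commitment
        expected = fold_path(leaf_hash(new_ct), idx, r["path"])
        if expected != r["new_root"]:
            return False                  # claimed state does not contain our update
        self.root = expected              # advance the commitment
        return True


def demo():
    key = os.urandom(32)
    data = [b"block-%d" % i for i in range(8)]          # constructed sample data
    honest_pub = Publisher(key, data)
    honest = StorageProvider(honest_pub.initial_upload)
    lazy_pub = Publisher(key, data)
    lazy = LazyProvider(lazy_pub.initial_upload)
    return {"honest_applied": honest_pub.publish(honest, 3, b"block-3-v2"),
            "lazy_applied": lazy_pub.publish(lazy, 3, b"block-3-v2")}
```

The publisher stores one hash, not the backup, yet every accepted update moves its commitment to a state the provider has demonstrably materialised; a provider that skips the write (or applies it to the wrong copy) cannot produce a path that satisfies both checks.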
Abstract
A digital escrow pattern is provided for backup data services including searchable encryption techniques for backup data, such as synthetic full backup data, stored at a remote site or in a cloud service, distributing trust across multiple entities to avoid a single point of data compromise. In one embodiment, an operational synthetic full is maintained with encrypted data as a data service in a cryptographically secure manner that addresses integrity and privacy requirements for external or remote storage of potentially sensitive data. The storage techniques supported include backup, data protection, disaster recovery, and analytics on second copies of primary device data. Examples of cost-effective cryptographic techniques that can be applied to establish a high level of trust over the security and privacy of backup data include, but are not limited to, size-preserving encryption, searchable encryption, Proof of Application, blind fingerprints, Proof of Retrievability, and others.
20 Claims
1. A method for publishing backup data, comprising the steps set out under First Claim above.
Dependent claims: 2 through 10.
11. A method for publishing backup data, comprising:
encrypting modification data to form encrypted modification data representing a set of modifications to a data set of at least one computing device in a first region of control according to at least one searchable encryption algorithm based on cryptographic key information received from a key generator that generates the cryptographic key information; and
transmitting the encrypted modification data to at least one computing device in a second region of control for update of synthetic full backup data stored by the at least one computing device in the second region of control, wherein to reduce transmitting redundant data, the transmitting includes fingerprinting at least one data segment represented in the data set to form at least one fingerprint for replacing actual modification data where the corresponding at least one data segment is determined to be represented in a local set of fingerprints representing data segments of the data set.
Dependent claims: 12 through 19.
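Claim 11 replaces a segment's modification data with its fingerprint whenever that fingerprint is already in the publisher's local set; the abstract names blind fingerprints as the technique. The following is an added illustration, not code from the patent: fingerprints are keyed (HMAC) so the provider cannot confirm a guessed plaintext segment against what it stores, the publisher keeps the local fingerprint set, and the provider keeps a fingerprint-indexed store plus the ordered layout of the current synthetic full. Fixed 64-byte segments, the two keys, the sample file versions and the keystream-style `seal` routine (a stand-in for the patent's encryption) are assumptions of this example.

```python
"""Blind-fingerprint deduplication on the publishing side.
Illustrative code added to this page; not the patent's own."""
import hashlib
import hmac

SEGMENT = 64        # assumed fixed segment size; real systems often chunk by content


def blind_fingerprint(fp_key: bytes, segment: bytes) -> bytes:
    """Keyed fingerprint: without fp_key the provider cannot test a guessed
    plaintext segment against stored fingerprints (a plain SHA-256 would allow it)."""
    return hmac.new(fp_key, segment, hashlib.sha256).digest()[:16]


def segments(data: bytes):
    return [data[i:i + SEGMENT] for i in range(0, len(data), SEGMENT)]


def seal(enc_key: bytes, fp: bytes, segment: bytes) -> bytes:
    # Stand-in for the patent's encryption: HMAC keystream bound to the
    # fingerprint, XORed over the segment. Symmetric, so it also unseals.
    ks = b"".join(hmac.new(enc_key, fp + bytes([c]), hashlib.sha256).digest()
                  for c in range((len(segment) + 31) // 32))
    return bytes(a ^ b for a, b in zip(segment, ks))


class Publisher:                           # first region of control
    def __init__(self, fp_key: bytes, enc_key: bytes):
        self.fp_key, self.enc_key = fp_key, enc_key
        self.local_fps = set()             # fingerprints the provider already holds

    def publish(self, data: bytes):
        """One message per segment: ('ref', fp) if known, else ('seg', fp, sealed)."""
        msgs = []
        for seg in segments(data):
            fp = blind_fingerprint(self.fp_key, seg)
            if fp in self.local_fps:
                msgs.append(("ref", fp))   # fingerprint replaces the actual data
            else:
                msgs.append(("seg", fp, seal(self.enc_key, fp, seg)))
                self.local_fps.add(fp)
        return msgs

    def restore(self, items):
        """Unseal an exported layout of (fp, sealed) pairs back to plaintext."""
        return b"".join(seal(self.enc_key, fp, ct) for fp, ct in items)


class Provider:                            # second region of control
    def __init__(self):
        self.store = {}                    # fp -> sealed segment
        self.synthetic_full = []           # ordered fingerprints of the current full

    def receive(self, msgs):
        layout = []
        for m in msgs:
            if m[0] == "seg":
                self.store[m[1]] = m[2]
            elif m[1] not in self.store:
                raise KeyError("reference to a segment that was never uploaded")
            layout.append(m[1])
        self.synthetic_full = layout       # the updated synthetic full

    def export(self):
        return [(fp, self.store[fp]) for fp in self.synthetic_full]


def wire_bytes(msgs) -> int:
    return sum(len(m[1]) + (len(m[2]) if m[0] == "seg" else 0) for m in msgs)


def demo():
    fp_key, enc_key = b"\x01" * 32, b"\x02" * 32     # stand-ins for key-generator output
    pub, provider = Publisher(fp_key, enc_key), Provider()
    # constructed sample: four segments, then a second version with segment 2 rewritten
    v1 = b"".join((b"segment-%d " % i).ljust(SEGMENT, b".") for i in range(4))
    v2 = v1[:2 * SEGMENT] + b"segment-2 rewritten ".ljust(SEGMENT, b".") + v1[3 * SEGMENT:]
    m1 = pub.publish(v1)
    provider.receive(m1)
    m2 = pub.publish(v2)
    provider.receive(m2)
    return {"v1_wire_bytes": wire_bytes(m1),
            "v2_wire_bytes": wire_bytes(m2),
            "v2_segment_messages": sum(1 for m in m2 if m[0] == "seg"),
            "restored_matches_v2": pub.restore(provider.export()) == v2}
```

The second version costs three 16-byte references plus one sealed segment instead of four sealed segments, and the provider still rebuilds the full from its store. Note what the fingerprints reveal: the provider learns which segments are equal, so the fingerprint key must stay in the first region of control, otherwise the provider can fingerprint candidate plaintexts and test for their presence.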
20. A method for subscribing to backup data, comprising:
after a failure of data of a data set of at least one subscribing device, requesting a restore of at least one data item of the data set from a backup data service accessible via at least one network that maintains synthetic full data corresponding to the data set in a searchably encrypted format for synthetic full backup service by the backup data service;
receiving at least some or a portion of the at least one data item in an encrypted format from the backup data service and restarting an application of the at least one subscribing device based on use of the at least some or the portion of the at least one data item; and
subsequent to restarting the application, receiving any remaining data of the at least one data item not yet received by the at least one subscribing device.
Specification