ENCRYPTED FILE BACKUP

US 20140281519A1
Filed: 09/30/2013
Published: 09/18/2014
Est. Priority Date: 03/12/2013
Status: Abandoned Application

First Claim

Patent Images

1. A method for backing up a primary storage system, the method comprising:

by a computing system comprising one or more processors;

identifying a file stored at a primary storage system for backup to a secondary storage system;

determining whether the file is an encrypted file; and

in response to determining that the file is an encrypted file;

extracting an encrypted data encryption key from the file;

decrypting the encrypted data encryption key to obtain a data encryption key;

decrypting the file using the data encryption key to obtain a decrypted file; and

providing the decrypted file to the secondary storage system for backup, thereby enabling the secondary storage system to more efficiently store files at the secondary storage system.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for automatically encrypting files is disclosed. In some cases, the method may be performed by computer hardware comprising one or more processors. The method can include detecting access to a first file, which may be stored in a primary storage system. Further, the method can include determining whether the access comprises a write access. In response to determining that the access comprises a write access, the method can include accessing file metadata associated with the first file and accessing a set of encryption rules. In addition, the method can include determining whether the file metadata satisfies the set of encryption rules. In response to determining that the file metadata satisfies the set of encryption rules, the method can include encrypting the first file to obtain a first encrypted file and modifying an extension of the first encrypted file to include an encryption extension.

Citations

21 Claims

1. A method for backing up a primary storage system, the method comprising:
- by a computing system comprising one or more processors;
  
  identifying a file stored at a primary storage system for backup to a secondary storage system;
  
  determining whether the file is an encrypted file; and
  
  in response to determining that the file is an encrypted file;
  
  extracting an encrypted data encryption key from the file;
  
  decrypting the encrypted data encryption key to obtain a data encryption key;
  
  decrypting the file using the data encryption key to obtain a decrypted file; and
  
  providing the decrypted file to the secondary storage system for backup, thereby enabling the secondary storage system to more efficiently store files at the secondary storage system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the encrypted data encryption key is associated with the computing system, and wherein decrypting the encrypted data encryption key comprises:
    - accessing an encrypted private key assigned to the computing system;
      
      providing the encrypted private key to a storage manager;
      
      in response to providing the encrypted private key to the storage manager, receiving a private key corresponding to the encrypted private key, the private key a decrypted version of the encrypted private key; and
      
      using the private key to decrypt the encrypted data encryption key to obtain the data encryption key.
  - 3. The method of claim 1, wherein the file includes a set of encrypted data encryption keys, each data encryption key associated with a different user from a set of users.
  - 4. The method of claim 3, wherein the encrypted data encryption key is associated with a first user from the set of users, and wherein decrypting the encrypted data encryption key comprises:
    - accessing an encrypted private key assigned to the first user;
      
      accessing a passphrase associated with the first user;
      
      using the passphrase to decrypt the encrypted private key to obtain a private key corresponding to the encrypted private key, the private key a decrypted version of the encrypted private key; and
      
      using the private key to decrypt the encrypted data encryption key to obtain the data encryption key.
  - 5. The method of claim 4, wherein using the passphrase to decrypt the encrypted private key comprises:
    - hashing the passphrase to obtain a modified passphrase; and
      
      decrypting the encrypted private key using the modified passphrase.
  - 6. The method of claim 5, wherein hashing the passphrase comprises hashing the passphrase a number of times equivalent to the number of times the passphrase was hashed when encrypting the private key.
  - 7. The method of claim 4, wherein the private key corresponds to a public key associated with the first user, the public key used to create the encrypted data encryption key.
  - 8. The method of claim 4, wherein accessing the encrypted private key assigned to the first user comprises accessing the encrypted private key from a secure storage area within the primary storage system.
  - 9. The method of claim 4, wherein accessing the encrypted private key assigned to the first user comprises extracting the encrypted private key from the encrypted file.
  - 10. The method of claim 4, wherein the passphrase is equivalent to a password used by the first user to access the computer system.
  - 11. The method of claim 1, wherein determining whether the file is the encrypted file occurs at a first time period, and wherein the encrypted file is encrypted for storage at the primary storage system as part of a backup operation performed at a second time period, the second time period earlier than the first time period.
  - 12. The method of claim 1, wherein determining whether the file is the encrypted file comprises determining whether the file includes an encryption extension.
  - 13. The method of claim 1, wherein determining whether the file is the encrypted file comprises analyzing the contents of the file.
  - 14. The method of claim 1, further comprising discarding the decrypted file after providing the decrypted file to the secondary storage system.

15. A system for backing up a primary storage system, the system comprising:
- a primary storage device configured to store a set of files; and
  
  a data agent comprising computer hardware and configured to;
  
  identify a file from the set of files for backup to a secondary storage system; and
  
  determine whether the file is an encrypted file; and
  
  in response to determining that the file is an encrypted file, the data agent is further configured to;
  
  extract an encrypted data encryption key from the file;
  
  decrypt the encrypted data encryption key to obtain a data encryption key;
  
  decrypt the file using the data encryption key to obtain a decrypted file; and
  
  provide the decrypted file to the secondary storage system for backup, thereby enabling the secondary storage system to more efficiently store files at the secondary storage system.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The system of claim 15, wherein the encrypted data encryption key is associated with the system, and wherein the data agent is further configured to decrypt the encrypted data encryption key by:
    - accessing an encrypted private key assigned to the system;
      
      providing the encrypted private key to a storage manager;
      
      in response to providing the encrypted private key to the storage manager, receiving a private key corresponding to the encrypted private key, the private key a decrypted version of the encrypted private key; and
      
      using the private key to decrypt the encrypted data encryption key to obtain the data encryption key.
  - 17. The system of claim 15, wherein the encrypted data encryption key is associated with a first user from a set of users, each user associated with a different encrypted data encryption key, and wherein the data agent is further configured to decrypt the encrypted data encryption key by:
    - accessing an encrypted private key assigned to the first user;
      
      accessing a passphrase associated with the first user;
      
      using the passphrase to decrypt the encrypted private key to obtain a private key corresponding to the encrypted private key, the private key a decrypted version of the encrypted private key; and
      
      using the private key to decrypt the encrypted data encryption key to obtain the data encryption key.
  - 18. The system of claim 17, wherein the data agent is further configured to use the passphrase to decrypt the encrypted private key by:
    - hashing the passphrase to obtain a modified passphrase; and
      
      decrypting the encrypted private key using the modified passphrase.
  - 19. The system of claim 17, wherein the primary storage system comprises a secure storage area configured to store the encrypted private key, and wherein the data agent is further configured to access the encrypted private key from the secure storage area of the primary storage system.
  - 20. The system of claim 17, wherein the data agent is further configured to access the encrypted private key by extracting the encrypted private key from the encrypted file.
  - 21. The system of claim 15, wherein the data agent is further configured to identify the file from the set of files for backup to the secondary storage system based on the location of the file in the primary storage system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CommVault Systems Incorporated
Original Assignee
CommVault Systems Incorporated
Inventors
Erofeev, Andrei, Pawar, Rahul S.

Application Number

US14/042,173
Publication Number

US 20140281519A1
Time in Patent Office

Days
Field of Search
US Class Current

713/165
CPC Class Codes

G06F 11/1402   Saving, restoring, recoveri...

G06F 11/1458   Management of the backup or...

G06F 21/60   Protecting data

G06F 21/602   Providing cryptographic fac...

G06F 21/62   Protecting access to data v...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 21/70   Protecting specific interna...

G06F 21/78   to assure secure storage of...

G06F 2201/84   Using snapshots, i.e. a log...

G06F 2221/2107   File encryption

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/088   Usage controlling of secret...

H04L 9/0891   Revocation or update of sec...

H04L 9/0897   involving additional device...

H04L 9/14   using a plurality of keys o...

ENCRYPTED FILE BACKUP

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

ENCRYPTED FILE BACKUP

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links