ENCRYPTION/DECRYPTION FOR DATA STORAGE SYSTEM WITH SNAPSHOT CAPABILITY

US 20150193640A1
Filed: 03/18/2015
Published: 07/09/2015
Est. Priority Date: 07/16/2012
Status: Active Grant

First Claim

Patent Images

1. A method for managing access to encrypted data of a data storage system storing snapshot data to a computer-readable storage medium, a snapshot or combination of snapshots providing a previous point-in-time copy of data in a volume of the data storage system, wherein the data storage system utilizes changing encryption keys to store write data to the computer-readable storage medium, the method comprising:

for each snapshot, storing in the computer-readable storage medium, at least one decryption key identifier for each decryption key corresponding to an encryption key utilized to encrypt data written to a volume since a previous snapshot was committed to disk;

associating the at least one decryption key identifier with the snapshot;

providing a key table associating decryption key identifiers with corresponding decryption keys; and

based on the key table and the at least one decryption key identifier associated with the snapshot, determining one or more decryption keys required for accessing encrypted data associated with the snapshot.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for managing access to encrypted data of a data storage system storing snapshot data, a snapshot providing a previous point-in-time copy of data in a volume of the data storage system, wherein the data storage system utilizes changing encryption keys for write data. For each snapshot, the method stores at least one decryption key identifier for each decryption key corresponding to an encryption key utilized to encrypt data written to a volume since a previous snapshot was committed to disk, and associates the at least one decryption key identifier with the snapshot. A key table associating decryption key identifiers with corresponding decryption keys is provided, and based on the key table and the at least one decryption key identifier associated with the snapshot, one or more decryption keys required for accessing encrypted data associated with the snapshot are determined. Decryption key identifiers may be stored in snapshot metadata.

6 Citations

18 Claims

1. A method for managing access to encrypted data of a data storage system storing snapshot data to a computer-readable storage medium, a snapshot or combination of snapshots providing a previous point-in-time copy of data in a volume of the data storage system, wherein the data storage system utilizes changing encryption keys to store write data to the computer-readable storage medium, the method comprising:
- for each snapshot, storing in the computer-readable storage medium, at least one decryption key identifier for each decryption key corresponding to an encryption key utilized to encrypt data written to a volume since a previous snapshot was committed to disk;
  
  associating the at least one decryption key identifier with the snapshot;
  
  providing a key table associating decryption key identifiers with corresponding decryption keys; and
  
  based on the key table and the at least one decryption key identifier associated with the snapshot, determining one or more decryption keys required for accessing encrypted data associated with the snapshot.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the at least one decryption key identifier is stored in metadata for the snapshot.
  - 3. The method of claim 2, further comprising providing the one or more decryption keys determined as required for accessing the encrypted data associated with the snapshot to a requester of the encrypted data such that the requester can decrypt the encrypted data.
  - 4. The method of claim 2, further comprising decrypting the encrypted data using the one or more decryption keys determined as required for accessing the encrypted data associated with the snapshot such that decrypted data can be provided to a requester of the encrypted data.
  - 5. The method of claim 2, wherein each decryption key and corresponding encryption key are symmetric.
  - 6. The method of claim 2, wherein each decryption key and corresponding encryption key are asymmetric.
  - 7. The method of claim 1, wherein the snapshot identifies only the write data for a volume between the times when it is committed to disk as read-only and when a previous snapshot was committed to disk as read-only.
  - 8. The method of claim 7, wherein the encryption key is changed each time a snapshot is committed to disk as read-only, such that each snapshot is associated with a corresponding different decryption key identifier.

9. A data storage system comprising:
- a computer-readable storage medium storing snapshot data, wherein one or more snapshots provide a read-only previous point-in-time copy of data in a volume of the data storage system, and each snapshot is associated with at least one decryption key identifier identifying each decryption key corresponding to an encryption key utilized to encrypt data written to the volume since a previous snapshot was committed to disk;
  
  an encryption module for encrypting write data stored to the volume utilizing changing encryption keys; and
  
  a key table associating decryption key identifiers with corresponding decryption keys, from which one or more decryption keys required for accessing encrypted data associated with a given snapshot can be determined based on the decryption key identifiers associated with the given snapshot.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the snapshots comprise metadata and the at least one decryption key identifier for a snapshot is stored in the metadata for that snapshot.
  - 11. The system of claim 9, further comprising a decryption module for providing the one or more decryption keys determined as required for accessing the encrypted data associated with the given snapshot to a requester of the encrypted data such that the requester can decrypt the encrypted data.
  - 12. The system of claim 9, further comprising a decryption module for decrypting the encrypted data associated with the given snapshot using the one or more decryption keys determined as required for accessing the encrypted data such that decrypted data can be provided to a requester of the encrypted data.
  - 13. The system of claim 10, wherein each decryption key and corresponding encryption key are symmetric.
  - 14. The system of claim 10, wherein each decryption key and corresponding encryption key are asymmetric.
  - 15. The system of claim 9, wherein a snapshot identifies only the write data for a volume between the times when it is committed to disk as read-only and when a previous snapshot was committed to disk as read-only.
  - 16. The system of claim 9, wherein the encryption key is changed each time a snapshot is committed to disk as read-only, such that each snapshot is associated with a corresponding different decryption key identifier.

17. A method for managing access to encrypted data of a data storage system storing snapshot data to a computer-readable storage medium, the data storage system utilizing changing encryption keys to store write data to the computer-readable storage medium, the method comprising:
- managing data writes to a data storage device of the data storage system using point-in-time copies (PITCs), an active PITC being a PITC handling all writes to the data storage device;
  
  managing all decryption key identifiers for each decryption key corresponding to an encryption key utilized to encrypt data written to the data storage device while a PITC is active;
  
  upon committing an active PITC to disk as read-only and demoting the PITC from active status, associating all of the managed decryption key identifiers with the demoted PITC;
  
  providing a key table associating decryption key identifiers with corresponding decryption keys; and
  
  based on the key table and at least one decryption key identifier associated with a given demoted PITC, determining one or more decryption keys required for accessing encrypted data associated with the given demoted PITC.
- View Dependent Claims (18)
- - 18. The method of claim 17, wherein all decryption key identifiers associated with a demoted PITC are stored in metadata for that PITC.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dell International LLC (Dell Technologies Inc.)
Original Assignee
Compellent Technologies Incorporated (Dell Technologies Inc.)
Inventors
Pittelko, Michael H.

Granted Patent

US 9,679,165 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/1446   Point-in-time backing up or...

G06F 11/1448   Management of the data invo...

G06F 21/6218   to a system of files or obj...

G06F 21/78   to assure secure storage of...

G06F 21/805   using a security table for ...

G06F 2201/84   Using snapshots, i.e. a log...

G06F 2221/2107   File encryption

H04L 63/0428   wherein the data content is...

H04L 67/1097   for distributed storage of ...

ENCRYPTION/DECRYPTION FOR DATA STORAGE SYSTEM WITH SNAPSHOT CAPABILITY

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

6 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

ENCRYPTION/DECRYPTION FOR DATA STORAGE SYSTEM WITH SNAPSHOT CAPABILITY

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others