ENCRYPTION/DECRYPTION FOR DATA STORAGE SYSTEM WITH SNAPSHOT CAPABILITY
First Claim
1. A method for managing access to encrypted data of a data storage system storing snapshot data to a computer-readable storage medium, a snapshot or combination of snapshots providing a previous point-in-time copy of data in a volume of the data storage system, wherein the data storage system utilizes changing encryption keys to store write data to the computer-readable storage medium, the method comprising:
- for each snapshot, storing in the computer-readable storage medium, at least one decryption key identifier for each decryption key corresponding to an encryption key utilized to encrypt data written to a volume since a previous snapshot was committed to disk;
associating the at least one decryption key identifier with the snapshot;
providing a key table associating decryption key identifiers with corresponding decryption keys; and
based on the key table and the at least one decryption key identifier associated with the snapshot, determining one or more decryption keys required for accessing encrypted data associated with the snapshot.
15 Assignments
0 Petitions
Accused Products
Abstract
A method for managing access to encrypted data of a data storage system storing snapshot data, a snapshot providing a previous point-in-time copy of data in a volume of the data storage system, wherein the data storage system utilizes changing encryption keys for write data. For each snapshot, the method stores at least one decryption key identifier for each decryption key corresponding to an encryption key utilized to encrypt data written to a volume since a previous snapshot was committed to disk, and associates the at least one decryption key identifier with the snapshot. A key table associating decryption key identifiers with corresponding decryption keys is provided, and based on the key table and the at least one decryption key identifier associated with the snapshot, one or more decryption keys required for accessing encrypted data associated with the snapshot are determined. Decryption key identifiers may be stored in snapshot metadata.
6 Citations
18 Claims
-
1. A method for managing access to encrypted data of a data storage system storing snapshot data to a computer-readable storage medium, a snapshot or combination of snapshots providing a previous point-in-time copy of data in a volume of the data storage system, wherein the data storage system utilizes changing encryption keys to store write data to the computer-readable storage medium, the method comprising:
-
for each snapshot, storing in the computer-readable storage medium, at least one decryption key identifier for each decryption key corresponding to an encryption key utilized to encrypt data written to a volume since a previous snapshot was committed to disk; associating the at least one decryption key identifier with the snapshot; providing a key table associating decryption key identifiers with corresponding decryption keys; and based on the key table and the at least one decryption key identifier associated with the snapshot, determining one or more decryption keys required for accessing encrypted data associated with the snapshot. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A data storage system comprising:
-
a computer-readable storage medium storing snapshot data, wherein one or more snapshots provide a read-only previous point-in-time copy of data in a volume of the data storage system, and each snapshot is associated with at least one decryption key identifier identifying each decryption key corresponding to an encryption key utilized to encrypt data written to the volume since a previous snapshot was committed to disk; an encryption module for encrypting write data stored to the volume utilizing changing encryption keys; and a key table associating decryption key identifiers with corresponding decryption keys, from which one or more decryption keys required for accessing encrypted data associated with a given snapshot can be determined based on the decryption key identifiers associated with the given snapshot. - View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
-
-
17. A method for managing access to encrypted data of a data storage system storing snapshot data to a computer-readable storage medium, the data storage system utilizing changing encryption keys to store write data to the computer-readable storage medium, the method comprising:
-
managing data writes to a data storage device of the data storage system using point-in-time copies (PITCs), an active PITC being a PITC handling all writes to the data storage device; managing all decryption key identifiers for each decryption key corresponding to an encryption key utilized to encrypt data written to the data storage device while a PITC is active; upon committing an active PITC to disk as read-only and demoting the PITC from active status, associating all of the managed decryption key identifiers with the demoted PITC; providing a key table associating decryption key identifiers with corresponding decryption keys; and based on the key table and at least one decryption key identifier associated with a given demoted PITC, determining one or more decryption keys required for accessing encrypted data associated with the given demoted PITC. - View Dependent Claims (18)
-
Specification