DATA ENCRYPTION KEY SHARING FOR A STORAGE SYSTEM

US 20180034787A1
Filed: 08/01/2016
Published: 02/01/2018
Est. Priority Date: 08/01/2016
Status: Abandoned Application

First Claim

Patent Images

1. A method for key sharing with a storage system, performed by a security manager, comprising:

sharing a first key with a host system; and

sharing the first key with a storage system, so that the host system encrypts a file or data with the first key and sends the encrypted file or data to the storage system, the storage system decrypts the encrypted file or data with the first key, compresses the decrypted file or data, and re-encrypts the decrypted file or data.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for key sharing with a storage system, performed by a network device or security manager is provided. The method includes sharing a first key with a host system and sharing the first key with a storage system. The host system encrypts a file or data with the first key and sends the encrypted file or data to the storage system. The storage system decrypts the encrypted file or data with the first key, compresses the decrypted file or data, and re-encrypts the decrypted file or data.

Citations

24 Claims

1. A method for key sharing with a storage system, performed by a security manager, comprising:
- sharing a first key with a host system; and
  
  sharing the first key with a storage system, so that the host system encrypts a file or data with the first key and sends the encrypted file or data to the storage system, the storage system decrypts the encrypted file or data with the first key, compresses the decrypted file or data, and re-encrypts the decrypted file or data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - sharing a second key with a further host system; and
      
      sharing the second key with a further storage system, so that the further host system encrypts a further file or data with the second key and sends the encrypted further file or data to the further storage system, the further storage system decrypts the encrypted further file or data with the third key, compresses the decrypted further file or data, re-encrypts the compressed decrypted further file or data, wherein the host, further host, storage system and the further storage system are key management interoperability protocol (KMIP) clients.
  - 3. The method of claim 1, wherein the sharing the first key with the storage system so that the host system encrypts metadata relating to the file or data with the first key and sends the encrypted metadata to the storage system, the storage system decrypts the encrypted metadata with the first key, compresses the decrypted metadata, re-encrypts the compressed metadata.
  - 4. The method of claim 1, further comprising:
    - tracking which key, of a plurality of keys including the first key, is shared by which of a plurality of host and storage systems.
  - 5. The method of claim 1, wherein sharing the first key with the host system and the storage system comprises:
    - host receiving the first key from the security manager; and
      
      storage system receiving the first key from the security manager
  - 6. The method of claim 1, further comprising:
    - sharing the first key with a plurality of storage systems.
  - 7. The method of claim 1, further comprising:
    - sharing a plurality of keys, including the first key, with the storage system, wherein the storage system uses each of the plurality of keys to decrypt one or more blocks or chunks of data received from the host system.
  - 8. The method of claim 1, wherein the storage system parses headers in network packets containing storage requests from the host system and extracts information regarding association of keys to blocks of data.

9. A security manager, comprising:
- a network device, connectable to a network and having at least one processor; and
  
  the at least one processor configured to share a first key with a host system and share the first key with a storage system that is configured to receive a file encrypted by the host system with the first key and decrypt the encrypted file with the first key.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The security manager of claim 9, further comprising:
    - the at least one processor further configured to share a second key with a further host system and share the second key with a further storage system, with the further host system configured to encrypt a further file or data with the second key and send the encrypted further file or data to the further storage system wherein the host, further host, storage system and the further storage system are key management interoperability protocol (KMIP) clients.
  - 11. The security manager of claim 9, wherein:
    - the host system is configured to encrypt metadata relating to the file or data with the first key and send the encrypted metadata to the storage system; and
      
      the storage system is configured to decrypt the encrypted metadata with the first key, compress the decrypted metadata, reencrypt the compressed.
  - 12. The security manager of claim 9, further comprising:
    - the at least one processor further configured to track a plurality of keys including the first key, including tracking which key of the plurality of keys is used by which storage system of a plurality of storage systems that includes the storage system, and share the plurality of keys among the plurality of storage systems in accordance with the tracking.
  - 13. The security manager of claim 9, further comprising:
    - the at least one processor further configured to track a plurality of keys including the first key, including tracking which key of the plurality of keys is used by which host system of a plurality of host systems that includes the host system, and share the plurality of keys among the plurality of host systems in accordance with the tracking.
  - 14. The security manager of claim 9, further comprising:
    - the at least one processor further configured to track a plurality of keys including the first key, wherein the storage system is configured to associate each of the plurality of keys with one or more blocks or chunks of data.
  - 15. The security manager of claim 9, wherein the at least one processor configured to share the first key with the host system and the storage system comprises:
    - the at least one processor configured to generate the first key and send the first key to the storage system and the host system.
  - 16. The security manager of claim 9, further comprising:
    - the at least one processor configured to share the first key with a plurality of storage systems, including the storage system.

17. A method for key sharing with a plurality of storage systems, performed by a security manager, comprising:
- generating a plurality of keys;
  
  determining which storage system, of the plurality of storage systems, or which host system, of a plurality of host systems, uses which key or keys, of the plurality of keys; and
  
  distributing the plurality of keys, in accordance with the determining, so that each storage system, of the plurality of storage systems, can receive a file or data encrypted with a first key by a host system, decrypt the encrypted file or data with the first key, compress the decrypted file or data, reencrypt the compressed decrypted file or data.
- View Dependent Claims (18, 19)
- - 18. The method of claim 17, wherein the determining comprises:
    - communicating with the plurality of host systems which have a plurality of file systems.
  - 19. The method of claim 17, wherein each of the plurality of storage systems and host systems is a key management interoperability protocol (KMIP) client.

20. A method for encryption, performed by a secure data system, comprising:
- passing a write request from an application layer to a secure file system layer;
  
  determining that the write request is approved by access control, at the secure file system layer;
  
  passing a request to write a secure file, from the secure file system layer through a file system layer to a secure volume manager layer;
  
  encrypting data and encrypting metadata relating to the data, at the secure volume manager layer; and
  
  sending the encrypted data and the encrypted metadata from the secure volume manager layer to storage.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The method of claim 20, further comprising:
    - passing a read request from the application layer to the secure file system layer;
      
      determining that the read request is approved by the access control, at the secure file system layer;
      
      passing a request to read the secure file, from the secure file system layer through the file system layer to the secure volume manager layer;
      
      reading the encrypted data and the encrypted metadata from the storage;
      
      decrypting the encrypted data and decrypting the encrypted metadata, at the secure volume manager layer; and
      
      passing the decrypted data and the decrypted metadata, from the secure volume manager layer through the file system layer and through the secure file system layer to the application layer.
  - 22. The method of claim 20, wherein the determining that the write request is approved by access control, at the secure file system layer, is based on the metadata relating to the data, with the metadata in unencrypted form.
  - 23. The method of claim 20, further comprising:
    - receiving a plurality of keys from a plurality of host systems, with one of the host systems hosting an application at the application layer and the application generating the data and the metadata relating to the data; and
      
      determining and sending a key, of the plurality of keys, to the storage system for use in decrypting the encrypted data and decrypting the encrypted metadata, wherein the encrypting the data and the encrypting the metadata use the key at the secure volume manager layer.
  - 24. The method of claim 20, further comprising:
    - sharing a key with a host system that generates the data and the metadata relating to the data; and
      
      sharing the key with the storage, in accordance with one or more policies, wherein the encrypting the data and the encrypting the metadata relating to the data, at the secure volume manager layer, uses the shared key, and wherein the storage uses the shared key to decrypt the encrypted data and decrypt the encrypted metadata.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Thales DIS CPL USA, Inc. (Thales SA)
Original Assignee
Vormetric, Inc. (Thales SA)
Inventors
Kamaraju, Ashvin, Sadrolashrafi, Masoud, Sudarsan, Sridharan, Wang, I-Ching

Application Number

US15/225,674
Publication Number

US 20180034787A1
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

H04L 63/0435   wherein the sending and rec...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/168   above the transport layer

H04L 67/1097   for distributed storage of ...

H04L 69/04   Protocols for data compress...

H04W 4/70   Services for machine-to-mac...

DATA ENCRYPTION KEY SHARING FOR A STORAGE SYSTEM

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

DATA ENCRYPTION KEY SHARING FOR A STORAGE SYSTEM

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links