REPLICATION OF AN ENCRYPTED VOLUME

US 20200137156A1
Filed: 10/26/2018
Published: 04/30/2020
Est. Priority Date: 10/26/2018
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

setting up a replication partnership between a first storage node and a second storage node, wherein setting up the replication partnership comprises;

establishing a secure connection between the first storage node and the second storage node using a remote internet protocol address, a base port number, and an identifying key pair;

creating a port forwarding configuration relative to the secure connection, in part, by adding one of a set of pre-established port offsets to the base port number;

exchanging encryption keys between the first storage node and the second storage node using the port forwarding configuration; and

repeating creation of the port forwarding configuration for each remaining instance of the set of pre-established port offsets.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique includes setting up a replication partnership between a first storage node and a second storage node. The replication partnership includes establishment of a secure connection between the first storage node and the second storage node using a remote internet protocol address, a base port, and an identifying key pair. A port forwarding configuration may then be created, in part, by adding a pre-established port offset relative to a base port (e.g., a well-known TCP/IP port) for a first of a set of one or more pre-established port offsets. This process may be repeated for each remaining instance of the one or more pre-established port offsets. Encryption keys may be exchanged between the first storage node and the second storage node using at least one of the base port or the pre-established port offsets. Replication between the first storage node and the second storage node may be performed securely using the established communication channels.

5 Citations

20 Claims

1. A method comprising:
- setting up a replication partnership between a first storage node and a second storage node, wherein setting up the replication partnership comprises;
  
  establishing a secure connection between the first storage node and the second storage node using a remote internet protocol address, a base port number, and an identifying key pair;
  
  creating a port forwarding configuration relative to the secure connection, in part, by adding one of a set of pre-established port offsets to the base port number;
  
  exchanging encryption keys between the first storage node and the second storage node using the port forwarding configuration; and
  
  repeating creation of the port forwarding configuration for each remaining instance of the set of pre-established port offsets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein one or more ports, of the port forwarding configuration that is forwarded from the secure connection, are used for key exchange prior to allowing replication of an encrypted volume on that port.
  - 3. The method of claim 1, further comprising negotiating additional port mappings from the first storage node to a third storage node.
  - 4. The method of claim 1, further comprising configuring a proxy server that is associated with the second storage node to establish the secure communication channel for the replication partnership over a public network.
  - 5. The method of claim 4, wherein configuring the proxy server comprises:
    - storing in the proxy server credentials for authenticating the first storage node to use the secure communication channel; and
      
      establishing port translations to be used in the secure communication channel in communicating replication data between the first storage node and the second storage node; and
      
      communicating replication partnership information to the second storage node.
  - 6. The method of claim 4, wherein configuring the proxy server further comprises:
    - communicating a key associated with the first storage node to the proxy server.
  - 7. The method of claim 4, wherein configuring the proxy server further comprises communicating data to the proxy server representing a replication partnership identification associated with the first storage node and a replication partnership credential associated with the first storage node.
  - 8. The method of claim 1, further comprising commencing replication between the first storage node and the second storage node for an encrypted volume.
  - 9. The method of claim 1, wherein creating the port forwarding configuration comprises configuring local tunnel and reverse tunnel port translations associated with a public Internet Protocol (IP) address of the second storage node.
  - 10. The method of claim 1, further comprising providing a portal accessible through a public network to receive data representing credentials of the first storage node.

11. An apparatus comprising:
- at least one processor; and
  
  a memory that stores instructions that, when executed by the at least one processor, cause the at least one processor to;
  
  set up a replication partnership between a first storage node and a second storage node, wherein the instructions to cause that at least one processor to set up the replication partnership comprise instructions to cause the at least one processor to;
  
  establish a secure connection between the first storage node and the second storage node using a remote internet protocol address, a base port number, and an identifying key pair;
  
  create a port forwarding configuration, in part, by adding a pre-established port offset relative to the secure connection for a set of pre-established port offsets;
  
  repeat creation of the port forwarding configuration for each remaining instance of the set of pre-established port offsets; and
  
  exchange encryption keys between the first storage node and the second storage node using at least one communication channel associated with at least one pre-established port offset.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The apparatus of claim 11, wherein one or more ports, of the port forwarding configuration that is forwarded from the secure connection, are used for key exchange prior to allowing replication of an encrypted volume on that port.
  - 13. The apparatus of claim 11, wherein the instructions, when executed by the at least one processor, cause the at least one processor to:
    - negotiate additional port mappings from the first storage node to a third storage node.
  - 14. The apparatus of claim 11, wherein the instructions, when executed by the at least one processor, cause the at least one processor to:
    - configure a proxy server that is associated with the second storage node to establish the secure communication channel for the replication partnership over a public network.
  - 15. The apparatus of claim 11, wherein the instructions, when executed by the at least one processor, cause the at least one processor to:
    - provide a portal accessible through a public network to receive data representing a credential of the first storage node.

16. A non-transitory storage medium storing instructions that, when executed by a machine, cause the machine to:
- set up a replication partnership between a first storage node and a second storage node, wherein the instructions to set up the replication partnership comprise instructions to;
  
  establish a secure connection between the first storage node and the second storage node using a remote internet protocol address, a base port number, and an identifying key pair;
  
  create a port forwarding configuration, in part, by adding a pre-established port offset relative to the base port for a set of one or more pre-established port offsets;
  
  repeat creation of the port forwarding configuration for each remaining instance of the set; and
  
  exchange encryption keys between the first storage node and the second storage node using the port forwarding configuration.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory storage medium of claim 16, wherein one or more ports, of the port forwarding configuration that is forwarded from the secure connection, are used for key exchange prior to allowing replication of an encrypted volume on that port.
  - 18. The non-transitory storage medium of claim 16, wherein the instructions, when executed by the machine, cause the machine to negotiate additional port mappings from the first storage node to a third storage node.
  - 19. The non-transitory storage medium of claim 16, wherein the instructions, when executed by the machine, cause the machine to configure a proxy server that is associated with the second storage node to establish the secure communication channel for the replication partnership over a public network.
  - 20. The non-transitory storage medium of claim 16, wherein the instructions, when executed by the machine, cause the machine to:
    - provide a portal accessible through a public network to receive data representing a credential of the first storage node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Kauffman, Kevin, Truong, Nguyen, Abkarian, Cristian Medina

Granted Patent

US 10,944,819 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/2094   Redundant storage or storag...

G06F 11/2097   maintaining the standby con...

G06F 3/0623   in relation to content

G06F 3/065   Replication mechanisms

G06F 3/067   Distributed or networked st...

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04L 67/1095   Replication or mirroring of...

H04L 67/56   Provisioning of proxy servi...

REPLICATION OF AN ENCRYPTED VOLUME

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

5 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

REPLICATION OF AN ENCRYPTED VOLUME

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

5 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others