Storage system for data encryption
Abstract
Provided is a storage system including: a host interface connected via a network to a host computer; a disk interface connected to a disk drive; a memory module that stores control information of a cache memory for an access to the disk drive and the storage system; a processor that controls the storage system; a mature network that interconnects the host interface, the disk interface, the memory module, and the processor; and an encryption module that encrypts data read/written by the host computer, in which the processor reads data from a given area of the disk drive from the memory module, decrypts the read data with an encryption key corresponding to this data, encrypts the decrypted data with an encryption key different from the one that has just been used to decrypt the data, and writes the encrypted data in an area different from the given area. Accordingly, customers can be provided with a secure, highly reliable storage system with its confidentiality preserving capability enhanced.
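The re-encryption flow described in the abstract, as an added example that is not taken from the patent: each volume has its own key, and a copy decrypts with the source key and re-encrypts with the destination key before writing to the other area. The `Volume` class, `copy_volume`, and the stdlib-only HMAC-SHA256 keystream with encrypt-then-MAC are assumptions standing in for the encryption module, whose cipher the page does not specify.

```python
import hashlib
import hmac
import secrets


def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    # Domain-separated HMAC-SHA256; stand-in primitive, not the patent's cipher.
    return hmac.new(key, label + data, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Keystream = PRF(key, nonce || counter), 32 bytes per counter value.
    chunks = (len(data) + 31) // 32
    stream = b"".join(_prf(key, b"enc", nonce + i.to_bytes(8, "big")) for i in range(chunks))
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, lba: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one block; the MAC binds the block address and nonce."""
    nonce = secrets.token_bytes(16)
    body = _xor_stream(key, nonce, plaintext)
    return nonce + body + _prf(key, b"mac", lba.to_bytes(8, "big") + nonce + body)


def unseal(key: bytes, lba: int, record: bytes) -> bytes:
    nonce, body, tag = record[:16], record[16:-32], record[-32:]
    expected = _prf(key, b"mac", lba.to_bytes(8, "big") + nonce + body)
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified block")
    return _xor_stream(key, nonce, body)


class Volume:
    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)  # constructed key assigned to this volume
        self.blocks = {}                    # lba -> sealed record (ciphertext only)

    def write(self, lba: int, data: bytes) -> None:
        self.blocks[lba] = seal(self.key, lba, data)

    def read(self, lba: int) -> bytes:
        return unseal(self.key, lba, self.blocks[lba])


def copy_volume(src: Volume, dst: Volume) -> int:
    """Decrypt each block with src's key, re-encrypt with dst's key, store in dst."""
    for lba in sorted(src.blocks):
        dst.write(lba, src.read(lba))
    return len(src.blocks)
```

Because the destination blocks are sealed under a different key, a leaked source-volume key does not open the copy, and `unseal` rejects the attempt instead of returning garbage.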
2 Claims
1. A storage system, comprising:
a host interface connected via a network to a host computer;
a disk interface connected to a disk drive;
a memory module that stores control information of the storage system and that functions as a cache memory;
a processor that controls the storage system;
a mature network that interconnects the host interface, the disk interface, the memory module, and the processor; and
an encryption module that encrypts data read/written by the host computer,
wherein the processor;
reads data from a given area of the disk drive or of the memory module,
decrypts the read data with an encryption key corresponding to this data,
encrypts the decrypted data with an encryption key different from the one that has just been used to decrypt the data, and
writes the encrypted data in an area different from the given area;
wherein, the processor;
reads data from the first logical volume,
decrypts the read data with an encryption key assigned to the first logical volume,
encrypts the decrypted data with an encryption key assigned to the second logical volume, and
copies data in the first logical volume to the second logical volume by writing the encrypted data in the second logical volume;
wherein the first logical volume and the second logical volume are paired with each other as a copy pair,
wherein the processor;
when the host computer makes a request for write data in the first logical volume, encrypts the data to be written to the disk drive with an encryption key assigned to the first logical volume, and writes the encrypted data in the first logical volume and in the second logical volume, and
when there is a change in copy pair state, changes the encryption key assigned to the first logical volume to another encryption key, encrypts the write data with the replacement encryption key, and writes the encrypted data in the first logical volume.

2. A storage system comprising:
a host interface connected via a network to a host computer;
a disk interface connected to a disk drive;
a memory module that stores control information of the storage system and that functions as a cache memory;
a processor that controls the storage system;
a mature network that interconnects the host interface, the disk interface, the memory module, and the processor; and
an encryption module that encrypts data read/written by the host computer,
wherein the processor;
reads data from a given area of the disk drive or of the memory decrypts the read data with an encryption key corresponding to this data,
encrypts the decrypted data with an encryption key different from the one that has just been used to decrypt the data, and
writes the encrypted data in an area different from the given area;
wherein, when the host computer makes a request for update data, the processor module;
encrypts differential data, which represents a difference between data requested to be updated and updated data, with an encryption key corresponding to the differential data,
writes the encrypted data in the given area,
upon reception of a request for restore data from the host computer, obtains differential data corresponding to the request for restore data,
decrypts the obtained differential data,
restores, from the decrypted differential data, data corresponding to the request for restore data,
encrypts the restored data with an encryption key different from one corresponding to the differential data, and
writes the encrypted data in an area different from one where the differential data has been stored.
Specification