Encryption/decryption management method in computer system having storage hierarchy
First Claim
1. An encryption/decryption management method of a computer system, the computer system having:
- one or more computers;
a data storage system including a first data storage apparatus, and a second data storage apparatus provided in a path between said one or more computers and said first data storage apparatus;
a management computer connected to the first data storage apparatus and the second data storage apparatus, a first encryption/decryption section provided with said first data storage apparatus, and a second encryption/decryption section provided with said second data storage apparatus, the first encryption/decryption section and the second encryption/decryption section having an encryption/decryption algorithm for both encrypting data to be stored in said data storage system and decrypting encrypted data from said data storage system, the encryption/decryption management method comprising;
said second data storage apparatus providing a data storage area of said first data storage apparatus as an area to be accessed by the computer as if the area of the first data storage apparatus is a data storage area of the second data storage apparatus,
acquiring a first information which indicates a type of encryption algorithm used for encrypting data stored in data storage area which the first data storage apparatus has;
acquiring a second information which indicates an encryption algorithm supported by the second encryption/decryption section which the second data storage apparatus has;
determining, based on the first information and the second information, whether or not the second encryption/decryption section supports the encryption algorithm used for encrypting data stored in the data storage area which the first data storage apparatus has; and
if it is determined that the second encryption/decryption section supports the encryption algorithm, setting the first encryption/decryption section not to encrypt write data and not to decrypt read data, and setting the second encryption/decryption section to encrypt write data and to decrypt read data.
Abstract
When a computer system including a data storage apparatus having a data storage area storing encrypted data is modified to have plural encryption/decryption units, a computer cannot appropriately use the encrypted data storage area if a path including the encryption/decryption means is not adequately determined.
In a computer system having a computer 10, two or more data storage apparatuses 100 and 200 arranged hierarchically, plural encryption/decryption modules 199 and 299 on a path between the computer 10 and a data storage area 101, and a management computer 500 for managing the data storage apparatuses and the like, if the encryption/decryption modules 199 and 299 are interoperable and the data storage area 101 is encrypted by the first encryption/decryption module 199, the computer 10 accesses the data storage area 101 using the second encryption/decryption module 299 (or an n-th encryption/decryption module closer to the computer than the second encryption/decryption module), rather than the first encryption/decryption module.
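The selection step described in the abstract can be sketched as follows. This is an added example, not code from the patent: the class, function and algorithm names are hypothetical, it generalizes the two-apparatus case to a path of n sections, and keeping the innermost section active when no outer section qualifies is an assumption of the sketch.

```python
from dataclasses import dataclass


@dataclass
class CryptoSection:
    """Encryption/decryption section of one storage apparatus (hypothetical model)."""
    apparatus: str
    supported: frozenset          # "second information": algorithms this section supports
    encrypt_writes: bool = False
    decrypt_reads: bool = False

    @property
    def active(self) -> bool:
        return self.encrypt_writes and self.decrypt_reads


def assign_crypto_section(area_algorithm: str, path: list) -> CryptoSection:
    """Choose which section on the path encrypts/decrypts for one storage area.

    area_algorithm: "first information", the algorithm protecting the stored data.
    path: sections ordered from the apparatus holding the area (index 0)
          towards the computer (last index).
    """
    if not path or area_algorithm not in path[0].supported:
        raise ValueError("innermost section must support the area's algorithm")

    # Prefer the supporting section closest to the computer. Keeping the
    # innermost section when no outer one qualifies is this sketch's assumption.
    chosen = path[0]
    for section in reversed(path[1:]):
        if area_algorithm in section.supported:
            chosen = section
            break

    # Exactly one section may transform data: two active sections would
    # double-encrypt writes, none would hand ciphertext to the computer.
    for section in path:
        section.encrypt_writes = section.decrypt_reads = section is chosen
    if sum(s.active for s in path) != 1:
        raise RuntimeError("path must have exactly one active section")
    return chosen


# Constructed sample: apparatus 100 holds the area, apparatus 200 fronts it.
first = CryptoSection("apparatus-100", frozenset({"AES-256-XTS"}), True, True)
second = CryptoSection("apparatus-200", frozenset({"AES-256-XTS", "AES-128-CBC"}))
print(assign_crypto_section("AES-256-XTS", [first, second]).apparatus)
```

Key handover between sections is not modelled here; the sketch covers only the algorithm-support decision and the resulting on/off settings.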
10 Claims
5. A computer system, comprising:
one or more computers;
a first data storage apparatus that has at least one data storage area for any computer of said one or more computers to store data;
a second data storage apparatus that is provided between said computer and said first data storage apparatus, with said computer, said first data storage apparatus and said second data storage apparatus being connected to each other via a network, and a management computer connected to the first data storage apparatus and the second data storage apparatus, wherein;
said second data storage apparatus provides a data storage area of said first data storage apparatus as an area to be accessed by the computer as if the area of the first data storage apparatus is a data storage area of the second data storage apparatus, said first data storage apparatus has a first encryption/decryption section, and said second data storage apparatus has a second encryption/decryption section, and data stored in data storage area which the first data storage apparatus has is encrypted by the first encryption/decryption section, and wherein the management computer;
acquires a first information which indicates a type of encryption algorithm used for encrypting data stored in data storage area which the first data storage apparatus has;
acquires a second information which indicates encryption algorithm supported by a second encryption/decryption section which the second data storage apparatus has;
determines, based on the first information and the second information, whether or not the second encryption/decryption section supports the encryption algorithm used for encrypting data stored in the data storage area which the first data storage apparatus has; and
if it is determined that the second encryption/decryption section supports the encryption algorithm, sets the first encryption/decryption section not to encrypt write data and not to decrypt read data, and sets the second encryption/decryption section to encrypt write data and to decrypt read data.
8. A management computer in a computer system that includes one or more computers, a first data storage apparatus that has at least one data storage area for said computer to store data and a first encryption/decryption section, a second data storage apparatus that has a second encryption/decryption section and is located between said computer and said first data storage apparatus, wherein said second data storage apparatus provides a data storage area of said first data storage apparatus as an area to be accessed by the computer as if the area of the first data storage apparatus is a data storage area of the second data storage apparatus, and
wherein the management computer:
acquires a first information which indicates a type of encryption algorithm used for encrypting data stored in data storage area which the first data storage apparatus has;
acquires a second information which indicates encryption algorithm supported by a second encryption/decryption section which the second data storage apparatus has;
determines, based on the first information and the second information, whether or not the second encryption/decryption section supports the encryption algorithm used for encrypting data stored in the data storage area which the first data storage apparatus has; and
if it is determined that the second encryption/decryption section supports the encryption algorithm, sets the first encryption/decryption section not to encrypt write data and not to decrypt read data, and sets the second encryption/decryption section to encrypt write data and to decrypt read data.
Specification