Encryption/decryption management method in computer system having storage hierarchy

US 7,716,496 B2
Filed: 11/16/2004
Issued: 05/11/2010
Est. Priority Date: 09/21/2004
Status: Expired due to Fees

First Claim

Patent Images

1. An encryption/decryption management method of a computer system, the computer system having:

one or more computers;

a data storage system including a first data storage apparatus, and a second data storage apparatus provided in a path between said one or more computers and said first data storage apparatus;

a management computer connected to the first data storage apparatus and the second data storage apparatus, a first encryption/decryption section provided with said first data storage apparatus, and a second encryption/decryption section provided with said second data storage apparatus, the first encryption/decryption section and the second encryption/decryption section having an encryption/decryption algorithm for both encrypting data to be stored in said data storage system and decrypting encrypted data from said data storage system, the encryption/decryption management method comprising;

said second data storage apparatus providing a data storage area of said first data storage apparatus as an area to be accessed by the computer as if the area of the first data storage apparatus is a data storage area of the second data storage apparatus,acquiring a first information which indicates a type of encryption algorithm used for encrypting data stored in data storage area which the first data storage apparatus has;

acquiring a second information which indicates an encryption algorithm supported by the second encryption/decryption section which the second data storage apparatus has;

determining, based on the first information and the second information, whether or not the second encryption/decryption section supports the encryption algorithm used for encrypting data stored in the data storage area which the first data storage apparatus has; and

if it is determined that the second encryption/decryption section supports the encryption algorithm,setting the first encryption/decryption section not to encrypt write data and not to decrypt read data, andsetting the second encryption/decryption section to encrypt write data and to decrypt read data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

When a computer system including a data storage apparatus having a data storage area storing encrypted data is modified to have plural encryption/decryption units, a computer cannot appropriately use the encrypted data storage area if a path including the encryption/decryption means is not adequately determined.

In a computer system having a computer 10, two or more data storage apparatuses 100 and 200 arranged hierarchically, plural encryption/decryption modules 199 and 299 on a path between the computer 10 and a data storage area 101, and a management computer 500 for managing the data storage apparatuses and the like, if there is an interoperability between the encryption/decryption modules 199 and 299 and the data storage area 101 is encrypted by the first encryption/decryption module 199, the computer 10 accesses the data storage area 101 using the second encryption/decryption module 299 (or an n-th encryption/decryption module closer to the computer than the second encryption/decryption module), rather than the first encryption/decryption module.

11 Citations

View as Search Results

10 Claims

1. An encryption/decryption management method of a computer system, the computer system having:
- one or more computers;
  
  a data storage system including a first data storage apparatus, and a second data storage apparatus provided in a path between said one or more computers and said first data storage apparatus;
  
  a management computer connected to the first data storage apparatus and the second data storage apparatus, a first encryption/decryption section provided with said first data storage apparatus, and a second encryption/decryption section provided with said second data storage apparatus, the first encryption/decryption section and the second encryption/decryption section having an encryption/decryption algorithm for both encrypting data to be stored in said data storage system and decrypting encrypted data from said data storage system, the encryption/decryption management method comprising;
  
  said second data storage apparatus providing a data storage area of said first data storage apparatus as an area to be accessed by the computer as if the area of the first data storage apparatus is a data storage area of the second data storage apparatus,acquiring a first information which indicates a type of encryption algorithm used for encrypting data stored in data storage area which the first data storage apparatus has;
  
  acquiring a second information which indicates an encryption algorithm supported by the second encryption/decryption section which the second data storage apparatus has;
  
  determining, based on the first information and the second information, whether or not the second encryption/decryption section supports the encryption algorithm used for encrypting data stored in the data storage area which the first data storage apparatus has; and
  
  if it is determined that the second encryption/decryption section supports the encryption algorithm,setting the first encryption/decryption section not to encrypt write data and not to decrypt read data, andsetting the second encryption/decryption section to encrypt write data and to decrypt read data.
- View Dependent Claims (2, 3, 4)
- - 2. The encryption/decryption management method according to claim 1, wherein the management computer comprises operations of:
    - setting a path including the first and second encryption/decryption sections for said computer to access said data storage system;
      
      performing configuration of encryption/decryption of the data storage system; and
      
      performing configurations of the first encryption/decryption section and the second encryption/decryption section according to an encryption/decryption algorithm of the first encryption/decryption section and an encryption/decryption algorithm of the second encryption/decryption section.
  - 3. The encryption/decryption management method according to claim 2, wherein the configurations of the first encryption/decryption section and the second encryption/decryption section include:
    - selecting whether or not to use the encryption/decryption algorithm of the first encryption/decryption section; and
      
      configuring the second encryption/decryption section so that the second encryption/decryption has an interoperability with the first encryption/decryption section.
  - 4. The encryption/decryption management method according to claim 1, comprising said first encryption/decryption section and said second encryption/decryption section performing encryption or decryption according to a same encryption/decryption algorithm.

5. A computer system, comprising:
- one or more computers;
  
  a first data storage apparatus that has at least one data storage area for any computer of said one or more computers to store data;
  
  a second data storage apparatus that is provided between said computer and said first data storage apparatus, with said computer, said first data storage apparatus and said second data storage apparatus being connected to each other via a network, anda management computer connected to the first data storage apparatus and the second data storage apparatus,wherein;
  
  said second data storage apparatus provides a data storage area of said first data storage apparatus as an area to be accessed by the computer as if the area of the first data storage apparatus is a data storage area of the second data storage apparatus,said first data storage apparatus has a first encryption/decryption section, and said second data storage apparatus has a second encryption/decryption section, anddata stored in data storage area which the first data storage apparatus has is encrypted by the first encryption/decryption section, andwherein the management computer;
  
  acquires a first information which indicates a type of encryption algorithm used for encrypting data stored in data storage area which the first data storage apparatus has;
  
  acquires a second information which indicates encryption algorithm supported by a second encryption/decryption section which the second data storage apparatus has;
  
  determines, based on the first information and the second information, whether or not the second encryption/decryption section supports the encryption algorithm used for encrypting data stored in the data storage area which the first data storage apparatus has; and
  
  if it is determined that the second encryption/decryption section supports the encryption algorithm,sets the first encryption/decryption section not to encrypt write data and not to decrypt read data, andsets the second encryption/decryption section to encrypt write data and to decrypt read data.
- View Dependent Claims (6, 7)
- - 6. The computer system according to claim 5, wherein said management computer makes a choice of whether to use the encryption/decryption algorithm of the encryption/decryption section for said first encryption/decryption section of said first data storage apparatus and/or said second encryption/decryption section of said second data storage apparatus.
  - 7. The computer system according to claim 5,wherein the management computer for managing encryption/decryption configurations of the data storage areas at least sets a path including the second data storage apparatus and the encryption/decryption section for said computer to access said data storage area, performs configurations of encryption/decryption of the data storage area, and performs configurations of the first encryption/decryption section and the second encryption/decryption section according to an encryption/decryption algorithm of the first encryption/decryption section and an encryption/decryption algorithm of the second encryption/decryption section.

8. A management computer in a computer system that includes one or more computers, a first data storage apparatus that has at least one data storage area for said computer to store data and a first encryption/decryption section, a second data storage apparatus that has a second encryption/decryption section and is located between said computer and said first data storage apparatus, wherein said second data storage apparatus provides a data storage area of said first data storage apparatus as an area to be accessed by the computer as if the area of the first data storage apparatus is a data storage area of the second data storage apparatus, andwherein the management computer:
- acquires a first information which indicates a type of encryption algorithm used for encrypting data stored in data storage area which the first data storage apparatus has;
  
  acquires a second information which indicates encryption algorithm supported by a second encryption/decryption section which the second data storage apparatus has;
  
  determines, based on the first information and the second information, whether or not the second encryption/decryption section supports the encryption algorithm used for encrypting data stored in the data storage area which the first data storage apparatus has; and
  
  if it is determined that the second encryption/decryption section supports the encryption algorithm,sets the first encryption/decryption section not to encrypt write data and not to decrypt read data, andsets the second encryption/decryption section to encrypt write data and to decrypt read data.
- View Dependent Claims (9, 10)
- - 9. The management computer in a computer system according to claim 8, wherein the management computer performs management in such a manner that the data encrypted by said second encryption/decryption section is written to said data storage area without using the first encryption/decryption section.
  - 10. The management computer in a computer system according to claim 8, wherein said management computer performs management in such a manner that a new data storage area is prepared in the second data storage apparatus, the data in said selected data storage area is read by decrypting the data using the first encryption/decryption section, the read data is encrypted by the second encryption/decryption section, and the data encrypted by the second encryption/decryption section is written to the data storage area prepared in the second data storage apparatus.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Miyazaki, Fumi, Kaneda, Yasunori, Taguchi, Yuichi
Primary Examiner(s)
Shiferaw; Eleni A
Assistant Examiner(s)
Louie; Oscar A

Application Number

US10/988,538
Publication Number

US 20060062383A1
Time in Patent Office

2,002 Days
Field of Search

None
US Class Current

713/193
CPC Class Codes

G06F 21/805   using a security table for ...

G06F 3/0622   in relation to access

G06F 3/0635   by changing the path, e.g. ...

G06F 3/0637   Permissions

G06F 3/067   Distributed or networked st...

H04L 2209/60   Digital content management,...

H04L 9/0836   using tree structure or hie...

Encryption/decryption management method in computer system having storage hierarchy

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

11 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Encryption/decryption management method in computer system having storage hierarchy

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links