System and method for providing encryption in storage operations in a storage network, such as for use by application service providers that provide data storage services

US 7,739,381 B2
Filed: 08/22/2007
Issued: 06/15/2010
Est. Priority Date: 03/11/1998
Status: Expired due to Fees

First Claim

Patent Images

1. A method for storing data belonging to a customer of an application service provider, the method comprising:

when storing data belonging to the customer of the application service provider is requested;

generating an encryption key associated with the data belonging to the customer of the application service provider;

encrypting the data belonging to the customer of the application service provider using the generated encryption key to create encrypted data;

storing the encrypted data in a data center belonging to and controlled by the application service provider;

encrypting the encryption key to create an encrypted encryption key,wherein a password or other information set by the customer is required to decrypt the encrypted encryption key; and

storing the encrypted encryption key, wherein the encrypted encryption key is accessible to allow the encrypted data stored in the data center belonging to and controlled by the application service provider to be restored during a subsequent restore operation;

wherein the password or other information for decrypting the encrypted encryption key is set by the customer without the application service provider'"'"'s knowledge, and wherein the application service provider is unable to decrypt the encrypted data stored in the data center belonging to and controlled by the application service provider without first receiving the password or other information from the customer.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with embodiments of the invention, a method is provided for performing a storage operation in a pipeline storage system in which one or more data streams containing data to be stored are written into data chunks. The method includes generating an encryption key associated with a first archive file to be stored when encryption is requested for the storage operation, encrypting the archive data from the data stream using the encryption key to create an encrypted data chunk when a data stream containing the archive file is processed in the pipeline storage system, storing the encrypted data chunk on a storage medium, and storing the encryption key in a manner accessible during a restore operation of the encrypted data chunk.

144 Citations

View as Search Results

12 Claims

1. A method for storing data belonging to a customer of an application service provider, the method comprising:
- when storing data belonging to the customer of the application service provider is requested;
  
  generating an encryption key associated with the data belonging to the customer of the application service provider;
  
  encrypting the data belonging to the customer of the application service provider using the generated encryption key to create encrypted data;
  
  storing the encrypted data in a data center belonging to and controlled by the application service provider;
  
  encrypting the encryption key to create an encrypted encryption key,wherein a password or other information set by the customer is required to decrypt the encrypted encryption key; and
  
  storing the encrypted encryption key, wherein the encrypted encryption key is accessible to allow the encrypted data stored in the data center belonging to and controlled by the application service provider to be restored during a subsequent restore operation;
  
  wherein the password or other information for decrypting the encrypted encryption key is set by the customer without the application service provider'"'"'s knowledge, and wherein the application service provider is unable to decrypt the encrypted data stored in the data center belonging to and controlled by the application service provider without first receiving the password or other information from the customer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the method is performed in a pipeline storage system comprising a plurality of processes arranged in stages including an encryption process, and wherein encrypting the data is performed by the encryption process.
  - 3. The method of claim 1, further comprising restoring the encrypted data stored in the data center belonging to and controlled by the application service provider using the password or other information for decrypting the encrypted encryption key, wherein the password or other information for decrypting the encrypted encryption key is contained in a file kept on a data agent belonging to and controlled by the customer of the application service provider, and wherein restoring the encrypted data is performed by a restore process which uses the password or other information contained in the file to decrypt the encrypted encryption key.
  - 4. The method of claim 1, wherein storing the encrypted encryption key comprises storing the encrypted encryption key on a storage medium in the data center belonging to and controlled by the application service provider on which the encrypted data is stored.
  - 5. The method of claim 1, wherein the method is performed in a pipeline storage system, wherein the method comprises storing on a first storage device an index of storage media used by the pipeline storage system, and wherein storing the encrypted encryption key comprises storing the encrypted encryption key on the first storage device.
  - 6. The method of claim 1, wherein the method is performed in a pipeline storage system, wherein the pipeline storage system includes a storage management component, and wherein storing the encrypted encryption key comprises storing the encryption key on the storage management component.
  - 7. The method of claim 1, further comprising inserting a tag in the encrypted data indicating that the encrypted data is encrypted.
  - 8. The method of claim 7, further comprising inserting the encrypted encryption key in the tag in the encrypted data.

9. A storage management system for storing data belonging to a customer of an application service provider, the system comprising:
- means for generating an encryption key associated with data belonging to the customer of the application service provider;
  
  means for encrypting the data belonging to the customer of the application service provider using the generated encryption key to create encrypted data;
  
  means for storing the encrypted data in a data center belonging to and controlled by the application service provider;
  
  means for encrypting the encryption key to create an encrypted encryption key such that a password or other information set by the customer is required to decrypt the encrypted encryption key; and
  
  means for storing the encrypted encryption key such that the encrypted encryption key is accessible to allow the encrypted data stored in the data center belonging to and controlled by the application service provider to be restored during a subsequent restore operation;
  
  wherein the system is configured such that the password or other information for decrypting the encrypted encryption key is set by the customer without the application service provider'"'"'s knowledge, so that the application service provider is unable to decrypt the encrypted data stored in the data center belonging to and controlled by the application service provider without receiving the password or other information from the customer.
- View Dependent Claims (10)
- - 10. The system of claim 9, further comprising means for restoring the encrypted data stored in the data center belonging to and controlled by the application service provider using the password or other information for decrypting the encrypted encryption key, wherein the password or other information for decrypting the encrypted encryption key is contained in a file kept on a data agent belonging to and controlled by the customer of the application service provider, and wherein the means for restoring the encrypted data includes a restore process which uses the password or other information contained in the file to decrypt the encrypted encryption key.

11. A computer-readable medium whose contents cause a data storage system to perform a method for storing data belonging to a customer of a service provider, wherein services of the service provider are provided via a computer network, the method comprising:
- generating an encryption key associated with data belonging to the customer of the service provider;
  
  encrypting the data belonging to the customer of the service provider using the generated encryption key to create encrypted data;
  
  storing the encrypted data in a data center belonging to and controlled by the service provider;
  
  encrypting the encryption key to create an encrypted encryption key, wherein a password or other information set by the customer is required to decrypt the encrypted encryption key; and
  
  storing the encrypted encryption key, wherein the encrypted encryption key is accessible to allow the encrypted data stored in the data center belonging to and controlled by the service provider to be restored during a subsequent restore operation;
  
  wherein the password or other information for decrypting the encrypted encryption key is set by the customer without the service provider'"'"'s knowledge, and wherein the service provider is unable to decrypt the encrypted data stored in the data center belonging to and controlled by the service provider without first receiving the password or other information from the customer.
- View Dependent Claims (12)
- - 12. The computer-readable medium of claim 11, wherein the method further comprises restoring the encrypted data stored in the data center belonging to and controlled by the service provider using the password or other information for decrypting the encrypted encryption key, wherein the password or other information for decrypting the encrypted encryption key is contained in a file kept on a data agent belonging to and controlled by the customer of the service provider, and wherein restoring the encrypted data is performed by a restore process which uses the password or other information contained in the file to decrypt the encrypted encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CommVault Systems Incorporated
Original Assignee
CommVault Systems Incorporated
Inventors
Amarendran, Arun, Ignatius, Paul, Prahlad, Anand, Kottomtharayil, Rajiv, Retnamma, Manoj Vijayan, Tyagarajan, Mahesh
Primary Examiner(s)
Kang; Paul H

Application Number

US11/843,453
Publication Number

US 20080037777A1
Time in Patent Office

1,028 Days
Field of Search

709/225, 709/229, 713/171
US Class Current

709/225
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

H04L 2209/125   Parallelization or pipelini...

H04L 9/0625   with splitting of the data ...

H04L 9/0894   Escrow, recovery or storing...

System and method for providing encryption in storage operations in a storage network, such as for use by application service providers that provide data storage services

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

144 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing encryption in storage operations in a storage network, such as for use by application service providers that provide data storage services

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

144 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links