Encryption of data in storage systems

US 7,752,676 B2
Filed: 04/18/2006
Issued: 07/06/2010
Est. Priority Date: 04/18/2006
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, by a computational device, a request to access data from a requestor, wherein the data is legacy data that is stored in a storage unit, wherein the legacy data is pre-existing data, wherein the legacy data is stored in the storage unit in an unencrypted state at least until the time an attempt is made to access the legacy data, and wherein data that is not legacy data is stored in the storage unit in an encrypted state;

determining, by the computational device, that the requestor is authorized to access the data;

determining, by the computational device, that the data is not encrypted, in response to determining that the requestor is authorized to access the data;

requesting, by the computational device, an encryption key from the requestor, in response to determining that the data is not encrypted;

receiving the encryption key from the requestor;

encrypting the data by using the encryption key; and

migrating all legacy data stored in the storage unit to encrypted data stored in the storage unit over an extended period of time.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are a method, system and article of manufacture, wherein a request to access data is received from a requestor. A determination is made as to whether the requestor is authorized to access the data. In response to determining that the requestor is authorized to access the data, a determination is made as to whether the data is encrypted. An encryption key is requested from the requester, in response to determining that the data is not encrypted.

Citations

18 Claims

1. A method, comprising:
- receiving, by a computational device, a request to access data from a requestor, wherein the data is legacy data that is stored in a storage unit, wherein the legacy data is pre-existing data, wherein the legacy data is stored in the storage unit in an unencrypted state at least until the time an attempt is made to access the legacy data, and wherein data that is not legacy data is stored in the storage unit in an encrypted state;
  
  determining, by the computational device, that the requestor is authorized to access the data;
  
  determining, by the computational device, that the data is not encrypted, in response to determining that the requestor is authorized to access the data;
  
  requesting, by the computational device, an encryption key from the requestor, in response to determining that the data is not encrypted;
  
  receiving the encryption key from the requestor;
  
  encrypting the data by using the encryption key; and
  
  migrating all legacy data stored in the storage unit to encrypted data stored in the storage unit over an extended period of time.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, further comprising:
    - requesting a decryption key from the requester, in response to subsequent requests for accessing the data, wherein the requestor is a host application that executes in a host that is coupled to the computational device, and wherein the host has both the encryption key and the decryption key.
  - 3. The method of claim 1, wherein the request to access the data is made by addressing a logical unit, a file, a byte, a record, a block, a volume or an entire subsystem that includes the data.

4. A system, comprising:
- memory; and
  
  processor coupled to the memory, wherein the processor executes;
  
  receiving, from a requestor, a request to access data, wherein the data is legacy data that is stored in a storage unit, wherein the legacy data is pre-existing data, wherein the legacy data is stored in the storage unit in an unencrypted state at least until the time an attempt is made to access the legacy data, and wherein data that is not legacy data is stored in the storage unit in an encrypted state;
  
  determining that the requestor is authorized to access the data;
  
  determining that the data is not encrypted, in response to determining that the requestor is authorized to access the data;
  
  requesting an encryption key from the requestor, in response to determining that the data is not encrypted;
  
  receiving the encryption key from the requestor;
  
  encrypting the data by using the encryption key; and
  
  migrating all legacy data stored in the storage unit to encrypted data stored in the storage unit over an extended period of time.
- View Dependent Claims (5, 6)
- - 5. The system of claim 4, wherein the processor further executes:
    - requesting a decryption key from the requestor, in response to subsequent requests for accessing the data, wherein the requestor is a host application that executes in a host that is coupled to the computational device, and wherein the host has both the encryption key and the decryption key.
  - 6. The system of claim 4, wherein the request to access the data is made by addressing a logical unit, a file, a byte, a record, a block, a volume or an entire subsystem that includes the data.

7. A system, comprising:
- a processor;
  
  a host; and
  
  a storage subsystem having the processor, wherein the storage subsystem receives from the host a request to access data, wherein the data is legacy data that is stored in a storage unit, wherein the legacy data is pre-existing data, wherein the legacy data is stored in the storage unit in an unencrypted state at least until the time an attempt is made to access the legacy data, and wherein data that is not legacy data is stored in the storage unit in an encrypted state, wherein the storage subsystem determines that the host is authorized to access the data, wherein the storage subsystem determines that the data is not encrypted, in response to determining that the host is authorized to access the data, wherein the storage subsystem requests an encryption key, in response to determining that the data is not encrypted, wherein the storage subsystem receives the encryption key from the host, wherein the storage subsystem encrypts the data by using the encryption key, and wherein the storage subsystem migrates all legacy data stored in the storage unit to encrypted data stored in the storage unit over an extended period of time.
- View Dependent Claims (8, 9)
- - 8. The system of claim 7, wherein the storage system further performs:
    - requesting a decryption key from the host, in response to subsequent requests for accessing the data, and wherein the host has both the encryption key and the decryption key.
  - 9. The system of claim 7, wherein the request to access the data is made by addressing a logical unit, a file, a byte, a record, a block or a volume.

10. A computer readable storage medium, wherein code stored in the computer readable storage medium when executed by a machine causes operations, the operations comprising:
- receiving, from a requestor, a request to access data, wherein the data is legacy data that is stored in a storage unit, wherein the legacy data is pre-existing data, wherein the legacy data is stored in the storage unit in an unencrypted state at least until the time an attempt is made to access the legacy data, and wherein data that is not legacy data is stored in the storage unit in an encrypted state;
  
  determining that the requestor is authorized to access the data;
  
  determining that the data is not encrypted, in response to determining that the requestor is authorized to access the data;
  
  requesting an encryption key from the requestor, in response to determining that the data is not encrypted;
  
  receiving the encryption key from the requestor;
  
  encrypting the data by using the encryption key; and
  
  migrating all legacy data stored in the storage unit to encrypted data stored in the storage unit over an extended period of time.
- View Dependent Claims (11, 12)
- - 11. The computer readable storage medium of claim 10, the operations further comprising:
    - requesting a decryption key from the requestor, in response to subsequent requests for accessing the data, wherein the requestor is a host application that executes in a host that is coupled to the computational device, and wherein the host has both the encryption key and the decryption key.
  - 12. The computer readable storage medium of claim 10, wherein the request to access the data is made by addressing a logical unit, a file, a byte, a record, a block, a volume or an entire subsystem that includes the data.

13. A method for deploying computer infrastructure, comprising integrating computer-readable code into a controller, wherein the code in combination with the controller performs:
- receiving, by the controller, a request to access data from a requestor, wherein the data is legacy data that is stored in a storage unit, wherein the legacy data is pre-existing data, wherein the legacy data is stored in the storage unit in an unencrypted state at least until the time an attempt is made to access the legacy data, and wherein data that is not legacy data is stored in the storage unit in an encrypted state;
  
  determining, by the controller, that the requestor is authorized to access the data;
  
  determining, by the controller, that the data is not encrypted, in response to determining that the requestor is authorized to access the data;
  
  requesting, by the controller, an encryption key from the requestor, in response to determining that the data is not encrypted;
  
  receiving the encryption key from the requestor;
  
  encrypting the data by using the encryption key; and
  
  migrating all legacy data stored in the storage unit to encrypted data stored in the storage unit over an extended period of time.
- View Dependent Claims (14, 15)
- - 14. The method of claim 13, wherein the code in combination with the controller performs:
    - requesting a decryption key from the requestor, in response to subsequent requests for accessing the data, wherein the requestor is a host application that executes in a host that is coupled to the computational device, and wherein the host has both the encryption key and the decryption key.
  - 15. The method of claim 13, wherein the request to access the data is made by addressing a logical unit, a file, a byte, a record, a block, a volume or an entire subsystem that includes the data.

16. A system, comprising:
- a processor;
  
  means for receiving, by the processor, a request to access data from a requestor, wherein the data is legacy data that is stored in a storage unit, wherein the legacy data is pre-existing data, wherein the legacy data is stored in the storage unit in an unencrypted state at least until the time an attempt is made to access the legacy data, and wherein data that is not legacy data is stored in the storage unit in an encrypted state;
  
  means for determining, by the processor, that the requestor is authorized to access the data;
  
  means for determining, by the processor, that the data is not encrypted, in response to determining that the requestor is authorized to access the data;
  
  means for requesting, by the processor, an encryption key from the requestor, in response to determining that the data is not encrypted;
  
  means for receiving the encryption key from the requestor;
  
  means for encrypting the data by using the encryption key; and
  
  means for migrating all legacy data stored in the storage unit to encrypted data stored in the storage unit over an extended period of time.
- View Dependent Claims (17, 18)
- - 17. The system of claim 16, further comprising:
    - means for requesting a decryption key from the requestor, in response to subsequent requests for accessing the data, wherein the requestor is a host application that executes in a host that is coupled to the computational device, and wherein the host has both the encryption key and the decryption key.
  - 18. The system of claim 16, wherein the request to access the data is made by addressing a logical unit, a file, a byte, a record, a block, a volume or an entire subsystem that includes the data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Hsu, Yu-Cheng, Hartung, Michael Howard, Kern, Robert Frederic
Primary Examiner(s)
Simitoski; Michael J

Application Number

US11/406,661
Publication Number

US 20070256142A1
Time in Patent Office

1,540 Days
Field of Search

726/28, 726/26, 713/165, 713/191, 713/193
US Class Current

726/28
CPC Class Codes

G06F 21/604 Tools and structures for ma...

G06F 2221/2107 File encryption

Encryption of data in storage systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Encryption of data in storage systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links