Techniques for protecting data using an electronic encryption endpoint device

US 8,010,810 B1
Filed: 12/27/2007
Issued: 08/30/2011
Est. Priority Date: 12/27/2007
Status: Active Grant

First Claim

Patent Images

1. A data storage array, comprising:

a storage processor device;

a set of storage devices; and

an electronic encryption endpoint device having (i) a management interface coupled to the storage processor device, (ii) a storage device interface coupled to the set of storage devices, and (iii) a controller interconnected between the management interface and the storage device interface, the controller being arranged to;

receive a key encryption key through the management interface,decrypt a portion of a key table entry of a key table using the key encryption key to extract a data encryption key from the portion of the key table entry, the data encryption key being initially encrypted within the portion of the key table entry prior to decrypting the key table entry, andencrypt data from the storage processor device using the data encryption key and store the encrypted data in the set of storage devices through the storage device interface.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An electronic encryption endpoint device includes a management interface, a storage device interface and a controller. The management interface is capable of operating as a control interface (e.g., connecting to an array controller). The storage device interface is arranged to communicate with a set of storage devices. The controller is arranged to (i) receive a key encryption key through the management interface, (ii) decrypt a portion of a key table entry of a key table using the key encryption key to extract a data encryption key from the portion of the key table entry, the data encryption key being initially encrypted within the portion of the key table entry prior to decrypting the portion of the key table entry, and (iii) encrypt data using the data encryption key and store the encrypted data in the set of storage devices through the storage device interface.

53 Citations

View as Search Results

25 Claims

1. A data storage array, comprising:
- a storage processor device;
  
  a set of storage devices; and
  
  an electronic encryption endpoint device having (i) a management interface coupled to the storage processor device, (ii) a storage device interface coupled to the set of storage devices, and (iii) a controller interconnected between the management interface and the storage device interface, the controller being arranged to;
  
  receive a key encryption key through the management interface,decrypt a portion of a key table entry of a key table using the key encryption key to extract a data encryption key from the portion of the key table entry, the data encryption key being initially encrypted within the portion of the key table entry prior to decrypting the key table entry, andencrypt data from the storage processor device using the data encryption key and store the encrypted data in the set of storage devices through the storage device interface.
- View Dependent Claims (2, 3, 4)
- - 2. A data storage array as in claim 1 wherein the key table is disposed within the storage processor device;
    - and wherein the controller of the electronic encryption endpoint device, when decrypting the portion of the key table entry of the key table using the key encryption key to extract the data encryption key from the portion of the key table entry, is arranged to;
      
      receive the portion of the key table entry from the storage processor device through the management interface while the data encryption key remains encrypted within the portion of the key table entry, andapply the key encryption key to the portion of the key table entry to obtain the data encryption key in non-encrypted form within the electronic encryption endpoint device.
  - 3. A data storage array as in claim 2 wherein the portion of the key table entry originates from a key server;
    - and wherein the controller of the electronic encryption endpoint device, when receiving the portion of the key table entry from the storage processor device while the data encryption key remains encrypted within the portion of the key table entry, is arranged to;
      
      acquire the portion of the key table entry with the data encryption key having been preserved in encrypted form until the portion of the key table entry reaches the electronic encryption endpoint device to provide a secure pathway for the data encryption key from the key server to the electronic encryption endpoint device through the storage processor device.
  - 4. A data storage array as in claim 2 wherein the electronic encryption endpoint device is an input/output (I/O) module which is interconnected between the storage processor device and the set of storage devices;
    - wherein the storage processor device is arranged to process data storage operations from an external host device; and
      
      wherein the controller of the electronic encryption endpoint device, when encrypting the data using the data encryption key and storing the encrypted data in the set of storage devices, is arranged to;
      
      in response to a host write instruction provided from the external host device, (i) encrypt host data provided by the external host device and (ii) write the encrypted host data from the I/O module to the set of storage devices.

5. An electronic encryption endpoint device, comprising:
- a management interface;
  
  a storage device interface arranged to communicate with a set of storage devices; and
  
  a controller interconnected between the management interface and the storage device interface, the controller being arranged to;
  
  receive a key encryption key through the management interface,decrypt a portion of a key table entry of a key table using the key encryption key to extract a data encryption key from the portion of the key table entry, the data encryption key being initially encrypted within the portion of the key table entry prior to decrypting the key table entry, andencrypt the data using the data encryption key and store the encrypted data in the set of storage devices through the storage device interface.
- View Dependent Claims (6, 7, 8)
- - 6. An electronic encryption endpoint device as in claim 5 wherein the key table is disposed within a storage processor device;
    - wherein the management interface is arranged to communicate with the storage processor device; and
      
      wherein the controller, when decrypting the portion of the key table entry of the key table using the key encryption key to extract the data encryption key from the portion of the key table entry, is arranged to;
      
      receive the portion of the key table entry from the storage processor device through the management interface while the data encryption key remains encrypted within the portion of the key table entry, andapply the key encryption key to the portion of the key table entry to obtain the data encryption key in non-encrypted form within the electronic encryption endpoint device.
  - 7. An electronic encryption endpoint device as in claim 6 wherein the portion of the key table entry originates from a key server;
    - and wherein the controller, when receiving the portion of the key table entry from the storage processor device while the data encryption key remains encrypted within the portion of the key table entry, is arranged to;
      
      acquire the portion of the key table entry with the data encryption key having been preserved in encrypted form until the portion of the key table entry reaches the electronic encryption endpoint device to provide a secure pathway for the data encryption key from the key server to the electronic encryption endpoint device through the storage processor device.
  - 8. An electronic encryption endpoint device as in claim 6 wherein the electronic encryption endpoint device is an input/output (I/O) module which is interconnected between the storage processor device and the set of storage devices;
    - and wherein the controller, when encrypting the data using the data encryption key and storing the encrypted data in the set of storage devices, is arranged to;
      
      in response to a host write instruction provided from an external host device, (i) encrypt host data provided by the external host device and (ii) write the encrypted host data from the I/O module to the set of storage devices.

9. A method of protecting data, the method comprising:
- at an electronic encryption endpoint device, receiving a key encryption key;
  
  at the electronic encryption endpoint device, decrypting a portion of a key table entry of a key table using the key encryption key to extract a data encryption key from the portion of the key table entry, the data encryption key being initially encrypted within the portion of the key table entry prior to decrypting the key table entry; and
  
  at the electronic encryption endpoint device, encrypting the data using the data encryption key and storing the encrypted data in a set of storage devices.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 10. A method as in claim 9 wherein the key table resides within a storage processor device coupled to the electronic encryption endpoint device;
    - and wherein decrypting the portion of the key table entry of the key table using the key encryption key to extract the data encryption key from the key table entry includes;
      
      receiving the portion of the key table entry from the storage processor device while the data encryption key remains encrypted within the portion of the key table entry, andapplying the key encryption key to the portion of the key table entry to obtain the data encryption key in non-encrypted form within the electronic encryption endpoint device.
  - 11. A method as in claim 10 wherein the portion of the key table entry originates from a key server;
    - and wherein receiving the portion of the key table entry from the storage processor device while the data encryption key remains encrypted within the key table entry includes;
      
      acquiring the portion of the key table entry with the data encryption key having been preserved in encrypted form until the portion of the key table entry reaches the electronic encryption endpoint device to provide a secure pathway for the data encryption key from the key server to the electronic encryption endpoint device through the storage processor device.
  - 12. A method as in claim 10 wherein the electronic encryption endpoint device is an input/output (I/O) module which is interconnected between the storage processor device and the set of storage devices;
    - and wherein encrypting the data using the data encryption key and storing the encrypted data in the set of storage devices includes;
      
      in response to a host write instruction from an external host device, (i) encrypting host data provided by the external host device and (ii) writing the encrypted host data from the I/O module to the set of storage devices.
  - 13. A method as in claim 12 wherein the set of storage devices include physical disk drive devices;
    - wherein key table entries of the key table contain data encryption keys corresponding to the physical disk drive devices; and
      
      wherein writing the encrypted host data from the I/O module to the set of storage devices includes;
      
      storing the host data to a particular physical disk drive device corresponding to the data encryption key used to encrypt the data.
  - 14. A method as in claim 12 wherein the set of storage devices include physical disk drive devices;
    - wherein key table entries of the key table contain data encryption keys corresponding to logical unit numbers mapped across the physical disk drive devices; and
      
      wherein writing the encrypted host data from the I/O module to the set of storage devices includes;
      
      writing the host data to a particular logical unit number mapped across the physical disk drive devices, the particular logical unit number corresponding to the data encryption key used to encrypt the data.
  - 15. A method as in claim 12 wherein the set of storage devices include physical disk drive devices;
    - wherein key table entries of the key table contain data encryption keys corresponding to hypervolumes mapped to portions of the physical disk drive devices; and
      
      wherein writing the encrypted host data from the I/O module to the set of storage devices includes;
      
      writing the host data to a particular hypervolume mapped to a portion of a particular physical disk drive device, the particular hypervolume corresponding to the data encryption key used to encrypt the data.
  - 16. A method as in claim 10, further comprising:
    - running a data storage application on the storage processor device, the data storage application being arranged to carry out data storage operations on behalf of a set of host devices; and
      
      running a dedicated key client on the storage processor device, the dedicated key client operating as an interface between the data storage application and a key server which is arranged to provide portions of key table entries which form the key table.
  - 17. A method as in claim 16 wherein running the data storage application on the storage processor device includes:
    - managing key table entries forming the key table, the key table entries containing data encryption keys in encrypted form.
  - 18. A method as in claim 17 wherein the key table entries have unique key identifier handles;
    - and wherein managing key table entries includes;
      
      accessing the key table entries based on requests from the electronic encryption endpoint device, the requests identifying the key table entries using the unique key identifier handles.
  - 19. A method as in claim 17 wherein the key table entries further contain integrity checking metadata in encrypted form;
    - and wherein applying the key encryption key to the portion of the key table entry to obtain the data encryption key in non-encrypted form within the electronic encryption endpoint device includes;
      
      decrypting integrity checking metadata from the portion of the key table entry and confirming integrity of the device encryption key obtained from the portion of the key table entry based on the decrypted integrity checking metadata.
  - 20. A method as in claim 10 wherein the electronic encrypting endpoint device initially includes memory which stores an initial key;
    - and wherein receiving the key encryption key includes;
      
      decrypting an encrypted transmission from the storage processor device to the electronic encrypting endpoint device using the initial key to obtain the key encryption key; and
      
      replacing the initial key in the memory with the key encryption key.
  - 21. A method as in claim 20 wherein the memory includes persistent storage;
    - and wherein replacing the initial key in the memory includes;
      
      overwriting the initial key with the key encryption key in the persistent storage.
  - 22. A method as in claim 10, further comprising:
    - managing the key table within the storage processor device, the key table including (i) the key table entry containing the data encryption key which is initially encrypted within the key table entry prior to decrypting the key table entry, the data encryption key being encrypted within the key table entry by the key encryption key, and (ii) another key table entry containing the data encryption key which is initially encrypted within the key table entry prior to decrypting the key table entry, the data encryption key being encrypted within the other key table entry by another key encryption key which is different than the key encryption key.
  - 23. A method as in claim 22 wherein the electronic encryption endpoint device locally stores the key encryption key;
    - wherein the other electronic encryption endpoint device locally stores the other key encryption key; and
      
      wherein the method further comprises;
      
      at the other electronic encryption endpoint device, decrypting a portion of the other key table entry using the other key encryption key to obtain the data encryption key.
  - 24. A method as in claim 9, further comprising:
    - applying a Redundant Array of Inexpensive Disks (RAID) level scheme to an initial portion of data to generate multiple RAID portions of the data; and
      
      wherein encrypting the data using the data encryption key and storing the encrypted data in the set of storage devices includes;
      
      after applying the RAID level scheme, encrypting a RAID portion of the data and writing the encrypted RAID portion of the data to the set of storage devices.
  - 25. A method as in claim 9 wherein, prior to decrypting the portion of the key table entry at the electronic encryption endpoint device, circuitry which is external to the electronic encryption endpoint device stores the key table entry in the key table during an operation which is performed out-of-band with respect to the electronic encryption endpoint device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Harwood, Jack S., Linnell, Thomas E., Fitzgerald, John T.
Primary Examiner(s)
CHEA, PHILIP J

Application Number

US11/965,244
Time in Patent Office

1,342 Days
Field of Search

380/273, 380277-279
US Class Current

713/193
CPC Class Codes

G06F 21/6209   to a single file or object,...

H04L 9/0822   using key encryption key

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

Techniques for protecting data using an electronic encryption endpoint device

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

53 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for protecting data using an electronic encryption endpoint device

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links