Sub-volume level security for deduplicated data
First Claim
1. A network storage system comprising:
- a hardware-implemented processor;
- a storage manager, operatively coupled to the processor, to service requests to access data stored in a persistent mass storage facility;
- a duplicate detection unit to detect a duplicate block of a first logical container of data and to determine whether the duplicate block is also part of a second logical container of data; and
- a cryptographic engine to encrypt a unique block of the first logical container of data by using a unique cryptographic key, encrypt the duplicate block by using a shared cryptographic key and the unique cryptographic key only if the duplicate block is determined also to be part of the second logical container of data, and otherwise to encrypt the duplicate block using the unique cryptographic key but not the shared cryptographic key if the duplicate block is determined not also to be part of the second logical container of data, and in conjunction with servicing a request to access the first logical container of data, decrypt the unique block of the first logical container of data by using the unique cryptographic key and decrypt the duplicate block of the first logical container of data by using the shared cryptographic key.
(Dependent claims 2, 3, 4, 5 and 6 not shown.)
Abstract
A network storage server receives write requests from clients via a network and internally buffers data blocks written by the write requests. At a consistency point, the storage server commits the data blocks to nonvolatile mass storage. In the consistency point process, a storage operating system in the network storage server compresses the data blocks, encrypts selected data blocks, and stores the compressed and (possibly) encrypted data blocks in the nonvolatile mass storage facility. Data blocks can also be fingerprinted in parallel with compression and/or encryption, to facilitate deduplication. Data blocks can be indexed and classified according to content or attributes of the data. Encryption can be applied at different levels of logical container granularity, where a separate, unique cryptographic key is used for each encrypted data container. To facilitate deduplication, the system creates an additional, shared encryption key for each data block duplicated between two or more logical containers.
23 Claims
7. A method comprising:
- receiving a first logical container of data at a storage system, the first logical container of data including a first plurality of blocks;
- generating a fingerprint for each of the first plurality of blocks and storing results of said generating as a plurality of stored fingerprints;
- encrypting blocks of a first logical container of data with a unique first cryptographic key;
- storing the first logical container of data as an encrypted first plurality of blocks in a persistent storage facility;
- receiving a second logical container of data at the storage system, the second logical container of data including a second plurality of blocks;
- generating a fingerprint for a particular block of the second plurality of blocks;
- determining whether the particular block is a duplicate of a stored block, by comparing the fingerprint of the particular block with the stored fingerprints;
- determining whether the particular block belongs to a logical container to which the stored block belongs;
- if the particular block is a duplicate of the stored block and does not belong to a file to which the stored block belongs, then using a second cryptographic key that is shared by a plurality of files and a unique third cryptographic key that is not shared between files to encrypt the particular block, and otherwise using the unique third cryptographic key without using the second cryptographic key to encrypt the particular block;
- encrypting other blocks of the second logical container of data with the unique third cryptographic key;
- storing the encrypted other blocks of the second logical container in the persistent storage facility;
- in response to a request to access data in the first logical container including the particular block when the particular block is a duplicate block and belongs to both the first logical container and the second logical container, using the first cryptographic key and the shared second cryptographic key to access the particular block, and using the first cryptographic key without the shared second cryptographic key to access other blocks of the first logical container; and
- in response to a request to access data in the second logical container including the particular block when the particular block is a duplicate block and belongs to both the first logical container and the second logical container, using the shared second cryptographic key and the third cryptographic key to access said block, and using the third cryptographic key without the shared second cryptographic key to access other blocks of the second logical container.
(Dependent claims 8, 9 and 10 not shown.)
11. A method comprising:
- generating a fingerprint for each of a first plurality of blocks of data to be written to a persistent storage facility in a storage system;
- determining whether a first block of the first plurality of blocks is a duplicate of any block of a second plurality of blocks of data stored in the storage system, by comparing a fingerprint of the first block with a plurality of stored fingerprints, the stored fingerprints including a fingerprint for each block of the second plurality of blocks;
- if the first block is found to be a duplicate of a block of the second plurality of blocks, then determining whether the first block is part of a same logical container as said block of the second plurality of blocks;
- if the first block is found to be a duplicate of a block of the second plurality of blocks but is not part of the same logical container as said block of the second plurality of blocks, then using a shared cryptographic key that is shared by a plurality of logical containers that each include the first block to encrypt the first block;
- but if the first block is a duplicate of a block of the second plurality of blocks and is part of the same logical container as said block of the second plurality of blocks, then using a second cryptographic key different from the shared cryptographic key, and not using the shared cryptographic key, to encrypt the first block; and
- storing the encrypted first block in the persistent storage facility.
(Dependent claims 12 to 18 not shown.)
19. A network storage controller comprising:
- a communication interface through which to receive a plurality of data access requests from a plurality of hosts;
- a storage interface through which to access a persistent storage facility;
- a hardware-implemented processor; and
- a storage medium storing code which, when executed by the processor, causes the storage controller to perform operations including:
  - generating a fingerprint for each of a first plurality of blocks of data to be written to a persistent storage facility in a storage system;
  - determining whether a first block of the first plurality of blocks is a duplicate of any block of a second plurality of blocks of data stored in the storage system, by comparing a fingerprint of the first block with a plurality of stored fingerprints, the stored fingerprints including a fingerprint for each block of the second plurality of blocks;
  - if the first block is found to be a duplicate of a block of the second plurality of blocks, then determining whether the first block is part of a same file as said block of the second plurality of blocks;
  - if the first block is found to be a duplicate of a block of the second plurality of blocks but is not part of the same file as said block of the second plurality of blocks, then using a shared cryptographic key that is shared by a plurality of files that each include the first block and a second cryptographic key different from the shared cryptographic key, to encrypt the first block;
  - but if the first block is a duplicate of a block of the second plurality of blocks and is part of the same file as said block of the second plurality of blocks, then using the second cryptographic key and not using the shared cryptographic key, to encrypt the first block; and
  - storing the encrypted first block in the persistent storage facility.
(Dependent claims 20, 21, 22 and 23 not shown.)
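One way to realize the key handling that claims 1, 7, 11 and 19 describe, written here as an added illustration and not code from the patent: each logical container gets a unique key, a block duplicated across containers is moved under a new shared key, and that shared key is wrapped under every owning container's unique key, so reading such a block needs the unique key (to unwrap) plus the shared key, while a block repeated inside one container is simply referenced again under the unique key alone. The cipher and the wrapping scheme are assumptions for the example; the keystream cipher is a toy stand-in, not a real construction.

```python
import hashlib, secrets

def fingerprint(block: bytes) -> str:
    # Plaintext fingerprint computed before encryption, as the abstract describes.
    return hashlib.sha256(block).hexdigest()

def toy_xor(key: bytes, data: bytes) -> bytes:
    # Toy SHA-256 counter keystream, illustration only; a real system would use
    # an authenticated cipher such as AES-GCM with fresh nonces per block.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class DedupStore:
    def __init__(self):
        self.container_keys = {}  # container -> unique key
        self.layout = {}          # container -> ordered list of block fingerprints
        self.blocks = {}          # fingerprint -> (ciphertext, set of owning containers)
        self.shared_keys = {}     # fingerprint -> shared key (cross-container duplicates only)
        self.wrapped = {}         # (container, fingerprint) -> shared key wrapped under unique key

    def write(self, container: str, data: bytes, block_size: int = 8) -> None:
        ukey = self.container_keys.setdefault(container, secrets.token_bytes(32))
        for i in range(0, len(data), block_size):
            block = data[i:i + block_size]
            fp = fingerprint(block)
            self.layout.setdefault(container, []).append(fp)
            if fp not in self.blocks:            # unique block: unique key only
                self.blocks[fp] = (toy_xor(ukey, block), {container})
                continue
            ct, owners = self.blocks[fp]
            if container in owners:              # duplicate within the same container:
                continue                         # reuse the stored copy, no shared key
            if fp not in self.shared_keys:       # first cross-container duplicate: move the
                first = next(iter(owners))       # stored copy under a freshly made shared key
                plain = toy_xor(self.container_keys[first], ct)
                skey = self.shared_keys[fp] = secrets.token_bytes(32)
                self.blocks[fp] = (toy_xor(skey, plain), owners)
                self.wrapped[(first, fp)] = toy_xor(self.container_keys[first], skey)
            owners.add(container)
            self.wrapped[(container, fp)] = toy_xor(ukey, self.shared_keys[fp])

    def read(self, container: str) -> bytes:
        ukey = self.container_keys[container]
        out = b""
        for fp in self.layout[container]:
            ct, _ = self.blocks[fp]
            if fp in self.shared_keys:           # needs unique key (to unwrap) plus shared key
                skey = toy_xor(ukey, self.wrapped[(container, fp)])
                out += toy_xor(skey, ct)
            else:                                # unique block: unique key alone
                out += toy_xor(ukey, ct)
        return out
```

Writing two containers that share one block with `write()` and reading each back with `read()` shows the shared key appearing only for the cross-container block, while a block repeated within a single container stays under that container's unique key.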