Background encryption of disks in a large cluster
Abstract
The invention provides for rekeying a large cluster of storage security appliances which allows more than two of the storage security appliances to proxy a single storage medium while encrypting the storage medium in a manner that is transparent to any attached server. The invention provides a method for synchronizing encryption of the disk among a large cluster of storage security appliances, while allowing all of the storage security appliances involved to access the storage device being rekeyed in a secure fashion.
20 Claims
1. A method for encrypting a disk, the disk accessible by a plurality of storage security appliances, and the disk accessed via a storage system, comprising:
- selecting one of the storage security appliances as a master, and designating all the other storage security appliances as slaves;
- sending, by the master, a first message to each slave, the first message comprising: (i) a location of a first area of the disk, and (ii) an instruction to block access to the first area; and
- receiving, by the master, in response to the first message, a second message comprising a location of a second area of the disk designated as blocked from access by a slave, where the second area extends past the first area, and where the slave permits access to unblocked areas of the disk;
- encrypting, by the master, the contents of the disk, starting with the first area and proceeding on an area-by-area basis, until the entire disk is encrypted;
- sending, by the master, a third message to each slave, the third message comprising an instruction to block access to a rekey recovery area of the disk;
- decrypting and then re-encrypting, by the master, a backup of the rekey recovery area of the disk;
- overwriting, by the master, the rekey recovery area of the disk;
- sending a fourth message, by the master, to each slave, the fourth message comprising a notice that encryption of the disk is terminated.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A cluster of storage security appliances for encrypting a disk, the disk accessed via a storage system, the cluster comprising:
- a plurality of slave storage security appliances (slaves);
- a master storage security appliance (master), the master configured to:
- send a first message to each slave, the first message comprising: (i) a location of a first area of the disk, and (ii) an instruction to block access to the first area;
- receive a second message in response to the first message, the second message comprising a location of a second area of the disk designated as blocked from access by a slave, where the second area extends past the first area, and where the slave permits access to unblocked areas of the disk; and
- encrypt the contents of the disk, starting with the first area and proceeding on an area-by-area basis, until the entire disk is encrypted;
- send a third message to each slave, the third message comprising an instruction to block access to a rekey recovery area of the disk;
- decrypt and then re-encrypt a backup of the rekey recovery area of the disk;
- overwrite the rekey recovery area of the disk;
- send a fourth message to each slave, the fourth message comprising a notice that encryption of the disk is terminated.
Dependent claims: 9, 10, 11.
12. An apparatus for encrypting a disk, the disk accessible by a plurality of systems, and the disk accessed via a storage system, the apparatus comprising a memory and configured to:
- send a first message to each system, the first message comprising: (i) a location of a first area of the disk, and (ii) an instruction to block access to the first area;
- receive a second message in response to the first message, the second message comprising a location of a second area of the disk designated as blocked from access by the system, where the second area extends past the first area, and where the system providing access to unblocked areas of the disk;
- encrypt the contents of the disk, starting with the first area and proceeding on an area-by-area basis, until the disk is encrypted;
- send a third message to each system, the third message comprising an instruction to block access to a rekey recovery area of the disk;
- decrypt and then re-encrypt a backup of the rekey recovery area of the disk;
- overwrite the rekey recovery area of the disk;
- send a fourth message to each system, the fourth message comprising a notice that encryption of the disk is terminated.
Dependent claims: 13, 14, 15, 16, 17, 18.
19. An apparatus for disk encryption, comprising a memory and configured to:
- designate the apparatus as a master;
- send a first message to a plurality of slave systems, the message instructing the plurality of slave systems to block access to a rekey recovery area of the disk, the disk accessed via a storage system;
- in response to a second message received from all the slaves, broadcast the contents of the rekey recovery area to all the slaves; and
- encrypt the contents of the disk, starting with a first area and proceeding on an area-by-area basis, until said entire disk is encrypted, where a backup of each area is written to the rekey recovery area prior to encryption of each area;
- send a third message to each slave, the third message comprising an instruction to block access to a rekey recovery area of the disk;
- decrypt and then re-encrypt a backup of the rekey recovery area of the disk;
- overwrite the rekey recovery area of the disk;
- send a fourth message to each slave, the fourth message comprising a notice that encryption of the disk is terminated.
Dependent claims: 20.
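The message sequence of claim 1, combined with the per-area backup of claim 19, as a small simulation of the master and slaves. This is an added example, not code from the patent; the XOR stand-in cipher, the `AREA` and `GUARD` sizes, the placement of the recovery area at the end of the disk, and all class and function names are assumptions.

```python
from dataclasses import dataclass

AREA = 4    # bytes per area (constructed; tiny so the trace is readable)
GUARD = 2   # extra bytes a slave blocks past the request (assumption)

def xor(data, key):
    """Stand-in for a real cipher so the example runs offline; not secure."""
    return bytes(b ^ key for b in data)

@dataclass
class Slave:
    area: tuple = None       # data range currently refused to servers
    recovery: tuple = None   # rekey recovery area, once blocked

    def block_area(self, start, end):
        # Second message: report the range actually blocked, which
        # extends past the area the master asked for.
        self.area = (start, end + GUARD)
        return self.area

    def block_recovery(self, start, end):
        self.recovery = (start, end)

    def may_access(self, offset):
        # Everything outside the blocked ranges stays available.
        ranges = (self.area, self.recovery)
        return not any(r and r[0] <= offset < r[1] for r in ranges)

    def terminate(self):     # fourth message: encryption is finished
        self.area = self.recovery = None

def rekey(disk, slaves, old_key, new_key):
    """Master side. The last AREA bytes of disk are assumed to be the
    rekey recovery area. Returns the slaves' replies for each area."""
    rec = len(disk) - AREA
    for s in slaves:
        s.block_recovery(rec, len(disk))
    saved = bytes(disk[rec:])                # backup of the recovery area
    replies = []
    for start in range(0, rec, AREA):
        acks = [s.block_area(start, start + AREA) for s in slaves]
        if any(a[0] > start or a[1] < start + AREA for a in acks):
            raise RuntimeError("a slave did not block the whole area")
        disk[rec:] = disk[start:start + AREA]          # per-area backup
        disk[start:start + AREA] = xor(xor(disk[rec:], old_key), new_key)
        replies.append(acks)
    for s in slaves:                         # third message
        s.block_recovery(rec, len(disk))
    disk[rec:] = xor(xor(saved, old_key), new_key)     # rekeyed backup
    for s in slaves:
        s.terminate()
    return replies
```

The master refuses to touch an area unless every slave's reply covers it, which is the check that keeps a slave from serving I/O into a region that is mid-rewrite.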
Specification