Methodology for vaulting data encryption keys with encrypted storage
Abstract
A method is provided to allow for encryption keys to be safely vaulted and for restarts after system failures, even when an external key server is not accessible. In one embodiment, the encryption keys are stored in memory in an encrypted format, the encryption keys being encrypted with a key encryption key (KEK). The data stored in a write cache may be encrypted and written to a vault, protecting it from unauthorized access, but the key table may be written directly to the data vault without need for any further encryption. Because the encryption keys are themselves encrypted, the encryption keys are protected from unauthorized access, ensuring the security of all the encrypted data stored on disk. This embodiment allows the data storage system to be restarted without accessing an external key server. In another embodiment, the KEK is stored in persistent storage within the data storage system, allowing for unattended restart. To enhance security, the KEK may be stored in ROM in a hardened location. Embodiments are also provided for apparatus for practicing the method.
9 Claims
1. A method comprising:
in response to a failure event:
copying an encrypted portion of data from system memory to a vault location of persistent storage, the encrypted portion of data including a set of cryptographic keys, each cryptographic key being encrypted with a key encryption key, each cryptographic key for encrypting a specific portion of persistent storage;
encrypting an unencrypted portion of data from system memory to create an encrypted version of the unencrypted portion of data, wherein encrypting the unencrypted portion of data includes encrypting the unencrypted portion of data with a plurality of cryptographic keys of the set of cryptographic keys, each of the plurality of cryptographic keys corresponding to a different portion of the vault location of persistent storage;
writing the encrypted version of the unencrypted portion of data to the vault location of persistent storage; and
performing a system restart;
wherein the unencrypted portion of data includes cached data and instructions for writing the cached data to persistent storage; and
in response to the system restart:
copying the encrypted portion of data from persistent storage to system memory; and
in response to copying the encrypted portion of data from persistent storage to system memory, decrypting the encrypted version of the unencrypted portion of data to recreate the unencrypted portion of data, and writing the recreated unencrypted portion of data to system memory, wherein decrypting the encrypted version of the unencrypted portion of data includes:
decrypting the plurality of cryptographic keys with the key encryption key; and
for each portion of the vault location, decrypting the encrypted version of the unencrypted portion of data with the cryptographic key of the plurality of cryptographic keys corresponding to the portion of the vault location.
Dependent claims: 2, 3, 4, 5
6. A storage processor device comprising:
system memory, the system memory storing an unencrypted portion of data and an encrypted portion of data;
a storage device interface arranged to communicate with a set of persistent storage devices; and
a controller coupled to system memory and to the storage device interface, the controller being configured to:
in response to a failure event:
copy the encrypted portion of data to a vault location of persistent storage, the encrypted portion of data including a set of cryptographic keys, each cryptographic key being encrypted with a key encryption key, each cryptographic key for encrypting a specific portion of persistent storage;
encrypt the unencrypted portion of data to create an encrypted version of the unencrypted portion of data, wherein encrypting the unencrypted portion of data includes encrypting the unencrypted portion of data with a plurality of cryptographic keys of the set of cryptographic keys, each of the plurality of cryptographic keys corresponding to a different portion of the vault location of persistent storage; and
write the encrypted version of the unencrypted portion of data to the vault location of persistent storage;
wherein the unencrypted portion of data includes cached data and instructions for writing the cached data to persistent storage; and
in response to a system restart:
copy the encrypted portion of data from persistent storage to system memory; and
in response to copying the encrypted portion of data from persistent storage to system memory:
decrypt the encrypted version of the unencrypted portion of data to recreate the unencrypted portion of data; and
write the recreated unencrypted portion of data to system memory;
wherein the controller, when decrypting the encrypted version of the unencrypted portion of data, is configured to:
decrypt the plurality of cryptographic keys with the key encryption key; and
for each portion of the vault location, decrypt the encrypted version of the unencrypted portion of data with the cryptographic key of the plurality of cryptographic keys corresponding to the portion of the vault location.
Dependent claims: 7
8. A storage processor device comprising:
system memory, the system memory storing an unencrypted portion of data and an encrypted portion of data;
a plurality of storage device interface modules arranged to communicate with a set of persistent storage devices; and
a controller coupled to system memory and to the storage device interface modules, the controller being configured to:
in response to a failure event:
copy, across one or more of the storage device interface modules, the encrypted portion of data to a vault location of persistent storage, the encrypted portion of data containing a set of cryptographic keys, each cryptographic key being encrypted with one key encryption key of a set of key encryption keys, each cryptographic key for encrypting a specific portion of persistent storage, each key encryption key corresponding to a different storage device interface module;
direct one or more of the storage device interface modules to encrypt the unencrypted portion of data to create an encrypted version of the unencrypted portion of data, wherein encrypting the unencrypted portion of data includes encrypting the unencrypted portion of data with a plurality of cryptographic keys of the set of cryptographic keys, each of the plurality of cryptographic keys corresponding to a different portion of the vault location of persistent storage; and
write, across one or more of the storage device interface modules, the encrypted version of the unencrypted portion of data to the vault location of persistent storage;
wherein the unencrypted portion of data includes cached data and instructions for writing the cached data to persistent storage; and
in response to a system restart:
copy, across one or more of the storage device interface modules, the encrypted portion of data from persistent storage to system memory; and
in response to copying the encrypted portion of data from persistent storage to system memory:
direct one or more of the storage device interface modules to decrypt the encrypted version of the unencrypted portion of data to recreate the unencrypted portion of data; and
write the recreated unencrypted portion of data to system memory;
wherein a storage device interface module of the plurality of storage device interface modules, when decrypting the encrypted version of the unencrypted portion of data, is configured to:
decrypt the plurality of cryptographic keys with the key encryption key corresponding to that storage device interface module; and
for each portion of the vault location, decrypt the encrypted version of the unencrypted portion of data with the cryptographic key of the plurality of cryptographic keys corresponding to the portion of the vault location.
Dependent claims: 9
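The vault and restore sequence that the abstract describes and that claims 1 and 6 recite, as an added runnable illustration written for this page (it is editor-written example code, not code from the patent, its specification or its assignee). The key table held in system memory contains one data encryption key (DEK) per vault portion, each stored only in wrapped form under the KEK. On a failure event the wrapped key table is copied to the vault unchanged, while the dirty write cache, packed together with the logical block address each block must be written back to (the "instructions for writing the cached data"), is split into portions and each portion is encrypted with the DEK assigned to it. On restart the wrapped table is copied back, every DEK is unwrapped with the locally held KEK, and each portion is decrypted with its own DEK, without contacting a key server. Assumptions not in the page: the portion size and count, the serialization of cache entries, the KEK value and the cache contents are all constructed for the demo, and because no AES library is assumed to be installed the authenticated cipher is a stand-in built from HMAC-SHA256 (a CTR-style keystream plus an encrypt-then-MAC tag) in place of the AES key wrap or AES-GCM a real storage processor would use. The per-module KEKs of claim 8 are not modeled.

```python
import hashlib
import hmac
import secrets

# Constructed sizes for the demo: a tiny vault of 4 portions x 64 bytes (real vaults are far larger).
PORTION_SIZE = 64
NUM_PORTIONS = 4
NONCE_LEN, TAG_LEN = 16, 32


def _derive(key: bytes, label: bytes) -> bytes:
    """Derive an independent encryption or MAC sub-key from one 32-byte key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream from HMAC-SHA256: a stdlib stand-in for AES-CTR."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag. The aad binds a blob to its slot."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_derive(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_derive(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key, wrong slot or modified blob raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_derive(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault authentication failed: wrong KEK/DEK or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_derive(key, b"enc"), nonce, len(ct))))


def build_key_table(kek: bytes) -> list[bytes]:
    """Key table as held in system memory: one DEK per vault portion, stored only wrapped under the KEK."""
    return [seal(kek, secrets.token_bytes(32), aad=b"dek%d" % i) for i in range(NUM_PORTIONS)]


def pack_cache(entries: list[tuple[int, bytes]]) -> bytes:
    """Serialize dirty-cache entries as (target LBA, data): the cached data plus where to write it."""
    return b"".join(lba.to_bytes(8, "big") + len(data).to_bytes(2, "big") + data for lba, data in entries)


def unpack_cache(blob: bytes) -> list[tuple[int, bytes]]:
    """Inverse of pack_cache."""
    entries, pos = [], 0
    while pos < len(blob):
        lba, n = int.from_bytes(blob[pos:pos + 8], "big"), int.from_bytes(blob[pos + 8:pos + 10], "big")
        entries.append((lba, blob[pos + 10:pos + 10 + n]))
        pos += 10 + n
    return entries


def vault_on_failure(kek: bytes, key_table: list[bytes], cache: bytes) -> dict:
    """Failure path: copy the already-encrypted key table to the vault unchanged, then encrypt
    each cache portion with the DEK assigned to that vault portion."""
    if len(cache) > NUM_PORTIONS * PORTION_SIZE:
        raise ValueError("cache exceeds vault capacity")
    portions = []
    for i, wrapped in enumerate(key_table):
        dek = unseal(kek, wrapped, aad=b"dek%d" % i)  # DEK exists in the clear only transiently
        chunk = cache[i * PORTION_SIZE:(i + 1) * PORTION_SIZE]
        portions.append(seal(dek, chunk, aad=b"portion%d" % i))
    return {"key_table": list(key_table), "portions": portions}


def restore_on_restart(kek: bytes, vault: dict) -> tuple[list[bytes], bytes]:
    """Restart path: copy the encrypted key table back, unwrap every DEK with the local KEK, then
    decrypt each vault portion with its own DEK. No external key server is contacted."""
    key_table = list(vault["key_table"])
    deks = [unseal(kek, w, aad=b"dek%d" % i) for i, w in enumerate(key_table)]
    cache = b"".join(unseal(deks[i], p, aad=b"portion%d" % i) for i, p in enumerate(vault["portions"]))
    return key_table, cache


def demo() -> bool:
    """Round-trip a constructed dirty cache and show that a wrong KEK recovers nothing."""
    kek = hashlib.sha256(b"constructed KEK standing in for one read from hardened ROM").digest()
    key_table = build_key_table(kek)
    entries = [(4096, b"dirty block A" * 3), (8192, b"dirty block B" * 4), (12288, b"C" * 100)]
    vault = vault_on_failure(kek, key_table, pack_cache(entries))
    _, recovered = restore_on_restart(kek, vault)
    if unpack_cache(recovered) != entries:
        return False
    try:
        restore_on_restart(secrets.token_bytes(32), vault)  # attacker holding the vault but no KEK
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vault round-trip and wrong-KEK rejection:", demo())
```

Two properties worth noting. First, the vault contents alone, without the KEK, yield neither the DEKs nor the cache, which is what allows the storage processor to restart unattended from local persistent storage; the tag check in unseal also makes a modified vault portion fail closed instead of feeding corrupted cache back into system memory. Second, vault_on_failure has to unwrap each DEK before it can encrypt the cache, so the KEK must be reachable on the failure path as well as on restart, which is why the abstract places it in persistent storage or ROM within the data storage system rather than only on an external key server.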
Specification