Security for RAID systems
First Claim
1. A machine implemented method comprising:
- accessing a redundant array of independent drives (RAID) storage device, comprising a first drive and a second drive;
- segmenting a file data buffer into a plurality of segments including at least a first unencrypted segment, a second unencrypted segment, and a third unencrypted segment;
- performing a cryptographic operation on the first unencrypted segment to generate a first encrypted segment;
- computing a second parity syndrome between the second unencrypted segment and at least the third unencrypted segment concurrent with the cryptographic operation on the first unencrypted segment;
- computing a first parity syndrome between the first encrypted segment and the second parity syndrome; and
- striping the first encrypted segment and the second unencrypted segment on said first and said second drive respectively, the first drive being different from the second drive.
Abstract
Methods and apparatus for accessing a redundant array of independent drives (RAID) storage device are disclosed. In some embodiments file data is broken into multiple segments. A cryptographic operation is performed on one or more segments to generate encrypted segment(s). One or more parity syndrome is computed from the encrypted segment(s) and the unencrypted segment(s). The encrypted segment(s), the unencrypted segment(s) and the parity syndrome(s) are striped onto different individual drives. Since the cryptographic operation is not performed on all the segments, it may also be performed concurrently with computing of parity syndrome(s) from other unencrypted segments.
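An added example (not code from the patent) of the write path the abstract describes, for the four-drive case of claim 12. It assumes XOR parity; `standin_cipher`, `write_stripe`, `rebuild` and `plaintext_at_rest` are hypothetical names, and a SHA-256 keystream stands in for the unspecified cryptographic operation.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor

def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR parity of two equal-length segments (assumed parity function)."""
    return bytes(x ^ y for x, y in zip(a, b))

def standin_cipher(key: bytes, seg: bytes) -> bytes:
    """Placeholder for the unspecified 'cryptographic operation':
    XOR with a SHA-256 counter keystream. A stand-in only, not for production."""
    blocks = (len(seg) + 31) // 32
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return xor(seg, stream[:len(seg)])

def write_stripe(buf: bytes, key: bytes) -> list:
    """Segment buf into A1..A3 and return [A1', A2, A3, Ap'], one entry per drive."""
    n = -(-len(buf) // 3)                            # segment size, ceil(len/3)
    buf = buf.ljust(3 * n, b"\0")                    # zero-pad the last segment
    a1, a2, a3 = buf[:n], buf[n:2 * n], buf[2 * n:]
    with ThreadPoolExecutor(max_workers=2) as pool:
        enc = pool.submit(standin_cipher, key, a1)   # crypto on A1 ...
        par = pool.submit(xor, a2, a3)               # ... concurrent with A2 ^ A3
        a1_enc, second_parity = enc.result(), par.result()
    first_parity = xor(a1_enc, second_parity)        # Ap' = A1' ^ (A2 ^ A3)
    return [a1_enc, a2, a3, first_parity]

def rebuild(drives: list, lost: int) -> bytes:
    """Recover the segment of a failed drive by XOR of the three survivors."""
    rest = [d for i, d in enumerate(drives) if i != lost]
    return xor(xor(rest[0], rest[1]), rest[2])

def plaintext_at_rest(drives: list, buf: bytes) -> list:
    """Indices of drives whose contents equal a cleartext segment of buf."""
    n = len(drives[0])
    segs = [buf[i * n:(i + 1) * n].ljust(n, b"\0") for i in range(3)]
    return [i for i, d in enumerate(drives) if d in segs]

# Constructed sample input (36 bytes, so three 12-byte segments).
BUF = b"constructed sample file data buffer!"
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    drives = write_stripe(BUF, KEY)
    print("drive 0 rebuilt from survivors:", rebuild(drives, 0) == drives[0])
    print("drives holding cleartext segments:", plaintext_at_rest(drives, BUF))
```

Rebuilding drive 0 from the other three yields the ciphertext A1′, while drives 1 and 2 hold A2 and A3 unencrypted, as the claims state.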
14 Claims
7. An apparatus comprising:
- a RAID descriptor processing engine to segment a file data buffer into a plurality of segments including at least a first unencrypted segment, a second unencrypted segment, and a third unencrypted segment, and to direct memory access (DMA) transfer the plurality of segments from the file data buffer for processing;
- a cryptographic unit to receive a DMA transfer of the first unencrypted segment by the RAID descriptor processing engine and to perform a cryptographic operation on the first unencrypted segment to generate a first encrypted segment;
- a RAID processing engine to receive at least a DMA transfer of the second unencrypted segment by the RAID descriptor processing engine and to compute a second parity syndrome between the second unencrypted segment and at least the third unencrypted segment concurrent with the cryptographic operation on the first unencrypted segment, the RAID processing engine further configured to compute a first parity syndrome between the first encrypted segment and the second parity syndrome; and
- a destination storage having a plurality of drives including a first drive and a second drive different from the first drive, said RAID descriptor processing engine to stripe the first encrypted segment and the second unencrypted segment onto the first and the second drive respectively.
12. A RAID storage system comprising:
- a plurality of distinct drives including a first drive, a second drive, a third drive and a fourth drive;
- a RAID descriptor processing logic to segment a file data buffer into a plurality of segments including at least a first unencrypted segment A1, a second unencrypted segment A2 and a third unencrypted segment A3, and to transfer the plurality of segments from the file data buffer for processing;
- a cryptographic logic to receive a transfer of the segment A1 by the RAID descriptor processing logic and to perform a cryptographic operation on the unencrypted segment A1 to generate a first encrypted segment A1′;
- a parity logic to receive transfers of the segment A2 and the segment A3 by the RAID descriptor processing logic, and to compute a second parity syndrome between the segment A2 and at least the segment A3 concurrent with said cryptographic operation on the segment A1, and to compute a first parity syndrome Ap′ between the encrypted segment A1′ and the second parity syndrome; and
- said RAID descriptor processing logic to stripe the segment A1′, the segment A2, the segment A3 and the first parity syndrome Ap′ onto the first drive, the second drive, the third drive and the fourth drive, respectively.
Specification