Pool encryption with automatic detection
First Claim
1. A method performed by a storage security appliance for securing one or more backup data sets, comprising:
- receiving a first backup data set of the one or more backup data sets;
- grouping, logically, the first backup data set into a first pool within the storage security appliance;
- examining information of the first backup data set to determine whether the first backup data set is also logically grouped into a second pool;
- in response to determining that the first backup data set is also logically grouped into the second pool, associating the first pool with the second pool, determining an encryption key assigned to the first pool, encrypting data of the first backup data set with the encryption key; and
- storing persistently the encrypted first backup data set on a set of media, wherein the information of the first backup data set identifies the second pool.
Abstract
The invention provides a mechanism for selectively encrypting media within a consolidation of storage devices into a shared configuration, i.e. a media pool. The invention also provides a mechanism by which more than one key can be used for encrypting media. The invention accomplishes tape encryption by media parsing. An encryption key is determined based on the backup application's grouping of data sets. This is accomplished by examining the volume header of the tape and, from the header, deciding if pools are supported by the application. If they are, the invention auto-creates a pool key. In the case where the pools are known in advance, a user with appropriate administrative privileges can create the pools and assign keys to them. The invention thus allows mirroring of the logical groupings in the backup application with encryption keys.
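The abstract describes the flow in words: read the tape's volume header, decide whether the backup application groups the data set into a pool, auto-create a key for that pool, encrypt, and keep the appliance's pools mirrored to the application's. The following is an added example, not the patent holder's or any product's code, that walks through that flow end to end. The header layout (a `VOL1` magic, a 6-byte serial and an optional `POOL=` field), the in-memory key store, the `mirror:` pool naming and the HMAC-based cipher are all assumptions made for this example; a real appliance would use AES-GCM and hold pool keys in a KMS or HSM.

```python
# Added example, not the patent holder's code: pool-keyed encryption modelled on the
# mechanism in the abstract. The header layout (b"VOL1", serial, POOL= field), the
# in-memory key store and the HMAC-based cipher are assumptions made for this example.
import hashlib
import hmac
import os

HEADER_LEN = 80      # constructed: fixed 80-byte volume header
POOL_TAG = b"POOL="  # constructed: optional pool field in the header text

def make_header(serial: str, app_pool=None) -> bytes:
    """Constructed header; app_pool=None models a backup application without pools."""
    body = b"VOL1" + serial.encode("ascii")[:6].ljust(6, b" ")
    if app_pool is not None:
        body += POOL_TAG + app_pool.encode("ascii") + b" "
    return body.ljust(HEADER_LEN, b"\x00")

def parse_volume_header(header: bytes) -> dict:
    """Return the serial and the application pool the header names (None if absent)."""
    if len(header) < HEADER_LEN or header[:4] != b"VOL1":
        raise ValueError("not a recognised volume header")
    info = {"serial": header[4:10].decode("ascii").strip(), "app_pool": None}
    idx = header.find(POOL_TAG, 10)
    if idx != -1:
        name = header[idx + len(POOL_TAG):].split(b" ", 1)[0].rstrip(b"\x00")
        info["app_pool"] = name.decode("ascii") or None
    return info

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real block cipher."""
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def _subkeys(pool_key: bytes) -> list:
    # separate encryption and MAC keys derived from the pool key
    return [hmac.new(pool_key, label, hashlib.sha256).digest() for label in (b"enc", b"mac")]

def encrypt(pool_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys derived from the pool key: nonce || ct || tag."""
    enc_key, mac_key = _subkeys(pool_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(pool_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(pool_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong pool key or tampered media")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class PoolEncryptingAppliance:
    """One key per appliance pool; appliance pools mirror the application's pools."""

    def __init__(self, default_pool: str = "unpooled") -> None:
        self.default_pool = default_pool
        self.keys: dict = {}          # appliance pool -> key (a KMS/HSM in practice)
        self.associations: dict = {}  # appliance pool -> application pool it mirrors

    def _first_pool(self, header: bytes) -> str:
        """Group into an appliance pool; mirror the application's pool if the header names one."""
        app_pool = parse_volume_header(header)["app_pool"]
        if app_pool is None:
            return self.default_pool
        self.associations["mirror:" + app_pool] = app_pool
        return "mirror:" + app_pool

    def key_for_pool(self, pool: str) -> bytes:
        """Auto-create the pool key on first use, as the abstract describes."""
        if pool not in self.keys:
            self.keys[pool] = os.urandom(32)
        return self.keys[pool]

    def secure(self, data_set: bytes) -> tuple:
        """Header stays in the clear so the pool (hence the key) is findable at restore."""
        header, payload = data_set[:HEADER_LEN], data_set[HEADER_LEN:]
        pool = self._first_pool(header)
        return pool, header + encrypt(self.key_for_pool(pool), payload)

    def restore(self, media: bytes) -> bytes:
        header, blob = media[:HEADER_LEN], media[HEADER_LEN:]
        pool = self._first_pool(header)
        if pool not in self.keys:
            raise KeyError(f"no key provisioned for pool {pool!r}")
        return header + decrypt(self.keys[pool], blob)

def demo() -> dict:
    """Run four constructed backup data sets through one appliance."""
    appliance = PoolEncryptingAppliance()
    sets = {"fin1": make_header("FIN001", "Finance") + b"payroll-q1.tar",
            "fin2": make_header("FIN002", "Finance") + b"ledger.tar",
            "hr": make_header("HR0001", "HR") + b"personnel.tar",
            "legacy": make_header("LEG001") + b"app-without-pools.dump"}
    media = {name: appliance.secure(ds) for name, ds in sets.items()}
    try:  # the Finance pool key must not open HR media
        decrypt(appliance.keys["mirror:Finance"], media["hr"][1][HEADER_LEN:])
        isolated = False
    except ValueError:
        isolated = True
    return {"pools": {n: p for n, (p, _) in media.items()},
            "key_count": len(appliance.keys),
            "associations": dict(appliance.associations),
            "roundtrip": all(appliance.restore(m) == sets[n] for n, (_, m) in media.items()),
            "cross_pool_isolated": isolated}
```

Two points a practitioner would check against the claims: the header (which names the second pool) has to stay unencrypted, otherwise the appliance cannot find the key at restore time; and the "legacy" data set exercises the other branch of the abstract, where the application does not signal pools and the data set falls into the appliance's default pool and key.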
22 Claims
1. Independent claim, reproduced above under First Claim. Dependent claims: 2 to 15.
16. A system configured to encrypt data, comprising:
- a network port configured to receive a backup data set;
- a processor configured to execute an operating system, the operating system configured to group, logically, the backup data set into a first pool; examine information of the backup data set to determine whether the backup data set is logically also grouped into a second pool; in response to determining that the backup data set is also logically grouped into the second pool, associate the first pool with the second pool, determine an encryption key assigned to the first pool, encrypt data of the backup data set with the encryption key; and store persistently the encrypted backup data set on a set of media, wherein the information of the backup data set identifies the second pool.
Dependent claims: 17 to 19.
20. A computer-readable non-transitory storage medium stored with executable program instructions for execution by a processor, the computer-readable storage medium comprising:
- program instructions that logically organize one or more data sets into a first pool within a storage security appliance cluster, the one or more data sets received from a backup application;
- program instructions that examine information of a first data set of the one or more data sets;
- program instructions that determine, in response to examining the information of the first data set, whether the backup application logically organizes the first data set into a second pool; and
- program instructions that, in response to determining that the backup application logically organizes the first data set into the second pool, associate the first pool with the second pool, determine an encryption key assigned to the first pool, encrypt data of the first data set with the encryption key, and store persistently the encrypted first data set on a set of media, wherein the information of the first data set identifies the second pool.
Dependent claims: 21 and 22.