Pool encryption with automatic detection

US 8,255,704 B1
Filed: 08/24/2006
Issued: 08/28/2012
Est. Priority Date: 08/24/2006
Status: Active Grant

First Claim

Patent Images

1. A method performed by a storage security appliance for securing one or more backup data sets, comprising:

receiving a first backup data set of the one or more backup data sets;

grouping, logically, the first backup data set into a first pool within the storage security appliance;

examining information of the first backup data set to determine whether the first backup data set is also logically grouped into a second pool;

in response to determining that the first backup data set is also logically grouped into the second pool, associating the first pool with the second pool, determining an encryption key assigned to the first pool, encrypting data of the first backup data set with the encryption key; and

storing persistently the encrypted first backup data set on a set of media, wherein the information of the first backup data set identifies the second pool.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides a mechanism for selectively encrypting media within a consolidation of storage devices into a shared configuration, i.e. a media pool. The invention also provides a mechanism by which more than one key can be used for encrypting media. The invention accomplishes tape encryption by media parsing. An encryption key is determined based on the backup application'"'"'s grouping of data sets. This is accomplished by examining the volume header of the tape and, from the header, deciding if pools are supported by the application. If they are, the invention auto-creates a pool key. In the case where the pools are known in advance, a user with appropriate administrative privileges can create the pools and assign keys to them. The invention thus allows mirroring of the logical groupings in the backup application with encryption keys.

Citations

22 Claims

1. A method performed by a storage security appliance for securing one or more backup data sets, comprising:
- receiving a first backup data set of the one or more backup data sets;
  
  grouping, logically, the first backup data set into a first pool within the storage security appliance;
  
  examining information of the first backup data set to determine whether the first backup data set is also logically grouped into a second pool;
  
  in response to determining that the first backup data set is also logically grouped into the second pool, associating the first pool with the second pool, determining an encryption key assigned to the first pool, encrypting data of the first backup data set with the encryption key; and
  
  storing persistently the encrypted first backup data set on a set of media, wherein the information of the first backup data set identifies the second pool.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1 further comprising:
    - parsing the first backup data set to determine an identifier of a logical grouping of the set of media associated with the first backup data set, wherein the logical grouping of the set of media includes a media pool;
      
      retrieving an encryption key based on the identifier of the logical grouping of the set of media, wherein the first backup data set is encrypted using the encryption key; and
      
      storing persistently the encrypted first backup data set on the media pool.
  - 3. The method of claim 2, further comprising using more than one encryption key to encrypt the data.
  - 4. The method of claim 2, further comprising:
    - using a backup policy to assign a medium of the set of media to the media pool.
  - 5. The method of claim 2, further comprising using the encryption key for an off-site shipment of a first portion of the set of media and using a second encryption key for a remaining portion of the set of media that are not shipped off-site.
  - 6. The method of claim 2, further comprising assigning the encryption key to the media pool based at least in part on at least one of a customer basis, a volume basis, a folder basis, and a matter basis.
  - 7. The method of claim 2, further comprising assigning the encryption key to the media pool if the logical organization of the media pool is known in advance.
  - 8. The method of claim 7, further comprising tracking assignment of the encryption key using a key table.
  - 9. The method of claim 2, further comprising supporting pool keys in place of host keys.
  - 10. The method of claim 2, further comprising setting an expiration date on the encryption key.
  - 11. The method of claim 1, wherein the information comprises a volume header of a medium of the set of media.
  - 12. The method of claim 2, further comprising performing automatic pool detection by examining and parsing incoming data to identify a volume header of the first backup data set organized by a backup application.
  - 13. The method of claim 2, further comprising:
    - creating the media pool automatically; and
      
      assigning the media pool a unique encryption key.
  - 14. The method of claim 2, further comprising:
    - examining a volume header of the medium to determine if the media pool is supported by a backup application.
  - 15. The method of claim 2, wherein the medium comprises at least one tape storage device.

16. A system configured to encrypt data, comprising:
- a network port configured to receive a backup data set;
  
  a processor configured to execute an operating system, the operating system configured to group, logically, the backup data set into a first pool;
  
  examine information of the backup data set to determine whether the backup data set is logically also grouped into a second pool, in response to determining that the backup data set is also logically grouped into the second pool, associate the first pool with the second pool, determine an encryption key assigned to the first pool, encrypt data of the backup data set with the encryption key; and
  
  store persistently the encrypted backup data set on a set of media, wherein the information of the backup data set identifies the second pool.
- View Dependent Claims (17, 18, 19)
- - 17. The system of claim 16, wherein the operating system is further configured to auto-detect a media pool of the set of media, and wherein the operating system is further configured to assign a unique encryption key per medium of the set of media.
  - 18. The system of claim 16, wherein the operating system is further configured to examine a volume header of a medium of the set of media as the information of the backup data set.
  - 19. The system of claim 17, wherein the operating system is further configured to examine a volume header of a medium of the set of media to determine if the media pool is supported by a backup application.

20. A computer-readable non-transitory storage medium stored with executable program instructions for execution by a processor, the computer-readable storage medium comprising:
- program instructions that logically organize one or more data sets into a first pool within a storage security appliance cluster, the one or more data sets received from a backup application;
  
  program instructions that examine information of a first data set of the one or more data sets;
  
  program instructions that determine, in response to examining the information of the first data set, whether the backup application logically organizes the first data set into a second pool; and
  
  program instructions that in response to determining that the backup application logically organizes the first data set into the second pool, associating the first pool with the second pool, determining an encryption key assigned to the first pool, encrypting data of the first data set with the encryption key, andstoring persistently the encrypted first data set on a set of media, wherein the information of the first data set identifies the second pool.
- View Dependent Claims (21, 22)
- - 21. The computer-readable non-transitory storage medium of claim 20, further comprising:
    - program instructions that auto-detect a media pool of the set of media; and
      
      program instructions that assign a unique encryption key for at least one medium of the set of media.
  - 22. The computer-readable non-transitory storage medium of claim 20, further comprising:
    - program instructions that track at least one of a key table, a pool table, a tape table, a pool history, and a tape history.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
NetApp, Inc.
Inventors
Joh, Jennifer
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Woldemariam, Nega

Application Number

US11/467,103
Time in Patent Office

2,196 Days
Field of Search

None
US Class Current

713/193
CPC Class Codes

G06F 11/1458   Management of the backup or...

G06F 21/85   interconnection devices, e....

G06F 2221/2107   File encryption

Pool encryption with automatic detection

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Pool encryption with automatic detection

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links