System and method for efficiently deleting a file from secure storage served by a storage system
First Claim
1. A method for efficiently deleting a data container from a cryptainer configured to store a plurality of data containers served by a storage system having a processor, the method comprising:
- designating a region of storage space of the storage system as the cryptainer configured to store the plurality of data containers;
- storing, by a security appliance, a data container encryption key associated with each data container of the plurality of data containers within a metadata portion of each data container, wherein the data container includes the metadata portion and a data portion;
- encrypting, by the security appliance, the data portion of each data container with the associated data container encryption key stored within the metadata portion of each data container of the plurality of data containers;
- encrypting, by the security appliance, each data container encryption key stored within the metadata portion of each data container with a first secure storage key, stored in a lifetime key management server, associated with the cryptainer that stores the plurality of data containers;
- initiating deletion of a specified data container of the plurality of data containers stored on the cryptainer;
- deleting, by the security appliance, a first data container encryption key associated with the specified data container;
- re-keying, by the security appliance, each metadata portion of all other data containers stored in the cryptainer using a second secure storage key associated with the cryptainer; and
- deleting, by the security appliance and lifetime key management server, the first secure storage key to thereby delete the specified data container from the cryptainer.
Abstract
A system and method efficiently deletes a file from secure storage, i.e., a cryptainer, served by a storage system. The cryptainer is configured to store a plurality of files, each of which stores an associated file key within a special metadata portion of the file. Notably, special metadata is created by a security appliance coupled to the storage system and attached to each file to thereby create two portions of the file: the special metadata portion and the main, “file data” portion. The security appliance then stores the file key within the specially-created metadata portion of the file. A cryptainer key is associated with the cryptainer. Each file key is used to encrypt the file data portion within its associated file and the cryptainer key is used to encrypt the part of the special metadata portion of each file. To delete the file from the cryptainer, the file key of the file is deleted and the special metadata portions of all other files stored in the cryptainer are re-keyed using a new cryptainer key. Thereafter, the “old” cryptainer key is deleted.
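The deletion scheme described in the abstract, as an added illustration in JavaScript (Node.js) that is not code from the patent. The `Cryptainer` class, its method names, the in-memory key standing in for the key management server, and the choice of AES-256-GCM are all assumptions.

```javascript
const crypto = require("crypto");

// AES-256-GCM helper (the cipher is an assumption; the abstract names none).
// Blob layout: nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

function open(key, blob) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on a wrong key
}

class Cryptainer {
  constructor() {
    this.key = crypto.randomBytes(32); // stands in for the key server's copy
    this.files = new Map(); // name -> { meta, data }
  }
  write(name, data) {
    const fileKey = crypto.randomBytes(32);
    // meta: file key wrapped under the cryptainer key; data: under the file key
    this.files.set(name, { meta: seal(this.key, fileKey), data: seal(fileKey, data) });
    fileKey.fill(0);
  }
  read(file) {
    return open(open(this.key, file.meta), file.data);
  }
  // Delete `name`: re-wrap every other file key under a new cryptainer key,
  // then destroy the old key. Only metadata is rewritten, never file data.
  remove(name) {
    const next = crypto.randomBytes(32);
    const rewrapped = new Map();
    for (const [n, f] of this.files) {
      if (n === name) continue; // the victim's file key is never re-wrapped
      const fileKey = open(this.key, f.meta); // a throw here leaves state intact
      rewrapped.set(n, { meta: seal(next, fileKey), data: f.data });
      fileKey.fill(0);
    }
    this.files = rewrapped;
    this.key.fill(0); // old cryptainer key destroyed
    this.key = next;
  }
}
```

Once `remove` returns, a stale copy of the deleted file, or of any surviving file's old metadata, no longer decrypts under the current cryptainer key. That holds only if no copy of the old cryptainer key survives elsewhere, and each deletion costs one metadata rewrite per remaining file.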
17 Claims
5. A system configured to efficiently delete a data container from a cryptainer configured to store a plurality of data containers served by a storage system having a processor, the system comprising:
- a key management server configured to manage keys used to encrypt and decrypt data stored on the cryptainer of a region of storage space configured to store a plurality of data containers, the key management server having a key database configured to store a first secure storage key associated with the cryptainer; and
- a security appliance coupled to the key management server and the storage system, the security appliance configured to store a data container encryption key associated with each data container of the plurality of data containers within a metadata portion of each data container, encrypt a data portion of each data container with the associated data container encryption key stored in the metadata portion, and encrypt the metadata portion of each data container using the first secure storage key, the security appliance further configured to delete a first data container encryption key associated with a specified data container, re-key the metadata portion of all other data containers stored within the cryptainer using a second secure storage key associated with the cryptainer, and cooperate with the key management server to delete the first secure storage key to thereby delete the specified data container from the cryptainer.
16. A non-transitory computer readable medium containing executable program instructions executed by a processor, comprising:
- program instructions that designate a region of storage space of a storage system as a cryptainer to store a plurality of data containers;
- program instructions that store a data container encryption key associated with each data container of a plurality of data containers within a metadata portion of each data container, wherein the data container includes the metadata portion and a data portion;
- program instructions that encrypt the data portion of each data container with the associated data container encryption key stored within the metadata portion of each data container;
- program instructions that encrypt each data container encryption key stored within the metadata portion of each data container with a first secure storage key, stored in a lifetime key management server, associated with the cryptainer that stores the plurality of data containers;
- program instructions that initiate deletion of a specified data container of the plurality of data containers stored on the cryptainer;
- program instructions that delete a first data container encryption key associated with a specified data container;
- program instructions that re-key each metadata portion of all other data containers stored within the cryptainer using a second secure storage key associated with the cryptainer; and
- program instructions that delete the first secure storage key to thereby delete the specified data container from within the cryptainer.
Specification