Systems and methods for accessing storage or network based replicas of encrypted volumes with no additional key management
First Claim
1. A computer implemented method for creating an encrypted logical unit (LUN), the method comprising the unordered steps of:
virtualizing a first LUN into a first virtual logical unit (VLU), the first LUN associated with at least one data storage device, where the first LUN and first VLU are part of a first input/output (I/O) stack in operable communication with a first host;
providing a first input/output (I/O) filter system configured as part of the first I/O stack, wherein the first I/O filter system is disposed on the first I/O stack between the first VLU and the first host, wherein the first I/O filter system is in operable communication with the first host and with the first VLU, and wherein the first I/O filter system is configured to ensure that all communications between the VLU and entities disposed above or executing above the first I/O filter system in the first I/O stack, including reads and writes to the VLU, pass through the first I/O filter system;
defining on the first VLU a first plaintext metadata storage space and a first encrypted data storage space, wherein:
the first plaintext metadata storage space comprises an unencrypted plaintext region on the first VLU that is configured to remain unencrypted, to store unencrypted metadata, to be available only for read and write I/O commands that originate from the first I/O filter system, and to be unavailable for read and write I/O commands that originate from entities disposed above or executing above the I/O filter system; and
the first encrypted data storage space comprises a region on the first VLU that is configured to store encrypted information that has been encrypted with and can be decrypted using an encryption key;
receiving, at a processor in operable communication with the first VLU, a first unique identification number (UIN) associated with the encryption key used to encrypt all information written to the first encrypted data storage space, wherein the first UIN is associated with the encryption key and wherein information relating to the first UIN and the encryption key is stored at a secure location that is in operable communication with the first host and the processor, wherein the first UIN is configured to be device independent; and
configuring the first I/O filter system to store the first UIN in the first plaintext metadata storage space on the first VLU.
9 Assignments
0 Petitions
Abstract
A computer implemented method for creating an encrypted logical unit is provided. A first identification number is received, the first identification number associated with a first encryption key used to encrypt a first logical unit. The first identification number and the first encryption key are stored at a first secure location, where the first secure location provides the first encryption key to a requester in response to receiving the first identification number from the requester, assuming the requester provides security credentials. A first metadata storage space is defined on the first logical unit, the first metadata storage space comprising a region on the first logical unit that remains unencrypted. The first identification number is stored in the first metadata storage space on the first logical unit.
205 Citations
20 Claims
1. A computer implemented method for creating an encrypted logical unit (LUN), the method comprising the unordered steps of:
(claim text as set out under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
14. A system for creating an encrypted logical unit (LUN), the system comprising:
a first logical unit (LUN) associated with at least a first data storage device;
a first encrypted virtual logical unit (eVLU), the eVLU corresponding to a first logical entity configured as a first virtualization of the first LUN, the first eVLU comprising:
a first encrypted data storage space configured to store encrypted data written to the eVLU using an encryption key; and
a first plaintext metadata storage space configured to store plaintext metadata, the plaintext metadata comprising a unique identification number (UIN) associated with the encryption key;
a first input/output (I/O) filter system configured as part of a first I/O stack of the system, wherein the first I/O filter system is disposed on the first I/O stack between the first eVLU and a first host in operable communication with the system, wherein the first I/O filter system is in operable communication with the first host and with the first eVLU, and wherein the first I/O filter system is configured to ensure that:
all communications between the first eVLU and entities disposed above or executing above the first I/O filter system in the I/O stack, including reads and writes to the first eVLU, pass through the first I/O filter system; and
the first plaintext metadata storage space remains unencrypted, stores unencrypted metadata, is available only for read and write I/O commands that originate from the first I/O filter system and its extensions, and is unavailable for read and write I/O commands that originate from entities disposed above or executing above the I/O filter system; and
a processor in operable communication with the I/O filter system and with a key manager, the processor configured to:
receive from the key manager the UIN associated with the encryption key, where the UIN and encryption key are securely stored together in the key manager, where the UIN associated with the encryption key is configured to be independent of a first device identifier associated with the first LUN; and
configure the I/O filter system to store the UIN in the first plaintext metadata storage space on the first eVLU.
Dependent claims: 15, 16, 17
18. A computer program product, comprising a computer-usable storage medium having a computer-readable program code stored therein, the computer-readable program code containing instructions that, when executed by a processor of a computer system, implement a method for creating an encrypted logical unit (LUN), the method comprising:
virtualizing a first LUN into a first virtual logical unit (VLU), the first LUN associated with at least one data storage device, where the first LUN and first VLU are part of a first input/output (I/O) stack in operable communication with a first host;
providing a first input/output (I/O) filter system configured as part of the first I/O stack, wherein the first I/O filter system is disposed on the first I/O stack between the first VLU and the first host, wherein the first I/O filter system is in operable communication with the first host and with the first VLU, and wherein the first I/O filter system is configured to ensure that all communications between the VLU and entities disposed above or executing above the first I/O filter system in the first I/O stack pass through the first I/O filter system;
defining on the first VLU a first plaintext metadata storage space and a first encrypted data storage space, wherein:
the first plaintext metadata storage space comprises an unencrypted plaintext region on the first VLU that is configured to remain unencrypted, to store unencrypted metadata, to be available only for read and write I/O commands that originate from the first I/O filter system, and to be unavailable for read and write I/O commands that originate from entities disposed above or executing above the I/O filter system; and
the first encrypted data storage space comprises a region on the first VLU that is configured to store encrypted information that has been encrypted with and can be decrypted using an encryption key;
receiving, at a processor in operable communication with the first VLU, a first unique identification number (UIN) associated with a first encryption key used to encrypt all information written to the first encrypted data storage space, wherein the first UIN is associated with the first encryption key and wherein information relating to the first UIN and the first encryption key is stored at a secure location that is in operable communication with the first host and the processor, wherein the first UIN is configured to be device independent; and
configuring the first I/O filter system to store the first UIN in the first plaintext metadata storage space on the first VLU.
Dependent claims: 19, 20
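Added example (not code from the patent or its assignee): a toy model of the eVLU layout and key retrieval the abstract and claims describe, with a plaintext metadata region holding the UIN, an encrypted data region, an I/O filter that alone touches the metadata, and a key manager that releases the key for a UIN only against credentials. The class names, the metadata-region size and the XOR keystream are assumptions; the point shown is that a byte-for-byte replica on a device with a different identifier can be opened by reading the UIN back from its metadata, with no key re-registration for the replica.

```python
import os, hmac, hashlib

META_BYTES = 64   # assumed size of the plaintext metadata region (constructed value)

class KeyManager:
    """The 'secure location': maps a device-independent UIN to a key, released only with credentials."""
    def __init__(self, credential):
        self._keys, self._credential = {}, credential
    def create_key(self):
        uin = os.urandom(16).hex()          # UIN is random, not derived from any device identifier
        self._keys[uin] = os.urandom(32)
        return uin
    def get_key(self, uin, credential):
        if not hmac.compare_digest(credential, self._credential):
            raise PermissionError("requester failed to present valid security credentials")
        return self._keys[uin]

class VLU:
    """Virtualised LUN: plaintext metadata region followed by the encrypted data region."""
    def __init__(self, device_id, nblocks, block_size=16):
        self.device_id, self.block_size = device_id, block_size
        self.meta, self.data = bytearray(META_BYTES), bytearray(nblocks * block_size)
    def replica(self, new_device_id):
        """Storage/network replica: byte-for-byte copy of both regions onto a different device."""
        r = VLU(new_device_id, len(self.data) // self.block_size, self.block_size)
        r.meta[:], r.data[:] = self.meta, self.data
        return r

class IoFilter:
    """Sits between host and VLU; host reads/writes reach only the data region, never the metadata."""
    def __init__(self, vlu, key_manager, credential):
        self.vlu, self.km, self.cred, self.key = vlu, key_manager, credential, None
    def create(self):                       # new eVLU: obtain a UIN and record it in plaintext metadata
        uin = self.km.create_key()
        self.vlu.meta[:] = uin.encode().ljust(META_BYTES, b"\0")
        self.key = self.km.get_key(uin, self.cred)
    def open(self):                         # existing eVLU or replica: read the UIN, fetch the key by UIN
        uin = bytes(self.vlu.meta).rstrip(b"\0").decode()
        self.key = self.km.get_key(uin, self.cred)
    def _keystream(self, block):            # toy per-block keystream; a real filter uses a standard block-cipher mode
        return hashlib.sha256(self.key + block.to_bytes(8, "big")).digest()[: self.vlu.block_size]
    def write(self, block, plaintext):      # host writes land in the data region, encrypted
        bs = self.vlu.block_size
        self.vlu.data[block * bs:(block + 1) * bs] = bytes(a ^ b for a, b in zip(plaintext.ljust(bs, b"\0"), self._keystream(block)))
    def read(self, block):
        bs = self.vlu.block_size
        return bytes(a ^ b for a, b in zip(self.vlu.data[block * bs:(block + 1) * bs], self._keystream(block))).rstrip(b"\0")

def demo(credential=b"host-credential"):
    km = KeyManager(credential)
    primary = VLU("naa.primary", nblocks=4)                      # constructed device identifiers
    f1 = IoFilter(primary, km, credential); f1.create(); f1.write(0, b"payroll")
    f2 = IoFilter(primary.replica("naa.replica"), km, credential); f2.open()   # second host, second device, same UIN
    return f2.read(0), bytes(primary.data[:16]) != b"payroll".ljust(16, b"\0"), bytes(primary.meta) == bytes(f2.vlu.meta)
```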
Specification