Systems and methods for accessing storage or network based replicas of encrypted volumes with no additional key management

US 8,416,954 B1
Filed: 09/30/2008
Issued: 04/09/2013
Est. Priority Date: 09/30/2008
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for creating an encrypted logical unit (LUN), the method comprising the unordered steps of:

virtualizing a first LUN into a first virtual logical unit (VLU), the first LUN associated with at least one data storage device, where the first LUN and first VLU are part of a first input/output (I/O) stack in operable communication with a first host;

providing a first input/output (I/O) filter system configured as part of the first I/O stack, wherein the first I/O filter system is disposed on the first I/O stack between the first VLU and the first host, wherein the first I/O filter system is in operable communication with the first host and with the first VLU, and wherein the first I/O filter system is configured to ensure that all communications between the VLU and entities disposed above or executing above the first I/O filter system in the first I/O stack, including reads and writes to the VLU, pass through the first I/O filter system;

defining on the first VLU a first plaintext metadata storage space and a first encrypted data storage space, wherein;

the first plaintext metadata storage space comprises an unencrypted plaintext region on the first VLU that is configured to remain unencrypted, to store unencrypted metadata, to be available only for read and write I/O commands that originate from the first I/O filter system, and to be unavailable for read and write I/O commands that originate from entities disposed above or executing above the I/O filter system; and

the first encrypted data storage space comprises a region on the first VLU that is configured to store encrypted information that has been encrypted with and can be decrypted using an encryption key;

receiving, at a processor in operable communication with the first VLU, a first unique identification number (UIN) associated with the encryption key used to encrypt all information written to the first encrypted data storage space, wherein the first UIN is associated with the encryption key and wherein information relating to the first UIN and the encryption key is stored at a secure location that is in operable communication with the first host and the processor, wherein the first UIN is configured to be device independent; and

configuring the first I/O filter system to store the first UIN in the first plaintext metadata storage space on the first VLU.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer implemented method for creating an encrypted logical unit is provided. A first identification number is received, the first identification number associated with a first encryption key used to encrypt a first logical unit. The first identification number and the first encryption key are stored at a first secure location, where the first secure location provides the first encryption key to a requester in response to receiving the first identification number from the requester, assuming the requester provides security credentials. A first metadata storage space is defined on the first logical unit, the first metadata storage space comprising a region on the first logical unit that remains unencrypted. The first identification number is stored in the first metadata storage space on the first logical unit.

205 Citations

20 Claims

1. A computer implemented method for creating an encrypted logical unit (LUN), the method comprising the unordered steps of:
- virtualizing a first LUN into a first virtual logical unit (VLU), the first LUN associated with at least one data storage device, where the first LUN and first VLU are part of a first input/output (I/O) stack in operable communication with a first host;
  
  providing a first input/output (I/O) filter system configured as part of the first I/O stack, wherein the first I/O filter system is disposed on the first I/O stack between the first VLU and the first host, wherein the first I/O filter system is in operable communication with the first host and with the first VLU, and wherein the first I/O filter system is configured to ensure that all communications between the VLU and entities disposed above or executing above the first I/O filter system in the first I/O stack, including reads and writes to the VLU, pass through the first I/O filter system;
  
  defining on the first VLU a first plaintext metadata storage space and a first encrypted data storage space, wherein;
  
  the first plaintext metadata storage space comprises an unencrypted plaintext region on the first VLU that is configured to remain unencrypted, to store unencrypted metadata, to be available only for read and write I/O commands that originate from the first I/O filter system, and to be unavailable for read and write I/O commands that originate from entities disposed above or executing above the I/O filter system; and
  
  the first encrypted data storage space comprises a region on the first VLU that is configured to store encrypted information that has been encrypted with and can be decrypted using an encryption key;
  
  receiving, at a processor in operable communication with the first VLU, a first unique identification number (UIN) associated with the encryption key used to encrypt all information written to the first encrypted data storage space, wherein the first UIN is associated with the encryption key and wherein information relating to the first UIN and the encryption key is stored at a secure location that is in operable communication with the first host and the processor, wherein the first UIN is configured to be device independent; and
  
  configuring the first I/O filter system to store the first UIN in the first plaintext metadata storage space on the first VLU.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the first UIN is configured to be at least one of globally unique within a first domain.
  - 3. the method of claim 1, wherein the virtualization of the first LUN further defines therein a third plaintext metadata storage space distinct from the first encrypted data storage space and distinct from the first plaintext metadata storage space, wherein the first plaintext metadata storage space serves as a primary metadata storage space for the first UIN and wherein the third plaintext metadata storage space serves as an alternate copy of the first plaintext metadata storage space, wherein the third plaintext metadata storage space is configured to enable rollback to a previous state of information stored in the first-metadata storage space, and wherein the third plaintext metadata storage space is configured to remain unencrypted, to be available only for read and write I/O commands that originate from the first I/O filter system, and to be unavailable for read and write I/O commands that originate from entities disposed above or executing above the I/O filter system.
  - 4. The method of claim 1, further comprising the unordered step of:
    - configuring the first 1/0 filter system to ensure that the first plaintext metadata storage space is not visible to entities disposed above or executing above the first I/O filter system in the I/0 stack.
  - 5. The method of claim 1, wherein the first plaintext metadata storage space is further configured to be available for read and write I/0 commands originating from predetermined extensions of the first I/0 filter system.
  - 6. The method of claim 1, further comprising the unordered steps of:
    - configuring the first I/O filter system to retrieve the first UIN from the first plaintext metadata storage space;
      
      presenting the first UIN to a key manager disposed at the secure location;
      
      receiving the encryption key; and
      
      storing the encryption key in a first data structure in a first kernel running on a first host in operable communication with the virtualized first LUN.
  - 7. The method of claim 6 further comprising storing the encryption key in at least one of an encryption key cache in the first kernel and in non-pageable kernel memory.
  - 8. The method of claim 1, further comprising the unordered steps ofconfiguring the first VLU to the first host as a first encrypted VLU (cVLU) after the first UIN is stored in the first plaintext metadata storage space, wherein the configuring comprises;
    - reading the first plaintext metadata storage space to retrieve the first TAN;
      
      providing the first UIN to the secure location to retrieve the encryption key;
      
      receiving the encryption key; and
      
      storing the received encryption key in a first data structure in a first kernel running on the first host.
  - 9. The method of claim 8, further comprising the unordered steps of:
    - receiving a request from a requester to write data to or read data from the first eVLU;
      
      providing the encryption key in the first data structure to a cryptographic module;
      
      providing to the cryptographic module, if the request is a write, the data to be encrypted;
      
      providing to the cryptographic module, if the request is a read, the encrypted data stored in the first encrypted data storage space on the first eVLU;
      
      receiving, if the request is a write, at the first encrypted data storage space of the first eVLU, data from the requester that has been encrypted by the cryptographic module; and
      
      providing to the requester, if the request is a read, plaintext data that has been decrypted by the cryptographic module.
  - 10. The method of claim 8, further comprising the unordered steps of:
    - associating a first device identifier with the first LUN;
      
      receiving, from the first secure location, at the processor, the first UIN and associated key information, the associated key information comprising information used by an encryption algorithm associated with the encryption key;
      
      defining a first keyBlob, the first keyBlob comprising the associated key information, the first UIN, the first device identifier and, and the encryption key, such that the first keyBlob is unique to the first LUN;
      
      storing the first keyBlob in a first data structure in a first kernel running on the first host.
  - 11. The method of claim 10, further comprising the unordered steps of:
    - receiving a request from a requester to write data to or read data from the first encrypted data storage space of the first eVLU;
      
      retrieving the first UN from the first plaintext metadata storage space;
      
      looking up the first keyfilob in the first data structure, based on the first UIN;
      
      providing the encryption key and associated key information from the first keyBlob to a cryptographic module;
      
      providing to the cryptographic module, if the request is a write, the data to be encrypted;
      
      providing to the cryptographic module, if the request is a read, the encrypted data stored in the encrypted data storage space on the first eVLU;
      
      receiving, if the request is a write, at the first eVLU, data from the requester that has been encrypted by the cryptographic module; and
      
      providing to the requester, if the request is a read, plaintext data that has been decrypted by the cryptographic module.
  - 12. The method of claim 8, wherein the first LUN has a first size and further comprising the unordered step of:
    - replicating the first LUN to a second LUN having a size sufficient to accommodate the first eVLU, wherein the replication includes copying the first eVLU to a corresponding second eVLU on the second LUN, such that the second eVLU comprises a replica eVLU of the first eVLU, including a second respective encrypted storage space and a second respective plaintext rnetadata storage space storing therein a copy of the first UIN unique identification number;
      
      wherein the second LUN is in operable communication with a respective one of the first I/O filter driver and a second I/O filter driver.
  - 13. The method of claim 12, further comprising:
    - configuring the respective one of the first and second I/O filter drivers to detect whether the first UIN is stored in the second plaintext metadata storage space in the second eVLU;
      
      providing, if the first UIN is present in the second plaintext metadata storage space, the first UIN to the secure location;
      
      receiving from the secure location the encryption key; and
      
      storing the encryption key in a second data structure in a second kernel running on a second host.

14. A system for creating an encrypted logical unit (LUN), the system comprising:
- a first logical unit (LUN) associated with at least a first data storage device;
  
  a first encrypted virtual logical unit (eVLU), the eVLU corresponding to a first logical entity configured as a first virtualization of the first LUN, the first eVLU comprising;
  
  a first encrypted data storage space configured to store encrypted data written to the eVLU using an encryption key; and
  
  a first plaintext metadata storage space configured to store plaintext metadata, the plaintext metadata comprising a unique identification number (UIN) associated with the encryption key;
  
  a first input/output I/O) filter system configured as part of a first I/O stack of the system, wherein the first I/O filter system is disposed on the first I/O stack between the first eVLU and a first host in operable communication with the system, wherein the first I/O filter system is in operable communication with the first host and with the first eVLU, and wherein the first I/O filter system is configured to ensure that;
  
  all communications between the first eVLU and entities disposed above or executing above the first I/O filter system in the I/O stack, including reads and writes to the first eVLU, pass through the first I/O filter system; and
  
  the first plaintext metadata storage space remains unencrypted, stores unencrypted metadata, is available only for read and write I/O commands that originate from the first I/O filter system and its extensions, and is unavailable for read and write I/O commands that originate from entities disposed above or executing above the I/O filter system; and
  
  a processor in operable communication with the I/O filter system and with a key manager, the processor configured to;
  
  receive from the key manager the UIN associated with the encryption key, where the UIN and encryption key are securely stored together in the key manager, where the UIN associated with the encryption key is configured to be independent of a first device identifier associated with the first LUN; and
  
  configure the I/O filter system to store the UIN in the first plaintext metadata storage space on the first eVLU.
- View Dependent Claims (15, 16, 17)
- - 15. The system of claim 14, wherein the processor is further configured to:
    - configure the I/O filter system to retrieve the UIN from the first plaintext metadata storage space;
      
      present the UIN to the key manager;
      
      receive the encryption key; and
      
      store the encryption key in a first data structure in a first kernel running on the first host, wherein the first host is in operable communication with the first eVLU via the I/O filter system.
  - 16. The system of claim 14, further comprising:
    - a second LUN in operable communication with the first I/O filter system, the second LUN associated with at least a second storage device, the second LUN having a size sufficient to accommodate a replica of the first eVLU; and
      
      a second data structure stored in at least one of the first kernel running on the first host or a second kernel running on a second host;
      
      wherein the processor is further configured to;
      
      replicate the first LUN to the second LUN, the second LUN being in operable communication with a respective one of the first I/O filter driver and a second I/O filter driver, wherein the replication includes replication of the first eVLU to a corresponding second eVLU, including replication of the first plaintext metadata storage space and the UIN stored therein, and replication of the first encrypted data storage space, to a corresponding second plaintext metadata storage space and second encrypted data storage space;
      
      configure the respective one of the first and second I/O filter systems to detect the presence of the UIN stored in the second plaintext metadata storage space on the second LUN;
      
      configure the respective one of the first and second I/O filter systems to retrieve the UIN;
      
      provide the UIN to the key manager to retrieve the encryption key; and
      
      store the encryption key in the second data structure.
  - 17. The system of claim 14, wherein the first eVLU further comprises:
    - a third plaintext metadata storage space distinct from the first encrypted data storage space and from the first plaintext metadata storage space, wherein the first plaintext metadata storage space serves as a primary metadata storage space for the UIN and wherein the third plaintext metadata storage space serves as an alternate copy of the first plaintext metadata storage space, wherein the third plaintext metadata storage space is configured to enable rollback to a previous state of information stored in the first metadata storage space, and wherein the third plaintext metadata storage space is configured to remain unencrypted, to store unencrypted metadata, to be available only for read and write I/O commands that originate from the first I/O filter system, and to be unavailable for read and write I/O commands that originate from entities disposed above or executing above the I/O filter system.

18. A computer program product, comprising a computer-usable storage medium having a computer-readable program code stored therein, the computer-readable program code containing instructions that, when executed by a processor of a computer system, implement a method for creating an encrypted logical unit (LUN), the method comprising:
- virtualizing a first LUN into a first virtual logical unit (VLU), the first LUN associated with at least one data storage device, where the first LUN and first VLU are part of a first input/output (I/O) stack in operable communication with a first host;
  
  providing a first input/output (I/O) filter system configured as part of the first I/O stack, wherein the first I/O filter system is disposed on the first I/O stack between the first VLU and the first host, wherein the first I/O filter system is in operable communication with the first host and with the first VLU, and wherein the first I/O filter system is configured to ensure that all communications between the VLU and entities disposed above or executing above the first I/O filter system in the first I/O stack, pass through the first I/O filter system;
  
  defining on the first VLU a first plaintext metadata storage space and a first encrypted data storage space, wherein;
  
  the first plaintext metadata storage space comprises an unencrypted plaintext region on the first VLU that is configured to remain unencrypted, to store unencrypted metadata, to be available only for read and write I/O commands that originate from the first I/O filter system, and to be unavailable for read and write I/O commands that originate from entities disposed above or executing above the I/O filter system; and
  
  the first encrypted data storage space comprises a region on the first VLU that is configured to store encrypted information that has been encrypted with and can be decrypted using an encryption key;
  
  receiving, at a processor in operable communication with the first VLU, a first unique identification number (UIN) associated with a first encryption key used to encrypt all information written to the first encrypted data storage space, wherein the first UIN is associated with the first encryption key and wherein information relating to the first UIN and the first encryption key is stored at a secure location that is in operable communication with the first host and the processor, wherein the first UIN is configured to be device independent; and
  
  configuring the first I/O filter system to store the first UIN in the first plaintext metadata storage space on the first VLU.
- View Dependent Claims (19, 20)
- - 19. The computer program product of claim 18, wherein the computer-readable program code further contains instructions that, when executed by the processor of the computer system, further implement the method for creating an encrypted logical unit (LUN), the method further comprising:
    - detecting the presence of a second LUN in operable communication with the first host and the first I/O filter system, at a time when the first host has not yet have stored therein a second data structure comprising a corresponding second encryption key and corresponding second UIN, for the second LUN;
      
      configuring the first I/O filter system to detect whether the second LUN includes a corresponding second plaintext metadata region;
      
      configuring, if the second LUN includes a corresponding second plaintext metadata region, the first I/O filter system to detect whether a corresponding second UIN is stored in the second plaintext metadata region;
      
      configuring, if the second UIN is present, the first I/O filter driver to retrieve the second UIN;
      
      providing, if the second UIN is present, the second UIN to the secure location;
      
      receiving from the secure location the corresponding second encryption key;
      
      storing the second encryption key and the second UIN in the second data structure in the first kernel miming on the first host.
  - 20. The computer program product of claim 18, wherein the computer-readable program code further contains instructions that, when executed by the processor of the computer system, further implement the method for creating an encrypted logical unit (LUN), the method further comprising:
    - detecting the presence of a third LUN in operable communication with the first host and the first I/O filter system, at a time when the first host has previously stored therein a third data structure comprising a corresponding third UIN and corresponding third encryption key for the third LUN;
      
      configuring the first I/O filter system to retrieve from a third plaintext metadata region on the third LUN a fourth UIN stored in the third plaintext metadata region;
      
      providing, if the third UIN stored in the third data structure is not identical to the fourth UIN unique identification number stored in the third plaintext metadata region, the fourth UIN to the secure location;
      
      receiving from the secure location a corresponding fourth encryption key associated with the fourth UIN; and
      
      replacing the third encryption key and third UIN in the third data structure in the first kernel running on the first host with the fourth encryption key and fourth UIN.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Raizen, Helen S., Harwood, John, Bappe, Michael E., Freund, David W.
Primary Examiner(s)
Lipman, Jacob

Application Number

US12/242,690
Time in Patent Office

1,652 Days
Field of Search

380/277, 726/2
US Class Current

380/277
CPC Class Codes

G06F 16/13   File access structures, e.g...

G06F 21/78   to assure secure storage of...

G06F 3/0665   at area level, e.g. provisi...

H04L 63/00   Network architectures or ne...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 67/1095   Replication or mirroring of...

H04L 67/1097   for distributed storage of ...

H04L 9/08   Key distribution or managem...

Systems and methods for accessing storage or network based replicas of encrypted volumes with no additional key management

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

205 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for accessing storage or network based replicas of encrypted volumes with no additional key management

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

205 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others