Encryption based security system for network storage
Abstract
The presently preferred embodiment of the invention provides an encryption based security system for network storage that separates the ability to access storage from the ability to access the stored data. This is achieved by keeping all the data encrypted on the storage devices. Logically, the invention comprises a device that has two network interfaces: one is a clear text network interface that connects to one or more clients, and the other is a secure network interface that is connected to one or more persistent storage servers. Functionally, each network interface supports multiple network nodes. That is, the clear text network interface supports multiple client machines, and the secure network interface supports one or more storage servers.
24 Claims
1. A security apparatus for accessing data in a data container stored on a storage system, comprising:
- a secure interface;
- a clear-text interface;
- an encryption device configured to receive a first command using a first data storage protocol via the clear-text interface, wherein the first command includes command information and a data payload, wherein the command information includes an instruction to store the data payload in the data container;
- the encryption device further configured to distinguish the command information from the data payload;
- the encryption device further configured to associate the data container with a first random value;
- the encryption device further configured to encrypt the data payload using an encryption key and the first random value; and
- the encryption device further configured to transmit via the secure interface a second command using a second data storage protocol, wherein the second command includes the encrypted data payload and the command information, wherein the command information is unencrypted, wherein the second data storage protocol is different from the first data storage protocol, and wherein both the first and second data storage protocols are selected from a group consisting of NFS, CIFS, iSCSI and Fibrechannel.

Dependent claims 2 to 23 refer to claim 1.
24. A security apparatus for accessing data in a data container stored on a storage system, comprising:
- an encryption device having a clear-text interface and a secure interface, wherein the data container is accessible by the encryption device only via the secure interface; and
- the encryption device configured to receive via the clear-text interface a first command using a first data storage protocol, wherein the first command includes a data payload and command information, wherein the first command includes an instruction to store the data payload in the data container;
- the encryption device further configured to distinguish the command information from the data payload;
- the encryption device further configured to encrypt the data payload; and
- the encryption device further configured to transmit via the secure interface a second command using a second data storage protocol, wherein the second command includes the encrypted data payload and the command information, wherein the command information is unencrypted, wherein the second data storage protocol is different from the first data storage protocol, and wherein both the first and second data storage protocols are selected from a group consisting of NFS, CIFS, iSCSI and Fibrechannel.
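The following is an added illustration of the apparatus in claims 1 and 24, not code from the patent: an encryption device that separates command information from the data payload, binds each container to its own random value, encrypts only the payload, and re-issues the command on the secure side with the command information in clear text. The command dictionaries, the NFS-to-iSCSI mapping and the stdlib-only cipher construction (HMAC-SHA256 keystream with an HMAC tag) are assumptions made for the example; a product would use a standard AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os

# Constructed example of the encryption device from claims 1 and 24. The
# cipher below is a stdlib-only encrypt-then-MAC construction chosen so the
# example runs without third-party packages; it stands in for a real AEAD.
NONCE_LEN, TAG_LEN, BLOCK = 16, 32, 32


class EncryptionDevice:
    def __init__(self, encryption_key: bytes) -> None:
        self._key = encryption_key
        self._container_random: dict[str, bytes] = {}  # container -> first random value

    def random_value_for(self, container: str) -> bytes:
        # Associate the data container with a random value on first use (claim 1).
        return self._container_random.setdefault(container, os.urandom(NONCE_LEN))

    def _container_key(self, container: str) -> bytes:
        # Per-container key = PRF(encryption key, container random value).
        salt = self.random_value_for(container)
        return hmac.new(self._key, b"container-key|" + salt, hashlib.sha256).digest()

    @staticmethod
    def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
        # Counter-mode keystream: HMAC(key, nonce || block index), XORed with data.
        out = bytearray()
        for i in range(0, len(data), BLOCK):
            ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
            out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
        return bytes(out)

    def encrypt_payload(self, container: str, payload: bytes) -> bytes:
        key = self._container_key(container)
        nonce = os.urandom(NONCE_LEN)  # fresh per write, never reused under a key
        ct = self._xor_stream(key, nonce, payload)
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def decrypt_payload(self, container: str, blob: bytes) -> bytes:
        key = self._container_key(container)
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("payload authentication failed")
        return self._xor_stream(key, nonce, ct)

    def forward(self, first_command: dict) -> dict:
        # Distinguish command information from the payload, encrypt only the
        # payload, and emit the second command on a different protocol with the
        # command information left unencrypted (assumed mapping: NFS -> iSCSI).
        second = {k: v for k, v in first_command.items() if k != "payload"}
        second["protocol"] = "iSCSI" if first_command["protocol"] == "NFS" else "NFS"
        second["payload"] = self.encrypt_payload(first_command["container"], first_command["payload"])
        return second
```

The storage server receives the operation and container name exactly as the client sent them, but can only store or return the ciphertext; an operator with access to the storage interface alone cannot recover the data, which is the separation the abstract describes.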