Automation of coordination of encryption keys in a SAN based environment where an encryption engine, device management, and key management are not co-located
First Claim
1. A method of operation in a data processing system including a storage area network, a storage system computer, and a key management server computer separate from the storage system computer, the storage area network including data storage devices, and the storage system computer including a replication facility and an encryption engine separate from the data storage devices, and the key management server computer providing encryption keys to the encryption engine, said method comprising:
- a) the storage system computer creating an encrypted storage object in the storage area network, and the storage system computer sending a first request to the key management server computer for a data encryption key for writing encrypted data into the storage object, and the key management server computer responding to the first request by assigning a data encryption key to the storage object and keeping a record of the data encryption key assigned to the storage object;
- b) the storage system computer creating a replica of the storage object in the storage area network, and the storage system computer sending a second request to the key management server computer for a data encryption key for the replica to be associated in the key management server, and the key management server computer responding to the second request by assigning a data encryption key to the replica in coordination with the replication facility independent of the encryption engine, and the key management server computer keeping a record of the data encryption key assigned to the replica and an association of the replica with the storage object; and
- c) the storage system computer responding to a failure of the storage object in the storage area network by obtaining from the key management server computer an identification of the replica of the storage object that is associated with the storage object, and using the identification of the replica from the key management server computer to find the replica in the storage area network, and using the replica found in the storage area network to recover from the failure of the storage object.
9 Assignments
0 Petitions
Abstract
A key management server in a storage area network (SAN) provides encryption keys for source and destination storage objects and also associates destination storage objects with source storage objects. When a source object is to be replicated, a replication facility in a storage system of a new destination object requests the key management server to associate the destination object with the source object and assign the data encryption key of the source object or a new data encryption key to the destination object. For recovery of the source object, a replication facility in the storage system of the source object obtains information from the key management server about the replica associated with the source object for replicating data from the destination object back to the source object.
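The abstract and the independent claims describe one protocol between a storage system and a key management server (KMS): assign a data encryption key to a source object, assign a key to each replica while recording the replica's association with its source, and on failure of the source ask the KMS which replica is associated with it, then restore from that replica while the KMS tracks restoration status. The following is an added example, not code from the patent or its assignee, that models that exchange end to end. The class and object names (`KeyManagementServer`, `StorageSystem`, `lun-src`, `lun-replica`) are constructed for illustration, and `toy_keystream_cipher` is a stand-in for the encryption engine so the block runs offline with the standard library only; it is not a production cipher.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


def toy_keystream_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for the storage system's encryption engine: XOR with a
    SHA-256(key || block counter) keystream. Symmetric, so the same call
    encrypts and decrypts. Illustrative only, not a real cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass
class KeyRecord:
    """One KMS record: the object, its data encryption key (DEK), the source
    object it replicates (if any), and the restoration status of claim 8(g)."""
    object_id: str
    key_id: str
    key: bytes
    source_id: Optional[str] = None
    restoration_status: str = "none"   # "none" | "in_progress" | "completed"


class KeyManagementServer:
    """Separate from the storage system: assigns DEKs and keeps the
    replica-to-source associations that the storage system cannot rebuild
    after the source object is lost."""

    def __init__(self) -> None:
        self._records: Dict[str, KeyRecord] = {}

    def assign_key(self, object_id: str, source_id: Optional[str] = None,
                   reuse_source_key: bool = False) -> KeyRecord:
        if object_id in self._records:
            raise ValueError(f"{object_id} already has a key record")
        if source_id is not None and source_id not in self._records:
            raise KeyError(f"unknown source object {source_id}")
        if reuse_source_key:            # abstract: "the data encryption key of the source object"
            src = self._records[source_id]
            key_id, key = src.key_id, src.key
        else:                           # abstract: "or a new data encryption key"
            key_id, key = "dek-" + secrets.token_hex(4), secrets.token_bytes(32)
        rec = KeyRecord(object_id, key_id, key, source_id)
        self._records[object_id] = rec
        return rec

    def get_key(self, object_id: str) -> bytes:
        return self._records[object_id].key

    def get_key_id(self, object_id: str) -> str:
        return self._records[object_id].key_id

    def replicas_of(self, source_id: str) -> List[str]:
        """Claim 8(d): identify any storage object associated with the source."""
        return sorted(r.object_id for r in self._records.values() if r.source_id == source_id)

    def set_restoration_status(self, object_id: str, status: str) -> None:
        self._records[object_id].restoration_status = status

    def get_restoration_status(self, object_id: str) -> str:
        return self._records[object_id].restoration_status


class StorageSystem:
    """Storage system computer holding the replication facility and the
    encryption engine; `devices` stands in for the SAN's data storage."""

    def __init__(self, kms: KeyManagementServer) -> None:
        self.kms = kms
        self.devices: Dict[str, bytes] = {}   # object_id -> ciphertext on disk

    def create_encrypted_object(self, object_id: str, plaintext: bytes) -> None:
        rec = self.kms.assign_key(object_id)                       # first request
        self.devices[object_id] = toy_keystream_cipher(rec.key, plaintext)

    def create_replica(self, source_id: str, replica_id: str, new_key: bool = True) -> None:
        """Replication facility: the KMS assigns the replica's key and records the
        association; the data is decrypted with the source key and written under
        the replica key (claim 8(c)). Key coordination never touches the engine."""
        rec = self.kms.assign_key(replica_id, source_id=source_id,
                                  reuse_source_key=not new_key)    # second request
        plaintext = toy_keystream_cipher(self.kms.get_key(source_id), self.devices[source_id])
        self.devices[replica_id] = toy_keystream_cipher(rec.key, plaintext)

    def fail_object(self, object_id: str) -> None:
        self.devices.pop(object_id)    # simulate loss of the source object's storage

    def recover(self, source_id: str) -> str:
        """Claims 1(c), 8(d)-(g): ask the KMS for the associated replica, locate it
        in the SAN, restore the source from it, and track restoration status."""
        replica_id = next((r for r in self.kms.replicas_of(source_id) if r in self.devices), None)
        if replica_id is None:
            raise RuntimeError(f"no reachable replica of {source_id} recorded by the KMS")
        self.kms.set_restoration_status(source_id, "in_progress")
        plaintext = toy_keystream_cipher(self.kms.get_key(replica_id), self.devices[replica_id])
        self.devices[source_id] = toy_keystream_cipher(self.kms.get_key(source_id), plaintext)
        self.kms.set_restoration_status(source_id, "completed")
        return replica_id

    def read(self, object_id: str) -> bytes:
        return toy_keystream_cipher(self.kms.get_key(object_id), self.devices[object_id])


def demo(new_key_for_replica: bool = True) -> dict:
    """Full cycle on constructed sample data: create, replicate, fail, recover."""
    kms, san = KeyManagementServer(), None
    san = StorageSystem(kms)
    payload = b"constructed sample payload for lun-src"
    san.create_encrypted_object("lun-src", payload)
    san.create_replica("lun-src", "lun-replica", new_key=new_key_for_replica)
    san.fail_object("lun-src")
    used = san.recover("lun-src")
    return {
        "recovered_from": used,
        "data": san.read("lun-src"),
        "status": kms.get_restoration_status("lun-src"),
        "same_key": kms.get_key_id("lun-src") == kms.get_key_id("lun-replica"),
    }


if __name__ == "__main__":
    print(demo())
```

The point the claims make is visible in `recover`: after the source object is gone, the only durable record of which replica belongs to it lives in the KMS, so the storage system asks the KMS first and only then searches the SAN. Whether the replica shares the source key (`new_key=False`) or gets its own is a policy choice the KMS records either way; the restoration status lets a second storage system or an operator see that a restore is in flight before trusting the source object again.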
113 Citations
19 Claims
1. Claim 1 is set out above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method of operating a data processing system including at least one host processor, at least one storage system computer coupled to said at least one host processor for storing data of said at least one host processor, and at least one key management server computer coupled to and separate from said at least one storage system computer for providing data encryption keys to said at least one storage system computer, said method comprising:
- (a) the key management server computer providing a data encryption key to said at least one storage system computer for encrypting data to be written to a source storage object in data storage of said at least one storage system computer, and the key management server computer keeping a record of the source storage object and the data encryption key for the source storage object; and then
- (b) said at least one storage system computer using the data encryption key for encrypting data to be written to the source storage object by encrypting data from said at least one host processor and writing the encrypted data to the source storage object in the data storage; and then
- (c) the key management server computer providing a data encryption key to said at least one storage system for decrypting data read from the source storage object and written to a destination storage object in the data storage of said at least one storage system, and the key management server computer keeping a record of the destination storage object and the data encryption key for the destination storage object and keeping an association of the record of the destination storage object with the record of the source storage object; and then
- (d) said at least one storage system computer responding to a failure of the source storage object by sending a request to the key management server computer, the request specifying the source storage object and requesting the key management server computer to identify any storage object associated with the specified storage object; and in response to the request, the key management server computer finding that the record of the destination storage object is associated with the record of the specified source storage object, and returning a reply to said at least one storage system, the reply identifying the destination storage object; and
- (e) said at least one storage system computer responding to the reply from the key management server computer by reading data from the destination storage object identified by the reply, and using the data read from the destination storage object identified by the reply to recover from the failure of the source storage object; and
- (f) said at least one storage system computer using the data read from the destination storage object identified by the reply to recover from the failure of the source storage object by restoring the source storage object with the data read from the destination storage object identified by the reply; and
- (g) the key management server computer keeping an indication of the restoration status of the source storage object, the restoration status indicating whether or not restoration of the source storage object is in progress or has been completed.
Dependent claims: 9, 10, 11.
12. A data processing system comprising:
- a storage area network including data storage devices and a storage system computer, the storage system computer including a replication facility and an encryption engine separate from the data storage devices; and
- a key management server computer separate from the storage system computer and coupled to the storage area network for providing data encryption keys to the encryption engine;
- wherein the storage system computer is programmed for creating an encrypted storage object in the storage area network, and the storage system computer is further programmed for sending a first request to the key management server computer for a data encryption key for writing encrypted data into the storage object, and the key management server computer is programmed for responding to the first request by assigning a data encryption key to the storage object and keeping a record of the data encryption key assigned to the storage object;
- the storage system computer is further programmed for creating a replica of the storage object in the storage area network in coordination with the replication facility independent of the encryption engine, and the storage system computer is further programmed for sending a second request to the key management server computer for a data encryption key for the replica to be associated in the key management server, and the key management server computer is further programmed for responding to the second request by assigning a data encryption key to the replica and keeping a record of the data encryption key assigned to the replica and an association of the replica with the storage object; and
- the storage system computer is further programmed for responding to a failure of the storage object in the storage area network by obtaining from the key management server computer an identification of the replica of the storage object that is associated with the storage object, and using the identification of the replica from the key management server computer to find the replica in the storage area network and use the replica to recover from the failure of the storage object.
Dependent claims: 13, 14, 15, 16, 17, 18, 19.
Specification