Automation of coordination of encryption keys in a SAN based environment where an encryption engine, device management, and key management are not co-located

US 8,498,417 B1
Filed: 03/06/2008
Issued: 07/30/2013
Est. Priority Date: 12/27/2007
Status: Active Grant

First Claim

Patent Images

1. A method of operation in a data processing system including a storage area network, a storage system computer, and a key management server computer separate from the storage system computer, the storage area network including data storage devices, and the storage system computer including a replication facility and an encryption engine separate from the data storage devices, and the key management server computer providing encryption keys to the encryption engine, said method comprising:

a) the storage system computer creating an encrypted storage object in the storage area network, and the storage system computer sending a first request to the key management server computer for a data encryption key for writing encrypted data into the storage object, and the key management server computer responding to the first request by assigning a data encryption key to the storage object and keeping a record of the data encryption key assigned to the storage object;

b) the storage system computer creating a replica of the storage object in the storage area network, and the storage system computer sending a second request to the key management server computer for a data encryption key for the replica to be associated in the key management server, and the key management server computer responding to the second request by assigning a data encryption key to the replica in coordination with the replication facility independent of the encryption engine, and the key management server computer keeping a record of the data encryption key assigned to the replica and an association of the replica with the storage object; and

c) the storage system computer responding to a failure of the storage object in the storage area network by obtaining from the key management server computer an identification of the replica of the storage object that is associated with the storage object, and using the identification of the replica from the key management server computer to find the replica in the storage area network, and using the replica found in the storage area network to recover from the failure of the storage object.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A key management server in a storage area network (SAN) provides encryption keys for source and destination storage objects and also associates destination storage objects with source storage objects. When a source object is to be replicated, a replication facility in a storage system of a new destination object requests the key management server to associate the destination object with the source object and assign the data encryption key of the source object or a new data encryption key to the destination object. For recovery of the source object, a replication facility in the storage system of the source object obtains information from the key management server about the replica associated with the source object for replicating data from the destination object back to the source object.

113 Citations

View as Search Results

19 Claims

1. A method of operation in a data processing system including a storage area network, a storage system computer, and a key management server computer separate from the storage system computer, the storage area network including data storage devices, and the storage system computer including a replication facility and an encryption engine separate from the data storage devices, and the key management server computer providing encryption keys to the encryption engine, said method comprising:
- a) the storage system computer creating an encrypted storage object in the storage area network, and the storage system computer sending a first request to the key management server computer for a data encryption key for writing encrypted data into the storage object, and the key management server computer responding to the first request by assigning a data encryption key to the storage object and keeping a record of the data encryption key assigned to the storage object;
  
  b) the storage system computer creating a replica of the storage object in the storage area network, and the storage system computer sending a second request to the key management server computer for a data encryption key for the replica to be associated in the key management server, and the key management server computer responding to the second request by assigning a data encryption key to the replica in coordination with the replication facility independent of the encryption engine, and the key management server computer keeping a record of the data encryption key assigned to the replica and an association of the replica with the storage object; and
  
  c) the storage system computer responding to a failure of the storage object in the storage area network by obtaining from the key management server computer an identification of the replica of the storage object that is associated with the storage object, and using the identification of the replica from the key management server computer to find the replica in the storage area network, and using the replica found in the storage area network to recover from the failure of the storage object.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as claimed in claim 1, which further includes the storage system computer using the replica to recover from the failure of the storage object by restoring the storage object with data read from the replica.
  - 3. The method as claimed in claim 2, which further includes the key management server computer providing an indication of whether or not the data encryption key of the replica is the same as the data encryption key of the storage object, and in response to the key management server computer indicating that the data encryption key of the of the replica is the same as the data encryption key of the storage object, the storage system computer using the data read from the replica to restore the storage object by writing the data read from the replica into the storage object.
  - 4. The method as claimed in claim 2, which further includes the key management server computer providing an indication of whether or not the data encryption key of the replica is the same as the data encryption key of the storage object, and in response to the key management server computer indicating that the data encryption key of the of the replica is not the same as the data encryption key of the storage object, the storage system computer using the data read from the replica to restore the storage object by decrypting the data read from the replica with the data encryption key of the replica to produce decrypted data and encrypting the decrypted data with the data encryption key of the storage object to produce encrypted data written to the storage object.
  - 5. The method as claimed in claim 2, which further includes the key management server computer keeping an indication of restoration status of the storage object, the restoration status indicating whether or not restoration of the storage object is in progress or has been completed.
  - 6. The method as claimed in claim 1, which further includes the key management server computer keeping an indication of replication status of the replica, the replication status indicating whether or not replication from the storage object to the replica is in progress or has been completed.
  - 7. The method as claimed in claim 1, wherein the method further includes a first storage processor in the storage area network requesting the data encryption key of the storage object from the key management server computer for writing encrypted data into the storage object, and a second storage processor in the storage area network requesting the data encryption key of the replica to be associated in the key management server computer.

8. A method of operating a data processing system including at least one host processor, at least one storage system computer coupled to said at least one host processor for storing data of said at least one host processor, and at least one key management server computer coupled to and separate from said at least one storage system computer for providing data encryption keys to said at least one storage system computer, said method comprising:
- (a) the key management server computer providing a data encryption key to said at least one storage system computer for encrypting data to be written to a source storage object in data storage of said at least one storage system computer, and the key management server computer keeping a record of the source storage object and the data encryption key for the source storage object; and
  
  then(b) said at least one storage system computer using the data encryption key for encrypting data to be written to the source storage object by encrypting data from said at least one host processor and writing the encrypted data to the source storage object in the data storage; and
  
  then(c) the key management server computer providing a data encryption key to said at least one storage system for decrypting data read from the source storage object and written to a destination storage object in the data storage of said at least one storage system, and the key management server computer keeping a record of the destination storage object and the data encryption key for the destination storage object and keeping an association of the record of the destination storage object with the record of the source storage object; and
  
  then(d) said at least one storage system computer responding to a failure of the source storage object by sending a request to the key management server computer, the request specifying the source storage object and requesting the key management server computer to identify any storage object associated with the specified storage object; and
  
  in response to the request, the key management server computer finding that the record of the destination storage object is associated with the record of the specified source storage object, and returning a reply to said at least one storage system, the reply identifying the destination storage object; and
  
  (e) said at least one storage system computer responding to the reply from the key management server computer by reading data from the destination storage object identified by the reply, and using the data read from the destination storage object identified by the reply to recover from the failure of the source storage object; and
  
  (f) said at least one storage system computer using the data read from the destination storage object identified by the reply to recover from the failure of the source storage object by restoring the source storage object with the data read from the destination storage object identified by the reply; and
  
  (g) the key management server computer keeping an indication of the restoration status of the source storage object, the restoration status indicating whether or not restoration of the source storage object is in progress or has been completed.
- View Dependent Claims (9, 10, 11)
- - 9. The method as claimed in claim 8, wherein the reply includes an indication of whether or not the data encryption key of the destination storage object is the same as the data encryption key of the source storage object, and the method further includes said at least one storage system computer inspecting the reply and finding that the reply indicates that the data encryption key of the destination storage object is the same as the data encryption key of the source storage object, and in response to finding that the data encryption key of the destination storage object is the same as the data encryption key of the source storage object, using the data read from the destination storage object identified by the reply to restore the source storage object by writing the data read from the destination storage object into the source storage object.
  - 10. The method as claimed in claim 8, wherein the reply includes an indication of whether or not the data encryption key of the destination storage object is the same as the data encryption key of the source storage object, and the method further includes said at least one storage system computer inspecting the reply and finding that the reply indicates that the data encryption key of the destination storage object is not the same as the data encryption key of the source storage object, and in response to finding that the data encryption key of the destination storage object is not the same as the data encryption key of the source storage object, using the data read from the destination storage object identified by the reply to restore the source storage object by decrypting the data read from the destination storage object identified by the reply with the data encryption key of the destination storage object identified by the reply to produce decrypted data and encrypting the decrypted data with the data encryption key of the source storage object to produce encrypted data written to the source storage object.
  - 11. The method as claimed in claim 8, which further includes the key management server computer keeping an indication of replication status of the destination storage object, the replication status indicating whether or not replication to the destination storage object is in progress or has been completed.

12. A data processing system comprising:
- a storage area network including data storage devices and a storage system computer, the storage system computer including a replication facility and an encryption engine separate from the data storage devices; and
  
  a key management server computer separate from the storage system computer and coupled to the storage area network for providing data encryption keys to the encryption engine;
  
  wherein the storage system computer is programmed for creating an encrypted storage object in the storage area network, and the storage system computer is further programmed for sending a first request to the key management server computer for a data encryption key for writing encrypted data into the storage object and the key management server computer is programmed for responding to the first request by assigning a data encryption key to the storage object and keeping a record of the data encryption key assigned to the storage object;
  
  the storage system computer is further programmed for creating a replica of the storage object in the storage area network in coordination with the replication facility independent of the encryption engine, and the storage system computer is further programmed for sending a second request to the key management server computer for a data encryption key for the replica to be associated in the key management server, and the key management server computer is further programmed for responding to the second request by assigning a data encryption key to the replica and keeping a record of the data encryption key assigned to the replica and an association of the replica with the storage object; and
  
  the storage system computer is further programmed for responding to a failure of the storage object in the storage area network by obtaining from the key management server computer an identification of the replica of the storage object that is associated with the storage object, and using the identification of the replica from the key management server computer to find the replica in the storage area network and use the replica to recover from the failure of the storage object.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The data processing system as claimed in claim 12, wherein the storage system computer is further programmed for using the replica to recover from the failure of the storage object by restoring the storage object with data read from the replica.
  - 14. The data processing system as claimed in claim 13, wherein the key management server computer is further programmed for providing an indication of whether or not the data encryption key of the replica is the same as the data encryption key of the storage object, and the storage system computer is further programmed to respond to the key management server computer indicating that the data encryption key of the replica is the same as the data encryption key of the storage object by using the data read from the replica to restore the storage object by writing the data read from the replica into the storage object.
  - 15. The data processing system as claimed in claim 13, wherein the key management server computer is further programmed for providing an indication of whether or not the data encryption key of the replica is the same as the data encryption key of the storage object, and the storage system computer is further programmed for responding to the key management server computer indicating that the data encryption key of the replica is not the same as the data encryption key of the storage object by using the data read from the replica to restore the storage object by decrypting the data read from the replica with the data encryption key of the replica to produce decrypted data and encrypting the decrypted data with the data encryption key of the storage object to produce encrypted data written to the storage object.
  - 16. The data processing system as claimed in claim 13, wherein the key management server computer is further programmed for keeping an indication of restoration status of the storage object, the restoration status indicating whether or not restoration of the storage object is in progress or has been completed.
  - 17. The data processing system as claimed in claim 12, which further includes the key management server computer keeping an indication of replication status of the replica, the replication status indicating whether or not replication from the storage object to the replica is in progress or has been completed.
  - 18. The data processing system as claimed in claim 12, wherein the storage area network includes a plurality of host processors linked to a plurality of storage systems for storing encrypted data from the plurality of host processors in data storage of the storage systems, and a management local area network linking the storage systems to the key management server computer for transmitting data encryption keys from the key management server computer to the plurality of storage systems.
  - 19. The data processing system as claimed in claim 18, wherein the management area network includes a management station from which a system administrator may remotely configure the storage systems, and wherein the key management server is located in a physically secure area including the management station.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Harwood, John S., Griffin, Robert W., Fitzgerald, John T., Linnell, Thomas E., Rosenthol, Joshua A.
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
Branske, Hilary

Application Number

US12/043,898
Time in Patent Office

1,972 Days
Field of Search

380/44, 380/264, 380/277, 380/278, 380/279, 380/280, 380/281, 380/282, 713/153, 713/164, 713/165, 713/193
US Class Current

380/277
CPC Class Codes

H04L 63/062 for key distribution, e.g. ...

H04L 67/1097 for distributed storage of ...

Automation of coordination of encryption keys in a SAN based environment where an encryption engine, device management, and key management are not co-located

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

113 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Automation of coordination of encryption keys in a SAN based environment where an encryption engine, device management, and key management are not co-located

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

113 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others