Storage system to which removable encryption/decryption module is connected

US 8,533,494 B2
Filed: 01/04/2008
Issued: 09/10/2013
Est. Priority Date: 07/27/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A storage system comprising:

a storage device;

a connector to which a removable encryption/decryption module is connected; and

a control section which controls writing of data to the storage device and reading of data from the storage device, and has the connector, whereinthe removable encryption/decryption module comprises a storage section for storing encryption/decryption information related to encryption and decryption of data, including key information and a key table having key management information, and for storing a port-logical unit table and a logical unit storage map table,at least one of the control section and the removable encryption/decryption module encrypts data using the encryption/decryption information, and the control section writes the encrypted data to the storage device, andthe control section reads encrypted data from the storage device, and at least one of the control section and the removable encryption/decryption module decrypts the encrypted data that has been read, using the encryption/decryption information,wherein said system further includes;

a plurality of the connectors, which include a first connector and a second connector,a first removable encryption/decryption module is connected to the first connector,a second removable encryption/decryption module is connected to the second connector,the storage device stores first encrypted data by a first encryption/decryption scheme, andthe control section reads the first encrypted data from the storage device, at least one of the control section and the first removable encryption/decryption module decrypts the first encrypted data that has been read, by the first encryption/decryption scheme to create decrypted data, at least one of the control section and the second removable encryption/decryption module encrypts the decrypted data to create second encrypted data, by a second encryption/decryption scheme, and the control section writes the second encrypted data to the storage device, or another storage device, andwhereinfirst key information is included in first encryption/decryption information of the first removable encryption/decryption module,second key information is included in second encryption/decryption information of the second removable encryption/decryption module,the first encrypted data stored in the storage device is data encrypted using the first key information by the first encryption/decryption scheme, andat least one of the control section and the first removable encryption/decryption module decrypts the first encrypted data that has been read, using the first key information by the first encryption/decryption scheme, and at least one of the control section and the second removable encryption/decryption module encrypts the decrypted data to create the second encrypted data, using the second key information by the second encryption/decryption scheme, andwhereinthe first encryption/decryption information includes key management information, and the key management information shows correspondence of a first key ID, which is information for identifying the first key information, and encryption target element information for indicating a storage device or an element with which a storage device is associated,at least one of the control section, the first removable encryption/decryption module and the second removable encryption/decryption module copies the first key management information from the storage section of the first removable encryption/decryption module to the storage section of the second removable encryption/decryption module,at least one of the control section and the second removable encryption/decryption module updates the first key ID in the copied key management information to a second key ID which is information for identifying the second key information, andthe control section judges whether the second encryption/decryption scheme, which is an encryption/decryption scheme after change of the first encryption/decryption scheme, is an older scheme than the first encryption/decryption scheme, which is the encryption/decryption scheme before change, and when judged as the older scheme, sends a warning,whereby encrypted data migrated from a first storage system to a second storage system without decryption of the encrypted data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A storage system comprises a connector to which a removable module is connected. The removable module comprises a storage section for storing encryption/decryption information related to encryption and decryption of data, and/or an encryption/decryption engine for encrypting/decryption data by a predetermined encryption/decryption scheme. A control section and/or a module of the storage system encrypts data using the encryption/decryption information, or decrypts encrypted data using the encryption/decryption information. Alternatively the encryption/decryption engine encrypts data or decrypts encrypted data.

20 Citations

View as Search Results

10 Claims

1. A storage system comprising:
- a storage device;
  
  a connector to which a removable encryption/decryption module is connected; and
  
  a control section which controls writing of data to the storage device and reading of data from the storage device, and has the connector, whereinthe removable encryption/decryption module comprises a storage section for storing encryption/decryption information related to encryption and decryption of data, including key information and a key table having key management information, and for storing a port-logical unit table and a logical unit storage map table,at least one of the control section and the removable encryption/decryption module encrypts data using the encryption/decryption information, and the control section writes the encrypted data to the storage device, andthe control section reads encrypted data from the storage device, and at least one of the control section and the removable encryption/decryption module decrypts the encrypted data that has been read, using the encryption/decryption information,wherein said system further includes;
  
  a plurality of the connectors, which include a first connector and a second connector,a first removable encryption/decryption module is connected to the first connector,a second removable encryption/decryption module is connected to the second connector,the storage device stores first encrypted data by a first encryption/decryption scheme, andthe control section reads the first encrypted data from the storage device, at least one of the control section and the first removable encryption/decryption module decrypts the first encrypted data that has been read, by the first encryption/decryption scheme to create decrypted data, at least one of the control section and the second removable encryption/decryption module encrypts the decrypted data to create second encrypted data, by a second encryption/decryption scheme, and the control section writes the second encrypted data to the storage device, or another storage device, andwhereinfirst key information is included in first encryption/decryption information of the first removable encryption/decryption module,second key information is included in second encryption/decryption information of the second removable encryption/decryption module,the first encrypted data stored in the storage device is data encrypted using the first key information by the first encryption/decryption scheme, andat least one of the control section and the first removable encryption/decryption module decrypts the first encrypted data that has been read, using the first key information by the first encryption/decryption scheme, and at least one of the control section and the second removable encryption/decryption module encrypts the decrypted data to create the second encrypted data, using the second key information by the second encryption/decryption scheme, andwhereinthe first encryption/decryption information includes key management information, and the key management information shows correspondence of a first key ID, which is information for identifying the first key information, and encryption target element information for indicating a storage device or an element with which a storage device is associated,at least one of the control section, the first removable encryption/decryption module and the second removable encryption/decryption module copies the first key management information from the storage section of the first removable encryption/decryption module to the storage section of the second removable encryption/decryption module,at least one of the control section and the second removable encryption/decryption module updates the first key ID in the copied key management information to a second key ID which is information for identifying the second key information, andthe control section judges whether the second encryption/decryption scheme, which is an encryption/decryption scheme after change of the first encryption/decryption scheme, is an older scheme than the first encryption/decryption scheme, which is the encryption/decryption scheme before change, and when judged as the older scheme, sends a warning,whereby encrypted data migrated from a first storage system to a second storage system without decryption of the encrypted data.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The storage system according to claim 1, wherein access to the storage device is prohibited when the control section detects that the removable encryption/decryption module is disconnected from the connector.
  - 3. The storage system according to claim 1, wherein the connector is constructed so that a removable storage device is connectable thereto.
  - 4. The storage system according to claim 1, wherein the removable encryption/decryption module further comprises an encryption/decryption engine for performing encryption and decryption.
  - 5. The storage system according to claim 1, wherein a management storage section for storing encryption/decryption management information is further provided,the encryption/decryption management information shows the correspondence of a module ID, which is information for identifying an encryption/decryption module, and encryption target element information for indicating a storage device or an element with which a storage device is associated, andthe control section specifies a module ID corresponding to an encryption target information element related to an access destination storage device based on the encryption/decryption management information, and an encryption/decryption module identified by the specified module ID encrypts data to be written to the access destination storage device, or decrypts encrypted data read from the access destination storage device.

6. A storage system comprising:
- a storage device;
  
  a connector to which a removable encryption/decryption module is connected; and
  
  a control section which controls writing of data to the storage device and reading of data from the storage device, and has the connector, whereinthe removable encryption/decryption module comprises a storage section for storing encryption/decryption information related to encryption and decryption of data,at least one of the control section and the removable encryption/decryption module encrypts data using the encryption/decryption information, and the control section writes the encrypted data to the storage device, andthe control section reads encrypted data from the storage device, and at least one of the control section and the removable encryption/decryption module decrypts the encrypted data that has been read, using the encryption/decryption information,wherein said system further includes;
  
  a plurality of the connectors exist, which include a first connector and a second connector,a first removable encryption/decryption module is connected to the first connector,a second removable encryption/decryption module is connected to the second connector,the storage device stores first encrypted data by a first encryption/decryption scheme, andthe control section reads the first encrypted data from the storage device, at least one of the control section and the first removable encryption/decryption module decrypts the first encrypted data that has been read, by the first encryption/decryption scheme to create decrypted data, at least one of the control section and the second removable encryption/decryption module encrypts the decrypted data to create second encrypted data, by a second encryption/decryption scheme, and the control section writes the second encrypted data to the storage device, or another storage device, andwhereinfirst key information is included in first encryption/decryption information of the first removable encryption/decryption module,second key information is included in second encryption/decryption information of the second removable encryption/decryption module,the first encrypted data stored in the storage device is data encrypted using the first key information by the first encryption/decryption scheme, andat least one of the control section and the first removable encryption/decryption module decrypts the first encrypted data that has been read, using the first key information by the first encryption/decryption scheme, and at least one of the control section and the second removable encryption/decryption module encrypts the decrypted data to create the second encrypted data, using the second key information by the second encryption/decryption scheme, andwhereinthe first encryption/decryption information includes key management information, and the key management information shows correspondence of a first key ID, which is information for identifying the first key information, and encryption target element information for indicating a storage device or an element with which a storage device is associated,at least one of the control section, the first removable encryption/decryption module and the removable second encryption/decryption module copies the first key management information from the storage section of the first removable encryption/decryption module to the storage section of the second removable encryption/decryption module, andat least one of the control section and the second removable encryption/decryption module updates the first key ID in the copied key management information to a second key ID which is information for identifying the second key information, andwherein at least one of the control section, the first removable encryption/decryption module and the second removable encryption/decryption module judges compatibility between the first encryption/decryption scheme and the second encryption/decryption scheme based on a feature of the encrypted data prior to decryption, and at least one of the control section and the first encryption/decryption module performs decryption by the first encryption/decryption scheme when judged as compatible and precludes decryption when judged as incompatible.
- View Dependent Claims (7)
- - 7. The storage system according to claim 6, wherein compatibility refers to whether the data size of encrypted data is different between a case of encrypting data with a predetermined data size by the first encryption/decryption scheme, and a case of encrypting the data by the second encryption/decryption scheme.

8. A storage system comprising:
- a storage device;
  
  a connector to which a removable encryption/decryption module is connected; and
  
  a control section which controls writing of data to the storage device and reading of data from the storage device, and has the connector, whereinthe removable encryption/decryption module comprises a storage section for storing encryption/decryption information related to encryption and decryption of data,at least one of the control section and the removable encryption/decryption module encrypts data using the encryption/decryption information, and the control section writes the encrypted data to the storage device, andthe control section reads encrypted data from the storage device, and at least one of the control section and the removable encryption/decryption module decrypts the encrypted data that has been read, using the encryption/decryption information,wherein said system further includes;
  
  a plurality of the connectors exist, which include a first connector and a second connector,a first removable encryption/decryption module is connected to the first connector,a second removable encryption/decryption module is connected to the second connector,the storage device stores first encrypted data by a first encryption/decryption scheme, andthe control section reads the first encrypted data from the storage device, at least one of the control section and the first removable encryption/decryption module decrypts the first encrypted data that has been read, by the first encryption/decryption scheme to create decrypted data, at least one of the control section and the second removable encryption/decryption module encrypts the decrypted data to create second encrypted data, by a second encryption/decryption scheme, and the control section writes the second encrypted data to the storage device, or another storage device, andwhereinfirst key information is included in first encryption/decryption information of the first removable encryption/decryption module,second key information is included in second encryption/decryption information of the second removable encryption/decryption module,the first encrypted data stored in the storage device is data encrypted using the first key information by the first encryption/decryption scheme, andat least one of the control section and the first removable encryption/decryption module decrypts the first encrypted data that has been read, using the first key information by the first encryption/decryption scheme, and at least one of the control section and the second removable encryption/decryption module encrypts the decrypted data to create the second encrypted data, using the second key information by the second encryption/decryption scheme, andwhereinthe first encryption/decryption information includes key management information, and the key management information shows correspondence of a first key ID, which is information for identifying the first key information, and encryption target element information for indicating a storage device or an element with which a storage device is associated,at least one of the control section, the first removable encryption/decryption module and the second removable encryption/decryption module copies the first key management information from the storage section of the first removable encryption/decryption module to the storage section of the second removable encryption/decryption module,at least one of the control section and the second removable encryption/decryption module updates the first key ID in the copied key management information to a second key ID which is information for identifying the second key information,at least one of the control section, the first removable encryption/decryption module and the second removable encryption/decryption module copies all or a part of the encryption/decryption information from the first removable encryption/decryption module to the second removable encryption/decryption module, andthe control section reads the encrypted data from the storage device, and sends the encrypted data to a migration destination storage system without decryption of the data.
- View Dependent Claims (9, 10)
- - 9. The storage system according to claim 8, wherein the part of the encryption/decryption information to be copied refers to the key management information.
  - 10. The storage system according to claim 8, whereinthe removable encryption/decryption module further comprises an authentication information storage section for storing authentication information,at least one of the control section and the removable encryption/decryption module judges whether the use of the removable encryption/decryption module is permitted using the authentication information,the first removable encryption/decryption module is a module for which use in the storage system is judged to be permitted in the judgment of usage permission, andthe second removable encryption/decryption module is a module for which use in the storage system is judged to be temporarily permitted for copying the encryption/decryption information in the judgment of usage permission.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Harada, Akitatsu
Primary Examiner(s)
Rashid, Harunur

Application Number

US11/969,394
Publication Number

US 20100031056A1
Time in Patent Office

2,076 Days
Field of Search

713/193, 713/185
US Class Current

713/193
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/78   to assure secure storage of...

G06F 3/0623   in relation to content

G06F 3/0647   Migration mechanisms

G06F 3/0689   Disk arrays, e.g. RAID, JBOD

H04L 63/0464   using hop-by-hop encryption...

H04L 63/06   for supporting key manageme...

Storage system to which removable encryption/decryption module is connected

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

20 Citations

10 Claims

Specification

Use Cases

Quick Links

Others

Storage system to which removable encryption/decryption module is connected

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

10 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others