Encryption key recovery in the event of storage management failure

US 8,588,425 B1
Filed: 03/06/2008
Issued: 11/19/2013
Est. Priority Date: 12/27/2007
Status: Active Grant

First Claim

Patent Images

1. A method of encryption key recovery, said method comprising a hardware processor executing computer instructions in memory to perform the steps of:

(a) creating a storage object for containing encrypted data in data storage of a data storage system, assigning an object identifier to the storage object for identifying the storage object in the data storage system, assigning a data encryption key to the storage object, assigning a key identifier to the data encryption key, storing the data encryption key in the data storage system in association with the object identifier, and storing the key identifier in the data storage system in association with the object identifier; and

(b) when performing an operation upon the storage object using the data encryption key in the data storage system, detecting failure of the data encryption key in the data storage system, and in response to detecting failure of the data encryption key in the data storage system, the data storage system requesting a first copy of the data encryption key by sending a first request to a key server computer, the first request specifying the object identifier; and

then(c) the key server computer receiving the first request from the data storage system, and the key server computer searching a key store for the data encryption key associated with the object identifier specified by the first request, and the key server computer returning, to the data storage system, a first copy of the data encryption key found in the key store to be associated with the object identifier specified by the first request; and

then(d) the data storage system receiving the first copy of the data encryption key from the key server computer, and when performing the operation upon the storage object using the first copy of the data encryption key, the data storage system detecting failure of the first copy of the data encryption key, and in response to the data storage system detecting failure of the first copy of the data encryption key, the data storage system fetching the key identifier stored in association with the object identifier in the data storage system and the data storage system sending a second request to the key server computer, the second request specifying the key identifier stored in association with the object identifier in the data storage system; and

then(e) the key server computer receiving the second request from the data storage system, and the key server computer searching the key store for the data encryption key associated with the key identifier specified by the second request, and the key server computer returning, to the data storage system, a second copy of the data encryption key found in the key store to be associated with the key identifier specified by the second request; and

then(f) resuming the operation upon the storage object using the second copy of the data encryption key fetched from the key server computer.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data processing system stores encrypted data. Object identifiers are assigned to storage objects, and data encryption keys are assigned to the storage objects. When performing an operation upon a storage object, data encryption key failure may occur due to a corrupt or incorrect key. In this case, a copy of the data encryption key is fetched from a key server. It is possible for the association of the object identifiers with the data encryption keys to become lost or confused, so that the key server may fail to provide the correct key for a specified object identifier. Therefore, an absolute key identifier that is unique across the key server namespace also is stored in association with the object identifier in the storage system and in the key store of the key server, and the absolute key identifier is used as a failsafe for recovery of encrypted data.

Citations

21 Claims

1. A method of encryption key recovery, said method comprising a hardware processor executing computer instructions in memory to perform the steps of:
- (a) creating a storage object for containing encrypted data in data storage of a data storage system, assigning an object identifier to the storage object for identifying the storage object in the data storage system, assigning a data encryption key to the storage object, assigning a key identifier to the data encryption key, storing the data encryption key in the data storage system in association with the object identifier, and storing the key identifier in the data storage system in association with the object identifier; and
  
  (b) when performing an operation upon the storage object using the data encryption key in the data storage system, detecting failure of the data encryption key in the data storage system, and in response to detecting failure of the data encryption key in the data storage system, the data storage system requesting a first copy of the data encryption key by sending a first request to a key server computer, the first request specifying the object identifier; and
  
  then(c) the key server computer receiving the first request from the data storage system, and the key server computer searching a key store for the data encryption key associated with the object identifier specified by the first request, and the key server computer returning, to the data storage system, a first copy of the data encryption key found in the key store to be associated with the object identifier specified by the first request; and
  
  then(d) the data storage system receiving the first copy of the data encryption key from the key server computer, and when performing the operation upon the storage object using the first copy of the data encryption key, the data storage system detecting failure of the first copy of the data encryption key, and in response to the data storage system detecting failure of the first copy of the data encryption key, the data storage system fetching the key identifier stored in association with the object identifier in the data storage system and the data storage system sending a second request to the key server computer, the second request specifying the key identifier stored in association with the object identifier in the data storage system; and
  
  then(e) the key server computer receiving the second request from the data storage system, and the key server computer searching the key store for the data encryption key associated with the key identifier specified by the second request, and the key server computer returning, to the data storage system, a second copy of the data encryption key found in the key store to be associated with the key identifier specified by the second request; and
  
  then(f) resuming the operation upon the storage object using the second copy of the data encryption key fetched from the key server computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as claimed in claim 1, wherein the data encryption key is stored in the data storage system in association with the object identifier in a first table of global memory of the data storage system, the first table stores object identifiers and respective data encryption keys for a plurality of storage objects for containing encrypted data in the data storage of the data storage system;
    - and wherein the key identifier is stored in the data storage system in association with the object identifier in a second table of global memory of the data storage system, and the second table stores object identifiers and respective key identifiers for the plurality of storage objects.
  - 3. The method as claimed in claim 1, wherein the object identifier is unique in the data storage system for identifying the storage object among a plurality of storage objects containing encrypted data in the data storage of the data storage system, and wherein the key identifier is unique in the key server for identifying the copy of the data encryption key among a multiplicity of copies of data encryption keys provided by the key server to a plurality of data storage systems.
  - 4. The method as claimed in claim 1, which includes the key server computer maintaining in the key store the copy of the data encryption key in association with an identifier of the data storage system, the object identifier, and the key identifier.
  - 5. The method as claimed in claim 1, which further includes the key server computer providing the data encryption key to the data storage system in response to a request including the object identifier and an identifier of the data storage system.
  - 6. The method as claimed in claim 1, wherein the fetching of the key identifier associated with the object identifier is performed after the data storage system requests the key server computer to provide a copy of the data encryption key associated with the object identifier in a namespace of the data storage system, and the key server computer fails to provide a correct copy of the data encryption key assigned to the object.
  - 7. The method as claimed in claim 1, wherein the fetching of the key identifier associated with the object identifier includes finding the key identifier associated with the object identifier in unencrypted metadata stored with the storage object in the data storage of the data storage system, and obtaining the key identifier from the unencrypted metadata.
  - 8. The method as claimed in claim 1, wherein the fetching of the key identifier associated with the object identifier includes finding the key identifier associated with the object identifier in an archive index, and obtaining the key identifier from the archive index.
  - 9. The method as claimed in claim 1, wherein the fetching of the key identifier associated with the object identifier includes finding the key identifier associated with the object identifier in another data storage system.

10. A method of encryption key recovery, said method comprising a hardware processor executing computer instructions in memory to perform the steps of:
- (a) creating a storage object for containing encrypted data in data storage of a data storage system, assigning an object identifier to the storage object for identifying the storage object in the data storage system, obtaining a key identifier and a data encryption key assigned to the storage object from a key server computer, storing the key identifier and the data encryption key in the data storage system in association with the object identifier, and storing the key identifier and a copy of the data encryption key in association with the object identifier and an identifier of the data storage system in a key store of the key server computer; and
  
  (b) when performing an operation upon the storage object using the data encryption key in the data storage system, detecting failure of the data encryption key in the data storage system, and in response to detecting failure of the data encryption key in the data storage system, the data storage system requesting a first copy of the data encryption key by sending a first request to the key server computer, the first request specifying the object identifier; and
  
  then(c) the key server computer receiving the first request from the data storage system, and the key server computer searching the key store for the data encryption key associated with the object identifier specified by the first request, and the key server computer returning, to the data storage system, a first copy of the data encryption key found in the key store to be associated with the object identifier specified by the first request; and
  
  then(d) the data storage system receiving the first copy of the data encryption key from the key server computer, and when performing the operation upon the storage object using the first copy of the data encryption key, the data storage system detecting failure of the first copy of the data encryption key, and in response to the data storage system detecting failure of the first copy of the data encryption key, the data storage system fetching the key identifier stored in association with the object identifier in the data storage system and the data storage system sending a second request to the key server computer, the second request specifying the key identifier stored in association with the object identifier in the data storage system; and
  
  then(e) the key server computer receiving the second request from the data storage system, and the key server computer searching the key store for the data encryption key associated with the key identifier specified by the second request, and the key server computer returning, to the data storage system, a second copy of the data encryption key found in the key store to be associated with the key identifier specified by the second request; and
  
  then(f) resuming the operation upon the storage object using the second copy of the data encryption key fetched from the key server computer.
- View Dependent Claims (11, 12, 13)
- - 11. The method as claimed in claim 10, wherein the data encryption key is stored in the data storage system in association with the object identifier in a first table of global memory of the data storage system, and the first table stores object identifiers and respective data encryption keys for a plurality of storage objects for containing encrypted data in the data storage of the data storage system;
    - and wherein the key identifier is stored in the data storage system in association with the object identifier in a second table of global memory of the data storage system, and the second table stores object identifiers and respective key identifiers for the plurality of storage objects.
  - 12. The method as claimed in claim 10, wherein the object identifier is unique in the data storage system for identifying the storage object among a plurality of storage objects containing encrypted data in the data storage of the data storage system, and wherein the key identifier is unique in the key server for identifying the copy of the data encryption key among a multiplicity of copies of data encryption keys provided by the key server to a plurality of data storage systems.
  - 13. The method as claimed in claim 10, wherein the fetching of the key identifier associated with the object identifier is performed after the data storage system requests the key server computer to provide a copy of the data encryption key associated with the object identifier in a namespace of the data storage system, and the key server computer fails to provide a correct copy of the data encryption key assigned to the object.

14. A data storage system comprising:
- data storage; and
  
  at least one storage processor coupled to the data storage for storing data in the data storage;
  
  wherein said at least one storage processor is programmed for creating a storage object for containing encrypted data in the data storage, assigning an object identifier to the storage object for identifying the storage object in the data storage system, obtaining a key identifier and a data encryption key assigned to the storage object from a key server computer, and storing the key identifier and the data encryption key in the data storage system in association with the object identifier; and
  
  wherein said at least one storage processor is further programmed for performing an operation upon the storage object using the data encryption key in the data storage system, and when performing the operation upon the storage object using the data encryption key in the data storage system;
  
  (a) detecting failure of the data encryption key in the data storage system, and in response to detecting failure of the data encryption key in the data storage system, said at least one storage processor requesting a first copy of the data encryption key by sending a first request to the key server computer, the first request specifying the object identifier; and
  
  then(b) the key server computer receiving the first request from said at least one storage processor, and the key server computer searching a key store for the data encryption key associated with the object identifier specified by the first request, and the key server computer returning, to said at least one storage processor, a first copy of the data encryption key found in the key store to be associated with the object identifier specified by the first request; and
  
  then(c) said at least one storage processor receiving the first copy of the data encryption key from the key server computer, and when performing the operation upon the storage object using the first copy of the data encryption key, said at least one storage processor detecting failure of the first copy of the data encryption key, and in response to said at least one storage processor detecting failure of the first copy of the data encryption key, said at least one storage processor fetching the key identifier stored in association with the object identifier in the data storage system and said at least one storage processor sending a second request to the key server computer, the second request specifying the key identifier stored in association with the object identifier in the data storage system; and
  
  then(d) the key server computer receiving the second request from said at least one storage processor, and the key server computer searching the key store for the data encryption key associated with the key identifier specified by the second request, and the key server computer returning, to said at least one storage processor, a second copy of the data encryption key found in the key store to be associated with the key identifier specified by the second request; and
  
  then(e) resuming the operation upon the storage object using the second copy of the data encryption key fetched from the key server computer.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The data storage system as claimed in claim 14, which further includes a global memory, wherein the data encryption key is stored in the data storage system in association with the object identifier in a first table in the global memory, the first table stores object identifiers and respective data encryption keys for a plurality of storage objects for containing encrypted data in the data storage, the key identifier is stored in the data storage system in association with the object identifier in a second table in the global memory, and the second table stores object identifiers and respective key identifiers for the plurality of storage objects.
  - 16. The data storage system as claimed in claim 14, wherein the object identifier is unique in the data storage system for identifying the storage object among a plurality of storage objects containing encrypted data in the data storage, and wherein the key identifier is unique in the key server computer for identifying the copy of the data encryption key among a multiplicity of copies of data encryption keys provided by the key server computer to a plurality of data storage systems.
  - 17. The data storage system as claimed in claim 14, wherein said at least one storage processor is programmed so that fetching of the key identifier associated with the object identifier is performed after the data storage system requests the key server computer to provide a copy of the data encryption key associated with the object identifier in a namespace of the data storage system, and the data storage system determines that the key server computer fails to provide a correct copy of the data encryption key assigned to the object.
  - 18. The data storage system as claimed in claim 14, wherein said at least one storage processor is programmed so that the fetching of the key identifier associated with the object identifier includes finding the key identifier associated with the object identifier in unencrypted metadata stored with the storage object in the data storage of the data storage system, and obtaining the key identifier from the unencrypted metadata.
  - 19. The data storage system as claimed in claim 14, wherein said at least one storage processor is programmed so that the fetching of the key identifier associated with the object identifier includes finding the key identifier associated with the object identifier in an archive index, and obtaining the key identifier from the archive index.
  - 20. The data storage system as claimed in claim 14, wherein said at least one storage processor is programmed so that the fetching of the key identifier associated with the object identifier includes finding the key identifier associated with the object identifier in another data storage system.

21. A method of encryption key recovery comprising:
- (a) a storage processor computer creating a storage object for containing encrypted data in data storage of a data storage system and assigning an object identifier to the storage object for identifying the storage object in the data storage system, and the storage processor computer requesting a new data encryption key for the storage object by sending a first request to a key server computer, the first request specifying the object identifier; and
  
  then(b) the key server computer receiving the first request from the storage processor computer, and the key server computer assigning a data encryption key to the storage object and assigning a key identifier to the data encryption key, and the key server computer storing the data encryption key in a key store of the key server computer, and the key server computer storing the object identifier in the key store in association with the data encryption key, and the key server computer storing the key identifier in the key store in association with the data encryption key, and the key server computer returning the data encryption key and the key identifier to the storage processor computer; and
  
  then(c) the storage processor computer receiving the data encryption key and the key identifier from the key server computer, and the storage processor computer storing the data encryption key in association with the object identifier in the storage processor computer, and the storage processor computer storing the key identifier in association with the object identifier in the storage processor computer, and then(d) when performing an operation upon the storage object using the data encryption key stored in the storage processor computer, the storage processor computer detecting failure of the data encryption key, and in response to the storage processor computer detecting failure of the data encryption key, the storage processor computer requesting a first copy of the data encryption key by sending a second request to the key server computer, the second request specifying the object identifier; and
  
  then(e) the key server computer receiving the second request from the storage processor computer, and the key server computer searching the key store for the data encryption key associated with the object identifier specified by the second request, and the key server computer returning, to the storage processor computer, a first copy of the data encryption key found in the key store to be associated with the object identifier specified by the second request; and
  
  then(f) the storage processor computer receiving the first copy of the data encryption key from the key server computer, and when performing the operation upon the storage object using the first copy of the data encryption key, the storage processor computer detecting failure of the first copy of the data encryption key, and in response to the storage processor computer detecting failure of the first copy of the data encryption key, the storage processor computer fetching the key identifier stored in association with the object identifier in the storage processor computer and the storage processor computer sending a third request to the key server computer, the third request specifying the key identifier stored in association with the object identifier in the first storage system computer; and
  
  then(g) the key server computer receiving the third request from the storage processor computer, and the key server computer searching the key store for the data encryption key associated with the key identifier specified by the third request, and the key server computer returning, to the storage processor computer, a second copy of the data encryption key found in the key store to be associated with the key identifier specified by the third request; and
  
  then(h) the storage processor computer receiving the second copy of the data encryption key from the key server computer, and the storage processor computer resuming the operation upon the storage object using the second copy of the data encryption key fetched from the key server computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Harwood, John S., Linnell, Thomas E., Fitzgerald, John T., Izhar, Amnon, Arsenault, Charles E.
Primary Examiner(s)
Kim, Tae K.
Assistant Examiner(s)
Gao, Shu Chun

Application Number

US12/043,780
Time in Patent Office

2,084 Days
Field of Search

380/277, 380/286, 380/278, 380/281, 726 1- 36, 713/187, 713/193, 709/216, 709/208
US Class Current

380/286
CPC Class Codes

G06F 11/1402   Saving, restoring, recoveri...

G06F 11/1415   at system level

G06F 12/1408   by using cryptography for d...

G06F 21/6209   to a single file or object,...

H04L 9/0894   Escrow, recovery or storing...

Encryption key recovery in the event of storage management failure

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Encryption key recovery in the event of storage management failure

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links