
Encryption key recovery in the event of storage management failure

  • US 8,588,425 B1
  • Filed: 03/06/2008
  • Issued: 11/19/2013
  • Est. Priority Date: 12/27/2007
  • Status: Active Grant
First Claim

1. A method of encryption key recovery, said method comprising a hardware processor executing computer instructions in memory to perform the steps of:

(a) creating a storage object for containing encrypted data in data storage of a data storage system, assigning an object identifier to the storage object for identifying the storage object in the data storage system, assigning a data encryption key to the storage object, assigning a key identifier to the data encryption key, storing the data encryption key in the data storage system in association with the object identifier, and storing the key identifier in the data storage system in association with the object identifier; and

(b) when performing an operation upon the storage object using the data encryption key in the data storage system, detecting failure of the data encryption key in the data storage system, and in response to detecting failure of the data encryption key in the data storage system, the data storage system requesting a first copy of the data encryption key by sending a first request to a key server computer, the first request specifying the object identifier; and

then (c) the key server computer receiving the first request from the data storage system, and the key server computer searching a key store for the data encryption key associated with the object identifier specified by the first request, and the key server computer returning, to the data storage system, a first copy of the data encryption key found in the key store to be associated with the object identifier specified by the first request; and

then (d) the data storage system receiving the first copy of the data encryption key from the key server computer, and when performing the operation upon the storage object using the first copy of the data encryption key, the data storage system detecting failure of the first copy of the data encryption key, and in response to the data storage system detecting failure of the first copy of the data encryption key, the data storage system fetching the key identifier stored in association with the object identifier in the data storage system and the data storage system sending a second request to the key server computer, the second request specifying the key identifier stored in association with the object identifier in the data storage system; and

then (e) the key server computer receiving the second request from the data storage system, and the key server computer searching the key store for the data encryption key associated with the key identifier specified by the second request, and the key server computer returning, to the data storage system, a second copy of the data encryption key found in the key store to be associated with the key identifier specified by the second request; and

then (f) resuming the operation upon the storage object using the second copy of the data encryption key fetched from the key server computer.
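The two-stage lookup of steps (a) through (f), sketched as an added example that is not part of the patent text or any product's code. The class and method names, the in-memory dictionaries, and the HMAC check value used to "detect failure" of a key are assumptions; the claim does not say how failure is detected.

```python
import hashlib, hmac, os

def key_tag(key: bytes) -> bytes:
    # Assumed failure detector: a keyed check value stored with the object.
    return hmac.new(key, b"key-check", hashlib.sha256).digest()

class KeyServer:
    """Key store searchable by object identifier or by key identifier."""
    def __init__(self):
        self.by_object, self.by_key_id = {}, {}
    def register(self, object_id, key_id, key):
        self.by_object[object_id] = key
        self.by_key_id[key_id] = key
    def get_by_object(self, object_id):        # first request, step (c)
        return self.by_object.get(object_id)
    def get_by_key_id(self, key_id):           # second request, step (e)
        return self.by_key_id.get(key_id)

class StorageSystem:
    def __init__(self, server):
        self.server, self.objects = server, {}
    def create_object(self, object_id, key_id):            # step (a)
        key = os.urandom(32)
        self.objects[object_id] = {"key": key, "key_id": key_id,
                                   "tag": key_tag(key)}
        self.server.register(object_id, key_id, key)
    def _key_ok(self, obj, key):
        # Every copy is verified before use, including copies from the server.
        return key is not None and hmac.compare_digest(key_tag(key), obj["tag"])
    def open_object(self, object_id):
        """Return (key, source); source names the copy that verified."""
        obj = self.objects[object_id]
        if self._key_ok(obj, obj["key"]):
            return obj["key"], "local"
        first = self.server.get_by_object(object_id)        # steps (b)-(c)
        if self._key_ok(obj, first):
            obj["key"] = first
            return first, "server-by-object-id"
        second = self.server.get_by_key_id(obj["key_id"])   # steps (d)-(e)
        if self._key_ok(obj, second):
            obj["key"] = second                             # step (f): resume
            return second, "server-by-key-id"
        # Fail closed: never operate on the object with an unverified key.
        raise KeyError(f"no valid key for {object_id}")
```

The second lookup only helps if the key identifier survives the failure that damaged the local key and the server's object-identifier association, which is why step (a) stores it with the object.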
