Storage and recovery of cryptographic key identifiers

US 8,621,241 B1
Filed: 04/25/2008
Issued: 12/31/2013
Est. Priority Date: 04/25/2008
Status: Active Grant

First Claim

Patent Images

1. A method of storing a cryptographic key identifier on a logical disk having a plurality of blocks, the method comprising:

compressing data that is stored in one or more blocks of the plurality of blocks;

encrypting the compressed data stored in the one or more blocks with a cryptographic key, the cryptographic key (i) being identified by the cryptographic key identifier, and (ii) being stored in a storage device separate from the logical disk having the plurality of blocks;

storing the cryptographic key identifier with the encrypted compressed data in the one or more blocks, wherein the cryptographic key identifier is stored as metadata; and

for each of the one or more blocks in which the cryptographic key identifier is stored, providing a marker that indicates presence of the cryptographic key identifier in that block;

wherein a block identifier is assigned to the logical disk and the cryptographic key identifier is associated with the block identifier.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Example embodiments provide various techniques for storing and recovering a cryptographic key identifier that may be used to recover encrypted data. The cryptographic key identifier may be stored with the encrypted data itself. In an example, the cryptographic key identifier may be stored in particular blocks on a logical disk that are specifically designated to store the cryptographic key identifier. To store the cryptographic key identifiers in the designated blocks, the data within the blocks is compressed to fit the cryptographic key identifiers within the blocks. This cryptographic key identifier can be recovered at a later time by locating the designated blocks and retrieving the cryptographic key identifier from the blocks.

Citations

19 Claims

1. A method of storing a cryptographic key identifier on a logical disk having a plurality of blocks, the method comprising:
- compressing data that is stored in one or more blocks of the plurality of blocks;
  
  encrypting the compressed data stored in the one or more blocks with a cryptographic key, the cryptographic key (i) being identified by the cryptographic key identifier, and (ii) being stored in a storage device separate from the logical disk having the plurality of blocks;
  
  storing the cryptographic key identifier with the encrypted compressed data in the one or more blocks, wherein the cryptographic key identifier is stored as metadata; and
  
  for each of the one or more blocks in which the cryptographic key identifier is stored, providing a marker that indicates presence of the cryptographic key identifier in that block;
  
  wherein a block identifier is assigned to the logical disk and the cryptographic key identifier is associated with the block identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - locating the one or more blocks of the plurality of blocks that is configured to store the cryptographic key identifier.
  - 3. The method of claim 1, wherein the cryptographic key identifier corresponds to a random number assigned to the cryptographic key.
  - 4. The method of claim 1, wherein for each of the one or more blocks in which the cryptographic key identifier is stored, the marker is stored as metadata.
  - 5. The method of claim 1, wherein the plurality of blocks are between a logical block addressing (LBA) 0 and a LBA 17.
  - 6. The method of claim 1, wherein the plurality of blocks are assigned to store file system information.
  - 7. The method of claim 6, wherein the file system information comprises an allocation table.

8. A method of storing a cryptographic key identifier on a logical disk having a plurality of blocks, the method comprising:
- receiving a request to write a first data to a first block of the plurality of blocks and a second data to a second block of the plurality of blocks, the first block and the second block being provided as part of the logical disk, the logical disk being an area of usable storage capacity on one or more physical storage devices;
  
  identifying that the first block and the second block are each configured to store the cryptographic key identifier, the cryptographic key identifier being configured to identify a cryptographic key;
  
  compressing the first data to generate a first compressed data;
  
  compressing the second data to generate a second compressed data;
  
  encrypting the first and second compressed data with the cryptographic key, the cryptographic key being stored in a storage device separate from the logical disk;
  
  storing the cryptographic key identifier and the first encrypted compressed data in the first block of the plurality of blocks;
  
  storing the cryptographic key identifier and the second encrypted compressed data in the second block of the plurality of blocks; and
  
  providing a marker with each of the first block and the second block in order to indicate presence of the cryptographic key identifier being stored with each of the first block and the second block;
  
  wherein the cryptographic key identifier is stored as metadata.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The method of claim 8, further comprising:
    - identifying that the cryptographic key identifier and the first compressed data fit within the first block; and
      
      identifying that the cryptographic key identifier and the second compressed data fit within the second block.
  - 10. The method of claim 8, wherein the first block and the second block are each between a logical block addressing (LBA) 0 and a LBA 17.
  - 11. The method of claim 8, wherein the first block and the second block are assigned to store file system information.
  - 12. The method of claim 11, wherein the file system information comprises a portion of an allocation table.

13. A computing device comprising:
- at least one processor; and
  
  a non-transitory machine-readable medium in communication with the at least one processor, the machine-readable medium being configured to store a storage network processing module, the storage network processing module being executed by the at least one processor to perform operations comprising;
  
  receiving a request to write a first data to a first block of a plurality of blocks and a second data to a second block of the plurality of blocks, the first block and the second block being located on a storage device;
  
  identifying that the first block and the second block are each configured to store a cryptographic key identifier, the cryptographic key identifier being configured to identify a cryptographic key associated with storage device;
  
  compressing the first data to generate a first compressed data;
  
  compressing the second data to generate a second compressed data;
  
  encrypting the first and second compressed data with the cryptographic key, the cryptographic key being stored in a key storage device separate from the storage device;
  
  storing the cryptographic key identifier and the first encrypted compressed data in the first block of the plurality of blocks, wherein the cryptographic key identifier is stored as metadata;
  
  storing the cryptographic key identifier and the second encrypted compressed data in the second block of the plurality of blocks, wherein the cryptographic key identifier is stored as metadata; and
  
  providing a marker with each of the first block and the second block in order to indicate presence of the cryptographic key identifier being stored with each of the first block and the second block.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computing device of claim 13, wherein the cryptographic key identifier corresponds to a random number assigned to the cryptographic key.
  - 15. The computing device of claim 13, wherein the computing device is a network switch that enables connectivity to the storage device.
  - 16. The computing device of claim 15, wherein the storage device is a Fibre Channel storage device and wherein the network switch is a Fibre Channel switch that enables connectivity to the Fibre Channel storage device.
  - 17. The computing device of claim 13, wherein the computing device is an Internet Computer System Interface (iSCSI) gateway that is in communication with an iSCSI client, and wherein the storage device is a Fibre Channel storage device, and wherein the iSCSI gateway enables connectivity between the iSCSI client and the Fibre Channel storage device.

18. A method of recovering a cryptographic key, the method being performed by a processor and comprising:
- identifying individual blocks in a plurality blocks of a logical disk that provide a marker for a cryptographic key identifier, the marker indicating presence of the cryptographic key identifier in that block, wherein the cryptographic key identifier is stored as metadata, wherein the identified individual blocks include data previously encrypted using the cryptographic key;
  
  reading metadata from the individual blocks that includes the marker;
  
  determining the cryptographic key identifier from the data read from the individual blocks that provide the marker; and
  
  retrieving the cryptographic key using the cryptographic key identifier;
  
  wherein a block identifier is assigned to the logical disk and the cryptographic key identifier is associated with the block identifier.
- View Dependent Claims (19)
- - 19. The method of claim 18, further comprising using a predefined offset from the marker to determine the cryptographic key identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
NetApp, Inc.
Inventors
Stephenson, David
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Ambaye, Samuel

Application Number

US12/109,693
Time in Patent Office

2,076 Days
Field of Search

713/193, 713/189
US Class Current

713/193
CPC Class Codes

G06F 12/14   Protection against unauthor...

G06F 12/1408   by using cryptography for d...

H04L 63/04   for providing a confidentia...

H04L 67/56   Provisioning of proxy servi...

H04L 9/40   Network security protocols

Storage and recovery of cryptographic key identifiers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Storage and recovery of cryptographic key identifiers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links