System and method for providing encryption in storage operations in a storage network, such as for use by application service providers that provide data storage services

US 8,966,288 B2
Filed: 04/23/2013
Issued: 02/24/2015
Est. Priority Date: 03/11/1998
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method, to be performed by at least one hardware processor, for storing data for a user in hardware storage devices, the method comprising:

when storing data for the user;

receiving an encryption key associated with the data for the user;

causing the data to be encrypted for the user with the received encryption key to create encrypted data;

causing the encrypted data to be stored in a first hardware storage device associated with a third party;

causing the encryption key to be encrypted to create an encrypted encryption key,wherein a password or other information set by the user is required to decrypt the encrypted encryption key; and

causing the encrypted encryption key to be stored in a second hardware storage device,wherein the encrypted encryption key is accessible to allow the encrypted data stored in the first hardware storage device to be restored during a subsequent restore operation,wherein the password or other information for decrypting the encrypted encryption key is set by the user without knowledge of the third party, andwherein the third party is unable to decrypt the encrypted data stored in the first hardware storage device without first receiving the password or other information from the user.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with embodiments of the invention, a method is provided for performing a storage operation in a pipeline storage system in which one or more data streams containing data to be stored are written into data chunks. The method includes generating an encryption key associated with a first archive file to be stored when encryption is requested for the storage operation, encrypting the archive data from the data stream using the encryption key to create an encrypted data chunk when a data stream containing the archive file is processed in the pipeline storage system, storing the encrypted data chunk on a storage medium, and storing the encryption key in a manner accessible during a restore operation of the encrypted data chunk.

Citations

16 Claims

1. A computer-implemented method, to be performed by at least one hardware processor, for storing data for a user in hardware storage devices, the method comprising:
- when storing data for the user;
  
  receiving an encryption key associated with the data for the user;
  
  causing the data to be encrypted for the user with the received encryption key to create encrypted data;
  
  causing the encrypted data to be stored in a first hardware storage device associated with a third party;
  
  causing the encryption key to be encrypted to create an encrypted encryption key,wherein a password or other information set by the user is required to decrypt the encrypted encryption key; and
  
  causing the encrypted encryption key to be stored in a second hardware storage device,wherein the encrypted encryption key is accessible to allow the encrypted data stored in the first hardware storage device to be restored during a subsequent restore operation,wherein the password or other information for decrypting the encrypted encryption key is set by the user without knowledge of the third party, andwherein the third party is unable to decrypt the encrypted data stored in the first hardware storage device without first receiving the password or other information from the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the method is performed in a pipeline storage system comprising multiple processes arranged in stages including an encryption process, and wherein causing the data to be encrypted is performed by the encryption process.
  - 3. The method of claim 1, further comprising causing the encrypted data, stored in the first hardware storage device, to be restored using the password or other information for decrypting the encrypted encryption key, wherein the password or other information for decrypting the encrypted encryption key is contained in a file kept on a data agent belonging to and controlled by the user, and wherein causing the encrypted data to be restored is performed by a restore process which uses the password or other information contained in the file to decrypt the encrypted encryption key.
  - 4. The method of claim 1, wherein first hardware storage device is the same as the second hardware storage device.
  - 5. The method of claim 1, wherein the method is performed in a pipeline storage system, wherein the method comprises causing an index of storage media to be stored on a component used by the pipeline storage system, and wherein the component is the same as the second hardware storage device.
  - 6. The method of claim 1, wherein the method is performed in a pipeline storage system, wherein the pipeline storage system includes a storage management component, and wherein the storage management component is the same as the second hardware storage device.
  - 7. The method of claim 1, further comprisingcausing a tag to be inserted in the encrypted data indicating that the encrypted data is encrypted, andcausing the encrypted encryption key to be inserted in the tag in the encrypted data.
  - 8. The method of claim 1, further comprising causing a tag to be stored in the encrypted data indicating that the encrypted data is encrypted.

9. A storage management system for storing data for a user, the system comprising:
- means for receiving an encryption key associated with data for the user;
  
  means for causing the data belonging to the user to be encrypted with the received encryption key to create encrypted data;
  
  means for causing the encrypted data to be stored in a data center associated with a third party;
  
  means for causing the encryption key to be encrypted to create an encrypted encryption key such that a password or other information set by the user is required to decrypt the encrypted encryption key; and
  
  means for causing the encrypted encryption key to be stored such that the encrypted encryption key is accessible to allow the encrypted data stored in the data center to be restored during a subsequent restore operation,wherein the system is configured such that the password or other information for decrypting the encrypted encryption key is set by the user without knowledge of the third party, andwherein the third party is unable to decrypt the encrypted data stored in the data center without receiving the password or other information from the user.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system of claim 9, further comprising means for causing the encrypted data, stored in the data center, to be restored using the password or other information for decrypting the encrypted encryption key, wherein the password or other information for decrypting the encrypted encryption key is contained in a file kept on a data agent, and wherein the means for causing the encrypted data to be restored includes a restore process which uses the password or other information contained in the file to decrypt the encrypted encryption key.
  - 11. The system of claim 9, wherein the system includes a pipeline storage system, wherein a first storage device stores an index of storage media used by the pipeline storage system, and wherein the encrypted encryption key is stored on the first storage device.
  - 12. The system of claim 9, wherein the system includes a pipeline storage system, wherein the pipeline storage system includes a storage management component, and wherein the encryption key is stored on the storage management component.
  - 13. The system of claim 9, further comprisingmeans for causing a tag to be inserted in the encrypted data indicating that the encrypted data is encrypted, andmeans for causing the encrypted encryption key to be inserted in the tag in the encrypted data.
  - 14. The system of claim 9, further comprising means for causing a tag to be inserted in the encrypted data indicating that the encrypted data is encrypted.

15. A non-transitory computer-readable medium having instructions which, when executed by a processor of a data storage system, cause the data storage system to perform a method for storing data for a user, the method comprising:
- receiving an encryption key associated with data for the user;
  
  causing the data belonging to the user to be encrypted using the received encryption key to create encrypted data;
  
  causing the encrypted data to be stored in a data center associated with a third party;
  
  causing the encryption key to be encrypted to create an encrypted encryption key, wherein a password or other information set by the user is required to decrypt the encrypted encryption key; and
  
  causing the encrypted encryption key to be stored, wherein the encrypted encryption key is accessible to allow the encrypted data stored in the data center to be restored during a subsequent restore operation,wherein the password or other information for decrypting the encrypted encryption key is set by the user without knowledge by the third party, andwherein the third party is unable to decrypt the encrypted data stored in the data center without first receiving the password or other information from the user.
- View Dependent Claims (16)
- - 16. The non-transitory computer-readable medium of claim 15, wherein the method further comprises causing the encrypted data, stored in the data center, to be restored using the password or other information for decrypting the encrypted encryption key, wherein the password or other information for decrypting the encrypted encryption key is contained in a file kept on a data agent, and wherein causing the encrypted data to be restored is performed by a restore process which uses the password or other information contained in the file to decrypt the encrypted encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CommVault Systems Incorporated
Original Assignee
CommVault Systems Incorporated
Inventors
Ignatius, Paul, Prahlad, Anand, Tyagarajan, Mahesh, Vijayan, Manoj Kumar, Amarendran, Arun Prasad, Kottomtharayil, Rajiv
Primary Examiner(s)
LEMMA, SAMSON B

Application Number

US13/868,320
Publication Number

US 20130311785A1
Time in Patent Office

672 Days
Field of Search

713/189, 713/193, 713/171, 713/182, 380/44, 709/225, 709/229
US Class Current

713/193
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

H04L 2209/125   Parallelization or pipelini...

H04L 9/0625   with splitting of the data ...

H04L 9/0894   Escrow, recovery or storing...

System and method for providing encryption in storage operations in a storage network, such as for use by application service providers that provide data storage services

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing encryption in storage operations in a storage network, such as for use by application service providers that provide data storage services

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links