Distribution of storage area network encryption keys across data centers
Abstract
Efficient mechanisms are provided for transferring key objects associated with disk logical unit numbers and tape cartridges from one data center to another data center. A request is received to transfer a source data center key object from a source data center to a destination data center. The source data center key object corresponds to a data block, such as a disk logical unit number (LUN) or a tape cartridge, maintained in a storage area network (SAN) and includes a unique identifier, an encrypted key, and a wrapper unique identifier. The encrypted key is decrypted using a source data center key hierarchy. Key information is transmitted from the source data center to the destination data center. A destination data center key object is generated using a destination data center key hierarchy.
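As an added illustration (not code from the patent or from any assignee's product), the following Python models the transfer the abstract and claims describe: each key object carries a unique identifier, an encrypted key and a wrapper unique identifier that references another key object in the key management center, so decrypting the key means walking that chain up the source data center's hierarchy to a root key, after which the key is re-wrapped under the destination hierarchy. The wrap/unwrap primitive (HMAC-SHA256 keystream plus integrity tag) is an assumed standard-library stand-in for a real key-wrap algorithm such as AES Key Wrap, and all class and function names are assumptions.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class KeyObject:
    uid: str
    encrypted_key: bytes            # key wrapped under wrapper_uid's key (raw key for the root)
    wrapper_uid: Optional[str]      # None marks the root of the data center key hierarchy

def _stream(kek: bytes, nonce: bytes, n: int) -> bytes:
    """Keystream derived from the key-encrypting key (KEK); assumed stand-in for a cipher."""
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(kek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def wrap(kek: bytes, key: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(key, _stream(kek, nonce, len(key))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()   # integrity over nonce||ct
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _stream(kek, nonce, len(ct))))

class KMC:
    """Key management center: key objects forming one data center's key hierarchy."""
    def __init__(self, root_uid: str, root_key: bytes):
        self.objects = {root_uid: KeyObject(root_uid, root_key, None)}
    def add(self, uid: str, key: bytes, wrapper_uid: str) -> KeyObject:
        obj = KeyObject(uid, wrap(self.resolve(wrapper_uid), key), wrapper_uid)
        self.objects[uid] = obj
        return obj
    def resolve(self, uid: str) -> bytes:
        # follow wrapper_uid references up the hierarchy, unwrapping at each level
        obj = self.objects[uid]
        if obj.wrapper_uid is None:
            return obj.encrypted_key
        return unwrap(self.resolve(obj.wrapper_uid), obj.encrypted_key)

def transfer(src: KMC, dst: KMC, uid: str, dst_wrapper_uid: str) -> KeyObject:
    """Decrypt the data block's key via the source hierarchy, then re-wrap it at the destination."""
    key = src.resolve(uid)                      # key information leaving the source data center
    return dst.add(uid, key, dst_wrapper_uid)   # destination data center key object
```

In the claimed method the key information crossing between data centers carries the unwrapped key, so the transport between the two key management centers must itself be authenticated and encrypted; this example models only the unwrap and re-wrap steps.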
Claims (22)

1. A method, comprising:
- receiving, at a device including a processor and a non-transitory memory, a request to transfer key information from a source data center to a destination data center, the key information corresponding to a data block maintained in a storage area network (SAN);
- identifying, at the device, a source data center key object corresponding to the data block, wherein the source data center key object includes a unique identifier, an encrypted key, and a wrapper unique identifier;
- decrypting, at the device, the encrypted key using a source data center key hierarchy such that a key is obtained, wherein decrypting the encrypted key comprises using keying material accessed using the wrapper unique identifier, the wrapper unique identifier referencing another key object at a key management center in the source data center;
- transmitting, at the device, the key information including the key from the source data center to the destination data center; and
- generating, at the device, a destination data center key object from the key information using a destination data center key hierarchy.

Dependent claims: 2–16.

17. A system, comprising:
- an interface operable to receive a request to transfer key information from a source data center to a destination data center, the key information corresponding to a data block maintained in a storage area network (SAN); and
- a processor operable to: obtain a source data center key object corresponding to the data block, wherein the source data center key object includes a unique identifier, an encrypted key, and a wrapper unique identifier; and decrypt the encrypted key using a source data center key hierarchy such that a key is obtained and provide the key information from the source data center to the destination data center, wherein decrypting the encrypted key comprises using keying material accessed using the wrapper unique identifier, the wrapper unique identifier referencing another key object at a key management center in the source data center;
- wherein the destination data center generates a destination data center key object from the key information using a destination data center key hierarchy.

Dependent claims: 18–21.

22. A system, comprising:
- means for receiving a request to transfer key information from a source data center to a destination data center, the key information corresponding to a data block maintained in a storage area network (SAN);
- means for identifying a source data center key object corresponding to the data block, wherein the source data center key object includes a unique identifier, an encrypted key, and a wrapper unique identifier;
- means for decrypting the encrypted key using a source data center key hierarchy such that a key is obtained, wherein decrypting the encrypted key comprises using keying material accessed using the wrapper unique identifier, the wrapper unique identifier referencing another key object at a key management center in the source data center;
- means for transmitting key information including the key from the source data center to the destination data center; and
- means for generating a destination data center key object from the key information using a destination data center key hierarchy.