Distribution of storage area network encryption keys across data centers

US 8,989,388 B2
Filed: 04/02/2008
Issued: 03/24/2015
Est. Priority Date: 04/02/2008
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, at a device including a processor and a non-transitory memory, a request to transfer key information from a source data center to a destination data center, the key information corresponding to a data block maintained in a storage area network (SAN);

identifying at the device, a source data center key object corresponding to the data block wherein the source data center key object includes a unique identifier, an encrypted key, and a wrapper unique identifier;

decrypting, at the device, the encrypted key using a source data center key hierarchy Such that a key is obtained, wherein decrypting the encrypted key comprises using keying material accessed using the wrapper unique identifier, the wrapper unique identifier referencing another key object at a key management center in the source data center;

transmitting, at the device, the key information including the key from the source data center to the destination data center; and

generating, at the device, a destination data center key object from the key information using a destination data center key hierarchy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Efficient mechanisms are provided for transferring key objects associated with disk logical unit numbers and tape cartridges from one data center to another data center. A request is received to transfer a source data center key object from a source data center to a destination data center. The source data center key object corresponds to a data block, such as a disk logical unit number (LUN) or a tape cartridge, maintained in a storage area network (SAN) and includes a unique identifier, an encrypted key, and a wrapper unique identifier. The encrypted key is decrypted using a source data center key hierarchy. Key information is transmitted from the source data center to the destination data center. A destination data center key object is generated using a destination data center key hierarchy.

Citations

22 Claims

1. A method, comprising:
- receiving, at a device including a processor and a non-transitory memory, a request to transfer key information from a source data center to a destination data center, the key information corresponding to a data block maintained in a storage area network (SAN);
  
  identifying at the device, a source data center key object corresponding to the data block wherein the source data center key object includes a unique identifier, an encrypted key, and a wrapper unique identifier;
  
  decrypting, at the device, the encrypted key using a source data center key hierarchy Such that a key is obtained, wherein decrypting the encrypted key comprises using keying material accessed using the wrapper unique identifier, the wrapper unique identifier referencing another key object at a key management center in the source data center;
  
  transmitting, at the device, the key information including the key from the source data center to the destination data center; and
  
  generating, at the device, a destination data center key object from the key information using a destination data center key hierarchy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the source data center key object corresponds to a disk logical unit number (LUN).
  - 3. The method of claim 2, wherein the destination data center key object allows decryption of the disk LUN when the disk LUN is moved form the source data center to the destination data center.
  - 4. The method of claim 1, wherein the source data center key object corresponds to a tape cartridge.
  - 5. The method of claim 4, wherein the destination data center key object allows decryption of the tape cartridge when the tape cartridge is moved form the source data center to the destination data center.
  - 6. The method of claim 1, wherein encrypting the decrypted key comprises using key material accessed from the destination data center.
  - 7. The method of claim 1, wherein the key information is transmitted using public key private key encryption.
  - 8. The method of claim 1, wherein the key information is transmitted using password protected key export.
  - 9. The method of claim 1, wherein the unique identifier is a globally unique identifier.
  - 10. The method of claim 9, wherein the globally unique identifier is written to the storage area network medium.
  - 11. The method of claim 10, wherein the storage area network medium is tape.
  - 12. The method of claim 10, wherein the storage area network medium Comprises a disk logical unit.
  - 13. The method of claim 1, wherein the key entity identifies the storage area network medium.
  - 14. The method of claim 1, wherein the wrapper unique identifier is a wrapper globally unique identifier that points to another key object having information for decrypting the encrypted key.
  - 15. The method of claim 14, wherein another key object further comprises an additional wrapper unique identifier.
  - 16. The method of claim 1, wherein the key object further comprises key state information.

17. A system, comprising:
- an interface operable to receive a request to transfer key information from a source data center to a data destination data center, the key information corresponding to a data block maintained in a storage area network (SAN); and
  
  a processor operable to;
  
  obtain a source data center key object corresponding to the data block, wherein the source data center key object includes a unique identifier, an encrypted key, and a wrapper unique identifier; and
  
  decrypt the encrypted key using a source data center key hierarchy such that a key is obtained and provide the key information from the source data center to the destination data center, wherein decrypting the encrypted key comprises using keying material accessed using the wrapper unique identifier, the wrapper unique identifier referencing another key objet at a key management center in the source data center;
  
  wherein the destination data center generates a destination data center key object from the key information using a destination data center key hierarchy.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The system of claim 17, wherein the source data center key object corresponds to a disk logical unit number (LUN).
  - 19. The system of claim 18, wherein the destination data center key object allows decryption of the disk LUN when the disk LUN is moved form the source data center to the destination data center.
  - 20. The system of claim 17, wherein the source data center key object corresponds to a tape cartridge.
  - 21. The system of claim 20, wherein the destination data center key object allows decryption of the tape cartridge when the tape cartridge is moved form the source data center to the destination data center.

22. A system, comprising:
- means for receiving a request to transfer key information from a source data center to a destination data center, the key information corresponding to a data block maintained in a storage area network (SAN);
  
  means for identifying a source data center key object corresponding to the data block, wherein the source data center key object includes a unique identifier, an encrypted key, and a wrapper unique identifier;
  
  means for decrypting the encrypted key using a source data center key hierarchy such that a key is obtained, wherein decrypting the encrypted key comprises using keying material accessed using the wrapper unique identifier, the wrapper unique identifier referencing another key object at a key management center in the source data center;
  
  means for transmitting key information including the key from the source data center to the destination data center;
  
  means for generating a destination data center key object from the key information using a destination data center key hierarchy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Patnala, Praveen, Parthasarathy, Anand, Deshmukh, Makarand, Kondamuri, Chandra Sekhar
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
DOAN, TRANG T

Application Number

US12/061,597
Publication Number

US 20090252330A1
Time in Patent Office

2,547 Days
Field of Search
US Class Current

380/279
CPC Class Codes

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0836   using tree structure or hie...

H04L 9/0894   Escrow, recovery or storing...

Distribution of storage area network encryption keys across data centers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Distribution of storage area network encryption keys across data centers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links