Deduplication of encrypted dataset on datadomain backup appliance
Abstract
Exemplary methods for deduplicating encrypted files are described herein. The exemplary methods include receiving a first encrypted data file from a remote source that is encrypted by a first security key. In one embodiment, the methods include transmitting to a remote security manager a first key identifier (ID) that is extracted from the first data file, the first key ID identifying the first security key. In one aspect of the invention, in response to receiving the first security key from the remote security manager based on the first key ID, the methods include decrypting the first data file using the first security key provided by the remote security manager. In at least one embodiment, the methods include deduplicating the decrypted first data file.
18 Claims
1. A computer-implemented method for deduplicating encrypted data, the method comprising:
receiving a first data file from a remote source to be stored at a local deduplicated storage system by a backup and restore (backup/restore) engine executed by a processor of the local deduplicated storage system, wherein the first data file is encrypted by a first security key;
transmitting by a security module of the backup/restore engine to a remote security manager a first key identifier (ID) that is extracted from the first data file, the first key ID identifying the first security key, wherein the remote security manager is hosted by a remote server separated from the remote source and the local deduplicated storage system;
in response to receiving the first security key from the remote security manager based on the first key ID, decrypting by the security module the first data file using the first security key provided by the remote security manager;
deduplicating the decrypted first data file by a deduplication storage engine executed by the processor of the local deduplicated storage system, wherein deduplicating the decrypted first data file comprises partitioning the decrypted first data file into a plurality of data segments;
generating a hash for each of the plurality of data segments, comparing the generated hashes with hashes of data segments already stored at the local deduplicated storage system, and determining one or more deduplicated data segments of the first data file, wherein the deduplicated data segments of the first data file are data segments with hashes that do not match the hashes of data segments already stored at the local deduplicated storage system;
encrypting the deduplicated data segments of the first data file using a second security key; and
storing the encrypted deduplicated data segments of the first data file.
Dependent claims: 2, 3, 4, 5, 6
7. A non-transitory computer-readable medium having computer instructions stored therein, which when executed by a processor, cause the processor to perform operations, the operations comprising:
receiving a first data file from a remote source to be stored at a local deduplicated storage system by a backup and restore (backup/restore) engine executed by a processor of the local deduplicated storage system, wherein the first data file is encrypted by a first security key;
transmitting by a security module of the backup/restore engine to a remote security manager a first key identifier (ID) that is extracted from the first data file, the first key ID identifying the first security key, wherein the remote security manager is hosted by a remote server separated from the remote source and the local deduplicated storage system;
in response to receiving the first security key from the remote security manager based on the first key ID, decrypting by the security module the first data file using the first security key provided by the remote security manager;
deduplicating the decrypted first data file by a deduplication storage engine executed by the processor of the local deduplicated storage system, wherein deduplicating the decrypted first data file comprises partitioning the decrypted first data file into a plurality of data segments;
generating a hash for each of the plurality of data segments, comparing the generated hashes with hashes of data segments already stored at the local deduplicated storage system, and determining one or more deduplicated data segments of the first data file, wherein the deduplicated data segments of the first data file are data segments with hashes that do not match the hashes of data segments already stored at the local deduplicated storage system;
encrypting the deduplicated data segments of the first data file using a second security key; and
storing the encrypted deduplicated data segments of the first data file.
Dependent claims: 8, 9, 10, 11, 12
13. A data processing system, comprising:
a processor;
a network interface configured to receive a first data file from a remote source to be stored at a local deduplicated storage system, wherein the first data file is encrypted by a first security key;
a security module executed by the processor and coupled to the network interface, configured to transmit to a remote security manager a first key identifier (ID) that is extracted from the first data file, the first key ID identifying the first security key, and in response to receiving the first security key from the remote security manager based on the first key ID, decrypt the first data file using the first security key provided by the remote security manager, wherein the remote security manager is hosted by a remote server separated from the remote source and the local deduplicated storage system; and
a deduplication storage engine executed by the processor and coupled to the security module, configured to deduplicate the decrypted first data file, including partitioning the decrypted first data file into a plurality of data segments;
generating a hash for each of the plurality of data segments, comparing the generated hashes with hashes of data segments already stored at the local deduplicated storage system, and determining one or more deduplicated data segments of the first data file, wherein the deduplicated data segments of the first data file are data segments with hashes that do not match the hashes of data segments already stored at the local deduplicated storage system,
wherein the security module encrypts the deduplicated data segments of the first data file using a second security key and stores the encrypted deduplicated data segments of the first data file.
Dependent claims: 14, 15, 16, 17, 18
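The three independent claims describe one ingest path: read the key ID from the incoming file, obtain the first key from a remote security manager, decrypt, segment and hash, store only segments whose hashes are unknown, and re-encrypt those under a second key held locally. The following is an added example modelling that path end to end; it is not the patent's or Data Domain's code. It assumes fixed-size segmentation, an envelope layout of key-ID length, key ID, then the encrypted body, and uses an HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag as a stand-in for a real AEAD (such as AES-GCM) so that it runs on the Python standard library alone. The `RemoteSecurityManager`, `DeduplicatedStorage`, `make_envelope` and `demo` names are invented for the example.

```python
# Added example, not the patent's or Data Domain's code. The cipher below is an
# HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, an assumed
# stand-in for a real AEAD (e.g. AES-GCM) so the example needs only the stdlib.
import hashlib
import hmac
import os
import struct

SEGMENT_SIZE = 256  # fixed-size segmentation, assumed for the example
NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key, nonce, length):
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])

def encrypt(key, plaintext, aad=b""):
    """Returns nonce || ciphertext || tag; the tag also covers the AAD."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob, aad=b""):
    """Checks the tag before decrypting; rejects tampered or wrongly keyed data."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def make_envelope(key_id, first_key, data):
    """Remote source side (assumed format): key ID in the clear as a lookup
    handle, body encrypted under the first key and bound to the key ID via AAD."""
    return struct.pack(">H", len(key_id)) + key_id + encrypt(first_key, data, aad=key_id)

class RemoteSecurityManager:
    """Stand-in for the remote key manager: maps key IDs to source keys."""
    def __init__(self, keys):
        self._keys = dict(keys)

    def get_key(self, key_id):
        # A real key manager would authenticate the requesting appliance and
        # audit-log each key release; this toy version only does the lookup.
        return self._keys[key_id]

class DeduplicatedStorage:
    """Appliance side: decrypt with the source key, segment, hash, deduplicate,
    re-encrypt only the new segments under the local second key."""
    def __init__(self, security_manager, storage_key):
        self.security_manager = security_manager
        self.storage_key = storage_key  # the "second security key", never leaves the appliance
        self.segments = {}              # SHA-256 digest -> encrypted segment
        self.manifests = {}             # file name -> ordered list of digests

    def ingest(self, name, envelope):
        """Returns (segments in the file, segments newly stored)."""
        id_len = struct.unpack(">H", envelope[:2])[0]
        key_id = envelope[2:2 + id_len]
        first_key = self.security_manager.get_key(key_id)
        plaintext = decrypt(first_key, envelope[2 + id_len:], aad=key_id)
        digests, new = [], 0
        for off in range(0, len(plaintext), SEGMENT_SIZE):
            seg = plaintext[off:off + SEGMENT_SIZE]
            h = hashlib.sha256(seg).digest()
            if h not in self.segments:  # only unmatched hashes are stored
                self.segments[h] = encrypt(self.storage_key, seg, aad=h)
                new += 1
            digests.append(h)
        self.manifests[name] = digests
        return len(digests), new

    def restore(self, name):
        return b"".join(decrypt(self.storage_key, self.segments[h], aad=h)
                        for h in self.manifests[name])

def demo():
    """Constructed scenario: two clients send overlapping data under different
    source keys; the appliance still deduplicates across them."""
    key_a, key_b = os.urandom(32), os.urandom(32)
    ksm = RemoteSecurityManager({b"client-a/key-7": key_a, b"client-b/key-3": key_b})
    store = DeduplicatedStorage(ksm, storage_key=os.urandom(32))
    file_a = b"".join(bytes([i]) * SEGMENT_SIZE for i in range(8))  # 8 distinct segments
    file_b = file_a[:4 * SEGMENT_SIZE] + b"".join(bytes([i]) * SEGMENT_SIZE for i in range(8, 10))
    total_a, new_a = store.ingest("a.bak", make_envelope(b"client-a/key-7", key_a, file_a))
    total_b, new_b = store.ingest("b.bak", make_envelope(b"client-b/key-3", key_b, file_b))
    ok = store.restore("a.bak") == file_a and store.restore("b.bak") == file_b
    return total_a, new_a, total_b, new_b, ok

def tamper_is_detected():
    """Flipping one ciphertext bit must be caught by the tag check."""
    key = os.urandom(32)
    blob = bytearray(encrypt(key, b"segment"))
    blob[NONCE_LEN] ^= 0x01
    try:
        decrypt(key, bytes(blob))
    except ValueError:
        return True
    return False
```

`demo()` returns `(8, 8, 6, 2, True)`: the second file shares four of its six segments with the first even though the two were encrypted under different source keys, because deduplication runs on plaintext after the key fetch. Two points follow from the claimed design. The key ID is a lookup handle carried in the clear, so the security manager, which the claims place on a server separate from both the source and the appliance, is the control point and must authenticate the appliance and record each key release. And because the appliance necessarily sees plaintext during ingest, the first key should be held only for the duration of that step, while the second key, which protects everything at rest, never leaves the appliance.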
Specification