Encrypting data for storage in a dispersed storage network

US 9,380,032 B2
Filed: 04/23/2013
Issued: 06/28/2016
Est. Priority Date: 04/25/2012
Status: Active Grant

First Claim

Patent Images

1. A method for execution by a computing device, the method comprises:

dividing data into a plurality of data segments;

for a data segment of the plurality of data segments;

encoding the data segment using a dispersed storage error encoding function to produce a set of encoded data slices, wherein a decode threshold number of encoded data slices of the set of encoded data slices is needed to recover the data segment and wherein the decode threshold number is less than a total number of encoded data slices in the set of encoded data slices;

generating slice names for each encoded data slice of the set of encoded data slices to produce a plurality of slice names, wherein a slice name of the plurality of slice names includes a data identifier, a data segment identifier, and an encoded slice identifier;

when a subset of encoded data slices of the set of encoded data slices is to be encrypted;

generating a master key;

selecting a portion of the slice names for the subset of encoded data slices to produce a subset of selected slice name portions;

generating a subset of encryption keys based on the master key and the subset of selected slice name portions;

encrypting the subset of encoded data slices using the subset of encryption keys to produce a subset of encrypted encoded data slices;

outputting the subset of encrypted encoded data slices to a dispersed storage network (DSN) for storage therein; and

outputting remaining encoded data slices of the set of encoded data slices to the DSN for storage therein.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a dispersed storage (DS) processing module dividing data into a plurality of data segments, encoding a data segment using a dispersed storage error encoding function to produce a set of encoded data slices, and generating slice names for each encoded data slice to produce a plurality of slice names. When a subset of encoded data slices of the set of encoded data slices is to be encrypted, the method continues with the DS processing module generating a master key, selecting a portion of the slice names for the subset of encoded data slices to produce a subset of selected slice name portions, generating a subset of encryption keys, encrypting the subset of encoded data slices using the subset of encryption keys to produce a subset of encrypted encoded data slices, and outputting the subset of encrypted encoded data slices to a dispersed storage network (DSN).

126 Citations

18 Claims

1. A method for execution by a computing device, the method comprises:
- dividing data into a plurality of data segments;
  
  for a data segment of the plurality of data segments;
  
  encoding the data segment using a dispersed storage error encoding function to produce a set of encoded data slices, wherein a decode threshold number of encoded data slices of the set of encoded data slices is needed to recover the data segment and wherein the decode threshold number is less than a total number of encoded data slices in the set of encoded data slices;
  
  generating slice names for each encoded data slice of the set of encoded data slices to produce a plurality of slice names, wherein a slice name of the plurality of slice names includes a data identifier, a data segment identifier, and an encoded slice identifier;
  
  when a subset of encoded data slices of the set of encoded data slices is to be encrypted;
  
  generating a master key;
  
  selecting a portion of the slice names for the subset of encoded data slices to produce a subset of selected slice name portions;
  
  generating a subset of encryption keys based on the master key and the subset of selected slice name portions;
  
  encrypting the subset of encoded data slices using the subset of encryption keys to produce a subset of encrypted encoded data slices;
  
  outputting the subset of encrypted encoded data slices to a dispersed storage network (DSN) for storage therein; and
  
  outputting remaining encoded data slices of the set of encoded data slices to the DSN for storage therein.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 further comprises:
    - selecting the subset of encoded data slices as a first type of encoded data slices of the set of encoded data slices, wherein the data segment was encoded utilizing a dispersed storage error encoding matrix that includes a unity matrix section, wherein the set of encoded data slices includes the first type of encoded data slices and a second type of encoded data slices, wherein the first type of encoded data slices corresponds to the unity matrix section and the second type of encoded data slices corresponds to another section of the dispersed storage error encoding matrix.
  - 3. The method of claim 1 further comprises:
    - selecting the subset of encoded data slices as a first type of encoded data slices of the set of encoded data slices, wherein the set of encoded data slices includes the first type of encoded data slices and a second type of encoded data slices, wherein the first type of encoded data slices includes encoded data slices based on data blocks and the second type of encoded data slices includes encoded data slices based on data blocks and auxiliary blocks.
  - 4. The method of claim 1 further comprises:
    - identifying storage units of the DSN requiring a higher security than other storage units of the DSN; and
      
      selecting the subset of encoded data slices as being targeted for storage in the storage units requiring higher security.
  - 5. The method of claim 1 further comprises:
    - selecting the data identifier as the portion of the slice names; and
      
      generating an encryption key based on the master key and the data identifier as the subset of encryption keys for each of the plurality of data segments.
  - 6. The method of claim 1 further comprises:
    - selecting the data segment identifier as the portion of the slice names; and
      
      generating an encryption key based on the master key and the data segment identifier as the subset of encryption keys for the data segment.
  - 7. The method of claim 1 further comprises:
    - selecting the encoded slice identifier as the portion of the slice names; and
      
      generating the subset of encryption keys based on the master key and each of the encoded data slice identifiers of the subset of encoded data slices.
  - 8. The method of claim 1, wherein the slice name further comprises at least one of:
    - identity of a target storage node of the DSN;
      
      a security identifier;
      
      a random number;
      
      a revision level number; and
      
      a transaction number.
  - 9. The method of claim 1 further comprises:
    - selecting a pillar number as the portion of the slice names, wherein the slice name further includes the pillar number; and
      
      generating the subset of encryption keys based on the master key and each of the pillar numbers of the subset of encoded data slices.

10. A dispersed storage (DS) module comprises:
- a first module, when operable within a computing device, causes the computing device to;
  
  divide data into a plurality of data segments;
  
  for a data segment of the plurality of data segments;
  
  encode the data segment using a dispersed storage error encoding function to produce a set of encoded data slices, wherein a decode threshold number of encoded data slices of the set of encoded data slices is needed to recover the data segment and wherein the decode threshold number is less than a total number of encoded data slices in the set of encoded data slices; and
  
  generate slice names for each encoded data slice of the set of encoded data slices to produce a plurality of slice names, wherein a slice name of the plurality of slice names includes a data identifier, a data segment identifier, and an encoded slice identifier;
  
  a second module, when operable within the computing device, causes the computing device to;
  
  when a subset of encoded data slices of the set of encoded data slices is to be encrypted;
  
  generate a master key;
  
  select a portion of the slice names for the subset of encoded data slices to produce a subset of selected slice name portions;
  
  generate a subset of encryption keys based on the master key and the subset of selected slice name portions; and
  
  encrypt the subset of encoded data slices using the subset of encryption keys to produce a subset of encrypted encoded data slices; and
  
  a third module, when operable within the computing device, causes the computing device to;
  
  output the subset of encrypted encoded data slices to a dispersed storage network (DSN) for storage therein; and
  
  output remaining encoded data slices of the set of encoded data slices to the DSN for storage therein.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The DS module of claim 10 further comprises:
    - the second module further functions to;
      
      select the subset of encoded data slices as a first type of encoded data slices of the set of encoded data slices, wherein the data segment was encoded utilizing a dispersed storage error encoding matrix that includes a unity matrix section, wherein the set of encoded data slices includes the first type of encoded data slices and a second type of encoded data slices, wherein the first type of encoded data slices corresponds to the unity matrix section and the second type of encoded data slices corresponds to another section of the dispersed storage error encoding matrix.
  - 12. The DS module of claim 10 further comprises:
    - the second module further functions to;
      
      select the subset of encoded data slices as a first type of encoded data slices of the set of encoded data slices, wherein the set of encoded data slices includes the first type of encoded data slices and a second type of encoded data slices, wherein the first type of encoded data slices includes encoded data slices based on data blocks and the second type of encoded data slices includes encoded data slices based on data blocks and auxiliary blocks.
  - 13. The DS module of claim 10 further comprises:
    - the third module further functions to;
      
      identify storage units of the DSN requiring a higher security than other storage units of the DSN; and
      
      select the subset of encoded data slices as being targeted for storage in the storage units requiring higher security.
  - 14. The DS module of claim 10 further comprises:
    - the second module further functions to;
      
      select the data identifier as the portion of the slice names; and
      
      generate an encryption key based on the master key and the data identifier as the subset of encryption keys for each of the plurality of data segments.
  - 15. The DS module of claim 10 further comprises:
    - the second module further functions to;
      
      select the data segment identifier as the portion of the slice names; and
      
      generate an encryption key based on the master key and the data segment identifier as the subset of encryption keys for the data segment.
  - 16. The DS module of claim 10 further comprises:
    - the second module further functions to;
      
      select the encoded slice identifier as the portion of the slice names; and
      
      generate the subset of encryption keys based on the master key and each of the encoded data slice identifiers of the subset of encoded data slices.
  - 17. The DS module of claim 10, wherein the slice name further comprises at least one of:
    - identity of a target storage node of the DSN;
      
      a security identifier;
      
      a random number;
      
      a revision level number; and
      
      a transaction number.
  - 18. The DS module of claim 10 further comprises:
    - the second module further functions to;
      
      select a pillar number as the portion of the slice names, wherein the slice name further includes the pillar number; and
      
      generate the subset of encryption keys based on the master key and each of the pillar numbers of the subset of encoded data slices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Resch, Jason K., Dhuse, Greg
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
GIDDINS, NELSON S

Application Number

US13/868,311
Publication Number

US 20130290703A1
Time in Patent Office

1,162 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/1076   Parity data used in redunda...

G06F 3/0619   in relation to data integri...

G06F 3/064   Management of blocks

G06F 3/067   Distributed or networked st...

H04L 2463/061   applying further key deriva...

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 67/1097   for distributed storage of ...

H04L 9/0822   using key encryption key

H04L 9/0861   Generation of secret inform...

H04W 12/04   Key management, e.g. using ...

Encrypting data for storage in a dispersed storage network

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

126 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Encrypting data for storage in a dispersed storage network

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

126 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links