Data encryption in a de-duplicating storage in a multi-tenant environment

US 9,396,341 B1
Filed: 03/31/2015
Issued: 07/19/2016
Est. Priority Date: 03/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method for deduplicating data on a storage system comprising:

storing in the storage system a plurality of raw data objects;

storing in the storage system a plurality of fingerprints, each of the plurality of fingerprints corresponding to one of the raw data object of the plurality of raw data objects;

converting a tenant data object into a plurality of raw data objects;

calculating, by a hardware processor, a first fingerprint for a first raw data object that is one of the plurality of raw data objects;

comparing the first fingerprint with the plurality of fingerprints that have been stored;

if the first fingerprint matches any of the plurality of fingerprints that have been stored, associating the first fingerprint to the raw data object of the stored fingerprint, and not storing the first data object in the storage system;

if the first fingerprint does not match the stored fingerprint, storing the first data object in the storage system, wherein the first data object is stored in a single use key encrypted format and the first fingerprint is calculated before the first data object is encrypted;

encrypting each of the plurality of fingerprints with a single use key of a plurality of single use keys by the storage system;

transmitting some of the plurality of fingerprints that have been encrypted with the single use keys to a tenant by the storage system; and

wrapping the single use keys that encrypt the some of the fingerprints with a tenant key (T-key) by the tenant.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention addresses encryption systems and methods in the de-duplication of data in a multi-tenant environment. The system provides isolation between tenants'"'"' stored data and the storage system. The tenants'"'"' data is broken down into many smaller raw data items. Fingerprints are generated for the raw data and compared to fingerprints of raw data previously stored on the storage system. The raw data and fingerprint are encrypted with a single use key (SUK) by the storage system. The SUK encrypted fingerprint is wrapped with a storage system key and stored with other fingerprints. The SUK encrypted fingerprint is also returned to the tenants and wrapped with a tenant key. The use of tenant key wraps allows the tenant data to be protected and confidential to each tenant but allows the raw data to be shared by all tenants.

47 Citations

View as Search Results

17 Claims

1. A method for deduplicating data on a storage system comprising:
- storing in the storage system a plurality of raw data objects;
  
  storing in the storage system a plurality of fingerprints, each of the plurality of fingerprints corresponding to one of the raw data object of the plurality of raw data objects;
  
  converting a tenant data object into a plurality of raw data objects;
  
  calculating, by a hardware processor, a first fingerprint for a first raw data object that is one of the plurality of raw data objects;
  
  comparing the first fingerprint with the plurality of fingerprints that have been stored;
  
  if the first fingerprint matches any of the plurality of fingerprints that have been stored, associating the first fingerprint to the raw data object of the stored fingerprint, and not storing the first data object in the storage system;
  
  if the first fingerprint does not match the stored fingerprint, storing the first data object in the storage system, wherein the first data object is stored in a single use key encrypted format and the first fingerprint is calculated before the first data object is encrypted;
  
  encrypting each of the plurality of fingerprints with a single use key of a plurality of single use keys by the storage system;
  
  transmitting some of the plurality of fingerprints that have been encrypted with the single use keys to a tenant by the storage system; and
  
  wrapping the single use keys that encrypt the some of the fingerprints with a tenant key (T-key) by the tenant.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 further comprising:
    - encrypting each of the raw data objects with one single use key of the plurality of single use keys.
  - 3. The method of claim 2 wherein each of the single use keys is used to encrypt one of the raw data objects.
  - 4. The method of claim 2 wherein each of the single use keys is used to encrypt two or more of the raw data objects.
  - 5. The method of claim 1 further comprising:
    - encrypting each of the plurality of raw data objects with the single use key of the plurality of single use keys by the storage system.
  - 6. The method of claim 1 further comprising:
    - wrapping each of the plurality of fingerprints encrypted with the plurality of single use keys with a storage system key by the storage system.

7. A system for deduplicating data, the system comprising:
- a hardware processor in a computer system and configured to;
  
  store in the storage system a plurality of raw data objects;
  
  store in the storage system a plurality of fingerprints, each of the plurality of fingerprints corresponding to one of the raw data object of the plurality of raw data objects;
  
  convert a tenant data object into a plurality of raw data objects;
  
  calculate a first fingerprints for a first raw data object that is one of the plurality of raw data objects;
  
  compare the first fingerprint with the plurality of fingerprints that have been stored;
  
  if the first fingerprint matches any of the plurality of fingerprints that have been stored, associate the first fingerprint to the raw data object of the stored fingerprint, and not store the first data object in the storage system;
  
  if the first fingerprint does not match the stored fingerprint, store the first data object in the storage system, wherein the first data object is stored in a single use key encrypted format and the first fingerprint is calculated before the first data object is encrypted;
  
  encrypt each of the plurality of fingerprints with a single use key of a plurality of single use keys by the storage system;
  
  transmit some of the plurality of fingerprints that have been encrypted with the single use keys to a tenant by the storage system; and
  
  wrap the single use keys that encrypt the some of the fingerprints with a tenant key (T-key) by the tenant.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7 wherein the hardware processor is configured to:
    - encrypt each of the raw data objects with one single use key of the plurality of single use keys.
  - 9. The system of claim 8 wherein each of the single use keys is used to encrypt one of the raw data objects.
  - 10. The system of claim 8 wherein each of the single use keys is used to encrypt two or more of the raw data objects.
  - 11. The system of claim 7 wherein the hardware processor is configured to:
    - encrypt each of the plurality of raw data objects with the single use key of the plurality of single use keys by the storage system.
  - 12. The system of claim 7 wherein the processor based the hardware processor is configured to:
    - wrap each of the plurality of fingerprints encrypted with the plurality of single use keys with a storage system key by the storage system.

13. A computer program product, comprising a non-transitory computer-readable medium having a computer-readable program code embodied therein, the computer-readable program code adapted to be executed by one or more processors to implement a method comprising:
- storing in a storage system a plurality of raw data objects;
  
  storing in the storage system a plurality of fingerprints, each of the plurality of fingerprints corresponding to one of the raw data object of the plurality of raw data objects;
  
  converting a tenant data object into a plurality of raw data objects;
  
  calculating, by a hardware processor, a first fingerprint for a first raw data object that is one of the plurality of raw data objects;
  
  comparing the first fingerprint with the plurality of fingerprints that have been stored;
  
  if the first fingerprint matches any of the plurality of fingerprints that have been stored, associating the first fingerprint to the raw data object of the stored fingerprint, and not storing the first data object in the storage system;
  
  if the first fingerprint does not match the stored fingerprint, storing the first data object in the storage system, wherein the first data object is stored in a single use key encrypted format and the first fingerprint is calculated before the first data object is encrypted;
  
  encrypting each of the plurality of fingerprints with a single use key of a plurality of single use keys by the storage system;
  
  transmitting some of the plurality of fingerprints that have been encrypted with the single use keys to a tenant by the storage system; and
  
  wrapping the single use keys that encrypt the some of the fingerprints with a tenant key (T-key) by the tenant.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13 further comprising:
    - encrypting each of the raw data objects with one single use key of the plurality of single use keys.
  - 15. The method of claim 14 wherein each of the single use keys is used to encrypt two or more of the raw data objects.
  - 16. The method of claim 13 further comprising:
    - encrypting each of the plurality of raw data objects with the single use key of the plurality of single use keys by the storage system.
  - 17. The method of claim 13 further comprising:
    - wrapping each of the plurality of fingerprints encrypted with the plurality of single use keys with a storage system key by the storage system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Chandra, Surendar, Sawyer, Darren
Primary Examiner(s)
Patel, Haresh N

Application Number

US14/675,252
Time in Patent Office

476 Days
Field of Search

713/167, 713/193, 726/6
US Class Current

1/1
CPC Class Codes

G06F 16/1748   De-duplication implemented ...

G06F 21/602   Providing cryptographic fac...

G06F 21/6272   by registering files or doc...

H04L 63/0428   wherein the data content is...

H04L 9/32   including means for verifyi...

Data encryption in a de-duplicating storage in a multi-tenant environment

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

47 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Data encryption in a de-duplicating storage in a multi-tenant environment

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others