Data encryption in a de-duplicating storage in a multi-tenant environment
First Claim
1. A method for deduplicating data on a storage system comprising:
- storing in the storage system a plurality of raw data objects;
storing in the storage system a plurality of fingerprints, each of the plurality of fingerprints corresponding to one of the raw data object of the plurality of raw data objects;
converting a tenant data object into a plurality of raw data objects;
calculating, by a hardware processor, a first fingerprint for a first raw data object that is one of the plurality of raw data objects;
comparing the first fingerprint with the plurality of fingerprints that have been stored;
if the first fingerprint matches any of the plurality of fingerprints that have been stored, associating the first fingerprint to the raw data object of the stored fingerprint, and not storing the first data object in the storage system;
if the first fingerprint does not match the stored fingerprint, storing the first data object in the storage system, wherein the first data object is stored in a single use key encrypted format and the first fingerprint is calculated before the first data object is encrypted;
encrypting each of the plurality of fingerprints with a single use key of a plurality of single use keys by the storage system;
transmitting some of the plurality of fingerprints that have been encrypted with the single use keys to a tenant by the storage system; and
wrapping the single use keys that encrypt the some of the fingerprints with a tenant key (T-key) by the tenant.
9 Assignments
0 Petitions
Accused Products
Abstract
The present invention addresses encryption systems and methods in the de-duplication of data in a multi-tenant environment. The system provides isolation between tenants'"'"' stored data and the storage system. The tenants'"'"' data is broken down into many smaller raw data items. Fingerprints are generated for the raw data and compared to fingerprints of raw data previously stored on the storage system. The raw data and fingerprint are encrypted with a single use key (SUK) by the storage system. The SUK encrypted fingerprint is wrapped with a storage system key and stored with other fingerprints. The SUK encrypted fingerprint is also returned to the tenants and wrapped with a tenant key. The use of tenant key wraps allows the tenant data to be protected and confidential to each tenant but allows the raw data to be shared by all tenants.
47 Citations
17 Claims
-
1. A method for deduplicating data on a storage system comprising:
-
storing in the storage system a plurality of raw data objects; storing in the storage system a plurality of fingerprints, each of the plurality of fingerprints corresponding to one of the raw data object of the plurality of raw data objects; converting a tenant data object into a plurality of raw data objects; calculating, by a hardware processor, a first fingerprint for a first raw data object that is one of the plurality of raw data objects; comparing the first fingerprint with the plurality of fingerprints that have been stored; if the first fingerprint matches any of the plurality of fingerprints that have been stored, associating the first fingerprint to the raw data object of the stored fingerprint, and not storing the first data object in the storage system; if the first fingerprint does not match the stored fingerprint, storing the first data object in the storage system, wherein the first data object is stored in a single use key encrypted format and the first fingerprint is calculated before the first data object is encrypted; encrypting each of the plurality of fingerprints with a single use key of a plurality of single use keys by the storage system; transmitting some of the plurality of fingerprints that have been encrypted with the single use keys to a tenant by the storage system; and wrapping the single use keys that encrypt the some of the fingerprints with a tenant key (T-key) by the tenant. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A system for deduplicating data, the system comprising:
-
a hardware processor in a computer system and configured to; store in the storage system a plurality of raw data objects; store in the storage system a plurality of fingerprints, each of the plurality of fingerprints corresponding to one of the raw data object of the plurality of raw data objects; convert a tenant data object into a plurality of raw data objects; calculate a first fingerprints for a first raw data object that is one of the plurality of raw data objects; compare the first fingerprint with the plurality of fingerprints that have been stored; if the first fingerprint matches any of the plurality of fingerprints that have been stored, associate the first fingerprint to the raw data object of the stored fingerprint, and not store the first data object in the storage system; if the first fingerprint does not match the stored fingerprint, store the first data object in the storage system, wherein the first data object is stored in a single use key encrypted format and the first fingerprint is calculated before the first data object is encrypted; encrypt each of the plurality of fingerprints with a single use key of a plurality of single use keys by the storage system; transmit some of the plurality of fingerprints that have been encrypted with the single use keys to a tenant by the storage system; and wrap the single use keys that encrypt the some of the fingerprints with a tenant key (T-key) by the tenant. - View Dependent Claims (8, 9, 10, 11, 12)
-
-
13. A computer program product, comprising a non-transitory computer-readable medium having a computer-readable program code embodied therein, the computer-readable program code adapted to be executed by one or more processors to implement a method comprising:
-
storing in a storage system a plurality of raw data objects; storing in the storage system a plurality of fingerprints, each of the plurality of fingerprints corresponding to one of the raw data object of the plurality of raw data objects; converting a tenant data object into a plurality of raw data objects; calculating, by a hardware processor, a first fingerprint for a first raw data object that is one of the plurality of raw data objects; comparing the first fingerprint with the plurality of fingerprints that have been stored; if the first fingerprint matches any of the plurality of fingerprints that have been stored, associating the first fingerprint to the raw data object of the stored fingerprint, and not storing the first data object in the storage system; if the first fingerprint does not match the stored fingerprint, storing the first data object in the storage system, wherein the first data object is stored in a single use key encrypted format and the first fingerprint is calculated before the first data object is encrypted; encrypting each of the plurality of fingerprints with a single use key of a plurality of single use keys by the storage system; transmitting some of the plurality of fingerprints that have been encrypted with the single use keys to a tenant by the storage system; and wrapping the single use keys that encrypt the some of the fingerprints with a tenant key (T-key) by the tenant. - View Dependent Claims (14, 15, 16, 17)
-
Specification