Content aware hierarchical encryption for secure storage systems
First Claim
1. A computer-implemented method, comprising:
- receiving metadata of a data object to be stored in a storage system, wherein the metadata is represented in a hierarchical structure having a plurality of levels, each level having a plurality of nodes and each node being one of a root node, a leaf node and an intermediate node, and wherein each leaf node represents a deduplicated segment associated with the data object and each parent node stores metadata of its one or more child nodes;
traversing the hierarchical structure to encrypt each of the nodes in a bottom-up approach, starting from leaf nodes, using a plurality of different keys, wherein a child key for encrypting content of a child node is stored in a parent node that references the child node, and wherein the child key is encrypted together with content of the parent node by a parent key associated with the parent node, wherein traversing the hierarchical structure to encrypt each of the nodes in a bottom-up approach comprisesfor a given first node as a parent node to one or more second nodes as child nodes, obtaining a first fingerprint of content of the first node,encrypting, using a first key derived from the first fingerprint, content of the first node and one or more second keys that encrypt the second nodes, andstoring the encrypted first node having content of the first node and the one or more second keys embedded therein in the storage system; and
storing the encrypted content of the plurality of nodes in one or more storage units of the storage system in a deduplicated manner.
9 Assignments
0 Petitions
Accused Products
Abstract
In one embodiment, metadata of a data object to be stored in a storage system is received, where the metadata is in a hierarchical structure having multiple levels, each level having multiple nodes and each node being one of a root node, a leaf node and an intermediate node. Each leaf node represents a deduplicated segment associated with the data object. The hierarchical structure is traversed to encrypt each of the nodes in a bottom-up approach, starting from leaf nodes, using different keys. A child key for encrypting content of a child node is stored in a parent node that references the child node, and the child key is encrypted by a parent key associated with the parent node. The encrypted content of the nodes are then stored in one or more storage units of the storage system in a deduplicated manner.
36 Citations
24 Claims
-
1. A computer-implemented method, comprising:
-
receiving metadata of a data object to be stored in a storage system, wherein the metadata is represented in a hierarchical structure having a plurality of levels, each level having a plurality of nodes and each node being one of a root node, a leaf node and an intermediate node, and wherein each leaf node represents a deduplicated segment associated with the data object and each parent node stores metadata of its one or more child nodes; traversing the hierarchical structure to encrypt each of the nodes in a bottom-up approach, starting from leaf nodes, using a plurality of different keys, wherein a child key for encrypting content of a child node is stored in a parent node that references the child node, and wherein the child key is encrypted together with content of the parent node by a parent key associated with the parent node, wherein traversing the hierarchical structure to encrypt each of the nodes in a bottom-up approach comprises for a given first node as a parent node to one or more second nodes as child nodes, obtaining a first fingerprint of content of the first node, encrypting, using a first key derived from the first fingerprint, content of the first node and one or more second keys that encrypt the second nodes, and storing the encrypted first node having content of the first node and the one or more second keys embedded therein in the storage system; and storing the encrypted content of the plurality of nodes in one or more storage units of the storage system in a deduplicated manner. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations, the operations comprising:
-
receiving metadata of a data object to be stored in a storage system, wherein the metadata is represented in a hierarchical structure having a plurality of levels, each level having a plurality of nodes and each node being one of a root node, a leaf node and an intermediate node, and wherein each leaf node represents a deduplicated segment associated with the data object and each parent node stores metadata of its one or more child nodes; traversing the hierarchical structure to encrypt each of the nodes in a bottom-up approach, starting from leaf nodes, using a plurality of different keys, wherein a child key for encrypting content of a child node is stored in a parent node that references the child node, and wherein the child key is encrypted together with content of the parent node by a parent key associated with the parent node, wherein traversing the hierarchical structure to encrypt each of the nodes in a bottom-up approach comprises for a given first node as a parent node to one or more second nodes as child nodes, obtaining a first fingerprint of content of the first node, encrypting, using a first key derived from the first fingerprint, content of the first node and one or more second keys that encrypt the second nodes, and storing the encrypted first node having content of the first node and the one or more second keys embedded therein in the storage system; and storing the encrypted content of the plurality of nodes in one or more storage units of the storage system in a deduplicated manner. - View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
-
-
17. A data processing system, comprising:
-
a processor; and a memory coupled to the processor for storing instructions, which when executed from the memory, cause the processor to receive metadata of a data object to be stored in a storage system, wherein the metadata is represented in a hierarchical structure having a plurality of levels, each level having a plurality of nodes and each node being one of a root node, a leaf node and an intermediate node, and wherein each leaf node represents a deduplicated segment associated with the data object and each parent node stores metadata of its one or more child nodes, traverse the hierarchical structure to encrypt each of the nodes in a bottom-up approach, starting from leaf nodes, using a plurality of different keys, wherein a child key for encrypting content of a child node is stored in a parent node that references the child node, and wherein the child key is encrypted together with content of the parent node by a parent key associated with the parent node, wherein traversing the hierarchical structure to encrypt each of the nodes in a bottom-up approach comprises for a given first node as a parent node to one or more second nodes as child nodes, obtaining a first fingerprint of content of the first node, encrypting, using a first key derived from the first fingerprint, content of the first node and one or more second keys that encrypt the second nodes, and storing the encrypted first node having content of the first node and the one or more second keys embedded therein in the storage system, and store the encrypted content of the plurality of nodes in one or more storage units of the storage system in a deduplicated manner. - View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
-
Specification