Encryption key recovery in the event of storage management failure
First Claim
1. A method of encryption key recovery, said method comprising a hardware processor executing computer instructions in memory to perform the steps of:
- (a) creating a storage object for containing encrypted data in data storage of a data storage system, assigning an object identifier to the storage object for identifying the storage object in the data storage system, assigning a data encryption key to the storage object, assigning a key identifier to the data encryption key, storing the data encryption key in the data storage system in association with the object identifier, and storing the key identifier in the data storage system in association with the object identifier; and
- (b) when performing an operation upon the storage object using the data encryption key in the data storage system, detecting failure of the data encryption key in the data storage system, and in response to detecting failure of the data encryption key in the data storage system, using the object identifier for fetching the stored key identifier associated with the object identifier, and using the fetched key identifier associated with the object identifier for fetching a copy of the data encryption key from a key server computer, and resuming the operation upon the storage object using the copy of the data encryption key fetched from the key server computer.
Abstract
A data processing system stores encrypted data. Object identifiers are assigned to storage objects, and data encryption keys are assigned to the storage objects. When performing an operation upon a storage object, data encryption key failure may occur due to a corrupt or incorrect key. In this case, a copy of the data encryption key is fetched from a key server. It is possible for the association of the object identifiers with the data encryption keys to become lost or confused, so that the key server may fail to provide the correct key for a specified object identifier. Therefore, an absolute key identifier that is unique across the key server namespace also is stored in association with the object identifier in the storage system and in the key store of the key server, and the absolute key identifier is used as a failsafe for recovery of encrypted data.
20 Claims
1. A method of encryption key recovery, said method comprising a hardware processor executing computer instructions in memory to perform the steps of:
- (a) creating a storage object for containing encrypted data in data storage of a data storage system, assigning an object identifier to the storage object for identifying the storage object in the data storage system, assigning a data encryption key to the storage object, assigning a key identifier to the data encryption key, storing the data encryption key in the data storage system in association with the object identifier, and storing the key identifier in the data storage system in association with the object identifier; and
- (b) when performing an operation upon the storage object using the data encryption key in the data storage system, detecting failure of the data encryption key in the data storage system, and in response to detecting failure of the data encryption key in the data storage system, using the object identifier for fetching the stored key identifier associated with the object identifier, and using the fetched key identifier associated with the object identifier for fetching a copy of the data encryption key from a key server computer, and resuming the operation upon the storage object using the copy of the data encryption key fetched from the key server computer.

Dependent claims 2 to 9 are not shown.

10. A method of encryption key recovery, said method comprising a hardware processor executing computer instructions in memory to perform the steps of:
- (a) creating a storage object for containing encrypted data in data storage of a data storage system, assigning an object identifier to the storage object for identifying the storage object in the data storage system, obtaining a key identifier and a data encryption key assigned to the storage object from a key server computer, storing the key identifier and the data encryption key in the data storage system in association with the object identifier, and storing the key identifier and a copy of the data encryption key in association with the object identifier and an identifier of the data storage system in a key store of the key server computer; and
- (b) when performing an operation upon the storage object using the data encryption key in the data storage system, detecting failure of the data encryption key in the data storage system, and in response to detecting failure of the data encryption key in the data storage system, requesting the key server computer to provide a copy of the data encryption key assigned to the storage object, and the key server responding by failing to provide a correct copy of the data encryption key assigned to the storage object, and in response to the key server computer failing to provide a correct copy of the data encryption key assigned to the storage object, using the object identifier for fetching the stored key identifier associated with the object identifier, and using the fetched key identifier associated with the object identifier for fetching a copy of the data encryption key from the key server computer, and resuming the operation upon the storage object using the copy of the data encryption key fetched from the key server computer.

Dependent claims 11 to 13 are not shown.

14. A data storage system comprising:
- data storage; and
- at least one storage processor computer coupled to the data storage for storing data in the data storage; wherein said at least one storage processor computer is programmed for creating a storage object for containing encrypted data in the data storage, assigning an object identifier to the storage object for identifying the storage object in the data storage system, obtaining a key identifier and a data encryption key assigned to the storage object from a key server computer, and storing the key identifier and the data encryption key in the data storage system in association with the object identifier; and wherein said at least one storage processor computer is further programmed for performing an operation upon the storage object using the data encryption key in the data storage system, and when performing the operation upon the storage object using the data encryption key in the data storage system, detecting failure of the data encryption key in the data storage system, and in response to detecting failure of the data encryption key in the data storage system, using the object identifier for fetching the stored key identifier associated with the object identifier, and using the fetched key identifier associated with the object identifier for fetching a copy of the data encryption key from the key server computer, and resuming the operation upon the storage object using the copy of the data encryption key fetched from the key server computer.

Dependent claims 15 to 20 are not shown.
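The recovery sequence that the abstract and claims 1 and 10 describe (the local key fails its check, the key server is asked by object identifier, and only when that copy is also wrong is the absolute key identifier used), as an added Python sketch that is not part of the patent; the toy cipher, the key server's in-memory indexes, and names such as `KeyServer`, `StorageSystem` and the `kid-` prefix are constructed stand-ins.

```python
import hashlib, hmac, secrets

class KeyFailure(Exception):
    """Corrupt or incorrect data encryption key: the failure the claims detect."""

def encrypt(key, plaintext):
    # Constructed toy authenticated encryption (SHAKE keystream + HMAC tag): demo only, not for production.
    ct = bytes(a ^ b for a, b in zip(plaintext, hashlib.shake_256(key).digest(len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def decrypt(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        raise KeyFailure("data encryption key rejected by integrity check")
    return bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key).digest(len(ct))))

class KeyServer:
    """Key store indexed two ways, as the abstract describes: by (storage system id, object id),
    which can become lost or confused, and by the absolute key identifier, unique across the namespace."""
    def __init__(self):
        self.by_object, self.by_key_id = {}, {}
    def create_key(self, system_id, object_id):
        key_id, key = "kid-" + secrets.token_hex(8), secrets.token_bytes(32)
        self.by_object[(system_id, object_id)] = key
        self.by_key_id[key_id] = key
        return key_id, key

class StorageSystem:
    def __init__(self, system_id, key_server):
        self.system_id, self.ks, self.objects = system_id, key_server, {}
    def create_object(self, object_id, plaintext):
        key_id, key = self.ks.create_key(self.system_id, object_id)
        # Both the key and its absolute key identifier are stored in association with the object id.
        self.objects[object_id] = {"key_id": key_id, "key": key, "data": encrypt(key, plaintext)}
    def read_object(self, object_id):
        """Decrypt the object; on key failure, recover as in claim 10(b). Returns (plaintext, key source)."""
        obj = self.objects[object_id]
        sources = [("local", lambda: obj["key"]),
                   ("server_by_object", lambda: self.ks.by_object[(self.system_id, object_id)]),
                   ("server_by_key_id", lambda: self.ks.by_key_id[obj["key_id"]])]
        for path, get_key in sources:
            try:
                key = get_key()
                plaintext = decrypt(key, obj["data"])
            except (KeyError, KeyFailure):  # server has no entry for this lookup, or gave the wrong key
                continue
            obj["key"] = key  # resume the operation with the recovered copy
            return plaintext, path
        raise KeyFailure(f"no valid key found for object {object_id}")
```

The returned path tells an operator which copy rescued the read, which is the signal worth alerting on: a recovery that only succeeds via the key identifier means the object-to-key association on the key server is already wrong.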
Specification