Data encryption in a de-duplicating storage in a multi-tenant environment
First Claim
1. A method comprising:
- assigning a plurality of tenant keys to a plurality of tenants, each tenant being assigned a specific tenant key of the plurality of tenant keys;
- storing in a storage system a plurality of raw data objects backed up for the plurality of tenants;
- storing in the storage system a plurality of fingerprints, corresponding to the plurality of raw data objects, in a single use key encrypted format;
- wrapping, by a hardware processor, the plurality of fingerprints with a storage system key held by the storage system;
- receiving, from a first tenant, a request to retrieve data backed up on the storage system for the first tenant, the request comprising a set of fingerprints corresponding to a set of raw data objects to retrieve, and a first tenant key assigned to the first tenant, the set of fingerprints being in the single use key encrypted format and wrapped with the first tenant key;
- unwrapping, using the first tenant key, the received set of fingerprints to retrieve the set of raw data objects corresponding to the received set of fingerprints;
- transmitting the set of raw data objects to the first tenant; and
- removing the first tenant key from the storage system.
Abstract
The present invention addresses encryption systems and methods in the de-duplication of data in a multi-tenant environment. The system provides isolation between tenants' stored data and the storage system. Tenant keys are assigned to tenants. The storage system stores raw data objects backed up for the tenants and fingerprints, corresponding to the data objects, in a single use key encrypted format. Fingerprints are wrapped with a storage system key held by the storage system. A request is received to retrieve data backed up for a tenant. The request includes fingerprints corresponding to the data objects to retrieve, and a tenant key, the fingerprints being in the single use key encrypted format and wrapped with the tenant key. The received fingerprints are unwrapped using the tenant key to retrieve data objects corresponding to the received fingerprints. The data objects are transmitted to the tenant and the tenant key is removed.
15 Claims
6. A system for retrieving data backed up to a de-duplicating storage system for a multi-tenant environment, the system comprising:
a hardware processor in a computer system and configured to:
- assign a plurality of tenant keys to a plurality of tenants, each tenant being assigned a specific tenant key of the plurality of tenant keys;
- store in a storage system a plurality of raw data objects backed up for the plurality of tenants;
- store in the storage system a plurality of fingerprints, corresponding to the plurality of raw data objects, in a single use key encrypted format;
- wrap, by the hardware processor, the plurality of fingerprints with a storage system key held by the storage system;
- receive, from a first tenant, a request to retrieve data backed up on the storage system for the first tenant, the request comprising a set of fingerprints corresponding to a set of raw data objects to retrieve, and a first tenant key assigned to the first tenant, the set of fingerprints being in the single use key encrypted format and wrapped with the first tenant key;
- unwrap, using the first tenant key, the received set of fingerprints to retrieve the set of raw data objects corresponding to the received set of fingerprints;
- transmit the set of raw data objects to the first tenant; and
- remove the first tenant key from the storage system.
11. A computer program product, comprising a non-transitory computer-readable medium having a computer-readable program code embodied therein, the computer-readable program code adapted to be executed by one or more processors to implement a method comprising:
- assigning a plurality of tenant keys to a plurality of tenants, each tenant being assigned a specific tenant key of the plurality of tenant keys;
- storing in a storage system a plurality of raw data objects backed up for the plurality of tenants;
- storing in the storage system a plurality of fingerprints, corresponding to the plurality of raw data objects, in a single use key encrypted format;
- wrapping, by a hardware processor, the plurality of fingerprints with a storage system key held by the storage system;
- receiving, from a first tenant, a request to retrieve data backed up on the storage system for the first tenant, the request comprising a set of fingerprints corresponding to a set of raw data objects to retrieve, and a first tenant key assigned to the first tenant, the set of fingerprints being in the single use key encrypted format and wrapped with the first tenant key;
- unwrapping, using the first tenant key, the received set of fingerprints to retrieve the set of raw data objects corresponding to the received set of fingerprints;
- transmitting the set of raw data objects to the first tenant; and
- removing the first tenant key from the storage system.