Data encryption in a de-duplicating storage in a multi-tenant environment

US 9,602,283 B1
Filed: 06/20/2016
Issued: 03/21/2017
Est. Priority Date: 03/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

assigning a plurality of tenant keys to a plurality of tenants, each tenant being assigned a specific tenant key of the plurality of tenant keys;

storing in a storage system a plurality of raw data objects backed up for the plurality of tenants;

storing in the storage system a plurality of fingerprints, corresponding to the plurality of raw data objects, in a single use key encrypted format;

wrapping, by a hardware processor, the plurality of fingerprints with a storage system key held by the storage system;

receiving, from a first tenant, a request to retrieve data backed up on the storage system for the first tenant, the request comprising a set of fingerprints corresponding to a set of raw data objects to retrieve, and a first tenant key assigned to the first tenant, the set of fingerprints being in the single use key encrypted format and wrapped with the first tenant key;

unwrapping, using the first tenant key, the received set of fingerprints to retrieve the set of raw data objects corresponding to the received set of fingerprints;

transmitting the set of raw data objects to the first tenant; and

removing the first tenant key from the storage system.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention addresses encryption systems and methods in the de-duplication of data in a multi-tenant environment. The system provides isolation between tenants'"'"' stored data and the storage system. Tenant keys are assigned to tenants. The storage system stores raw data objects backed up for the tenants and fingerprints, corresponding to the data objects, in a single use key encrypted format. Fingerprints are wrapped with a storage system key held by the storage system. A request is received to retrieve data backed up for a tenant. The request includes fingerprints corresponding to the data objects to retrieve, and a tenant key, the fingerprints being in the single use key encrypted format and wrapped with the tenant key. The received fingerprints are unwrapped using the tenant key to retrieve data objects corresponding to the received fingerprints. The data objects are transmitted to the tenant and the tenant key is removed.

27 Citations

View as Search Results

15 Claims

1. A method comprising:
- assigning a plurality of tenant keys to a plurality of tenants, each tenant being assigned a specific tenant key of the plurality of tenant keys;
  
  storing in a storage system a plurality of raw data objects backed up for the plurality of tenants;
  
  storing in the storage system a plurality of fingerprints, corresponding to the plurality of raw data objects, in a single use key encrypted format;
  
  wrapping, by a hardware processor, the plurality of fingerprints with a storage system key held by the storage system;
  
  receiving, from a first tenant, a request to retrieve data backed up on the storage system for the first tenant, the request comprising a set of fingerprints corresponding to a set of raw data objects to retrieve, and a first tenant key assigned to the first tenant, the set of fingerprints being in the single use key encrypted format and wrapped with the first tenant key;
  
  unwrapping, using the first tenant key, the received set of fingerprints to retrieve the set of raw data objects corresponding to the received set of fingerprints;
  
  transmitting the set of raw data objects to the first tenant; and
  
  removing the first tenant key from the storage system.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein the first tenant key is removed from the storage system after responding to the request from the first tenant.
  - 3. The method of claim 1 wherein the first tenant key specifies a first sequence of raw data objects that form a first data item of the first tenant, a second tenant key specifies a second sequence of raw data objects, different from the first sequence, that form a second data item of the second tenant, andwherein at least one raw data object specified in the first sequence is also specified in the second sequence.
  - 4. The method of claim 1 comprising:
    - maintaining a plurality of single use keys for encryption and decryption of the plurality of fingerprints stored in the storage system; and
      
      in response to the request to retrieve data backed up on the storage system for the first tenant, decrypting the unwrapped received set of fingerprints from the first tenant using a single use key of the plurality of single use keys.
  - 5. The method of claim 1 comprising:
    - encrypting the plurality of raw data objects with a single use key of a plurality of single use keys maintained by the storage system.

6. A system for retrieving data backed up to a de-duplicating storage system for a multi-tenant environment, the system comprising:
- a hardware processor in a computer system and configured to;
  
  assign a plurality of tenant keys to a plurality of tenants, each tenant being assigned a specific tenant key of the plurality of tenant keys;
  
  store in a storage system a plurality of raw data objects backed up for the plurality of tenants;
  
  store in the storage system a plurality of fingerprints, corresponding to the plurality of raw data objects, in a single use key encrypted format;
  
  wrap, by the hardware processor, the plurality of fingerprints with a storage system key held by the storage system;
  
  receive, from a first tenant, a request to retrieve data backed up on the storage system for the first tenant, the request comprising a set of fingerprints corresponding to a set of raw data objects to retrieve, and a first tenant key assigned to the first tenant, the set of fingerprints being in the single use key encrypted format and wrapped with the first tenant key;
  
  unwrap, using the first tenant key, the received set of fingerprints to retrieve the set of raw data objects corresponding to the received set of fingerprints;
  
  transmit the set of raw data objects to the first tenant; and
  
  remove the first tenant key from the storage system.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6 wherein the first tenant key is removed from the storage system after responding to the request from the first tenant.
  - 8. The system of claim 6 wherein the first tenant key specifies a first sequence of raw data objects that form a first data item of the first tenant, a second tenant key specifies a second sequence of raw data objects, different from the first sequence, that form a second data item of the second tenant, andwherein at least one raw data object specified in the first sequence is also specified in the second sequence.
  - 9. The system of claim 6 wherein the hardware processor is configured to:
    - maintain a plurality of single use keys for encryption and decryption of the plurality of fingerprints stored in the storage system; and
      
      in response to the request to retrieve data backed up on the storage system for the first tenant, decrypt the unwrapped received set of fingerprints from the first tenant using a single use key of the plurality of single use keys.
  - 10. The system of claim 6 wherein the hardware processor is configured to:
    - encrypt the plurality of raw data objects with a single use key of a plurality of single use keys maintained by the storage system.

11. A computer program product, comprising a non-transitory computer-readable medium having a computer-readable program code embodied therein, the computer-readable program code adapted to be executed by one or more processors to implement a method comprising:
- assigning a plurality of tenant keys to a plurality of tenants, each tenant being assigned a specific tenant key of the plurality of tenant keys;
  
  storing in a storage system a plurality of raw data objects backed up for the plurality of tenants;
  
  storing in the storage system a plurality of fingerprints, corresponding to the plurality of raw data objects, in a single use key encrypted format;
  
  wrapping, by a hardware processor, the plurality of fingerprints with a storage system key held by the storage system;
  
  receiving, from a first tenant, a request to retrieve data backed up on the storage system for the first tenant, the request comprising a set of fingerprints corresponding to a set of raw data objects to retrieve, and a first tenant key assigned to the first tenant, the set of fingerprints being in the single use key encrypted format and wrapped with the first tenant key;
  
  unwrapping, using the first tenant key, the received set of fingerprints to retrieve the set of raw data objects corresponding to the received set of fingerprints;
  
  transmitting the set of raw data objects to the first tenant; and
  
  removing the first tenant key from the storage system.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11 wherein the first tenant key is removed from the storage system after responding to the request from the first tenant.
  - 13. The method of claim 11 wherein the first tenant key specifies a first sequence of raw data objects that form a first data item of the first tenant, a second tenant key specifies a second sequence of raw data objects, different from the first sequence, that form a second data item of the second tenant, andwherein at least one raw data object specified in the first sequence is also specified in the second sequence.
  - 14. The method of claim 11 comprising:
    - maintaining a plurality of single use keys for encryption and decryption of the plurality of fingerprints stored in the storage system; and
      
      in response to the request to retrieve data backed up on the storage system for the first tenant, decrypting the unwrapped received set of fingerprints from the first tenant using a single use key of the plurality of single use keys.
  - 15. The method of claim 11 comprising:
    - encrypting the plurality of raw data objects with a single use key of a plurality of single use keys maintained by the storage system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Chandra, Surendar, Sawyer, Darren
Primary Examiner(s)
Patel, Haresh N

Application Number

US15/187,434
Time in Patent Office

274 Days
Field of Search

713/163, 713/193, 726/6
US Class Current

1/1
CPC Class Codes

G06F 16/1748   De-duplication implemented ...

G06F 21/602   Providing cryptographic fac...

G06F 21/6272   by registering files or doc...

H04L 63/0428   wherein the data content is...

H04L 9/32   including means for verifyi...

Data encryption in a de-duplicating storage in a multi-tenant environment

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Data encryption in a de-duplicating storage in a multi-tenant environment

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links