Maintaing encryption keys to provide encryption on top of data deduplication

US 9,652,634 B2
Filed: 05/19/2015
Issued: 05/16/2017
Est. Priority Date: 05/19/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

generating an encryption key based upon data content of a portion of data to be encrypted by the encryption key;

storing the encryption key as one of a plurality of encryption keys within a subset of storage, each of the plurality of encryption keys generated based upon corresponding data content;

calculating a checksum representing the plurality of encryption keys;

calculating, in response to receiving an input/output (I/O) request for data encrypted by the encryption key, a verification checksum representing the plurality of encryption keys;

modifying the checksum to a reserved value in response to determining the checksum and the verification checksum do not match due to a corruption of the plurality of encryption keys;

repairing the plurality of encryption keys; and

recalculating the checksum in response to the repairing of the plurality of encryption keys.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Exemplary methods, apparatuses, and systems generate an encryption key based upon data content of a portion of data to be encrypted by the encryption key. The encryption key is stored as one of a plurality of encryption keys within a subset of storage. Each of the plurality of encryption keys is generated based upon corresponding data content. A checksum representing the plurality of encryption keys is calculated. In response to receiving an input/output (I/O) request for data encrypted by the encryption key, a verification checksum representing the plurality of encryption keys is calculated. The requested data is decrypted using the encryption key in response to verifying the checksum and verification checksum match.

15 Citations

View as Search Results

17 Claims

1. A computer-implemented method, comprising:
- generating an encryption key based upon data content of a portion of data to be encrypted by the encryption key;
  
  storing the encryption key as one of a plurality of encryption keys within a subset of storage, each of the plurality of encryption keys generated based upon corresponding data content;
  
  calculating a checksum representing the plurality of encryption keys;
  
  calculating, in response to receiving an input/output (I/O) request for data encrypted by the encryption key, a verification checksum representing the plurality of encryption keys;
  
  modifying the checksum to a reserved value in response to determining the checksum and the verification checksum do not match due to a corruption of the plurality of encryption keys;
  
  repairing the plurality of encryption keys; and
  
  recalculating the checksum in response to the repairing of the plurality of encryption keys.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, further comprising:
    - determining, when calculating the checksum, that the checksum equals a reserved value; and
      
      modifying the checksum to no longer equal the reserved value.
  - 3. The computer-implemented method of claim 1, further comprising:
    - determining the verification checksum equals a reserved value; and
      
      modifying the verification checksum to no longer equal the reserved value.
  - 4. The computer-implemented method of claim 1, wherein generating the encryption key is based upon a secret key and the data content.
  - 5. The computer-implemented method of claim 1, wherein the plurality of stored encryption keys are wrapped using a secret key.
  - 6. The computer-implemented method of claim 5, wherein the portion of data is stored within a datacenter on behalf of one of a plurality of tenant groups of the datacenter, and wherein the secret key is used to wrap a plurality of encryption keys for a plurality of users within the tenant group.

7. A non-transitory computer-readable medium storing instructions, which when executed by a processing device, cause the processing device to perform a method comprising:
- generating an encryption key based upon data content of a portion of data to be encrypted by the encryption key;
  
  storing the encryption key as one of a plurality of encryption keys within a subset of storage, each of the plurality of encryption keys generated based upon corresponding data content;
  
  calculating a checksum representing the plurality of encryption keys;
  
  calculating, in response to receiving an input/output (I/O) request for data encrypted by the encryption key, a verification checksum representing the plurality of encryption keys;
  
  modifying the checksum to a reserved value in response to determining the checksum and the verification checksum do not match due to a corruption of the plurality of encryption keys;
  
  repairing the plurality of encryption keys; and
  
  recalculating the checksum in response to the repairing of the plurality of encryption keys.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The non-transitory computer-readable medium of claim 7, the method further comprising:
    - determining, when calculating the checksum, that the checksum equals a reserved value; and
      
      modifying the checksum to no longer equal the reserved value.
  - 9. The non-transitory computer-readable medium of claim 7, the method further comprising:
    - determining the verification checksum equals a reserved value; and
      
      modifying the verification checksum to no longer equal the reserved value.
  - 10. The non-transitory computer-readable medium of claim 7, wherein generating the encryption key is based upon a secret key and the data content.
  - 11. The non-transitory computer-readable medium of claim 7, wherein the plurality of stored encryption keys are wrapped using a secret key.
  - 12. The non-transitory computer-readable medium of claim 11, wherein the portion of data is stored within a datacenter on behalf of one of a plurality of tenant groups of the datacenter, and wherein the secret key is used to wrap a plurality of encryption keys for a plurality of users within the tenant group.

13. An apparatus comprising:
- a processing device; and
  
  a memory coupled to the processing device, the memory storing instructions which, when executed by the processing device, cause the apparatus to;
  
  generate an encryption key based upon data content of a portion of data to be encrypted by the encryption key;
  
  store the encryption key as one of a plurality of encryption keys within a subset of storage, each of the plurality of encryption keys generated based upon corresponding data content;
  
  calculate a checksum representing the plurality of encryption keys;
  
  calculate, in response to receiving an input/output (I/O) request for data encrypted by the encryption key, a verification checksum representing the plurality of encryption keys;
  
  modify the checksum to a reserved value in response to determining the checksum and the verification checksum do not match due to a corruption of the plurality of encryption keys;
  
  repair the plurality of encryption keys; and
  
  recalculate the checksum in response to the repairing of the plurality of encryption keys.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The apparatus of claim 13, wherein the instructions further cause the host computer to:
    - determine, when calculating the checksum, that the checksum equals a reserved value; and
      
      modify the checksum to no longer equal the reserved value.
  - 15. The apparatus of claim 13, wherein the instructions further cause the host computer to:
    - determine the verification checksum equals a reserved value; and
      
      modify the verification checksum to no longer equal the reserved value.
  - 16. The apparatus of claim 13, wherein generating the encryption key is based upon a secret key and the data content.
  - 17. The apparatus of claim 13, wherein the plurality of stored encryption keys are wrapped using a secret key, wherein the portion of data is stored within a datacenter on behalf of one of a plurality of tenant groups of the datacenter, and wherein the secret key is used to wrap a plurality of encryption keys for a plurality of users within the tenant group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Wang, Wenguang, Meng, Xiaoxuan
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Zhu, Zhimei

Application Number

US14/716,768
Publication Number

US 20160342814A1
Time in Patent Office

728 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/00   Error detection; Error corr...

G06F 21/6245   Protecting personal data, e...

G06F 21/64   Protecting data integrity, ...

H04L 9/0861   Generation of secret inform...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3239   involving non-keyed hash fu...

Maintaing encryption keys to provide encryption on top of data deduplication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Maintaing encryption keys to provide encryption on top of data deduplication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links