Encryption/decryption for data storage system with snapshot capability

US 9,679,165 B2
Filed: 03/18/2015
Issued: 06/13/2017
Est. Priority Date: 07/16/2012
Status: Active Grant

First Claim

Patent Images

1. A method for managing access to encrypted data of a data storage system wherein changing encryption keys are used to store write data to the data storage system, the method comprising:

providing a data storage system comprising a plurality of computer-readable drive storage devices, the data storage system storing a plurality of snapshots in at least a subset of the drive storage devices, wherein each snapshot or combination of snapshots provides a previous point-in-time copy of data in a volume of the data storage system, wherein a given snapshot identifies write data for the volume between a time when the snapshot is committed to disk as read-only and a time when a previous snapshot was committed to disk as read-only;

storing in each snapshot, encrypted snapshot data comprising the write data for that particular snapshot;

associating a decryption key identifier with each snapshot, the decryption key identifier identifying a decryption key corresponding to an encryption key utilized to encrypt the encrypted snapshot data for a particular snapshot, wherein the decryption key identifier is an identifier of the decryption key while not being or storing a decryption key itself and wherein the decryption key is not accessible to the data storage system;

storing, with each snapshot, its associated decryption key identifier; and

upon request for the encrypted snapshot data, providing access to the encrypted snapshot data and the decryption key identifier;

wherein associating a decryption key identifier with each snapshot ensures accessibility to historical snapshot data if changing encryption keys are utilized.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for managing access to encrypted data of a data storage system storing snapshot data, a snapshot providing a previous point-in-time copy of data in a volume of the data storage system, wherein the data storage system utilizes changing encryption keys for write data. For each snapshot, the method stores at least one decryption key identifier for each decryption key corresponding to an encryption key utilized to encrypt data written to a volume since a previous snapshot was committed to disk, and associates the at least one decryption key identifier with the snapshot. A key table associating decryption key identifiers with corresponding decryption keys is provided, and based on the key table and the at least one decryption key identifier associated with the snapshot, one or more decryption keys required for accessing encrypted data associated with the snapshot are determined. Decryption key identifiers may be stored in snapshot metadata.

Citations

12 Claims

1. A method for managing access to encrypted data of a data storage system wherein changing encryption keys are used to store write data to the data storage system, the method comprising:
- providing a data storage system comprising a plurality of computer-readable drive storage devices, the data storage system storing a plurality of snapshots in at least a subset of the drive storage devices, wherein each snapshot or combination of snapshots provides a previous point-in-time copy of data in a volume of the data storage system, wherein a given snapshot identifies write data for the volume between a time when the snapshot is committed to disk as read-only and a time when a previous snapshot was committed to disk as read-only;
  
  storing in each snapshot, encrypted snapshot data comprising the write data for that particular snapshot;
  
  associating a decryption key identifier with each snapshot, the decryption key identifier identifying a decryption key corresponding to an encryption key utilized to encrypt the encrypted snapshot data for a particular snapshot, wherein the decryption key identifier is an identifier of the decryption key while not being or storing a decryption key itself and wherein the decryption key is not accessible to the data storage system;
  
  storing, with each snapshot, its associated decryption key identifier; and
  
  upon request for the encrypted snapshot data, providing access to the encrypted snapshot data and the decryption key identifier;
  
  wherein associating a decryption key identifier with each snapshot ensures accessibility to historical snapshot data if changing encryption keys are utilized.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the decryption key identifier is stored in metadata for the snapshot.
  - 3. The method of claim 2, wherein the decryption key and corresponding encryption key are symmetric.
  - 4. The method of claim 2, wherein the decryption key and corresponding encryption key are asymmetric.
  - 5. The method of claim 1, wherein the encryption key is changed each time a snapshot is committed to disk as read-only, such that each snapshot is associated with a corresponding different decryption key identifier.

6. A data storage system comprising:
- a non-transitory computer-readable storage medium storing;
  
  a plurality of snapshots, wherein one or more snapshots provide a read-only previous point-in-time copy of data in a volume of the data storage system, and wherein a given snapshot identifies write data for the volume between a time when the snapshot is committed to disk as read-only and a time when a previous snapshot was committed to disk as read-only;
  
  with each snapshot, encrypted snapshot data comprising the write data for that particular snapshot;
  
  with each snapshot, an associated decryption key identifier for a decryption key corresponding to an encryption key utilized to encrypt the encrypted snapshot data for that particular snapshot, wherein the decryption key identifier is an identifier of the decryption key while not being or storing a decryption key itself and wherein the decryption key is not accessible to the data storage system; and
  
  a network connection operably connecting the data storage system with a requesting system, such that upon request for the encrypted snapshot data of a given snapshot by the requesting system, access to the encrypted snapshot data and the decryption key identifier associated with the given snapshot is provided via the network connection;
  
  wherein the decryption key identifiers associated with each snapshot ensure accessibility to historical snapshot data if changing encryption keys are utilized.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, wherein each snapshot comprises metadata and the decryption key identifier associated with a snapshot is stored in the metadata for that snapshot.
  - 8. The system of claim 7, wherein each decryption key and corresponding encryption key are symmetric.
  - 9. The system of claim 7, wherein each decryption key and corresponding encryption key are asymmetric.
  - 10. The system of claim 6, wherein the encryption key is changed each time a snapshot is committed to disk as read-only, such that each snapshot is associated with a corresponding different decryption key identifier.

11. A method for managing access to encrypted data of a data storage system storing snapshot data to a computer-readable storage medium, the data storage system utilizing changing encryption keys to store write data to the computer-readable storage medium, the method comprising:
- managing data writes to the data storage system using point-in-time copies (PITCs), an active PITC being a PITC handling all writes to a volume of the data storage system;
  
  managing one or more decryption key identifiers for one or more decryption keys corresponding to one or more encryption keys utilized to encrypt data written to the data storage system while a PITC is active, each decryption key identifier not being or storing a decryption key itself and each decryption key not being accessible to the data storage system;
  
  committing an active PITC to disk as read-only and demoting the PITC from active status;
  
  associating the one or more managed decryption key identifiers with the demoted PITC;
  
  storing the one or more managed decryption key identifiers with the demoted PITC; and
  
  upon request for encrypted data from the demoted PITC, providing access to the encrypted data of that PITC and one or more decryption key identifiers identifying one or more decryption keys corresponding to one or more encryption keys utilized to encrypt the data stored on that PITC;
  
  wherein associating the one or more managed decryption key identifiers with the demoted PITC ensures accessibility to historical PITC data if changing encryption keys are utilized.
- View Dependent Claims (12)
- - 12. The method of claim 11, wherein decryption key identifiers associated with a PITC are stored in metadata for that PITC.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dell International LLC (Dell Technologies Inc.)
Original Assignee
Dell International LLC (Dell Technologies Inc.)
Inventors
Pittelko, Michael H.
Primary Examiner(s)
Cribbs, Malcolm

Application Number

US14/661,014
Publication Number

US 20150193640A1
Time in Patent Office

818 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 11/1446   Point-in-time backing up or...

G06F 11/1448   Management of the data invo...

G06F 21/6218   to a system of files or obj...

G06F 21/78   to assure secure storage of...

G06F 21/805   using a security table for ...

G06F 2201/84   Using snapshots, i.e. a log...

G06F 2221/2107   File encryption

H04L 63/0428   wherein the data content is...

H04L 67/1097   for distributed storage of ...

Encryption/decryption for data storage system with snapshot capability

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Encryption/decryption for data storage system with snapshot capability

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links