Encryption/decryption for data storage system with snapshot capability
First Claim
1. A method for managing access to encrypted data of a data storage system wherein changing encryption keys are used to store write data to the data storage system, the method comprising:
- providing a data storage system comprising a plurality of computer-readable drive storage devices, the data storage system storing a plurality of snapshots in at least a subset of the drive storage devices, wherein each snapshot or combination of snapshots provides a previous point-in-time copy of data in a volume of the data storage system, wherein a given snapshot identifies write data for the volume between a time when the snapshot is committed to disk as read-only and a time when a previous snapshot was committed to disk as read-only;
- storing in each snapshot, encrypted snapshot data comprising the write data for that particular snapshot;
- associating a decryption key identifier with each snapshot, the decryption key identifier identifying a decryption key corresponding to an encryption key utilized to encrypt the encrypted snapshot data for a particular snapshot, wherein the decryption key identifier is an identifier of the decryption key while not being or storing a decryption key itself and wherein the decryption key is not accessible to the data storage system;
- storing, with each snapshot, its associated decryption key identifier; and
- upon request for the encrypted snapshot data, providing access to the encrypted snapshot data and the decryption key identifier;
- wherein associating a decryption key identifier with each snapshot ensures accessibility to historical snapshot data if changing encryption keys are utilized.
15 Assignments
0 Petitions
Abstract
A method for managing access to encrypted data of a data storage system storing snapshot data, a snapshot providing a previous point-in-time copy of data in a volume of the data storage system, wherein the data storage system utilizes changing encryption keys for write data. For each snapshot, the method stores at least one decryption key identifier for each decryption key corresponding to an encryption key utilized to encrypt data written to a volume since a previous snapshot was committed to disk, and associates the at least one decryption key identifier with the snapshot. A key table associating decryption key identifiers with corresponding decryption keys is provided, and based on the key table and the at least one decryption key identifier associated with the snapshot, one or more decryption keys required for accessing encrypted data associated with the snapshot are determined. Decryption key identifiers may be stored in snapshot metadata.
12 Claims
1. A method for managing access to encrypted data of a data storage system wherein changing encryption keys are used to store write data to the data storage system, the method comprising:
- providing a data storage system comprising a plurality of computer-readable drive storage devices, the data storage system storing a plurality of snapshots in at least a subset of the drive storage devices, wherein each snapshot or combination of snapshots provides a previous point-in-time copy of data in a volume of the data storage system, wherein a given snapshot identifies write data for the volume between a time when the snapshot is committed to disk as read-only and a time when a previous snapshot was committed to disk as read-only;
- storing in each snapshot, encrypted snapshot data comprising the write data for that particular snapshot;
- associating a decryption key identifier with each snapshot, the decryption key identifier identifying a decryption key corresponding to an encryption key utilized to encrypt the encrypted snapshot data for a particular snapshot, wherein the decryption key identifier is an identifier of the decryption key while not being or storing a decryption key itself and wherein the decryption key is not accessible to the data storage system;
- storing, with each snapshot, its associated decryption key identifier; and
- upon request for the encrypted snapshot data, providing access to the encrypted snapshot data and the decryption key identifier;
- wherein associating a decryption key identifier with each snapshot ensures accessibility to historical snapshot data if changing encryption keys are utilized.

Dependent claims: 2, 3, 4, 5.
6. A data storage system comprising:
- a non-transitory computer-readable storage medium storing:
  - a plurality of snapshots, wherein one or more snapshots provide a read-only previous point-in-time copy of data in a volume of the data storage system, and wherein a given snapshot identifies write data for the volume between a time when the snapshot is committed to disk as read-only and a time when a previous snapshot was committed to disk as read-only;
  - with each snapshot, encrypted snapshot data comprising the write data for that particular snapshot;
  - with each snapshot, an associated decryption key identifier for a decryption key corresponding to an encryption key utilized to encrypt the encrypted snapshot data for that particular snapshot, wherein the decryption key identifier is an identifier of the decryption key while not being or storing a decryption key itself and wherein the decryption key is not accessible to the data storage system; and
- a network connection operably connecting the data storage system with a requesting system, such that upon request for the encrypted snapshot data of a given snapshot by the requesting system, access to the encrypted snapshot data and the decryption key identifier associated with the given snapshot is provided via the network connection;
- wherein the decryption key identifiers associated with each snapshot ensure accessibility to historical snapshot data if changing encryption keys are utilized.

Dependent claims: 7, 8, 9, 10.
11. A method for managing access to encrypted data of a data storage system storing snapshot data to a computer-readable storage medium, the data storage system utilizing changing encryption keys to store write data to the computer-readable storage medium, the method comprising:
- managing data writes to the data storage system using point-in-time copies (PITCs), an active PITC being a PITC handling all writes to a volume of the data storage system;
- managing one or more decryption key identifiers for one or more decryption keys corresponding to one or more encryption keys utilized to encrypt data written to the data storage system while a PITC is active, each decryption key identifier not being or storing a decryption key itself and each decryption key not being accessible to the data storage system;
- committing an active PITC to disk as read-only and demoting the PITC from active status;
- associating the one or more managed decryption key identifiers with the demoted PITC;
- storing the one or more managed decryption key identifiers with the demoted PITC; and
- upon request for encrypted data from the demoted PITC, providing access to the encrypted data of that PITC and one or more decryption key identifiers identifying one or more decryption keys corresponding to one or more encryption keys utilized to encrypt the data stored on that PITC;
- wherein associating the one or more managed decryption key identifiers with the demoted PITC ensures accessibility to historical PITC data if changing encryption keys are utilized.

Dependent claims: 12.
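The key-identifier mechanism that claims 1, 6 and 11 describe, modelled as an added Python example (not code from the patent or any product): a key table held outside the storage system, PITCs that carry only decryption key identifiers, a key change while a PITC is active, and a requesting side that resolves the identifiers through the key table before decrypting. The SHA-256 counter-mode stand-in cipher and all class, method and identifier names are assumptions made for this example.

```python
from dataclasses import dataclass, field
import hashlib, os, secrets

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (SHA-256 in counter mode) so the example needs only the
    # stdlib; a real system would use an authenticated cipher such as AES-GCM.
    ks, ctr = bytearray(), 0
    while len(ks) < len(data):
        ks += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, ks))

class KeyManager:                       # key table (identifier -> key), outside the storage system
    def __init__(self):
        self.table, self.current = {}, None
    def rotate(self) -> str:            # start using a new encryption key
        kid = f"kid-{len(self.table) + 1}"
        self.table[kid] = secrets.token_bytes(32)
        self.current = kid
        return kid
    def encrypt(self, data: bytes):     # -> (key identifier, nonce, ciphertext)
        nonce = os.urandom(12)
        return self.current, nonce, _keystream_xor(self.table[self.current], nonce, data)

@dataclass
class PITC:
    writes: list = field(default_factory=list)  # (block, kid, nonce, ciphertext)
    key_ids: set = field(default_factory=set)   # identifiers only, no key material
    read_only: bool = False

class StorageSystem:                    # holds ciphertext and identifiers; never sees a key
    def __init__(self):
        self.snapshots, self.active = [], PITC()
    def write(self, block: int, kid: str, nonce: bytes, ct: bytes):
        self.active.writes.append((block, kid, nonce, ct))
        self.active.key_ids.add(kid)    # record every key used while this PITC is active
    def commit(self) -> PITC:           # commit as read-only, demote, open a new active PITC
        snap, self.active = self.active, PITC()
        snap.read_only = True
        self.snapshots.append(snap)
        return snap
    def request(self, index: int):      # ciphertext plus the identifiers needed to decrypt it
        snap = self.snapshots[index]
        return snap.writes, sorted(snap.key_ids)

def restore(storage: StorageSystem, km: KeyManager, index: int) -> dict:
    # Requesting side: resolve each identifier through the key table, then decrypt.
    writes, kids = storage.request(index)
    keys = {kid: km.table[kid] for kid in kids}
    return {blk: _keystream_xor(keys[kid], nonce, ct) for blk, kid, nonce, ct in writes}
```

Rotating the key between two writes to the same active PITC leaves the committed snapshot with two identifiers, and the requester needs both table entries to read it; the storage system itself holds nothing that can decrypt.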