Efficient storage of encrypted data in a dispersed storage network

US 9,747,457 B2
Filed: 05/06/2015
Issued: 08/29/2017
Est. Priority Date: 11/25/2009
Status: Expired due to Fees

First Claim

Patent Images

1. A method for storing a data object, the method comprises:

identifying a plurality of data segments of the data object;

generating a plurality of key indexes for the plurality of data segments;

for a data segment of the plurality of data segments;

accessing data segment key information based on a corresponding key index of the plurality of key indexes to determine whether an encryption key has been generated for a similar data segment, wherein the encryption key is a representation of the similar data segment;

when the encryption key has been generated for the similar data segment;

using the encryption key to encrypt the data segment to produce an encrypted data segment;

compressing the encrypted data segment to produce a compressed and encrypted data segment; and

storing the compressed and encrypted data segment in a storage unit of a dispersed storage network (DSN);

when the encryption key has not been generated for the similar data segment;

generating an encryption key based on a representation of the data segment;

generating the corresponding key index based on a representation of the encryption key;

updating the data segment key information to include the corresponding key index;

dispersed storage error encoding the encryption key to produce a set of encoded key slices;

storing the set of encoded key slices in a plurality of storage units of the DSN;

encrypting the data segment using the encryption key to produce the encrypted data segment;

compressing the encrypted data segment to produce the compressed and encrypted data segment; and

storing the compressed and encrypted data segment in the storage unit.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for storing a data object includes identifying data segments of the data object. The method continues with generating key indexes for the data segments. For a data segment, the method continues with accessing data segment key information based on a corresponding key index of the plurality of key indexes to determine whether an encryption key has been generated for a similar data segment. When the encryption key has been generated for the similar data segment, the method continues with using the encryption key to encrypt the data segment to produce an encrypted data segment. The method continues with compressing the encrypted data segment to produce a compressed and encrypted data segment. The method continues with storing the compressed and encrypted data segment in a storage unit of a dispersed storage network (DSN).

90 Citations

12 Claims

1. A method for storing a data object, the method comprises:
- identifying a plurality of data segments of the data object;
  
  generating a plurality of key indexes for the plurality of data segments;
  
  for a data segment of the plurality of data segments;
  
  accessing data segment key information based on a corresponding key index of the plurality of key indexes to determine whether an encryption key has been generated for a similar data segment, wherein the encryption key is a representation of the similar data segment;
  
  when the encryption key has been generated for the similar data segment;
  
  using the encryption key to encrypt the data segment to produce an encrypted data segment;
  
  compressing the encrypted data segment to produce a compressed and encrypted data segment; and
  
  storing the compressed and encrypted data segment in a storage unit of a dispersed storage network (DSN);
  
  when the encryption key has not been generated for the similar data segment;
  
  generating an encryption key based on a representation of the data segment;
  
  generating the corresponding key index based on a representation of the encryption key;
  
  updating the data segment key information to include the corresponding key index;
  
  dispersed storage error encoding the encryption key to produce a set of encoded key slices;
  
  storing the set of encoded key slices in a plurality of storage units of the DSN;
  
  encrypting the data segment using the encryption key to produce the encrypted data segment;
  
  compressing the encrypted data segment to produce the compressed and encrypted data segment; and
  
  storing the compressed and encrypted data segment in the storage unit.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein generating the plurality of key indexes comprises:
    - generating the corresponding key index of the plurality of key indexes for the data segment by;
      
      generating an encryption key based on a representation of the data segment; and
      
      generating the corresponding key index based on a representation of the encryption key.
  - 3. The method of claim 2 further comprises:
    - generating the encryption key by one of;
      
      setting the encryption key substantially equal to the data segment;
      
      and performing a mathematical function on the data segment to produce the encryption key;
      
      generating the corresponding key index by one of;
      
      setting the corresponding key index substantially equal to the encryption key;
      
      performing a mathematical function on the corresponding key index to produce the encryption key; and
      
      performing a hash function on the corresponding key index to produce the encryption key.
  - 4. The method of claim 1, wherein the data segment key information comprises:
    - 30 one or more data segment key tables.

5. A computer device comprises:
- an interface;
  
  memory; and
  
  a processing module operably coupled to the interface and the memory, wherein the processing module is;
  
  identifying a plurality of data segments of a data object;
  
  generating a plurality of key indexes for the plurality of data segments;
  
  for a data segment of the plurality of data segments;
  
  accessing data segment key information based on a corresponding key index of the plurality of key indexes to determine whether an encryption key has been generated for a similar data segment,wherein the encryption key is are presentation of the similar data segment;
  
  when the encryption key has been generated for the similar data segment;
  
  use the encryption key to encrypt the data segment to produce an encrypted data segment;
  
  compress the encrypted data segment to produce a compressed and encrypted data segment; and
  
  outputting, via the interface, the compressed and encrypted data segment to a storage unit of a dispersed storage network (DSN) for storage therein;
  
  when the encryption key has not been generated for the similar data segment;
  
  generating an encryption key based on a representation of the data segment;
  
  generating the corresponding key index based on a representation of the encryption key;
  
  update the data segment key information to include the corresponding key index;
  
  dispersed storage error encode the encryption key to produce a set of encoded key slices;
  
  outputting, via the interface, the set of encoded key slices in a plurality of storage units of the DSN for storage therein;
  
  encrypting the data segment using the encryption key to produce the encrypted data segment;
  
  compressing the encrypted data segment to produce the compressed and encrypted data segment; and
  
  outputting, via the interface, the compressed and encrypted data segment to the storage unit for storage therein.
- View Dependent Claims (6, 7, 8)
- - 6. The computing device of claim 5, wherein the processing module furthergenerates the plurality of key indexes by:
    - generating the corresponding key index of the plurality of key indexes for the data segment by;
      
      generating an encryption key based on a representation of the data segment; and
      
      generating the corresponding key index based on a representation of the encryption key.
  - 7. The computing device of claim 6, wherein the processing module is further:
    - generating the encryption key by one of;
      
      setting the encryption key substantially equal to the data segment; and
      
      performing a mathematical function on the data segment to produce the encryption key;
      
      generating the corresponding key index by one of;
      
      setting the corresponding key index substantially equal to the encryption key;
      
      performing a mathematical function on the corresponding key index to produce the encryption key; and
      
      performing a hash function on the corresponding key index to produce the encryption key.
  - 8. The computing device of claim 5, wherein the data segment key information comprises:
    - one or more data segment key tables.

9. A non-transitory computer readable storage device comprises:
- a first memory section that stores operational instructions that, when executed by a computing device, causes the computing device to;
  
  identify a plurality of data segments of a data object;
  
  a second memory section that stores operational instructions that, when executed by the computing device, causes the computing device to;
  
  generate a plurality of key indexes for the plurality of data segments;
  
  a third memory section that stores operational instructions that, when executed by the computing device, causes the computing device to;
  
  for a data segment of the plurality of data segments;
  
  access data segment key information based on a corresponding key index of the plurality of key indexes to determine whether an encryption key has been generated for a similar data segment, wherein the encryption key is a representation of the similar data segment;
  
  when the encryption key has been generated for the similar data segment;
  
  use the encryption key to encrypt the data segment to produce an encrypted data segment;
  
  compress the encrypted data segment to produce a compressed and encrypted data segment; and
  
  output, via an interface, the compressed and encrypted data segment to a storage unit of a dispersed storage network (DSN) for storage therein;
  
  wherein the third memory section further stores operational instructions that, when executed by the computing device, causes the computing device to;
  
  when the encryption key has not been generated for the similar data segment;
  
  generate an encryption key based on a representation of the data segment;
  
  generate the corresponding key index based on a representation of the encryption key;
  
  update the data segment key information to include the corresponding key index;
  
  dispersed storage error encode the encryption key to produce a set of encoded key slices;
  
  output, via the interface, the set of encoded key slices in a plurality of storage units of the DSN for storage therein;
  
  encrypt the data segment using the encryption key to produce the encrypted data segment;
  
  compress the encrypted data segment to produce the compressed and encrypted data segment; and
  
  output, via the interface, the compressed and encrypted data segment to the storage unit for storage therein.
- View Dependent Claims (10, 11, 12)
- - 10. The non-transitory computer readable storage device of claim 9, wherein the second memory section further stores operational instructions that, when executed by the computing device, causes the computing device to generate the plurality of key indexes by:
    - generating the corresponding key index of the plurality of key indexes for the data segment by;
      
      generating an encryption key based on a representation of the data segment; and
      
      generating the corresponding key index based on a representation of the encryption key.
  - 11. The non-transitory computer readable storage device of claim 9, wherein the second memory section further stores operational instructions that, when executed by the computing device, causes the computing device to:
    - generate the encryption key by one of;
      
      setting the encryption key substantially equal to the data segment; and
      
      performing a mathematical function on the data segment to produce the encryption key;
      
      generate the corresponding key index by one of;
      
      setting the corresponding key index substantially equal to the encryption key;
      
      performing a mathematical function on the corresponding key index to produce the encryption key; and
      
      performing a hash function on the corresponding key index to produce the encryption key.
  - 12. The non-transitory computer readable storage device of claim 9, wherein the data segment key information comprises:
    - one or more data segment key tables.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Grube, Gary W., Markison, Timothy W., Gladwin, S. Christopher, Abhijeet, Kumar, Dhuse, Greg, Resch, Jason K.
Primary Examiner(s)
Eskandarnia, Arvin

Application Number

US14/705,752
Publication Number

US 20150235032A1
Time in Patent Office

846 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/1076   Parity data used in redunda...

G06F 11/1092   Rebuilding, e.g. when physi...

G06F 16/10   File systems; File servers

G06F 16/1752   based on file chunks

G06F 16/182   Distributed file systems

G06F 16/1827   Management specifically ada...

G06F 16/27   Replication, distribution o...

G06F 21/602   Providing cryptographic fac...

G06F 21/6272   by registering files or doc...

G06F 2211/1028   Distributed, i.e. distribut...

G06F 2221/2107   File encryption

G06F 3/0608   Saving storage space on sto...

G06F 3/0619   in relation to data integri...

G06F 3/0641   De-duplication techniques

G06F 3/067   Distributed or networked st...

H04L 63/0428   wherein the data content is...

H04L 69/04   Protocols for data compress...

H04L 9/0861   Generation of secret inform...

Efficient storage of encrypted data in a dispersed storage network

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

90 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Efficient storage of encrypted data in a dispersed storage network

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links