Host based rekeying
First Claim
1. A method comprising:
- receiving, by a computing device, a re-key command issued by a host computer for one or more stored ciphertexts each associated with one of a plurality of designated data blocks stored on one or more disk storage devices, wherein the issuing of the re-key command is initiated based on one or more re-writing policies that track thresholds associated with one or more old encryption key attributes stored on the host computer; and
generating, by the computing device, a plurality of new encryption keys, upon receipt of the re-key command issued from the host computer, wherein the plurality of new encryption keys are adapted to apply to the one or more stored ciphertexts;
reading, by the computing device, the one or more stored ciphertexts;
decrypting, by the computing device, the one or more stored ciphertexts using one or more old encryption keys to produce a decrypted data file comprising content;
re-encrypting, by the computing device, a portion of the decrypted data file using a first one of new encryption keys and re-encrypting another portion of the data file using a second one of new encryption keys to produce re-encrypted ciphertext; and
writing, by the computing device, the re-encrypted ciphertext, into the one or more disk storage devices.
Abstract
A system and method for re-keying ciphertext on a storage system is resident on a host/client communicating with a storage system. The generation of encryption keys and tracking which storage system blocks are encrypted with what keys remain with the security appliance or storage system, but the policy governing re-keying and initiating actions in accordance with that policy reside with the client/host.
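The claim and abstract above split the work between two parties: the host keeps the key attributes and the re-writing policy with its thresholds and issues the re-key command, while the storage side generates the new keys, tracks which block sits under which key, decrypts each designated block with its old key, re-encrypts one portion under the first new key and the other portion under the second, and writes the result back. The following Python model is an added example, not code from the patent or its assignee. The cipher is a standard-library stand-in (an HMAC-SHA256 keystream plus an HMAC tag) chosen only so the example runs offline; a real storage system would use AES-XTS or AES-GCM. Key ids, block ids, the thresholds and the sample payloads are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Stand-in authenticated cipher (assumption for this example): HMAC-SHA256 keystream
# XORed with the data plus an HMAC tag, so it runs with the standard library only.
NONCE_LEN, TAG_LEN = 12, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext authentication failed")  # wrong key or tampering
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

@dataclass
class StorageDevice:
    # Storage side: generates keys and tracks which block is under which key.
    keys: dict = field(default_factory=dict)    # key_id -> key bytes
    blocks: dict = field(default_factory=dict)  # block_id -> [(key_id, ciphertext), ...]
    counter: int = 0

    def new_key(self) -> str:
        self.counter += 1
        self.keys[f"k{self.counter}"] = os.urandom(32)
        return f"k{self.counter}"

    def write(self, block_id: str, key_id: str, data: bytes) -> None:
        self.blocks[block_id] = [(key_id, encrypt(self.keys[key_id], data))]

    def read(self, block_id: str) -> bytes:
        return b"".join(decrypt(self.keys[kid], ct) for kid, ct in self.blocks[block_id])

    def rekey(self, old_key_id: str) -> tuple:
        """Service the host's re-key command: generate two new keys, decrypt each block
        under the old key, re-encrypt one portion under each new key, write back."""
        k_a, k_b = self.new_key(), self.new_key()
        for bid, segments in list(self.blocks.items()):
            if all(kid != old_key_id for kid, _ in segments):
                continue
            plain = self.read(bid)
            mid = len(plain) // 2
            self.blocks[bid] = [(k_a, encrypt(self.keys[k_a], plain[:mid])),
                                (k_b, encrypt(self.keys[k_b], plain[mid:]))]
        del self.keys[old_key_id]  # retired: no block references it any more
        return k_a, k_b

@dataclass
class Host:
    # Host side: holds key attributes and the re-writing policy, issues commands.
    device: StorageDevice
    max_age_seconds: float
    max_bytes: int
    key_attrs: dict = field(default_factory=dict)  # key_id -> {"created_at", "bytes"}

    def provision_key(self, now: float) -> str:
        key_id = self.device.new_key()
        self.key_attrs[key_id] = {"created_at": now, "bytes": 0}
        return key_id

    def write(self, block_id: str, key_id: str, data: bytes) -> None:
        self.device.write(block_id, key_id, data)
        self.key_attrs[key_id]["bytes"] += len(data)

    def keys_due(self, now: float) -> list:
        return [kid for kid, a in self.key_attrs.items()
                if now - a["created_at"] >= self.max_age_seconds or a["bytes"] >= self.max_bytes]

    def enforce_policy(self, now: float) -> dict:
        """Issue a re-key command for each key over a threshold; map old id -> new ids."""
        rotated = {}
        for old in self.keys_due(now):
            rotated[old] = self.device.rekey(old)
            del self.key_attrs[old]
            for nid in rotated[old]:
                self.key_attrs[nid] = {"created_at": now, "bytes": 0}
        return rotated

def demo() -> dict:
    """Constructed scenario: one key, two blocks, one-day age threshold."""
    device = StorageDevice()
    host = Host(device, max_age_seconds=86400, max_bytes=1 << 20)
    k1 = host.provision_key(now=0)
    host.write("blk0", k1, b"constructed block zero payload")
    host.write("blk1", k1, b"constructed block one payload")
    early = host.enforce_policy(now=3600)  # under both thresholds: no command issued
    late = host.enforce_policy(now=90000)  # age threshold crossed: command issued
    return {"early": early, "late": late, "blk0": device.read("blk0"),
            "segments": len(device.blocks["blk0"]), "keys": sorted(device.keys)}
```

Note that after `rekey` each block consists of two ciphertext segments under two different keys, and a read has to decrypt both; the old key is deleted only once no segment references it, which is the check a real implementation must make before destroying key material.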
20 Claims
1. A method comprising: (as given under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computing device comprising:
- a memory containing a machine readable medium comprising machine executable code having stored thereon instructions for performing a method of providing data sessions with clients that access data containers of a shared storage; and
- a processor coupled to the memory, the processor configured to execute the machine executable code to cause the processor to:
receive a re-key command issued by a host computer for one or more stored ciphertexts each associated with one of a plurality of designated data blocks stored on one or more disk storage devices, wherein the issuing of the re-key command is initiated based on one or more re-writing policies that track thresholds associated with one or more old encryption key attributes stored on the host computer; and
generate a plurality of new encryption keys, upon receipt of the re-key command issued from the host computer, wherein the plurality of new encryption keys are adapted to apply to the one or more stored ciphertexts;
read the one or more stored ciphertexts;
decrypt the one or more stored ciphertexts using one or more old encryption keys to produce a decrypted data file comprising content;
re-encrypt a portion of the decrypted data file using a first one of new encryption keys and re-encrypt another portion of the data file using a second one of new encryption keys to produce re-encrypted ciphertext; and
write the re-encrypted ciphertext into the one or more disk storage devices.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A non-transitory machine readable medium having stored thereon instructions for performing a method comprising executable code that, when executed by at least one machine, causes the machine to:
- receive a re-key command issued by a host computer for one or more stored ciphertexts each associated with one of a plurality of designated data blocks stored on one or more disk storage devices, wherein the issuing of the re-key command is initiated based on one or more re-writing policies that track thresholds associated with one or more old encryption key attributes stored on the host computer; and
generate a plurality of new encryption keys, upon receipt of the re-key command issued from the host computer, wherein the plurality of new encryption keys are adapted to apply to the one or more stored ciphertexts;
read the one or more stored ciphertexts;
decrypt the one or more stored ciphertexts using one or more old encryption keys to produce a decrypted data file comprising content;
re-encrypt a portion of the decrypted data file using a first one of new encryption keys and re-encrypt another portion of the data file using a second one of new encryption keys to produce re-encrypted ciphertext; and
write the re-encrypted ciphertext into the one or more disk storage devices.
Dependent claims: 16, 17, 18, 19, 20.
Specification