Host based rekeying

US 9,774,445 B1
Filed: 09/04/2007
Issued: 09/26/2017
Est. Priority Date: 09/04/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a computing device, a re-key command issued by a host computer for one or more stored ciphertexts each associated with one of a plurality of designated data blocks stored on one or more disk storage devices, wherein the issuing of the re-key command is initiated based on one or more re-writing policies that tracks thresholds associated with one or more old encryption key attributes stored on the host computer; and

generating, by the computing device, a plurality of new encryption keys, upon receipt of the re-key command issued from the host computer, wherein the plurality of new encryption keys are adapted to apply to the one or more stored ciphertexts;

reading, by the computing device, the one or more stored ciphertexts;

decrypting, by the computing device, the one or more stored ciphertexts using one or more old encryption keys to produce a decrypted data file comprising content;

re-encrypting, by the computing device, a portion of the decrypted data file using a first one of new encryption keys and re-encrypting another portion of the data file using a second one of new encryption keys to produce re-encrypted ciphertext; and

writing, by the computing device, the re-encrypted ciphertext, into the one or more disk storage devices.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for re-keying ciphertext on a storage system is resident on a host/client communicating with a storage system. The generation of encryption keys and tracking which storage system blocks are encrypted with what keys remain with the security appliance or storage system, but the policy governing re-keying and initiating actions in accordance with that policy reside with the client/host.

Citations

20 Claims

1. A method comprising:
- receiving, by a computing device, a re-key command issued by a host computer for one or more stored ciphertexts each associated with one of a plurality of designated data blocks stored on one or more disk storage devices, wherein the issuing of the re-key command is initiated based on one or more re-writing policies that tracks thresholds associated with one or more old encryption key attributes stored on the host computer; and
  
  generating, by the computing device, a plurality of new encryption keys, upon receipt of the re-key command issued from the host computer, wherein the plurality of new encryption keys are adapted to apply to the one or more stored ciphertexts;
  
  reading, by the computing device, the one or more stored ciphertexts;
  
  decrypting, by the computing device, the one or more stored ciphertexts using one or more old encryption keys to produce a decrypted data file comprising content;
  
  re-encrypting, by the computing device, a portion of the decrypted data file using a first one of new encryption keys and re-encrypting another portion of the data file using a second one of new encryption keys to produce re-encrypted ciphertext; and
  
  writing, by the computing device, the re-encrypted ciphertext, into the one or more disk storage devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the issuing of the re-key command is initiated based on one or more re-writing policies that tracks temporal thresholds associated with one or more old encryption key attributes stored on the host computer.
  - 3. The method of claim 1 wherein the a portion of the decrypted data file comprises a data portion of the file and the first one of new encryption keys comprises a file key.
  - 4. The method of claim 3 wherein the another portion of the decrypted data file comprises a metadata portion of the file and the second one of new encryption keys comprises a cryptainer key.
  - 5. The method of claim 4 wherein the file key is encrypted and signed with the cryptainer key.
  - 6. The method of claim 1 wherein writing the re-encrypted ciphertext comprises writing into the same one of the plurality of designated data blocks from which the one or more stored ciphertexts were read.
  - 7. The method of claim 1 to providing a logical unit number that contains a location of the one or more stored ciphertexts.

8. A computing device comprising:
- a memory containing a machine readable medium comprising machine executable code having stored thereon instructions for performing a method of providing data sessions with clients that access data containers of a shared storage; and
  
  a processor coupled to the memory, the processor configured to execute the machine executable code to cause the processor to;
  
  receive a re-key command issued by a host computer for one or more stored ciphertexts each associated with one of a plurality of designated data blocks stored on one or more disk storage devices, wherein the issuing of the re-key command is initiated based on one or more re-writing policies that tracks thresholds associated with one or more old encryption key attributes stored on the host computer; and
  
  generate a plurality of new encryption keys, upon receipt of the re-key command issued from the host computer, wherein the plurality of new encryption keys are adapted to apply to the one or more stored ciphertexts;
  
  read the one or more stored ciphertexts;
  
  decrypt the one or more stored ciphertexts using one or more old encryption keys to produce a decrypted data file comprising content;
  
  re-encrypt a portion of the decrypted data file using a first one of new encryption keys and re-encrypting another portion of the data file using a second one of new encryption keys to produce re-encrypted ciphertext; and
  
  write the re-encrypted ciphertext, into the one or more disk storage devices.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The device of claim 8 wherein the processor is further configured to execute the machine executable code to cause the processor to write the re-encrypted ciphertext into a same one or more blocks from which the stored ciphertext were read.
  - 10. The device of claim 8 wherein the processor is further configured to execute the machine executable code to cause the processor to provide a logical unit number that contains a location of the ciphertext.
  - 11. The device of claim 8 wherein the issuing of the re-key command is initiated based on one or more re-writing policies that tracks temporal thresholds associated with one or more old encryption key attributes stored on the host computer.
  - 12. The device of claim 8 wherein the a portion of the decrypted data file comprises a data portion of the file and the first one of new encryption keys comprises a file key.
  - 13. The device of claim 12 wherein the another portion of the decrypted data file comprises a metadata portion of the file and the second one of new encryption keys comprises a cryptainer key.
  - 14. The device of claim 13 wherein the file key is encrypted and signed with the cryptainer key.

15. A non-transitory machine readable medium having stored thereon instructions for performing a method comprising executable code that, when executed by at least one machine, causes the machine to:
- receive a re-key command issued by a host computer for one or more stored ciphertexts each associated with one of a plurality of designated data blocks stored on one or more disk storage devices, wherein the issuing of the re-key command is initiated based on one or more re-writing policies that tracks thresholds associated with one or more old encryption key attributes stored on the host computer; and
  
  generate a plurality of new encryption keys, upon receipt of the re-key command issued from the host computer, wherein the plurality of new encryption keys are adapted to apply to the one or more stored ciphertexts;
  
  read the one or more stored ciphertexts;
  
  decrypt the one or more stored ciphertexts using one or more old encryption keys to produce a decrypted data file comprising content;
  
  re-encrypt a portion of the decrypted data file using a first one of new encryption keys and re-encrypting another portion of the data file using a second one of new encryption keys to produce re-encrypted ciphertext; and
  
  write the re-encrypted ciphertext, into the one or more disk storage devices.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The medium of claim 15 wherein the issuing of the re-key command is initiated based on one or more re-writing policies that tracks temporal thresholds associated with one or more old encryption key attributes stored on the host computer.
  - 17. The medium of claim 15 wherein the a portion of the decrypted data file comprises a data portion of the file and the first one of new encryption keys comprises a file key;
    - wherein the another portion of the decrypted data file comprises a metadata portion of the file and the second one of new encryption keys comprises a cryptainer key.
  - 18. The medium of claim 17 wherein the file key is encrypted and signed with the cryptainer key.
  - 19. The medium of claim 15 wherein to write the re-encrypted ciphertext comprises writing into the same one of the plurality of designated data blocks from which the one or more stored ciphertexts were read.
  - 20. The medium of claim 15 to provide a logical unit number that contains a location of the ciphertext.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
NetApp, Inc.
Inventors
Gandhasri, Rajamohan
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Debnath, Suman

Application Number

US11/772,447
Time in Patent Office

3,675 Days
Field of Search

380372, 380273, 380277
US Class Current
CPC Class Codes

H04L 9/08   Key distribution or managem...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

Host based rekeying

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Host based rekeying

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links