Tracking replica data using key management

US 9,830,278 B1
Filed: 09/26/2016
Issued: 11/28/2017
Est. Priority Date: 03/06/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for generating a wrapped data encryption key, the method comprising:

generating, at a server, an encryption key based on a secure pseudo-random number generator;

concatenating an object identifier to the encryption key, the object identifier associated with an object to be encrypted;

generating a ciphertext by encrypting the concatenated encryption key with a key encryption key;

generating an authenticity code by encrypting the encrypted concatenated encryption key with a redundancy key; and

generating a wrapped data encryption key by concatenating the ciphertext with the authenticity code.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Source and replica data in a storage area network is tracked during management of data encryption keys. Association of source and replica data allows for all copies of customer information in an enterprise to be managed as a single entity for deletion or tracked for management purposes by using referenced data encryption keys upon creation of replicas. Any replica from a source storage object can be created using the source storage object data encryption key or an associated key and tracked by these keys as a subset of the number of replicas created. Management of the data encryption keys can control the lifetime of data on a storage array and in the storage area network without managing every replicated instance for the lifetime of the data.

Citations

9 Claims

1. A computer-implemented method for generating a wrapped data encryption key, the method comprising:
- generating, at a server, an encryption key based on a secure pseudo-random number generator;
  
  concatenating an object identifier to the encryption key, the object identifier associated with an object to be encrypted;
  
  generating a ciphertext by encrypting the concatenated encryption key with a key encryption key;
  
  generating an authenticity code by encrypting the encrypted concatenated encryption key with a redundancy key; and
  
  generating a wrapped data encryption key by concatenating the ciphertext with the authenticity code.
- View Dependent Claims (2, 3, 6)
- - 2. The method of claim 1, further comprising:
    - receiving, at a storage processor from a host processor via a storage area network, a request to write the object to a logical unit number of a disk drive set;
      
      receiving, from the server via a computer network, the wrapped data encryption key;
      
      encrypting the object with the wrapped data encryption key; and
      
      storing the object to the logical unit number.
  - 3. The method of claim 1, further comprising:
    - receiving, at a second storage processor from the first storage processor via the storage area network, a request to replicate the object;
      
      storing, by the second storage processor, the object in a second logical unit number of a second disk drive set; and
      
      transmitting, by the second storage processor to the server via a computer network, an request to associate the wrapped encryption key with the object stored in the second logical unit number of the second disk drive set.
  - 6. The system of claim 3, the instructions being adapted to cause the processor to execute steps comprising:
    - receiving, at a second storage processor from the first storage processor via the storage area network, a request to replicate the object;
      
      storing, by the second storage processor, the object in a second logical unit number of a second disk drive set; and
      
      transmitting, by the second storage processor to the server via a computer network, an request to associate the wrapped encryption key with the object stored in the second logical unit number of the second disk drive set.

4. A system for generating a wrapped data encryption key, the method comprising:
- a processor;
  
  a memory storing instructions, the instructions being adapted to cause the processor to execute steps comprising;
  
  generating, at a server, an encryption key based on a secure pseudo-random number generator;
  
  concatenating an object identifier to the encryption key, the object identifier associated with an object to be encrypted;
  
  generating a ciphertext by encrypting the concatenated encryption key with a key encryption key;
  
  generating an authenticity code by encrypting the encrypted concatenated encryption key with a redundancy key; and
  
  generating a wrapped data encryption key by concatenating the ciphertext with the authenticity code.
- View Dependent Claims (5)
- - 5. The system of claim 4, the instructions being adapted to cause the processor to execute steps comprising:
    - receiving, at a storage processor from a host processor via a storage area network, a request to write the object to a logical unit number of a disk drive set;
      
      receiving, from the server via a computer network, the wrapped data encryption key;
      
      encrypting the object with the wrapped data encryption key; and
      
      storing the object to the logical unit number.

7. A non-transitory computer readable medium including computer code adapted to be executed on electronic computer hardware, the code comprising:
- code for generating, at a server, an encryption key based on a secure pseudo-random number generator;
  
  code for concatenating an object identifier to the encryption key, the object identifier associated with an object to be encrypted;
  
  code for generating a ciphertext by encrypting the concatenated encryption key with a key encryption key;
  
  code for generating an authenticity code by encrypting the encrypted concatenated encryption key with a redundancy key; and
  
  code for generating a wrapped data encryption key by concatenating the ciphertext with the authenticity code.
- View Dependent Claims (8, 9)
- - 8. The non-transitory computer readable medium of claim 7, the code further comprising:
    - code for receiving, at a storage processor from a host processor via a storage area network, a request to write the object to a logical unit number of a disk drive set;
      
      code for receiving, from the server via a computer network, the wrapped data encryption key;
      
      code for encrypting the object with the wrapped data encryption key; and
      
      code for storing the object to the logical unit number.
  - 9. The non-transitory computer readable medium of claim 7, the code further comprising:
    - code for receiving, at a second storage processor from the first storage processor via the storage area network, a request to replicate the object;
      
      code for storing, by the second storage processor, the object in a second logical unit number of a second disk drive set; and
      
      code for transmitting, by the second storage processor to the server via a computer network, an request to associate the wrapped encryption key with the object stored in the second logical unit number of the second disk drive set.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Harwood, John S., Linnell, Thomas E., Fitzgerald, John T.
Primary Examiner(s)
Zaidi, Syed

Application Number

US15/275,926
Time in Patent Office

428 Days
Field of Search

380277
US Class Current
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 21/00   Security arrangements for p...

G06F 21/6209   to a single file or object,...

G06F 2212/1052   Security improvement

G06F 3/0623   in relation to content

G06F 3/065   Replication mechanisms

G06F 3/067   Distributed or networked st...

G06F 3/0689   Disk arrays, e.g. RAID, JBOD

H04L 2463/062   applying encryption of the ...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/123   received data contents, e.g...

Tracking replica data using key management

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Tracking replica data using key management

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links