Distributed data set encryption and decryption
First Claim
1. An apparatus comprising a processor component and a storage to store instructions that, when executed by the processor component, cause the processor component to perform operations comprising:
- transmit, to multiple node devices, a command to encrypt a data set distributed among the multiple node devices for storage;
receive, from at least one node device of the multiple node devices, at least a portion of metadata indicative of organization of data within the data set, wherein;
the data set is to be stored as multiple encrypted data blocks within a data file maintained by one or more storage devices;
each node device of the multiple node devices is to provide at least one encrypted data block of the multiple encrypted data blocks to be stored;
the organization of the multiple encrypted data blocks within the data file is to be indicated in map data that is to comprise multiple map entries;
each map entry of the multiple map entries is to correspond to an encrypted data block of the multiple encrypted data blocks; and
at least a subset of the multiple node devices are to each encrypt a portion of the data of the data set to generate at least one of the multiple encrypted data blocks at least partially in parallel;
receive, from each node device of the multiple node devices, an indication of a size of one of the multiple encrypted data blocks and data block encryption data, wherein the data block encryption data is generated by the node device and is used by the node device to encrypt a portion of the data set to generate the one of the multiple encrypted data blocks;
for each encrypted data block of the multiple encrypted data blocks for which an indication of size and data block encryption data is received, generate a corresponding one of the multiple map entries within the map data to include the indication of size and the data block encryption data; and
in response to receipt of indications of size and data block encryption data for the encrypted data blocks of the multiple encrypted data blocks, perform operations comprising;
use, by the processor component, metadata block encryption data to encrypt the metadata to generate an encrypted metadata block;
add the metadata block encryption data to the map data;
transmit the encrypted metadata block to the one or more storage devices to be stored at a first predetermined location within the data file;
use, by the processor component, first map block encryption data to encrypt a first portion of the map data to generate an encrypted map base, wherein the first portion of the map data includes at least a first subset of the multiple map entries and the metadata block encryption data; and
transmit the encrypted map base to the one or more storage devices to be stored at a second predetermined location within the data file.
1 Assignment
0 Petitions
Accused Products
Abstract
An apparatus including a processor caused to: receive sizes and data block encryption data for multiple encrypted data blocks from multiple node devices, wherein data block encryption data is separately generated and used by each node device to encrypt a portion of a data set to generate one of the multiple encrypted data blocks; for each encrypted data block, generate a corresponding map entry within map data to include size and data block encryption data; and in response to receiving size and data block encryption data for all encrypted data blocks, encrypt a portion of the map data to generate an encrypted map base, wherein the portion of map data includes at least a subset of the multiple map entries, and transmit the encrypted map base to one or more storage devices to be stored within a data file along with the multiple encrypted data blocks.
-
Citations
30 Claims
-
1. An apparatus comprising a processor component and a storage to store instructions that, when executed by the processor component, cause the processor component to perform operations comprising:
-
transmit, to multiple node devices, a command to encrypt a data set distributed among the multiple node devices for storage; receive, from at least one node device of the multiple node devices, at least a portion of metadata indicative of organization of data within the data set, wherein; the data set is to be stored as multiple encrypted data blocks within a data file maintained by one or more storage devices; each node device of the multiple node devices is to provide at least one encrypted data block of the multiple encrypted data blocks to be stored; the organization of the multiple encrypted data blocks within the data file is to be indicated in map data that is to comprise multiple map entries; each map entry of the multiple map entries is to correspond to an encrypted data block of the multiple encrypted data blocks; and at least a subset of the multiple node devices are to each encrypt a portion of the data of the data set to generate at least one of the multiple encrypted data blocks at least partially in parallel; receive, from each node device of the multiple node devices, an indication of a size of one of the multiple encrypted data blocks and data block encryption data, wherein the data block encryption data is generated by the node device and is used by the node device to encrypt a portion of the data set to generate the one of the multiple encrypted data blocks; for each encrypted data block of the multiple encrypted data blocks for which an indication of size and data block encryption data is received, generate a corresponding one of the multiple map entries within the map data to include the indication of size and the data block encryption data; and in response to receipt of indications of size and data block encryption data for the encrypted data blocks of the multiple encrypted data blocks, perform operations comprising; use, by the processor component, metadata block encryption data to encrypt the metadata to generate an encrypted metadata block; add the metadata block encryption data to the map data; transmit the encrypted metadata block to the one or more storage devices to be stored at a first predetermined location within the data file; use, by the processor component, first map block encryption data to encrypt a first portion of the map data to generate an encrypted map base, wherein the first portion of the map data includes at least a first subset of the multiple map entries and the metadata block encryption data; and transmit the encrypted map base to the one or more storage devices to be stored at a second predetermined location within the data file. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, the computer-program product including instructions operable to cause a processor component to perform operations comprising:
-
transmit, to multiple node devices, a command to encrypt a data set distributed among the multiple node devices for storage; receive, from at least one node device of the multiple node devices, at least a portion of metadata indicative of organization of data within the data set, wherein; the data set is to be stored as multiple encrypted data blocks within a data file maintained by one or more storage devices; each node device of the multiple node devices is to provide at least one encrypted data block of the multiple encrypted data blocks to be stored; the organization of the multiple encrypted data blocks within the data file is to be indicated in map data that is to comprise multiple map entries; each map entry of the multiple map entries is to correspond to an encrypted data block of the multiple encrypted data blocks; and at least a subset of the multiple node devices are to each encrypt a portion of the data of the data set to generate at least one of the multiple encrypted data blocks at least partially in parallel; receive, from each node device of the multiple node devices, an indication of a size of one of the multiple encrypted data blocks, and data block encryption data, wherein the data block encryption data is generated by the node device and is used by the node device to encrypt a portion of the data set to generate the one of the multiple encrypted data blocks; for each encrypted data block of the multiple encrypted data blocks for which an indication of size and data block encryption data is received, generate a corresponding one of the multiple map entries within the map data to include the indication of size and the data block encryption data; and in response to receipt of indications of size and data block encryption data for the encrypted data blocks of the multiple encrypted data blocks, perform operations comprising; use, by the processor component, metadata block encryption data to encrypt the metadata to generate an encrypted metadata block; add the metadata block encryption data to the map data; transmit the encrypted metadata block to the one or more storage devices to be stored at a first predetermined location within the data file; use, by the processor component first map block encryption data to encrypt a first portion of the map data to generate an encrypted map base, wherein the first portion of the map data includes at least a first subset of the multiple map entries and the metadata block encryption data; and transmit the encrypted map base to the one or more storage devices to be stored at a second predetermined location within the data file. - View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
-
-
21. A computer-implemented method comprising:
-
transmitting, to multiple node devices via a network, a command to encrypt a data set distributed among the multiple node devices for storage; receiving, from at least one node device of the multiple node devices, at least a portion of metadata indicative of organization of data within the data set, wherein; the data set is to be stored as multiple encrypted data blocks within a data file maintained by one or more storage devices; each node device of the multiple node devices is to provide at least one encrypted data block of the multiple encrypted data blocks to be stored; the organization of the multiple encrypted data blocks within the data file is to be indicated in map data that is to comprise multiple map entries; each map entry of the multiple map entries is to correspond to an encrypted data block of the multiple encrypted data blocks; and at least a subset of the multiple node devices are to each encrypt a portion of the data of the data set to generate at least one of the multiple encrypted data blocks at least partially in parallel; receiving, from each node device of the multiple node devices, an indication of a size of one of the multiple encrypted data blocks, and data block encryption data, wherein the data block encryption data is generated by the node device and is used by the node device to encrypt a portion of the data set to generate the one of the multiple encrypted data blocks; for each encrypted data block of the multiple encrypted data blocks for which an indication of size and data block encryption data is received, generating, by a processor component, a corresponding one of the multiple map entries within the map data to include the indication of size and the data block encryption data; and in response to receipt of indications of size and data block encryption data for the encrypted data blocks of the multiple encrypted data blocks, performing operations comprising; using, by the processor component, the metadata block encryption data to encrypt the metadata to generate an encrypted metadata block; adding, by the processor component, the metadata block encryption data to the map data; transmitting, via the network, the encrypted metadata block to the one or more storage devices to be stored at a first predetermined location within the data file; using, by the processor component, the first map block encryption data to encrypt a first portion of the map data to generate an encrypted map base, wherein the first portion of the map data includes at least a first subset of the multiple map entries and the metadata block encryption data; and transmitting, via the network, the encrypted map base to the one or more storage devices to be stored at a second predetermined location within the data file. - View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
-
Specification