Apparatus, system, and method for transparent end-to-end security of storage data in a client-server environment
First Claim
1. An apparatus for transparent end-to-end security of storage data in a client-server environment, the apparatus comprising:
- a key generator configured to generate a random storage key for each storage construct associated with a storage session, the storage key uniquely associated with the storage construct;
an encryption module configured to encrypt the storage construct using the storage key and to encrypt the storage key using a transmission key known to a receiver; and
a communication interface configured to transmit the encrypted storage construct and the encrypted storage key to the receiver, the receiver configured to store the encrypted storage construct on a first storage device, decrypt the encrypted storage key using the transmission key, and store the storage key on a second storage device physically distinct from the first storage device.
1 Assignment
0 Petitions
Accused Products
Abstract
The present invention includes one or more clients in communication with a server. The client desires to send a storage construct to the server for storage. The client negotiates a transmission key with the server. The client generates a storage key associated specifically with the storage construct. The client encrypts the storage construct using the storage key and encrypts the storage key using the transmission key. The encrypted storage construct and encrypted storage key are sent to the server. The server decrypts the storage key using the transmission key. The server stores the storage construct on a storage device separate from a storage device storing the storage key. Preferably, any changes to the storage construct location, the storage key location, or the storage construct name are tracked and proper modifications are made to an association relating the location of the storage construct and the location for the corresponding storage key.
60 Citations
40 Claims
-
1. An apparatus for transparent end-to-end security of storage data in a client-server environment, the apparatus comprising:
-
a key generator configured to generate a random storage key for each storage construct associated with a storage session, the storage key uniquely associated with the storage construct;
an encryption module configured to encrypt the storage construct using the storage key and to encrypt the storage key using a transmission key known to a receiver; and
a communication interface configured to transmit the encrypted storage construct and the encrypted storage key to the receiver, the receiver configured to store the encrypted storage construct on a first storage device, decrypt the encrypted storage key using the transmission key, and store the storage key on a second storage device physically distinct from the first storage device. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. An apparatus for transparent end-to-end security of storage data in a client-server environment, the apparatus comprising:
-
a communication interface configured to receive an encrypted storage construct and an encrypted storage key from a sender, the storage construct encrypted by the sender using a storage key generated by the sender, the storage key uniquely associated with the storage construct, the storage construct encrypted using a transmission key shared with the sender;
a storage module configured to store the encrypted storage construct on a first storage device and the storage key on a second storage device physically distinct from the first storage device; and
an association module configured to manage an association between the encrypted storage construct on the first storage device and the encrypted storage key on the second storage device. - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
-
15. A system for transparent end-to-end security of storage data in a client-server environment, the system comprising:
-
a plurality of backup-archive clients, each client configured to generate a unique storage key for a specific storage construct, encrypt the storage construct using the storage key, encrypt the storage key using a shared transmission key, wherein the storage construct comprises a physical file defined on a host of at least one of the backup-archive clients;
a storage server configured to receive the encrypted storage construct and the encrypted storage key from one of the clients, decrypt the storage key using the shared transmission key, store the encrypted storage construct on a first storage device separate from a second storage device that stores the storage key; and
a network that operatively connects the clients and the server for network communications. - View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24)
-
-
25. A signal bearing medium tangibly embodying a program of machine-readable instructions executable by a digital processing apparatus to perform operations for transparent end-to-end security of storage data in a client-server environment, the operations comprising:
-
an operation to generate a unique storage key for a specific storage construct;
an operation to encrypt the storage construct using the storage key;
an operation to encrypt the storage key using a transmission key known to a sender and a receiver;
an operation to transmit the encrypted storage construct and the encrypted storage key from the sender to the receiver;
an operation to decrypt the storage key using the transmission key; and
an operation to store the encrypted storage construct on a first storage device and the decrypted storage key on a second storage device physically distinct from the first storage device. - View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
-
-
37. A method for deploying computing infrastructure, comprising integrating computer readable code into a computing system, wherein the code in combination with the computing system is capable of performing the following:
-
generating a unique storage key for a specific storage construct;
encrypting the storage construct using the storage key;
encrypting the storage key using a transmission key known to a sender and a receiver;
transmitting the encrypted storage construct and the encrypted storage key from the sender to the receiver;
decrypting the storage key using the transmission key; and
storing the encrypted storage construct on a first storage device and the decrypted storage key on a second storage device physically distinct from the first storage device. - View Dependent Claims (38, 39)
-
-
40. An apparatus for transparent end-to-end security of storage data in a client-server environment, the apparatus comprising:
-
means for generating a unique storage key for a specific storage construct;
means for encrypting the storage construct using the storage key;
means for encrypting the storage key using a transmission key known to a sender and a receiver;
means for transmitting the encrypted storage construct and the encrypted storage key from the sender to the receiver;
means for decrypting the storage key using the transmission key; and
means for storing the encrypted storage construct on a first storage device and the decrypted storage key on a second storage device physically distinct from the first storage device.
-
Specification