SYSTEM AND METHOD FOR ENCRYPTING SECONDARY COPIES OF DATA

US 20100031017A1
Filed: 12/28/2007
Published: 02/04/2010
Est. Priority Date: 12/29/2006
Status: Active Grant

First Claim

Patent Images

1. A system for re-encrypting data stored as secondary copies on secondary storage media under a first encryption scheme, comprising:

an encryption tracking component, wherein the encryption tracking component monitors encryption schemes associated with data stored as secondary copies on secondary storage media;

a media retrieval component, wherein the media retrieval component receives an indication from the encryption tracking component to change an encryption scheme for a secondary copy of data associated with a first encryption scheme, and retrieves a storage medium containing the secondary copy of data associated with the first encryption scheme;

an encryption component, wherein the encryption component decrypts the secondary copy of data associated with the first encryption scheme and encrypts at least a portion of the secondary copy with a second encryption scheme.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for encrypting secondary copies of data is described. In some examples, the system encrypts a secondary copy of data after the secondary copy is created. In some examples, the system looks to information about a data storage system, and determines when and where to encrypt data based on the information.

177 Citations

View as Search Results

21 Claims

1. A system for re-encrypting data stored as secondary copies on secondary storage media under a first encryption scheme, comprising:
- an encryption tracking component, wherein the encryption tracking component monitors encryption schemes associated with data stored as secondary copies on secondary storage media;
  
  a media retrieval component, wherein the media retrieval component receives an indication from the encryption tracking component to change an encryption scheme for a secondary copy of data associated with a first encryption scheme, and retrieves a storage medium containing the secondary copy of data associated with the first encryption scheme;
  
  an encryption component, wherein the encryption component decrypts the secondary copy of data associated with the first encryption scheme and encrypts at least a portion of the secondary copy with a second encryption scheme.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein the second encryption scheme was created after the secondary copy was stored on the storage medium.
  - 3. The system of claim 1, wherein the encryption tracking component monitors encryption schemes associated with classes of data stored as secondary copies of data.
  - 4. The system of claim 1, wherein a portion of the secondary copy of data is associated with the first encryption scheme and the encryption component only decrypts the portion of the secondary copy of data associated with the first encryption scheme and encrypts the decrypted portion with the second encryption scheme.

5. A method of dynamically choosing a time to encrypt a copy of data created from data included in an original data set, the method comprising:
- receiving information related to a completion time of a data storage operation starting before a first time and required to be completed before the first time, wherein the data storage operation creates copies of at least a portion of the original data set;
  
  estimating a modified completion time based on the completion time and based on a time required to encrypt the created copies of the at least portion of the data set; and
  
  when the modified completion time occurs after the first time, encrypting data contained in the created copies after creation of the copies; and
  
  when the modified completion time occurs before the first time, encrypting data contained in the created copies during creation of the copies.
- View Dependent Claims (6, 7)
- - 6. The method of claim 5, wherein encrypting data contained in the created copies after creation of the copies includes using resources used by the data storage operation.
  - 7. The method of claim 5, wherein encrypting data contained in the created copies during creation of the copies includes using resources used by the data storage operation.

8. A method of dynamically choosing a resource to encrypt a copy of data created from data included in an original data set, the method comprising:
- receiving information related to a completion time of a data storage operation starting before a first time and required to finish before the first time, wherein the data storage operation creates copies of at least a portion of the original data set;
  
  estimating a modified completion time based on the completion time and based on a time required to encrypt the created copies of the at least portion of the data set; and
  
  when the estimated completion time occurs after the first time, encrypting data contained in the created copies using resources not employed by the data storage operation.

9. A system for encrypting secondary copies of a data store created by a file system, comprising:
- two or more data reception components, wherein the two or more data reception components communicate with a data server containing the data store and receive data from the data store to be stored into secondary copies;
  
  two or more data storage components, wherein the two or more data storage components receive the data to be stored into secondary copies, create the secondary copies, and transfer the secondary copies to be stored to storage media; and
  
  an encryption component, wherein the encryption component receives at least a portion of the secondary copies from the two or more data storage components;
  
  encrypts at least a portion of the secondary copies; and
  
  transfers the at least portion of the secondary copies to the storage media.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The system of claim 9, wherein the data storage components transfer at least a portion of the secondary copies to be encrypted to the encryption component and at least a portion of the secondary copies not to be encrypted directly to the storage media.
  - 11. The system of claim 9, wherein the encryption component determines the at least portion of the secondary copies to encrypt based on information related to a type of data of the received data.
  - 12. The system of claim 9, further comprising:
    - an index component, wherein the index component includes an index that relates the secondary copies with encryption schemes used to encrypt the secondary copies.
  - 13. The system of claim 9, wherein the data store is contained on a server within a first network, and the encryption component is contained on a server within a second, distinct network.

14. A method of producing a secondary copy of data from an original set of data, the method comprising:
- creating a first copy of the data from the original set of the data, wherein the first copy contains data in a format similar to a format of the data contained in the original data set;
  
  creating a second copy of the data from the first copy, wherein the second copy contains data in a different format than the format of the data contained in the original data set; and
  
  encrypting the second copy the data after the second copy of the data has been created.
- View Dependent Claims (15, 16, 17)
- - 15. The method of claim 14, wherein the second copy of the data includes a backup copy of the original set of data.
  - 16. The method of claim 14, wherein the second copy of the data includes an archive copy of the original set of data.
  - 17. The method of claim 14, wherein the second copy of the data is created within a pre-determined time period, and the second copy of the data is encrypted after the pre-determined time period has lapsed.

18. A method of encrypting data to be stored as a secondary copy of a data set, the method comprising:
- determining storage operations to be performed in creating the secondary copy of the data set, wherein determining storage operations includes identifying storage resources to be utilized by the storage operations;
  
  identifying from amongst the determined storage operations one or more storage operations to be used to encrypt the secondary copy;
  
  calculating a time to performing the determined storage operations including the identified storage operations to be used to encrypt the secondary copy;
  
  when the calculated time exceeds a threshold time for creating the secondary copy of the data set;
  
  identifying data within the data set to be stored without encryption, wherein identifying the data includes reviewing characteristics of the data to determine whether the data requires encryption under a pre-determined encryption criteria;
  
  storing the identified data within the data set to be stored without encryption, wherein storing the identified data includes utilizing the identified storage resources; and
  
  encrypting the non-identified data within the data set using storage resources not utilized by the storage operations.
- View Dependent Claims (19, 20, 21)
- - 19. The method of claim 18, further comprising:
    - calculating the time to perform the determined storage operations after storing the identified data within the data set to be stored without encryption; and
      
      when the calculated time to perform the determined storage operations after storing the identified data within the data set to be stored without encryption exceeds the threshold time;
      
      identifying, from amongst the data to be stored with encryption, data to be stored without encryption, wherein identifying the data includes reviewing second characteristics of the data to determine whether the data requires encryption under the pre-determined encryption criteria; and
      
      encrypting the non-identified data within the data set using storage resources not utilized by the storage operations.
  - 20. The method of claim 18, wherein the characteristics of the data include a classification of the data.
  - 21. The method of claim 18, further comprising:
    - storing the encrypted non-identified data utilizing the identified storage resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CommVault Systems Incorporated
Original Assignee
CommVault Systems Incorporated
Inventors
Gokhale, Parag, Erofeev, Andrei, Muller, Marcus S.

Granted Patent

US 8,775,823 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/153
CPC Class Codes

G06F 21/1073   Conversion

G06F 21/602   Providing cryptographic fac...

G06F 21/6209   to a single file or object,...

G06F 21/6272   by registering files or doc...

G06F 21/78   to assure secure storage of...

G06F 2221/2107   File encryption

H04L 12/40176   involving redundancy error ...

H04L 2209/605   Copy protection

H04L 63/0428   wherein the data content is...

H04L 9/00   Cryptographic mechanisms or...

SYSTEM AND METHOD FOR ENCRYPTING SECONDARY COPIES OF DATA

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

177 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR ENCRYPTING SECONDARY COPIES OF DATA

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

177 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links