STORAGE SYSTEM, STORAGE CONTROL APPARATUS, AND STORAGE CONTROL METHOD
Abstract
A storage system in which a storage control apparatus writes data in each of divided areas defined by division of one or more storage areas in one or more storage devices, after encryption of the data with an encryption key unique to each divided area. When the storage control apparatus receives, from a management apparatus, designation of one or more of the divided areas allocated as one or more physical storage areas for a virtual storage area to be invalidated and an instruction to invalidate data stored in the one or more of the divided areas, the storage control apparatus invalidates one or more encryption keys associated with the designated one or more of the divided areas. In addition, the storage control apparatus may further overwrite at least part of the designated one or more of the divided areas with initialization data for data erasure.
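The per-area key invalidation the abstract describes, sketched as an added example (not code from the patent or its assignee). The names `StorageController` and `delete_virtual_volume`, the 64-byte area size, and the HMAC-SHA256 keystream standing in for the cipher (which the page does not name) are all assumptions.

```python
import hashlib
import hmac
import secrets

AREA_SIZE = 64  # bytes per divided area (constructed; real areas are far larger)

def _xor_stream(key, area, data):
    # Stand-in cipher for the demo: HMAC-SHA256 keystream XORed with the data.
    # Not a production cipher; the page does not name the one the apparatus uses.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, f"{area}:{off}".encode(), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class StorageController:
    def __init__(self, n_areas):
        # Encryption-key information: one unique key per divided area.
        self.keys = {a: secrets.token_bytes(32) for a in range(n_areas)}
        self.media = {a: bytes(AREA_SIZE) for a in range(n_areas)}  # raw device contents

    def _key(self, area):
        key = self.keys[area]
        if key is None:
            raise PermissionError(f"area {area}: encryption key invalidated")
        return key

    def write(self, area, data):
        if len(data) > AREA_SIZE:
            raise ValueError("data larger than one divided area")
        padded = data.ljust(AREA_SIZE, b"\0")
        self.media[area] = _xor_stream(self._key(area), area, padded)

    def read(self, area):
        return _xor_stream(self._key(area), area, self.media[area])

    def invalidate(self, areas, overwrite=False):
        # Handles the management apparatus's instruction for the designated areas.
        for a in areas:
            self.keys[a] = None                   # ciphertext left on the media is unreadable
            if overwrite:
                self.media[a] = bytes(AREA_SIZE)  # optional initialization-data pass

def delete_virtual_volume(ctrl, allocation, volume, overwrite=False):
    # Management side: designate the areas allocated to the volume being invalidated.
    areas = allocation.pop(volume)
    ctrl.invalidate(areas, overwrite)
    return areas
```

Invalidating one virtual volume leaves its ciphertext on the media but unreadable, while areas allocated to other volumes keep their keys and stay readable.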
20 Claims
1. A storage control apparatus comprising:
- a memory configured to store encryption-key information including encryption keys respectively associated with divided areas defined by division of one or more storage areas in one or more storage devices; and
- a processor configured to perform a procedure including,
  - acquiring from the encryption-key information one of the encryption keys associated with one of the divided areas in which data is to be written, encrypting the data to be written, by use of the one of the encryption keys, to generate encrypted data, and writing the encrypted data in the one of the divided areas, and
  - invalidating one or more of the encryption keys associated with one or more of the divided areas and included in the encryption-key information when the storage control apparatus receives, from a management apparatus, designation of the one or more of the divided areas and an instruction to invalidate data stored in the one or more of the divided areas, and the one or more of the divided areas are allocated as one or more physical storage areas for a virtual storage area to be invalidated.

Dependent claims: 2, 3, 4, 5, 6

7. A storage system comprising:
- a management apparatus containing a first processor configured to perform a first procedure which includes sending to a storage control apparatus designation of one or more of divided areas and an instruction to invalidate data stored in the one or more of the divided areas, where the divided areas are defined by division of one or more storage areas in one or more storage devices, and the one or more of the divided areas are allocated as one or more physical storage areas for a virtual storage area to be invalidated; and
- the storage control apparatus containing,
  - a memory configured to store encryption-key information including encryption keys respectively associated with the divided areas; and
  - a second processor configured to perform a second procedure which includes,
    - acquiring from the encryption-key information one of the encryption keys associated with one of the divided areas in which data is to be written, encrypting the data to be written, by use of the one of the encryption keys, to generate encrypted data, and writing the encrypted data in the one of the divided areas, and
    - invalidating one or more of the encryption keys associated with one or more of the divided areas and included in the encryption-key information when the storage control apparatus receives, from the management apparatus, the designation of the one or more of the divided areas and the instruction to invalidate data stored in the one or more of the divided areas, and the one or more of the divided areas are allocated as one or more physical storage areas for a virtual storage area to be invalidated.

Dependent claims: 8, 9, 10, 11, 12, 13

14. A storage control method comprising:
- performing, by a storage control apparatus, operations of referring to encryption-key information including encryption keys respectively associated with divided areas defined by division of one or more storage areas in one or more storage devices, acquiring from the encryption-key information one of the encryption keys associated with one of the divided areas in which data is to be written, encrypting the data to be written, by use of the one of the encryption keys, to generate encrypted data, and writing the encrypted data in the one of the divided areas;
- sending, by a management apparatus, to the storage control apparatus, designation of one or more of the divided areas and an instruction to invalidate data stored in the one or more of the divided areas, where the one or more of the divided areas are allocated as one or more physical storage areas for a virtual storage area to be invalidated; and
- invalidating, by the storage control apparatus, one or more of the encryption keys associated with the one or more of the divided areas and included in the encryption-key information, in response to the instruction from the management apparatus.

Dependent claims: 15, 16, 17, 18, 19, 20

Specification