Discarding sensitive data from persistent point-in-time image

US 8,589,697 B2
Filed: 04/30/2008
Issued: 11/19/2013
Est. Priority Date: 04/30/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

encrypting an Active File System (AFS) with a corresponding encryption key;

generating a new encryption key in response to creating a Persistent Point-in- time Image (PPI) of the AFS, wherein data written to the AFS after the PPI is created is encrypted with the new encryption key;

identifying data to be discarded and data not to be discarded, the data to be discarded being read-only, encrypted with a first encryption key, and selected from a first plurality of datasets included in a first PPI;

determining whether to re-encrypt a portion of datasets in the AFS corresponding to a subset of the first plurality of datasets in the first PPI by comparing the first plurality of datasets with the AFS to determine whether the AFS references the subset both encrypted with the first encryption key and corresponding to the data not to be discarded;

decrypting each dataset of the subset corresponding to ˜

the data not to be discarded, with the first encryption key;

re-encrypting each of the decrypted datasets of the first PPI with the new encryption key;

in response to determining whether to re-encrypt the portion of datasets in the AFS corresponding to the subset of the first plurality of datasets in the first PPI, copying each of the re-encrypted datasets of the first PPI to the AFS; and

shredding the first encryption key to render the data to be discarded unrecoverable.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network storage server implements a method to discard sensitive data from a Persistent Point-In-Time Image (PPI). The server first efficiently identifies a dataset containing the sensitive data from a plurality of datasets managed by the PPI. Each of the plurality of datasets is read-only and encrypted with a first encryption key. The server then decrypts each of the plurality of datasets, except the dataset containing the sensitive data, with the first encryption key. The decrypted datasets are re-encrypted with a second encryption key, and copied to a storage structure. Afterward, the first encryption key is shredded.

39 Citations

View as Search Results

22 Claims

1. A method comprising:
- encrypting an Active File System (AFS) with a corresponding encryption key;
  
  generating a new encryption key in response to creating a Persistent Point-in- time Image (PPI) of the AFS, wherein data written to the AFS after the PPI is created is encrypted with the new encryption key;
  
  identifying data to be discarded and data not to be discarded, the data to be discarded being read-only, encrypted with a first encryption key, and selected from a first plurality of datasets included in a first PPI;
  
  determining whether to re-encrypt a portion of datasets in the AFS corresponding to a subset of the first plurality of datasets in the first PPI by comparing the first plurality of datasets with the AFS to determine whether the AFS references the subset both encrypted with the first encryption key and corresponding to the data not to be discarded;
  
  decrypting each dataset of the subset corresponding to ˜
  
  the data not to be discarded, with the first encryption key;
  
  re-encrypting each of the decrypted datasets of the first PPI with the new encryption key;
  
  in response to determining whether to re-encrypt the portion of datasets in the AFS corresponding to the subset of the first plurality of datasets in the first PPI, copying each of the re-encrypted datasets of the first PPI to the AFS; and
  
  shredding the first encryption key to render the data to be discarded unrecoverable.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as recited in claim 1, further comprising:
    - shredding key encryption keys used to encrypt the first encryption key.
  - 3. The method as recited in claim 1, further comprising:
    - deleting the first PPI.
  - 4. The method as recited in claim 1, further comprising:
    - deleting storage structures that contain datasets encrypted with the first encryption key.
  - 5. The method as recited in claim 1, further comprising:
    - responding with a data-not-available indication to requests for datasets encrypted with the first encryption key.
  - 6. The method as recited in claim 1, further comprising:
    - identifying a second plurality of datasets that includes the data to be discarded, wherein the second plurality of datasets are included in a second PPI; and
      
      comparing the second plurality of datasets with the first plurality of datasets to determine whether the second plurality of datasets includes datasets not included in the first plurality of datasets that are encrypted with the first encryption key corresponding to active data not to be discarded.

7. A method, comprising:
- creating a Persistent Point-in-time Image (PPI) based on an Active File System (AFS), wherein the AFS references a plurality of datasets each of which is encrypted with a corresponding encryption key, and the PPI provides read-only references to the plurality of datasets;
  
  generating a new encryption key in response to the creation of the PPI, wherein the new encryption key is to encrypt newly allocated datasets in the AFS;
  
  in response to a user request to discard sensitive data stored in a dataset included in a first PPI encrypted with a first encryption key;
  
  determining whether to re-encrypt a portion of the AFS by comparing the first PPI with the AFS to determine whether the AFS references data, other than the sensitive data in the first PPI, that is encrypted with the first encryption key;
  
  in response to determining whether to re-encrypt the portion of the AFS, re-keying the data referenced by the AFS, other than the sensitive data, with the new encryption key;
  
  writing the re-keyed data to the AFS; and
  
  shredding the first encryption key to render the sensitive data unrecoverable.
- View Dependent Claims (8, 9)
- - 8. The method as recited in claim 7, further comprising:
    - encrypting the new encryption key with a wrapping key associated with the AFS.
  - 9. The method as recited in claim 7, further comprising:
    - decrypting a dataset, selected from the plurality of datasets, with its corresponding encryption key in response to a user request for the dataset.

10. A method to discard a dataset, comprising:
- encrypting an Active File System (AFS) with a first encryption key;
  
  generating a new encryption key in response to creating a Persistent Point-in- time Image (PPI) of the AFS, wherein data written to the AFS after the PPI is created is encrypted with the new encryption key;
  
  identifying data to be discarded, wherein the data to be discarded is read-only and is encrypted with the first encryption key;
  
  identifying a first PPI referencing the data to be discarded, wherein the first PPI references a plurality of datasets each of which is read-only and encrypted with the first encryption key;
  
  determining whether to re-encrypt a portion of the AFS by comparing the first PPI referencing the data to be discarded with the AFS to identify a subset of datasets referenced by the first PPI and the AFS, wherein the data to be discarded identified in the first PPI is not part of the subset, and each dataset in the subset is encrypted with the first encryption key;
  
  decrypting each dataset of the subset with the first encryption key;
  
  encrypting each dataset of the subset with the new encryption key;
  
  in response to determining whether to re-encrypt the portion of the AFS, writing each re-encrypted dataset of the subset to the AFS; and
  
  shredding the first encryption key to render the data to be discarded unrecoverable.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method as recited in claim 10, further comprising:
    - shredding key encryption keys used to encrypt the first encryption key.
  - 12. The method as recited in claim 10, further comprising:
    - deleting the PPI.
  - 13. The method as recited in claim 10, further comprising:
    - deleting any PPI that contains datasets encrypted with the first encryption key.
  - 14. The method as recited in claim 10, further comprising:
    - responding with a data-not-available indication to requests for datasets in the PPI that are encrypted with the first encryption key.

15. A storage server system comprising:
- a network interface through which to receive data access requests from a plurality of storage clients;
  
  a storage interface through which to communicate with a storage facility that stores one or more Persistent Point-in-time Images (PPIs) and an Active File System (AFS), wherein each of the PPIs is created from the AFS and references a corresponding plurality of datasets on the storage facility, each of the corresponding plurality of datasets being read-only;
  
  a processor; and
  
  a machine-readable medium that stores instructions which, when executed by the processor, cause the processor to perform a process comprising;
  
  encrypting an Active File System (AFS);
  
  generating a new encryption key in response to creating a Persistent Point-in-time Image (PPI) of the AFS, wherein data written to the AFS after the PPI is created is encrypted with the new encryption key;
  
  identifying all PPIs referencing data to be discarded, wherein the data to be discarded is encrypted with a first encryption key;
  
  for each of the identified PPIs,determining whether to re-encrypt the portion of the AFS by comparing an identified PPI with the AFS to identify a subset of datasets referenced by the identified PPI and the AFS, wherein the data to be discarded referenced in the identified PPI is not part of the subset, and each dataset of the subset is encrypted with the first encryption key;
  
  decrypting each dataset of the subset with the first encryption key;
  
  encrypting each dataset of the subset with the new encryption key uniquely associated with the AFS;
  
  in response to determining whether to re-encrypt a portion of the AFS, writing each re-encrypted dataset of the subset to the AFS; and
  
  shredding the first encryption key.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The storage server system as recited in claim 15, wherein the process further comprises:
    - searching the PPIs for any of the PPIs that references the dataset to be discarded by narrowing down a search range of the PPIs with an encryption key identifier of the first encryption key; and
      
      deleting any of the PPIs that references the dataset to be discarded.
  - 17. The storage server system as recited in claim 15, wherein the process further comprises:
    - deleting any of the PPIs that contain datasets encrypted with the first encryption key.
  - 18. The storage server system as recited in claim 15, wherein the process further comprises:
    - responding with a data-not-available indication to requests of the datasets in any of the identified PPIs.
  - 19. The storage server system as recited in claim 15, wherein the process further comprises:
    - shredding key encryption keys used to encrypt the first encryption key.

20. A data storage system, comprising:
- a storage unit that stores one or more Persistent Point-in-time Images (PPIs) and an Active File System (AFS), wherein each of the PPIs is created from the AFS and references a corresponding plurality of datasets on the storage unit, each of the corresponding plurality of datasets being read-only;
  
  an encryption engine to encrypt the AFS with a corresponding encryption key, generate a new encryption key in response to the creation of a PPI, wherein data written to the AFS after the PPI is created is encrypted with the new encryption key, and to decrypt a dataset with the dataset'"'"'s corresponding encryption key in response to a request for the dataset; and
  
  wherein, in response to a request to discard sensitive data referenced by a first PPI and stored in a dataset that is encrypted with a first encryption key, the encryption engine;
  
  determines whether to re-encrypt the portion of the AFS by comparing the first PPI with the AFS to identify a subset of the plurality of datasets in the AFS wherein the subset does not include the sensitive data referenced in the first PPI;
  
  decrypts the subset of the plurality of datasets using the first encryption key;
  
  re-encrypts the subset of the plurality of datasets with a second encryption key; and
  
  in response to determining whether to re-encrypt a portion of the AFS, writing each re-encrypted dataset of the subset of the plurality of datasets to the AFS.
- View Dependent Claims (21, 22)
- - 21. The data storage system as recited in claim 20, wherein the encryption engine shreds the first encryption key to render the sensitive data unrecoverable.
  - 22. The data storage system as recited in claim 20, wherein each of the corresponding plurality of datasets includes a CP_COUNT field for identifying the corresponding encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
NetApp, Inc.
Inventors
Subramanian, Ananthan
Primary Examiner(s)
Colin, Carl
Assistant Examiner(s)
ELMORE, JOHN E

Application Number

US12/113,143
Publication Number

US 20090276514A1
Time in Patent Office

2,029 Days
Field of Search

713/189, 713/193
US Class Current

713/189
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

Discarding sensitive data from persistent point-in-time image

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

39 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Discarding sensitive data from persistent point-in-time image

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links