Discarding sensitive data from persistent point-in-time image
First Claim
1. A method, comprising:
creating a first Persistent Point-in-time Image (PPI) based on an Active File System (AFS), wherein the AFS references an existing dataset that is encrypted with an existing encryption key and the first PPI provides a read-only reference to the existing dataset;
generating a new encryption key in response to creating a PPI of the AFS, wherein the new encryption key is used to encrypt subsequent data writes into the AFS; and
in response to identifying a request to discard data that is stored in the existing dataset, included in the first PPI, and encrypted with the existing encryption key;
re-keying the existing dataset, other than the data to be discarded, that is referenced by the AFS and encrypted by the existing encryption key;
wherein said re-keying includes re-encrypting the existing dataset, other than the data to be discarded, with the generated new encryption key different from the existing encryption key;
writing the rekeyed data to the AFS;
shredding the existing encryption key; and
wherein the existing encryption key is encrypted with a wrapping key and wherein shredding the existing encryption key includes shredding the wrapping key.
Abstract
A network storage server implements a method to discard sensitive data from a Persistent Point-In-Time Image (PPI). The server first efficiently identifies a dataset containing the sensitive data from a plurality of datasets managed by the PPI. Each of the plurality of datasets is read-only and encrypted with a first encryption key. The server then decrypts each of the plurality of datasets, except the dataset containing the sensitive data, with the first encryption key. The decrypted datasets are re-encrypted with a second encryption key, and copied to a storage structure. Afterward, the first encryption key is shredded.
8 Claims
5. A data storage system comprising:
a network interface configured to receive a request to specify a target dataset to be discarded;
a storage interface configured to provide access to an Active File System (AFS) and one or more Persistent Point-in-time Images (PPIs), wherein each of the PPIs is created from the AFS and at least some of which are read-only;
one or more computer processors configured to identify one or more PPIs referencing the target dataset to be discarded, wherein the target dataset to be discarded is encrypted with a first encryption key;
at least one of the computer processors configured to: for each of the identified PPIs, identify a subset of datasets referenced by the identified PPIs and the AFS, at least some of the datasets in the subset having been encrypted with the first encryption key, wherein the target dataset to be discarded is excluded from the identified subset, and re-key at least some of the datasets of the subset, previously encrypted with the first encryption key, by re-encrypting the at least some of the datasets with a second encryption key different from the first encryption key; and
wherein at least one of the computer processors is configured to shred the first encryption key.
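The following Python model is an added illustration of the claimed flow and is not code from the patent or from any assignee: datasets in the AFS are encrypted under a per-generation data key that is itself wrapped by a wrapping key; creating a PPI freezes a read-only reference and rotates to a fresh key; discarding a dataset re-keys every other dataset that shared the old key into the AFS and then shreds the old wrapping key, so the PPI's copy of the discarded data can no longer be decrypted. The class and method names (Volume, create_ppi, discard) are assumed, and HMAC-SHA256 in counter mode stands in for a real block cipher so the example runs with the standard library only.

```python
import hmac, hashlib, os

def _keystream(key, nonce, n):   # HMAC-SHA256 counter mode stands in for AES (stdlib only)
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt(key, pt):   # layout: nonce || ciphertext || MAC tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or corrupted block")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Volume:   # assumed name: one encrypted volume with an AFS and its PPIs
    def __init__(self):
        self.keys = {}    # key_id -> (wrapping key, data key wrapped under it)
        self.afs = {}     # dataset name -> (key_id, ciphertext) in the Active File System
        self.ppis = []    # read-only point-in-time references to AFS datasets
        self.key_id = self._new_key()
    def _new_key(self):
        kek, dek, key_id = os.urandom(32), os.urandom(32), len(self.keys)
        self.keys[key_id] = (kek, encrypt(kek, dek))
        return key_id
    def _dek(self, key_id):
        kek, wrapped = self.keys[key_id]
        return decrypt(kek, wrapped)   # raises once the wrapping key has been shredded
    def write(self, name, data):
        self.afs[name] = (self.key_id, encrypt(self._dek(self.key_id), data))
    def read(self, name, image=None):
        key_id, blob = (self.afs if image is None else image)[name]
        return decrypt(self._dek(key_id), blob)
    def create_ppi(self):
        self.ppis.append(dict(self.afs))   # the PPI shares the AFS's existing ciphertext blocks
        self.key_id = self._new_key()      # subsequent AFS writes use the new key
        return self.ppis[-1]
    def discard(self, name):
        old_id = self.afs.pop(name)[0]               # drop the dataset from the AFS
        if old_id == self.key_id:                    # re-key target must differ from the old key
            self.key_id = self._new_key()
        for other, (kid, blob) in list(self.afs.items()):
            if kid == old_id:                        # re-key everything else under the old key
                self.afs[other] = (self.key_id, encrypt(self._dek(self.key_id), self.read(other)))
        self.keys[old_id] = (b"\0" * 32, self.keys[old_id][1])   # shred wrapping key; data key gone
```

Note that a PPI taken before the discard still holds ciphertext for the other datasets under the shredded key, so anything that must stay readable through that PPI has to be re-keyed there too, not only in the AFS.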