encryption key from a storage system
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents (China)
- Current Assignee / Owner
- HEWLETT PACKARD ENTERPRISE DEV LP
- Filing Date
- 2021-04-14
- Publication Date
- 2026-06-30
Figure CN114186245B_ABST
Abstract
Description
Background Technology
[0001] Data stored in a storage system can be encrypted to protect it from unauthorized access. Data can be encrypted using a data encryption key. To mitigate risks to the data, protection can be provided both in flight (when data is transmitted over a network) and at rest (when data is stored on the storage medium of the storage system).
Brief Description of the Drawings
[0002] Some embodiments of this disclosure are described with reference to the following figures.
[0003] Figure 1 is a block diagram of an arrangement of a storage system, host systems, and a key manager system according to some examples.
[0004] Figure 2 is a message flow diagram of an example process according to some examples.
[0005] Figure 3 is a block diagram of a storage system according to some examples.
[0006] Figure 4 is a block diagram of a host system according to some examples.
[0007] Figure 5 is a block diagram of a storage medium storing machine-readable instructions according to some examples.
[0008] Throughout the accompanying drawings, the same reference numerals denote similar but not necessarily identical elements. The drawings are not necessarily to scale, and some parts may be enlarged to illustrate the examples more clearly. Furthermore, the drawings provide examples and / or embodiments consistent with the description; however, the description is not limited to the examples and / or embodiments provided in the drawings.
Detailed Description
[0009] In this disclosure, unless the context clearly indicates otherwise, the terms “a / an” or “the” are intended to include the plural form as well. Similarly, when used in this disclosure, the terms “includes / including / comprises / comprising” or “have / having” indicate the presence of the said element but do not exclude the presence or addition of other elements.
[0010] Several different approaches can be used to provide data encryption. The first approach controls data encryption at the storage system. With this approach, data is encrypted by the storage system and stored in encrypted form on the storage medium. However, data sent from the host system to the storage system is unprotected in flight. Therefore, unencrypted data in flight may be exposed to attackers, including unauthorized users, malware, etc.
[0011] A host system includes a computing device (or multiple computing devices) capable of issuing requests to access data stored in the storage medium of a storage system. A host system may also be referred to as an initiator system. A host system may include any one or a combination of the following: a desktop computer, a laptop computer, a tablet computer, a server computer, a smartphone, an Internet of Things (IoT) device, a vehicle or a controller within a vehicle, a communication node, or any other type of electronic device.
[0012] A storage system can refer to a computing device (or multiple computing devices) that manages access to data stored in a storage medium. The storage medium can include one or more storage devices, which can include disk-based storage devices, solid-state storage devices, etc.
[0013] Variations of the first approach can allow for the encryption of in-flight data, such as by using secure protocols that protect data communications over a network. Examples of such security protocols include Internet Protocol Security (IPsec) and other security protocols. In this variation, the data is encrypted by the host system's transport layer using a first data encryption key before communication over the network, and the encrypted data is transmitted over the network to the storage system. At the storage system, the received encrypted data is decrypted, and then the decrypted data is encrypted using a second data encryption key to produce further encrypted data. The further encrypted data is then stored in the storage medium of the storage system. The sequence of encrypting data, transmitting the encrypted data, decrypting it at the storage system, and re-encrypting the decrypted data increases the complexity of a data storage operation initiated by the host system to the storage system. Moreover, the multiple operations involved can increase the latency of the data storage operation.
[0014] The second approach involves controlling data encryption at the application layer of the host system using a data encryption key managed by the host system. Using this approach, a single data encryption key can be used for both in-flight data (data transmitted over a network) and stationary data (data stored on storage media in a storage system). However, in computing environments with a large number of host systems, complexity increases because different host systems may use different data encryption keys, and one host system may require access to another host system's data encryption key to access encrypted data. In some cases, security mechanisms may prevent the sharing of data encryption keys between host systems. In other examples, multiple host systems may each have to register with a key manager system, which can be complex when there are a large number of host systems.
[0015] According to some embodiments of this disclosure, encryption key management is provided through a storage system while still allowing the use of a common data encryption key for both in-flight data (which is between the host system and the storage system) and stationary data (data stored by the storage system). The storage system receives a request for a data encryption key from the host system and, in response to the request, retrieves the data encryption key for the host system from a key manager system. The data encryption key may be associated with an individual host system or with a cluster of host systems. In some examples, a first data encryption key associated with a first individual host system or a first host system cluster is different from a second data encryption key associated with a second individual host system or a second host system cluster. A data encryption key associated with an individual host system may be associated with an identifier of the individual host system. A data encryption key associated with a host system cluster may be associated with an identifier of the host system cluster. An “identifier” may refer to any one or a combination of the following: network address, name, hardware identifier, serial number, Uniform Resource Locator (URL), etc.
[0016] Alternatively, the data encryption key can be associated with a storage object or a set of storage objects. A "storage object" can refer to any individually accessible amount of storage, such as a storage space identified by a Logical Unit Number (LUN), network address, namespace, etc. In some examples, the first data encryption key associated with a first individual storage object or a first set of storage objects is different from the second data encryption key associated with a second individual storage object or a second set of storage objects.
[0017] More generally, in some examples, different data encryption keys are associated with different host systems, different host system clusters, different storage objects, or different sets of storage objects.
[0018] The storage system encrypts the data encryption key using a first key (such as the host system's public key) to generate an encrypted data encryption key. This first key can also be called the "key encryption key." The storage system sends the encrypted data encryption key to the host system. The encrypted data encryption key can be decrypted using a second key (such as the host system's private key). The storage system receives the encrypted data, encrypted using the data encryption key, from the host system.
[0019] In some examples where the first key is a public key and the second key is a private key, the public and private keys are part of a public-private key pair. Examples of algorithms that can be used to generate public-private key pairs include the Rivest-Shamir-Adleman (RSA) algorithm. In other examples, other types of algorithms can be used to generate public-private key pairs.
[0020] Figure 1 is a block diagram of an example arrangement including a storage system 102 and a host system 104 capable of accessing (reading or writing) the data stored by the storage system 102. The example storage system 102 may include a storage array, storage devices, etc.
[0021] Host system 104 can communicate with storage system 102 via network 106. Examples of network 106 may include any one or a combination of the following: a local area network (LAN), a wide area network (WAN), a storage area network (SAN), a public network such as the Internet, etc. Network 106 can be implemented using wired and / or wireless networks.
[0022] In some examples, host system 104 can send Small Computer System Interface (SCSI) commands to storage system 102 to access data. In other examples, host system 104 can send Non-Volatile Memory Express (NVMe™) commands. In further examples, host system 104 can send commands to storage system 102 to access data in storage system 102 according to other protocols (whether standardized, proprietary, or open source).
[0023] Storage system 102 is associated with one or more storage devices 108. A storage device can refer to a disk-based storage device, a solid-state storage device, etc. In some examples, storage devices 108 are part of storage system 102. In other examples, storage devices 108 are external to storage system 102 but connected to it via a communication link.
[0024] Storage system 102 includes storage controller 110, which manages access to data in storage device(s) 108 in response to commands received from host system 104. Storage controller 110 can manage reading data from or writing data to storage device(s) 108.
[0025] As used herein, "controller" can refer to hardware processing circuitry, which may include any or a combination of a microprocessor, a core of a multi-core microprocessor, a microcontroller, a programmable integrated circuit, a programmable gate array, or other hardware processing circuitry. Alternatively, "controller" can refer to a combination of hardware processing circuitry and machine-readable instructions (software and / or firmware) executable on the hardware processing circuitry.
[0026] In some examples, the storage controller 110 includes a target key management engine 112 according to some embodiments of the present disclosure. The target key management engine 112 may be implemented using a portion of the hardware processing circuitry of the storage controller 110, or alternatively, may be implemented as machine-readable instructions executable by the storage controller 110.
[0027] Although Figure 1 shows the target key management engine 112 as part of the storage controller 110, in other examples the target key management engine 112 may be implemented as part of a controller separate from the storage controller 110.
[0028] The target key management engine 112 manages access to and retrieval of data encryption keys used to encrypt in-flight data between host system 104 and storage system 102, as well as stationary data stored in storage devices(s) 108. More specifically, for a given host system 104, a given cluster of host systems 104, a given storage object, or a given set of storage objects, the target key management engine 112 can provide data encryption keys for both in-flight data encryption and stationary data encryption. The generation of data encryption keys can be performed using any of a variety of different encryption key generation techniques.
[0029] In some examples, the data encryption key can be unique to a single host system, a cluster of host systems, a single storage object, or a collection of storage objects. In such examples, the data encryption key of the first host system may differ from the data encryption key of the second host system, or the data encryption key of the first host system cluster may differ from the data encryption key of the second host system cluster, or the data encryption key of the first storage object may differ from the data encryption key of the second storage object, or the data encryption key of the first collection of storage objects may differ from the data encryption key of the second collection of storage objects.
[0030] In other examples, the data encryption key does not need to be unique to the host system (or host system cluster) or the storage object (or collection of storage objects).
[0031] In some examples, a given host system 104 may send a request for a data encryption key to storage system 102. The request may include an identifier associated with the given host system 104 or an identifier associated with a storage object to be accessed. The identifier associated with the given host system 104 may include: the name of the given host system 104, its network address, its hardware identifier, its serial number, its URL, its world wide name (WWN), its NVMe qualified name, a Universally Unique Identifier (UUID) (described in Request for Comments 4122 entitled "A Universally Unique IDentifier (UUID) URN Namespace", dated July 2005), or any other information that can provide some form of identification for the given host system 104. The identifier associated with a storage object may include the name of the storage object, the URL of the storage object, etc.
[0032] It should be further noted that the identifier associated with the host system can refer to the identifier of a single host system or the identifier of a cluster of host systems, and the identifier associated with the storage object can refer to the identifier of a single storage object or the identifier of a collection of storage objects.
[0033] Based on the identifier associated with a given host system 104 or the identifier associated with the storage object to be accessed, the target key management engine 112 can obtain the data encryption key corresponding to the identifier associated with the host system or storage object from the key manager system 114.
[0034] Key manager system 114 may maintain a key repository 116 containing data encryption keys. Key repository 116 may associate different key identifiers with corresponding data encryption keys. The key identifiers associated with the corresponding data encryption keys by key repository 116 may be identifiers associated with the host systems or storage objects listed above, or may be determined based on identifiers associated with host systems or storage objects. Key repository 116 may be stored in one or more storage devices, which may be part of key manager system 114 or separate from key manager system 114. Key manager system 114 may be implemented using one or more computing devices and is separate from storage system 102.
[0035] Key manager system 114 can be connected to storage system 102 via a communication link such as network 106 or another communication link. Typically, key manager systems are used to securely store data encryption keys to protect them from unauthorized access and from loss. Examples of key manager systems are Utimaco's Enterprise Security Key Manager™ (ESKM), Thales' KeySecure™, etc. Although examples of key manager systems have been provided, it should be noted that different key manager systems may be used in other examples.
[0036] In some examples, in response to a request for a data encryption key received from host system 104, target key management engine 112 sends a key identifier to key manager system 114, which retrieves the corresponding data encryption key from key repository 116 based on the association between the key identifier and the corresponding data encryption key. As described above, the key identifier may be an identifier associated with the host system or storage object included in the request, or alternatively, the key identifier may be derived from an identifier associated with the host system or storage object, or looked up based on an identifier associated with the host system or storage object, or determined in a different manner.
[0037] The key manager system 114 returns the data encryption key to the target key management engine 112, which then encrypts the data encryption key received from the key manager system 114 using the public key 118 associated with the given host system 104. For example, as shown in Figure 1, memory 120 stores public keys 118 associated with corresponding different host systems 104. The public keys may have been provided by the corresponding host systems 104 to storage system 102 for storage in memory 120. Alternatively, the public keys 118 may have been received from an entity different from host system 104.
[0038] The memory 120 can be implemented using any of a variety of storage devices, including volatile memory devices (such as dynamic random access memory (DRAM) and static random access memory (SRAM)) and / or non-volatile memory devices (such as flash memory devices).
[0039] The encrypted data encryption key is sent by the target key management engine 112 to the given host system 104 via network 106. For example, as shown in Figure 1, each host system 104 includes a corresponding host key engine 122. The host key engine 122 may refer to hardware processing circuitry, which may include any or a combination of a microprocessor, a core of a multi-core microprocessor, a microcontroller, a programmable integrated circuit, a programmable gate array, or other hardware processing circuitry. Alternatively, the host key engine 122 may refer to a combination of hardware processing circuitry and machine-readable instructions (software and / or firmware) executable on the hardware processing circuitry.
[0040] The host key engine 122 in the given host system 104 decrypts the received encrypted data encryption key using the private key 124 of the given host system 104. The private key 124 may be stored in the storage device 126 of the host system 104. The storage device 126 may be implemented using a disk-based storage device, a solid-state storage device, or the like. Alternatively, instead of storing the private key 124 in a storage device, the private key 124 may be stored in a non-volatile memory device.
[0041] Once the encrypted data encryption key received by the given host system 104 is decrypted by the host key engine 122, the decrypted data encryption key can be used to encrypt data to be written to the storage system 102, or alternatively, it can be used to decrypt encrypted data read from the storage system 102.
[0042] In some examples, host key engine 122 may be part of storage driver 140 or network interface controller (NIC) 142 of host system 104. Storage driver 140 may be part of the operating system (OS) of host system 104. NIC 142 may be a smart NIC, which includes a processor for performing tasks other than data communication over network 106. For example, a smart NIC may receive encrypted data encryption keys from storage system 102, decrypt the data encryption keys, and use the decrypted data encryption keys in write and read operations without higher layers (including the OS or applications) being aware of the data encryption or decryption.
[0043] Figure 2 is a message flow diagram illustrating an example process according to some embodiments of the present disclosure. Host system 104 can perform discovery of storage system 102 (at 202). Discovery may include an exchange of information in which storage system 102 sends information announcing its identifier and capabilities. For example, as part of discovery, host key engine 122 in host system 104 may discover that storage system 102 supports the key encryption capability according to some embodiments of the present disclosure, in which storage system 102 manages data encryption keys for encrypting in-flight data and stationary data. Information indicating support for the key encryption capability may be part of a message, an information element, etc.
[0044] Based on the discovery, host system 104 establishes (at 204) an encrypted session with storage system 102. An “encrypted session” refers to a communication session in which one or more encryption keys are exchanged.
[0045] In some examples, the host key engine 122 in host system 104 creates (at 206) a public-private key pair that includes a public key and a private key. In other examples, the public-private key pair may be created by a different entity and provided to host system 104 either as a whole key pair or separately as a public or private key.
[0046] The host key engine 122 in host system 104 sends the public key (at 208) to the target key management engine 112 in storage system 102. In some examples, the public key may be included in a field of a SCSI command, an NVMe™ command, or any other type of message. The message carrying the public key may include an identifier associated with host system 104 or an identifier associated with the storage object to be accessed. Alternatively, the identifier associated with the host system or storage object may be sent from host key engine 122 to target key management engine 112 in a separate message (different from the message carrying the public key).
[0047] The received public key can be stored by the target key management engine 112 for later use. For example, the public key can be stored in the memory 120 of the storage system 102.
[0048] Based on the identifier received from the host key engine 122, the target key management engine 112 obtains the corresponding data encryption key from the key manager system 114 (at 210). The target key management engine 112 in the storage system 102 can obtain the corresponding data encryption key by sending the key identifier (as described above) to the key manager system 114. The key identifier is mapped in the key repository 116 (Figure 1) to the corresponding data encryption key, which the key manager system 114 retrieves from the key repository 116 and sends to the storage system 102. In some examples, multiple data encryption keys may be associated with a key identifier. The data encryption key returned by the key manager system 114 in response to the key identifier may be one of the multiple data encryption keys.
[0049] The target key management engine 112 encrypts the acquired data encryption key (at 212). The encrypted data encryption key is then sent from the target key management engine 112 (at 214) to the host key engine 122.
[0050] Upon receiving the encrypted data encryption key, the host key engine 122 uses the private key 124 (Figure 1) of host system 104 to decrypt the received encrypted data encryption key (at 216). Decryption produces the decrypted data encryption key.
[0051] The host system 104 then uses the decrypted data encryption key to encrypt or decrypt the data for the corresponding write and read operations (at 218).
[0052] During a write operation, host system 104 uses the decrypted data encryption key to encrypt the write data, producing encrypted in-flight data sent by host system 104 to storage system 102 via network 106. It should be noted that in some examples, the encryption of the in-flight data is not performed at the transport layer of host system 104, but at a different layer above the transport layer. Storage system 102 then stores the encrypted write data in storage device(s) 108 (Figure 1). In this way, the encrypted data can be written without first decrypting it. Therefore, the decrypted data encryption key protects both in-flight and stationary data. As a result, a single data encryption key managed by storage system 102 is used for both in-flight and stationary data protection.
[0053] During a read operation, the storage controller 110 in storage system 102 (Figure 1) retrieves encrypted data from storage device(s) 108 and sends the encrypted data (without first decrypting it) to the requesting host system 104 via network 106. The requesting host system 104 then decrypts the received encrypted data using the decrypted data encryption key.
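The message flow of Figure 2 (steps 206 to 218) and the pass-through write and read of [0052] and [0053], as an added example written for this page in Go; it is not code from the patent or from Hewlett Packard Enterprise. The patent names neither the symmetric cipher nor the padding used to wrap the data encryption key, so AES-256-GCM for the data and RSA-OAEP with SHA-256 for the key encryption key are this example's assumptions, as are the choice of the storage object identifier as key identifier, the key repository held inside the StorageSystem struct for brevity (the patent keeps key manager system 114 separate), and the constructed names host-a and lun-7.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// seal encrypts under the DEK with AES-256-GCM (this example's choice of cipher) and
// returns nonce||ciphertext||tag; open reverses it and rejects any modification.
func seal(dek, plain []byte) ([]byte, error) {
	gcm, err := gcmFor(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand never returns an error
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

func open(dek, ct []byte) ([]byte, error) {
	gcm, err := gcmFor(dek)
	if err != nil || len(ct) < gcm.NonceSize() {
		return nil, errors.New("bad DEK or ciphertext")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

func gcmFor(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StorageSystem plays storage system 102 (target key management engine 112, memory 120,
// storage devices 108, the per-host authorization of [0055]); keyManager stands in for
// key manager system 114 with its key repository 116 (assumption: held in-process).
type StorageSystem struct {
	keyManager map[string][]byte         // key identifier (object identifier here) -> DEK
	pubKeys    map[string]*rsa.PublicKey // host identifier -> public key 118
	authorized map[string]string         // host identifier -> object it may access
	devices    map[string][]byte         // object identifier -> ciphertext at rest
}

// RequestDEK is steps 210-214 of Figure 2: authorize the host, fetch the DEK and wrap
// it with the host's public key (RSA-OAEP, label bound to the object identifier).
func (s *StorageSystem) RequestDEK(hostID, objectID string) ([]byte, error) {
	pub, dek := s.pubKeys[hostID], s.keyManager[objectID]
	if s.authorized[hostID] != objectID || pub == nil || dek == nil {
		return nil, errors.New("host not authorized for object, or key/object unknown")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, []byte(objectID))
}

// Write and Read pass ciphertext through untouched: the in-flight DEK is the at-rest DEK.
func (s *StorageSystem) Write(objectID string, ct []byte) { s.devices[objectID] = ct }
func (s *StorageSystem) Read(objectID string) []byte     { return s.devices[objectID] }

// RoundTrip runs steps 206-218 for host "host-a" and object "lun-7" (constructed names)
// and returns what the host reads back after one write.
func RoundTrip(plain []byte) ([]byte, error) {
	dek := make([]byte, 32)
	rand.Read(dek)
	ss := &StorageSystem{
		keyManager: map[string][]byte{"lun-7": dek},
		pubKeys:    map[string]*rsa.PublicKey{},
		authorized: map[string]string{"host-a": "lun-7"},
		devices:    map[string][]byte{},
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // step 206, host key engine 122
	if err != nil {
		return nil, err
	}
	ss.pubKeys["host-a"] = &priv.PublicKey // step 208
	wrapped, err := ss.RequestDEK("host-a", "lun-7")
	if err != nil {
		return nil, err
	}
	hostDEK, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, []byte("lun-7")) // step 216
	if err != nil {
		return nil, err
	}
	ct, err := seal(hostDEK, plain) // in-flight data encrypted by the host (step 218)
	if err != nil {
		return nil, err
	}
	ss.Write("lun-7", ct)                  // stored as received, no decryption
	return open(hostDEK, ss.Read("lun-7")) // read back still encrypted; host decrypts
}

func main() {
	out, err := RoundTrip([]byte("block 0 of lun-7"))
	fmt.Printf("%q %v\n", out, err)
}
```

Running it prints the recovered plaintext and a nil error. Two points worth checking in such a design: the storage system never holds the plaintext, and the public key registered at step 208 is whatever the requester sent, so it proves nothing about who is asking; RequestDEK therefore consults the authorization table of [0055] before any key is wrapped, and a host with no entry is refused.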
[0054] In some examples, because storage system 102 manages data encryption keys for use by host system 104, authorization of host system 104 is performed before storage system 102 sends the data encryption keys to host system 104. Authorization of host system 104 can be performed using any of a variety of techniques.
[0055] An example technique for authorizing host system 104 is to use a technique in which host system 104, which has already been granted access to a specific storage object (or set of storage objects), is also granted access to the data encryption key of the storage object (or set of storage objects). For example, an administrator can use the management interface of storage system 102 to configure storage system 102 such that storage system 102 grants a specific host system access to a set of storage objects that only the host system is authorized to access.
[0056] Alternatively, a certificate-based authorization technique can be used, in which host system 104 sends a certificate to storage system 102, which can then authorize host system 104 based on the certificate. Other example authorization techniques can be used in other examples.
[0057] In some examples, storage system 102 can decrypt encrypted data to provide data services, such as performing deduplication and data compression. In such an example, host system 104 can send an identifier associated with host system 104 to storage system 102, which can use the identifier to obtain a corresponding data encryption key from a key repository 116 of key manager system 114 or from storage devices or memory of storage system 102. The storage system uses the obtained data encryption key to decrypt the encrypted data stored in storage system 102 to provide data services.
[0058] In a further example, host system 104 may be given some control over whether storage system 102 is allowed to decrypt encrypted data. This can be achieved by host system 104 sending a key identifier that identifies the data encryption key to be used to decrypt the encrypted data. If host system 104 does not send the key identifier, storage system 102 will not decrypt the encrypted data.
[0059] Figure 3 is a block diagram of a storage system 300 (such as storage system 102 of Figure 1). Storage system 300 includes a communication interface 302 for communicating with a host system (e.g., host system 104 of Figure 1 or host system 400 of Figure 4) capable of accessing data stored in storage system 300. Communication interface 302 may include a transceiver for sending and receiving signals over a network (e.g., network 106 of Figure 1). Furthermore, the communication interface 302 may include a protocol layer that manages data communication according to appropriate communication protocols (such as Internet Protocol (IP), Transmission Control Protocol (TCP), etc.).
[0060] Storage system 300 includes a controller 304 (e.g., storage controller 110 of Figure 1) for performing various tasks. The tasks of controller 304 include a request reception task 306: receiving, from the host system, a request for a data encryption key. This request may include a message containing a public key and / or an identifier associated with the host system or storage object.
[0061] The tasks further include a data encryption key retrieval task 308: in response to the request, obtaining the data encryption key for the host system from a key manager system (e.g., key manager system 114 of Figure 1). Note that the obtained data encryption key can be associated with a single host system, a cluster of host systems, a single storage object, or a collection of storage objects.
[0062] The tasks further include a data encryption key encryption task 310: encrypting the data encryption key obtained from the key manager system using a first key (the host system's public key) to produce an encrypted data encryption key. In some examples, the first key may be received by the storage system 300 from the host system.
[0063] The tasks further include a sending task 312: sending the encrypted data encryption key to the host system.
[0064] The tasks further include an encrypted data reception task 314: receiving, from the host system, encrypted data that was encrypted using the data encryption key. The host system obtains that data encryption key from the encrypted data encryption key by decrypting the encrypted data encryption key using a second key of the host system (e.g., its private key).
[0065] The storage system 300 can store received encrypted data in its storage medium without first decrypting the received encrypted data. In this way, a single data encryption key can be used to protect both in-flight data and stationary data.
[0066] In some examples where storage system 300 provides data services (e.g., data compression), if storage system 300 receives information associated with a data encryption key as part of data access (read or write) performed by the host system, storage system 300 can decrypt the encrypted data associated with the data service. Data services include any type of service (such as compression) applied to the decrypted data. Storage system 300 decrypts the encrypted data associated with the data service in response to receiving information associated with the data encryption key.
[0067] In some examples, the information associated with the data encryption key includes a key identifier for the data encryption key. For example, for a write initiated by the host system, storage system 300 receives encrypted data (encrypted using the data encryption key) from the host system. Storage system 300 also receives a key identifier from the host system. Based on the key identifier, storage system 300 obtains the corresponding data encryption key (which may have been stored at storage system 300). Storage system 300 uses the data encryption key to decrypt the encrypted data and applies a data service (e.g., compression) to the decrypted data. The data service applied to the decrypted data produces processed data (e.g., compressed data). Storage system 300 then encrypts the processed data to produce encrypted processed data, which is then written to the storage medium of storage system 300.
[0068] In response to a read initiated by the host system, storage system 300 uses a key identifier provided by the host system to obtain the corresponding data encryption key. Storage system 300 reads encrypted processed data from its storage medium and decrypts the encrypted processed data. Decryption of the encrypted processed data produces decrypted processed data (e.g., decrypted compressed data). Storage system 300 then reverses the data service applied to the decrypted compressed data (e.g., performs decompression) to produce unprocessed data (e.g., uncompressed data). "Unprocessed data" refers to data to which data services have not yet been applied, or data to which data services have been reversed. Storage system 300 then encrypts the resulting data using the data encryption key to produce encrypted unprocessed data, which is sent by storage system 300 to the host system. The host system can decrypt the encrypted unprocessed data using the data encryption key.
[0069] In both the write and read examples described above, if the host system does not provide the storage system 300 with information associated with the data encryption key (e.g., a key identifier), the controller 304 may not perform decryption of the encrypted data (encrypted data received from the host system at write time, or encrypted processed data obtained from the storage medium of the storage system 300 at read time).
[0070] It should also be noted that if the storage system 300 does not perform data services, the storage system 300 will not perform the above decryption for write or read operations.
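The write and read paths of paragraphs [0067] through [0070], as an added example in Go that is not part of the patent: the controller's table of data encryption keys indexed by key identifier (assumed already obtained from the key manager system), AES-GCM as the cipher and flate compression as the data service are all assumptions of the example. The same `Process` function serves both directions, and it refuses the data service when no key identifier accompanies the access.

```go
package main
import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Constructed example, not the patent's code: DEKs by key identifier (assumed already fetched from the key manager); the data service is flate compression.
type Controller map[string][]byte
var ErrNoKeyInfo = errors.New("no key identifier supplied: controller cannot decrypt")
func gcm(dek []byte) cipher.AEAD { // DEKs held by this example are always valid AES keys
	block, _ := aes.NewCipher(dek)
	g, _ := cipher.NewGCM(block)
	return g
}
// Seal encrypts with AES-GCM, prepending the random 12-byte nonce; Open reverses it.
func Seal(dek, plain []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce) // crypto/rand: documented never to fail in current Go releases
	return gcm(dek).Seal(nonce, nonce, plain, nil)
}
func Open(dek, ct []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(dek).Open(nil, ct[:12], ct[12:], nil)
}
// Process is the write path (write=true: decrypt the host's ciphertext, compress, re-encrypt for the
// medium) and the read path (write=false: decrypt stored data, decompress, re-encrypt for the host).
func (c Controller) Process(keyID string, ct []byte, write bool) ([]byte, error) {
	dek, ok := c[keyID]
	if !ok {
		return nil, ErrNoKeyInfo // no key information: no decryption, no data service
	}
	data, err := Open(dek, ct) // GCM also rejects ciphertext made under a different DEK
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	if write {
		w, _ := flate.NewWriter(&buf, flate.BestCompression)
		w.Write(data)
		w.Close()
	} else if _, err = buf.ReadFrom(flate.NewReader(bytes.NewReader(data))); err != nil {
		return nil, err
	}
	return Seal(dek, buf.Bytes()), nil
}
```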
[0071] In a further example, the information associated with the data encryption key includes an identifier associated with the host system.
[0072] Figure 4 is a block diagram of a host system 400 (e.g., the host system 104 of Figure 1). Host system 400 includes a communication interface 402 for communicating with a storage system (e.g., the storage system 102 of Figure 1 or the storage system 300 of Figure 3).
[0073] The host system 400 includes a hardware processor 404 (or multiple hardware processors). The hardware processor may include a microprocessor, the core of a multi-core microprocessor, a microcontroller, a programmable integrated circuit, a programmable gate array, or another hardware processing circuit.
[0074] Hardware processor 404 can perform various tasks. The execution of a task by the hardware processor can refer to a single hardware processor performing a task or multiple hardware processors performing a task. In some examples, the tasks of hardware processor 404 can be executed by machine-readable instructions that can be executed on hardware processor 404. Machine-readable instructions that can be executed on hardware processors can refer to instructions that can be executed on a single hardware processor or instructions that can be executed on multiple hardware processors.
[0075] The task of hardware processor 404 includes request sending task 406—sending a request for a data encryption key to the storage system.
[0076] The tasks of the hardware processor 404 further include an encrypted data encryption key receiving task 408—receiving, at the host system 400, an encrypted data encryption key from the storage system in response to the request. The encrypted data encryption key is generated by encrypting, using a first key of the host system, the data encryption key that the storage system obtained from the key manager system in response to the request.
[0077] In some examples, the first key is a public key sent from the host system 400 to the storage system.
[0078] The tasks of the hardware processor 404 further include an encrypted data encryption key decryption task 410—decrypting the received encrypted data encryption key using a second key to produce a decrypted data encryption key. In some examples, the second key is the private key of the host system 400.
[0079] The tasks of the hardware processor 404 further include a data encryption task 412—encrypting data using the decrypted data encryption key to produce encrypted data for a write operation.
[0080] The tasks of the hardware processor 404 further include an encrypted data sending task 414 for the write operation—sending the encrypted data to the storage system for storage on the storage medium of the storage system.
[0081] In some examples, hardware processor 404 is part of a smart NIC or of a storage drive of the host system and executes tasks 406, 408, 410, and 412 there.
[0082] For read operations, the hardware processor 404 can receive encrypted data from the storage system and decrypt the received encrypted data using the decrypted data encryption key.
[0083] Figure 5 is a block diagram of a non-transitory machine-readable or computer-readable storage medium 500 storing machine-readable instructions which, when executed, cause a storage system (e.g., the storage system 102 of Figure 1 or the storage system 300 of Figure 3) to perform various tasks.
[0084] The machine-readable instructions include public key receiving instructions 502 for receiving a public key from a host system (e.g., the host system 104 of Figure 1 or the host system 400 of Figure 4).
[0085] The machine-readable instructions further include a data encryption key receiving instruction 504 for receiving a request for a data encryption key from the host system.
[0086] The machine-readable instructions further include a data encryption key retrieval instruction 506, for retrieving a data encryption key from a key manager system for the host system in response to a request.
[0087] The machine-readable instructions further include data encryption key encryption instructions 508 for encrypting the data encryption key using a public key to produce an encrypted data encryption key.
[0088] The machine-readable instructions further include an encrypted data encryption key sending instruction 510 for sending the encrypted data encryption key to the host system.
[0089] The machine-readable instructions further include an encrypted data receiving instruction 512 for receiving encrypted data encrypted using a data encryption key from the host system, the data encryption key being determined by the host system by decrypting the encrypted data encryption key using the host system's private key.
[0090] The machine-readable instructions further include encrypted data storage instructions 514 for storing encrypted data into the storage medium of the storage system.
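The key exchange that instructions 502 through 510 and host tasks 406 through 410 describe, as an added example in Go that is not part of the patent: the key manager's vault, the controller's host-identifier to key-identifier lookup, its authorization list (claim 13), RSA-OAEP as the wrapping scheme and the host identifier as the OAEP label are all assumptions of the example, as is the `NewHostKey` helper that stands in for the host's own key pair.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Constructed example, not the patent's code: the key manager's vault, the controller's
// host-identifier to key-identifier lookup and its authorization list are in-memory maps.
type KeyManager struct{ Vault map[string][]byte } // key identifier -> data encryption key
func (km *KeyManager) Get(keyID string) ([]byte, error) {
	if dek, ok := km.Vault[keyID]; ok {
		return dek, nil
	}
	return nil, errors.New("key manager: unknown key identifier")
}
type StorageSystem struct {
	KM         *KeyManager
	KeyIDs     map[string]string // host identifier -> key identifier (the claim 5 lookup)
	Authorized map[string]bool   // hosts permitted to obtain a data encryption key
}
var ErrUnauthorized = errors.New("host is not authorized to obtain the data encryption key")

// RequestDEK is the controller's side of the exchange: derive the key identifier from the
// host identifier, fetch the DEK from the key manager, and wrap it under the host's public
// key (RSA-OAEP) so that only the holder of the matching private key can recover it. Using
// the host identifier as the OAEP label is an assumption of this example.
func (s *StorageSystem) RequestDEK(hostID string, hostPub *rsa.PublicKey) ([]byte, error) {
	if !s.Authorized[hostID] {
		return nil, ErrUnauthorized
	}
	keyID, ok := s.KeyIDs[hostID]
	if !ok {
		return nil, errors.New("no key identifier mapped for host")
	}
	dek, err := s.KM.Get(keyID)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, hostPub, dek, []byte(hostID))
}
// UnwrapDEK is the host's side (task 410): recover the DEK with the host's private key.
func UnwrapDEK(hostID string, priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, []byte(hostID))
}
// NewHostKey generates a host key pair for the example; a real host would hold its own.
func NewHostKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
```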
[0091] A storage medium (e.g., the storage medium 500 of Figure 5) can include any one or a combination of the following: semiconductor memory devices such as dynamic or static random access memory (DRAM or SRAM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), and flash memory or other types of non-volatile memory devices; magnetic disks such as fixed, floppy, and removable disks; another magnetic medium, including magnetic tape; optical media such as compact discs (CDs) or digital video discs (DVDs); or another type of storage device. It should be noted that the instructions discussed above can be provided on a single computer-readable or machine-readable storage medium, or alternatively, on multiple computer-readable or machine-readable storage media distributed across a large system having potentially multiple nodes. Such one or more computer-readable or machine-readable storage media are considered part of an article (or article of manufacture). An article or article of manufacture can refer to any single or multiple manufactured components. The one or more storage media can be located in a machine that executes the machine-readable instructions, or at a remote site from which the machine-readable instructions can be downloaded over a network for execution.
[0092] In the foregoing description, numerous details have been set forth to facilitate understanding of the subject matter disclosed herein. However, embodiments may be practiced without some of these details. Other embodiments may include modifications and variations of the details discussed above. The appended claims are intended to cover such modifications and variations.
Claims
1. A storage system, comprising: a communication interface for communicating with a host system capable of accessing data stored by the storage system; and a controller to: receive, over a network, a request for a data encryption key from the host system, the request including an identifier of the host system or an identifier of a storage object to be accessed; in response to the request, obtain the data encryption key from a key manager system for the host system, wherein the controller is configured to obtain the data encryption key from the key manager system for the host system by sending to the key manager system a request including a key identifier based on the identifier of the host system or the identifier of the storage object to be accessed, and wherein the storage system is separate from each of the host system and the key manager system; encrypt the data encryption key obtained from the key manager system using a first key to generate an encrypted data encryption key; send the encrypted data encryption key to the host system; and receive, from the host system, encrypted data encrypted using the data encryption key.
2. The storage system of claim 1, wherein the encrypted data encryption key is sent to a network interface controller or a storage drive of the host system, and the encrypted data received from the host system is encrypted by the network interface controller or the storage drive using the data encryption key.
3. The storage system of claim 1, wherein the controller converts the identifier of the host system into the key identifier included in the request sent to the key manager system.
4. The storage system of claim 1, wherein the controller converts the identifier of the storage object into the key identifier included in the request sent to the key manager system.
5. The storage system of claim 1, wherein the controller looks up the key identifier included in the request sent to the key manager system from the identifier of the host system or the identifier of the storage object.
6. The storage system of claim 1, wherein the first key is received from the host system and is a public key of the host system.
7. The storage system of claim 6, wherein the encrypted data is encrypted using the data encryption key determined by the host system from the encrypted data encryption key, the host system decrypting the encrypted data encryption key using its private key to determine the data encryption key.
8. The storage system of claim 1, wherein the data encryption key obtained by the storage system from the key manager system is acquired by the key manager system by accessing a key vault that associates key identifiers with corresponding data encryption keys, and wherein the key identifier included in the request from the storage system to the key manager system is associated with the data encryption key in the key vault.
9. The storage system of claim 1, wherein the controller is to: receive information associated with the data encryption key as part of a data access performed by the host system; and in response to receiving the information associated with the data encryption key, decrypt encrypted data associated with a data service of the storage system.
10. The storage system of claim 9, wherein the information associated with the data encryption key includes the key identifier of the data encryption key.
11. The storage system of claim 10, wherein, if the host system does not provide the information associated with the data encryption key as part of the data access performed by the host system, the controller does not decrypt the encrypted data associated with the data service.
12. The storage system of claim 9, wherein the information associated with the data encryption key includes the identifier of the host system.
13. The storage system of claim 1, wherein the controller is configured to manage access to the data encryption key, in response to the request for the data encryption key, based on whether the host system is authorized.
14. A method for a storage system including a hardware processor, comprising: receiving, at the storage system, a first key from a host system; receiving, at the storage system, a request for a data encryption key from the host system, the request including an identifier of the host system or an identifier of a storage object to be accessed by the host system; in response to the request, sending a key identifier for the data encryption key from the storage system to a key manager system via a network, the key identifier being based on the identifier of the host system or the identifier of the storage object to be accessed, wherein the storage system is separate from each of the host system and the key manager system; receiving, at the storage system via the network, the data encryption key obtained by the key manager system by accessing a key vault that associates key identifiers with corresponding data encryption keys, wherein the key identifier sent from the storage system to the key manager system is associated with the data encryption key in the key vault; encrypting, at the storage system, the data encryption key using the first key to generate an encrypted data encryption key; sending the encrypted data encryption key from the storage system to the host system; and receiving, at the storage system, encrypted data from the host system, the encrypted data being encrypted using the data encryption key, which is obtained by the host system based on decrypting the encrypted data encryption key.
15. The method of claim 14, wherein the first key is a public key.
16. The method of claim 15, wherein the encrypted data is encrypted using the data encryption key obtained by the host system based on decrypting the encrypted data encryption key with a private key.
17. The method of claim 14, further comprising: receiving information associated with the data encryption key as part of a data access performed by the host system; and decrypting, at the storage system, encrypted data associated with a data service of the storage system in response to receiving the information associated with the data encryption key.
18. A non-transitory machine-readable storage medium comprising instructions that, when executed, cause a storage system to: receive a public key from a host system; receive, at the storage system, a request for a data encryption key from the host system, the request including an identifier of the host system or an identifier of a storage object to be accessed by the host system; in response to the request, send a key identifier for the data encryption key from the storage system to a key manager system via a network, the key identifier being based on the identifier of the host system or the identifier of the storage object to be accessed, wherein the storage system is separate from each of the host system and the key manager system; receive, at the storage system via the network, the data encryption key obtained by the key manager system by accessing a key vault that associates key identifiers with corresponding data encryption keys, wherein the key identifier sent from the storage system to the key manager system is associated with the data encryption key in the key vault; encrypt the data encryption key using the public key to generate an encrypted data encryption key; send the encrypted data encryption key from the storage system to the host system; receive encrypted data from the host system, the encrypted data being encrypted using the data encryption key, wherein the data encryption key is obtained by the host system by decrypting the encrypted data encryption key using a private key of the host system; and store the encrypted data in a storage medium of the storage system.
19. The non-transitory machine-readable storage medium of claim 18, wherein the instructions, when executed, cause the storage system to: in response to the request for the data encryption key, manage access to the data encryption key based on whether the host system is authorized.