Title of invention: Encryption solution for protecting file systems in multi-host clusters
Abstract: A method of managing file security in a cluster environment is provided. The method includes passing a request for a file from a secure file system layer to a secure volume manager layer and locking at least a portion of the file as affected by the request, at a cluster file system layer. The method includes passing one or more keys from the secure file system layer to the secure volume manager layer. The method includes decrypting the file as received, in response to the request for the file including a read request for the file, prior to sending the decrypted file to the secure file system layer. The method includes encrypting the file as received, in response to the request for the file including a write request for the file, prior to sending the encrypted file to the input/output layer.
Publication number: US9202077(B2) Publication date: 2015.12.01
Application number: US201314015954 Application date: 2013.08.30
Applicant: Vormetric, Inc. Inventor: Sadrolashrafi Masoud
Classification: H04L29/06;G06F21/62 Main classification: H04L29/06
Agency: Womble Carlyle Sandridge & Rice LLP Agent: Womble Carlyle Sandridge & Rice LLP
Main claim: 1. A method of managing file security in a multi-host cluster environment, comprising: passing a request for a file from a secure file system layer process local to one of a plurality of hosts in the multi-host cluster environment through a cluster file system layer process local to the one of the plurality of hosts to a secure volume manager layer process local to the one of the plurality of hosts, wherein the file is to be written to or read from a network shared storage coupled to the plurality of hosts; locking at least a portion of the file as affected by the request, at the cluster file system layer process, the locking preventing access by other requests; passing one or more keys from the secure file system layer process to the secure volume manager layer process; decrypting, via application of the one or more keys at the secure volume manager layer process, the file as received, in response to the request for the file including a read request for the file, prior to sending the decrypted file to the secure file system layer process; and encrypting, via application of the one or more keys at the secure volume manager layer process, the file as received, in response to the request for the file including a write request for the file, prior to sending the encrypted file to an input/output layer process, wherein at least one method operation is executed through a processor.
Address: San Jose CA US