Title of invention Identifying and enforcing strict file confidentiality in the presence of system and storage administrators in a NAS system
Abstract A data storage architecture for networked access by clients includes a file server capable of communication with the clients via the network, physical storage organized as a plurality of logical volumes, and an encryption device in communication with both the file server and the physical storage.
Publication number US8769271(B1) Publication date 2014.07.01
Application number US201213443017 Filing date 2012.04.10
Applicant EMC Corporation Inventors Osmond Roger F;Goren Gil
Classification H04L29/06 Main classification H04L29/06
Agency Agent Gupta Krishnendu;D'Angelo Joseph
Principal claim 1. Data storage apparatus available to at least one requestor via a network, comprising: a file server capable of communication with at least one client via the network; physical storage comprising one or more logical unit numbers (LUNs) storing data and metadata; wherein the metadata is stored unencrypted and the data is stored encrypted on the one or more LUNs; and an encryption device enabled to selectively decrypt data stored on the one or more LUNs; wherein the encryption device is in communication with both the file server and the one or more LUNs; wherein first and second logical paths are established between the file server and the encryption device without direct communication between the encryption device and the at least one client, the first path being employed for a first type of requestor and the second path being employed for a second type of requestor, and wherein the encryption device is enabled to provide decrypted data and metadata to the file server via the first path, and to provide encrypted data and unencrypted metadata to the file server via the second path; wherein the first and second logical paths are established between the file server and the one or more LUNs by way of the encryption device, the first requestor having write access to the data, wherein the first requestor is an owner of the data being provided and the second requester does not have write access to the data, wherein the second requestor is other than an owner of the data being provided.
Address Hopkinton MA US