Achieving strong cryptographic correlation between higher level semantic units and lower level components in a secure data storage system

摘要

A data storage architecture for networked access by clients includes a file server capable of communication with the clients via the network, physical storage organized as a plurality of logical volumes, and an encryption device in communication with both the file server and the physical storage. The encryption device is operable in response to signaling from the file server, including an indication of a range of blocks of data, to cause encryption of the range of blocks with an encryption key that is unique within the physical storage. The encryption device includes nested tables mapping block ranges to encryption keys. Consequently, undesirable key sharing across files, file systems, and other units can be avoided down to the block level.

主权项

1. Data storage apparatus available to at least one client via a network, comprising:
a file server capable of communication with the client via the network; physical storage; an encryption device in communication with both the file server and the physical storage; wherein the encryption device is operable in response to signaling from the file server, including an indication of a range of blocks of data, to cause encryption of the range of blocks with an encryption key that is unique within the physical storage; wherein the file server includes at least one nested table indicative of a mapping of component ID to block range; wherein the file server is operative to signal a block map indicative of a range of blocks corresponding to a component ID to the encryption device via an out-of-band control channel.