Per-volume tenant encryption and external key manager
US-2017364704-A1 · Dec 21, 2017 · US
Encrypting existing live unencrypted data using age-based garbage collection
US10659225B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10659225-B2 |
| Application number | US-201715638746-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 30, 2017 |
| Priority date | Jun 30, 2017 |
| Publication date | May 19, 2020 |
| Grant date | May 19, 2020 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
A system stores data in data units in a cluster in a cloud computing system, the data stored in the data units being encrypted or unencrypted depending on whether encryption is enabled or disabled when storing data in the data units. The system identifies one or more data units to defragment and defragments the identified data units by writing the data from the identified data units to one or more new data units and by releasing the identified data units for storing new data. The system encrypts unencrypted data from the identified data units when writing the data from the identified data units to the one or more new data units.
First claim
Opening claim text (preview).
What is claimed is: 1. A system comprising: a processor; and machine readable instructions, stored on a tangible machine readable medium, when executed by the processor, configure the processor to: store data in data units in a cluster in a cloud computing system, the data stored in the data units being encrypted or unencrypted depending on whether encryption is enabled or disabled when storing data in the data units; identify one or more data units to defragment based on at least one factor selected from an age of the data stored in the one or more data units, a type of the data stored in the one or more data units, an amount of data in the one or more data units, and a customer identity; defragment the identified data units by writing the data from the identified data units in mass storage to one or more new data units in mass storage and by releasing the identified data units for storing new data; and encrypt unencrypted data from the identified data units when writing the data from the identified data units to the one or more new data units. 2. The system of claim 1 wherein the machine readable instructions configure the processor to update metadata associated with the data units to route requests for data previously stored in the identified data units to the one or more new data units. 3. The system of claim 1 wherein the machine readable instructions configure the processor to encrypt the unencrypted data from the identified data units when encryption is disabled when storing data in the data units. 4. The system of claim 1 wherein the machine readable instructions configure the processor to encrypt the unencrypted data from the identified data units when encryption is enabled when storing data in the data units. 5. The system of claim 1 wherein the machine readable instructions configure the processor to allow dynamic enabling and disabling of encryption when storing data in the data units. 6. The system of claim 1 wherein the machine readable instructions configure the processor to encrypt each data unit of the unencrypted data using a separate key so that consecutive encrypted data units appear random. 7. The system of claim 6 wherein the machine readable instructions configure the processor to generate each separate key based on a separate seed randomly generated for each data unit of the unencrypted data and a first key assigned to an account to which the unencrypted data belongs. 8. The system of claim 7 wherein the machine readable instructions configure the processor to store a seed used to encrypt a data unit of the unencrypted data in unencrypted form in a header associated with the encrypted data unit and to use the seed stored in the header associated with the encrypted data unit when decrypting the encrypted data unit. 9. The system of claim 7 wherein the machine readable instructions configure the processor to encrypt the first key using a second key associated with the cluster. 10. The system of claim 9 wherein the machine readable instructions configure the processor to rotate the second key. 11. A method comprising: storing data in data units in a cluster in a cloud computing system, the data stored in the data units including unencrypted data; identifying one or more data units to defragment based on at least one factor selected from an age of the data stored in the one or more data units, a type of the data stored in the one or more data units, an amount of data in the one or more data units, and a customer identity; defragmenting the identified data units by writing the data from the identified data units in mass storage to one or more new data units in mass storage and by releasing the identified data units for storing new data; encrypting the unencrypted data from the identified data units when writing the data from the identified data units to the one or more new data units during the defragmenting of the identified data units; and updating metadata associated with the data units to route requests for data previously stored in the identified data units to the one or more new data units. 12. The method of claim 11 further comprising updating metadata associated with the data units to route requests for data previously stored in the identified data units to the one or more new data units. 13. The method of claim 11 further comprising encrypting each data unit of the unencrypted data using a separate key so that consecutive encrypted data units appear random. 14. The method of claim 13 further comprising generating each separate key based on a separate seed randomly generated for each data unit of the unencrypted data and a first key assigned to an account to which the data belongs. 15. The method of claim 14 further comprising storing a seed used to encrypt a data unit of the unencrypted data in unencrypted form in a header associated with the encrypted data unit and to use the seed stored in the header associated with the encrypted data unit when decrypting the encrypted data unit. 16. The method of claim 14 further comprising encrypting the first key using a second key associated with the cluster. 17. A system comprising: a processor; and machine readable instructions, stored on a tangible machine readable medium, when executed by the processor, configure the processor to: based at least partially upon encryption being enabled for a storage account, defragment a mass storage device by identifying one or more data units to defragment based on at least one factor selected from an age of the data stored in the one or more data units, a type of the data stored in the one or more data units, an amount of data in the one or more data units, and a customer identity, transferring data associated with the storage account from a first portion of the storage device comprising the one or more data units to a second portion of the storage device to release the first portion of the storage device for storing new data, the data stored on the first portion of the storage device including unencrypted data; and encrypt the unencrypted data stored on the first portion of the storage device while transferring the data from the first portion of the storage device to the second portion of the storage device. 18. The system of claim 17 , further comprising machine readable instructions, stored on the tangible machine readable medium, when executed by the processor, configure the processor to update metadata associated with the one or more data units to route requests for data previously stored in the identified data units to one or more new data units of the second portion of the storage device.
Assignees
Inventors
Classifications
using key encryption key · CPC title
- H04L9/14Primary
using a plurality of keys or algorithms · CPC title
Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title
Revocation or update of secret information, e.g. encryption key update or rekeying · CPC title
using chaotic signals · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US10659225B2 cover?
- A system stores data in data units in a cluster in a cloud computing system, the data stored in the data units being encrypted or unencrypted depending on whether encryption is enabled or disabled when storing data in the data units. The system identifies one or more data units to defragment and defragments the identified data units by writing the data from the identified data units to one or m…
- Who is the assignee on this patent?
- Microsoft Technology Licensing Llc
- What technology area does this patent fall under?
- Primary CPC classification H04L9/14. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue May 19 2020 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).