Method and Apparatus for Duplicated Data Management in Cloud Computing
US-2017346625-A1 · Nov 30, 2017 · US
US10911225B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10911225-B2 |
| Application number | US-201615172952-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 3, 2016 |
| Priority date | Jun 5, 2015 |
| Publication date | Feb 2, 2021 |
| Grant date | Feb 2, 2021 |
Abstract
An approach for full-path data encryption, where user virtualized computers (e.g., user VMs) are configured to communicate with other virtualized computers or VMs using IPsec protocol encryption standards. The user VMs may send a first encryption or authorization key to the other VMs, which the other VMs may use to authenticate the user VMs and encrypt and decrypt data stored to storage devices using a second encryption key. In some approaches, the other VMs may interpret or decrypt the data sent via IPsec and then perform data optimizations (e.g., compression, deduplication) on the data before decrypting/encrypting with the second key.
Claims (preview)
What is claimed is:

1. A method for optimizable full-path encryption in a virtualization environment, comprising: implementing an encrypted communication over a network session between a first virtual machine and a second virtual machine, wherein the second virtual machine executes as a virtualization controller that manages a storage pool having a first local storage on a host and a second local storage on a separate host in a virtualization environment; obtaining, at the second virtual machine, data in the encrypted communication at least by decrypting the encrypted communication; performing, by the second virtual machine, an optimization or transformation operation on the data for storage onto a specific local storage in the storage pool; and determining by the second virtual machine the specific local storage in the storage pool from at least the first local storage and the second local storage based at least in part on a frequency of access to the data and a category into which the data has been categorized.

2. The method of claim 1, wherein the optimization or transformation operation includes at least one of data deduplication, data compression, or data encoding in a different encoding scheme that is different from an encryption scheme used to encrypt the encrypted communication.

3. The method of claim 1, wherein the optimization or transformation operation includes an encryption operation that encrypts the data using a key.

4. The method of claim 1, wherein an Internet layer security protocol is used in encrypting or decrypting a communication over the network session, the communication corresponds to a data storage access request, a first key used in decrypting a second key comprises a key encryption key ("KEK"), and the second key comprises a data encryption key ("DEK").

5. The method of claim 4, wherein the KEK authenticates network communications for an entire network session between the first virtual machine and the second virtual machine.

6. The method of claim 5, wherein a subsequent write request is issued after an initial iSCSI request in the network session, and the method further comprises: encrypting IPsec decrypted data, which is received as a separate encrypted communication and upon which the optimization or transformation operation has been performed, into encrypted data using the second key for storage in the storage pool.

7. A computer program product embodied on a non-transitory computer readable medium having stored thereon a sequence of instructions which, when executed by a processor, causes the processor to execute a set of acts, the set of acts comprising: implementing an encrypted communication over a network session between a first virtual machine and a second virtual machine, wherein the second virtual machine executes as a virtualization controller that manages a storage pool having a first local storage on a host and a second local storage on a separate host in a virtualization environment; obtaining, at the second virtual machine, data in the encrypted communication at least by decrypting the encrypted communication; and performing, by the second virtual machine, an optimization or transformation operation on the data for storage onto a specific local storage in the storage pool; and determining by the second virtual machine the specific local storage in the storage pool from at least the first local storage and the second local storage based at least in part on a frequency of access to the data and a category into which the data has been categorized.

8. The computer program product of claim 7, wherein the optimization or transformation operation comprises at least one of data deduplication, data compression, or data encoding in a different encoding scheme that is different from an encryption scheme used to encrypt the encrypted communication.

9. The computer program product of claim 7, wherein an Internet layer security protocol is used in encrypting a communication over the network session, the communication corresponds to a data storage access request, a first key used in decrypting a second key comprises a key encryption key ("KEK"), and the second key comprises a data encryption key ("DEK").

10. The computer program product of claim 9, wherein the KEK authenticates network communications for an entire network session between the first virtual machine and the second virtual machine.

11. The computer program product of claim 10, wherein a subsequent write request is issued after an initial iSCSI request in the network session, and the set of acts further comprises: encrypting IPsec decrypted data, which is received as a separate encrypted communication and upon which the optimization or transformation operation has been performed, into encrypted data using the second key for storage in the storage pool.

12. A system, comprising: a computer processor to execute a set of program code instructions; and a memory to hold the set of program code instructions which, when executed by the computer processor, causes the computer processor at least to: implement an encrypted communication over a network session between a first virtual machine and a second virtual machine, wherein the second virtual machine executes as a virtualization controller that manages a storage pool having a first local storage on a host and a second local storage on a separate host in a virtualization environment; obtain, at the second virtual machine, data in the encrypted communication at least by decrypting the encrypted communication; and performing, by the second virtual machine, an optimization or transformation operation on the data for storage onto a specific local storage in the storage pool; and determining by the second virtual machine the specific local storage in the storage pool from at least the first local storage and the second local storage based at least in part on a frequency of access to the data and a category into which the data has been categorized.

13. The system of claim 12, wherein the optimization or transformation operation comprises at least one of data deduplication, data compression, or data encoding in a different encoding scheme.

14. The system of claim 12, wherein the memory holds the set of program code instructions which, when executed by the computer processor, further causes the computer processor at least to encrypt the data using a key after performing the optimization or transformation operation.

15. The system of claim 12, wherein an Internet layer security protocol is used in encrypting or decrypting a communication over the network session, the communication corresponds to a data storage access request, a first key used in decrypting a second key comprises a key encryption key ("KEK"), and the second key comprises a data encryption key ("DEK").

16. The system of claim 15, wherein the KEK authenticates network communications for an entire network session between the first virtual machine and the second virtual machine.

17. The system of claim 16, wherein a subsequent write request is issued after an initial iSCSI request in the network session, and the method further comprises: encrypting IPsec decrypted data which is received as a separate encrypted communication and upon which the optimization or transformation operation has been performed into encrypted data using the second key for storage in the storage pool.

18. A computer program product embodied on a non-transitory computer readable medium having stored thereon a sequence of instructions which, when executed by a processor, cau
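The claims describe a two-key design: the session between the user VM and the controller VM is protected by an Internet layer protocol (IPsec), the KEK sent over that session unwraps a DEK, and the controller decrypts the session traffic, deduplicates or compresses the plaintext, and only then encrypts it with the DEK for the storage pool. The following Python model is an added illustration and is not code from the patent or its assignee; it shows why the optimization step has to sit between the two encryption layers. The session cipher and the at-rest cipher are stand-ins built from HMAC-SHA256 so the script runs with the standard library only (a deployment would use IPsec ESP and an AEAD such as AES-GCM), and the names `StorageController`, `seal`, `open_`, `wrap_dek` and the 1024-byte block size are assumptions, not terms from the claims.

```python
"""Envelope keys (KEK wraps DEK) and decrypt-dedup-encrypt pipeline.

Added illustration, not code from the patent or its assignee. The ciphers
below are HMAC-SHA256 stand-ins chosen so the example needs only the
standard library; they model the shape of the flow, not a production AEAD.
"""
import hashlib
import hmac
import secrets

BLOCK = 1024  # constructed block size used for deduplication (assumption)


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC subkeys from one key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a stream cipher."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce; output is nonce || ct || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject on failure."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def wrap_dek(kek: bytes, dek: bytes) -> bytes:
    """Envelope step: the DEK is only ever stored under the KEK."""
    return seal(kek, dek)


class StorageController:
    """Stands in for the second VM: it receives the KEK over the session,
    unwraps the DEK, deduplicates on plaintext, then encrypts at rest."""

    def __init__(self, wrapped_dek: bytes):
        self.wrapped_dek = wrapped_dek
        self.dek = None
        self.chunks = {}   # sha256(plaintext block) -> block sealed under the DEK
        self.files = {}    # file name -> ordered list of chunk ids

    def open_session(self, session_key: bytes, kek_msg: bytes) -> None:
        """The user VM sends its KEK inside the protected session (the
        first key of the claims); the controller uses it to unwrap the DEK."""
        kek = open_(session_key, kek_msg)
        self.dek = open_(kek, self.wrapped_dek)

    def write(self, session_key: bytes, name: str, msg: bytes) -> int:
        """Decrypt the session message, dedup by plaintext hash, seal new
        blocks under the DEK. Returns how many blocks were actually stored."""
        data = open_(session_key, msg)
        ids, new = [], 0
        for off in range(0, len(data), BLOCK):
            block = data[off:off + BLOCK]
            cid = hashlib.sha256(block).hexdigest()
            if cid not in self.chunks:
                self.chunks[cid] = seal(self.dek, block)
                new += 1
            ids.append(cid)
        self.files[name] = ids
        return new

    def read(self, session_key: bytes, name: str) -> bytes:
        """Decrypt at rest with the DEK, then re-seal for the session."""
        data = b"".join(open_(self.dek, self.chunks[c]) for c in self.files[name])
        return seal(session_key, data)


def unique_ciphertexts(session_key: bytes, data: bytes) -> int:
    """What dedup on the still-encrypted session stream would see: because
    every block carries a fresh nonce, no two ciphertexts ever match."""
    return len({seal(session_key, data[o:o + BLOCK]) for o in range(0, len(data), BLOCK)})


def demo() -> dict:
    """Constructed sample: two files that share three of their four blocks."""
    kek, dek, session = (secrets.token_bytes(32) for _ in range(3))
    ctrl = StorageController(wrap_dek(kek, dek))
    ctrl.open_session(session, seal(session, kek))
    shared = b"".join(bytes([i]) * BLOCK for i in range(3))
    file_a = shared + b"A" * BLOCK
    file_b = shared + b"B" * BLOCK
    new_a = ctrl.write(session, "a", seal(session, file_a))
    new_b = ctrl.write(session, "b", seal(session, file_b))
    back = open_(session, ctrl.read(session, "b"))
    return {"new_a": new_a, "new_b": new_b, "stored": len(ctrl.chunks),
            "roundtrip": back == file_b,
            "ciphertext_dedup": unique_ciphertexts(session, file_a + file_b)}


if __name__ == "__main__":
    print(demo())
```

Writing the second file stores only its one new block because the controller hashes plaintext; counting distinct ciphertexts of the same eight blocks gives eight, which is the reason the claims place deduplication after IPsec decryption and before DEK encryption. The trade-off a reviewer would note is that the controller VM therefore holds plaintext and the unwrapped DEK in memory for the session, so its isolation (the second VM running as the virtualization controller) is what the at-rest key actually protects against.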
CPC classification titles:
- applying encryption of the keys
- at the network layer
- Network integration; Enabling network access in virtual machine instances
- Isolation or security of virtual machine instances
- Virtual private networks