Deduplication-based data security

What is claimed is: 1 . A secure system comprising: a storage; and a memory controller coupled to the storage, to: in response to a request to write data content to the storage, generate encrypted data content based at least in part on the data content; attempt to obtain a reference to the encrypted data content in the storage; in the event that the reference to the encrypted data content is obtained, modify a translation line to refer to the reference to the encrypted data content in the storage; and in the event that the reference to the encrypted data content is not obtained: store the encrypted data content at a new location; obtain a reference to the encrypted data content stored at the new location; and modify the translation line to refer to the reference to the encrypted data content stored at the new location. 2 . The system of claim 1 , wherein the storage includes a main memory, a secondary storage, or both. 3 . The system of claim 1 , wherein the memory controller performs a deterministic encryption function to generate the encrypted data content. 4 . The system of claim 1 , wherein the memory controller implements one or more of: Advanced Encryption Standard (AES), ECB-Mix-ECB (EME), XEX-TCB-CTS (XTS), and CBC-Mask-CBC (CMC). 5 . The system of claim 1 , further comprising a cache coupled to the memory controller, and wherein the cache stores unencrypted data. 6 . The system of claim 1 , further comprising a cache coupled to the memory controller, and wherein the cache stores deduplicated data. 7 . The system of claim 1 , further comprising a cache coupled to the memory controller, and wherein the memory controller is further to generate a secure pad on a cache miss and to use the secure pad to decrypt encrypted data fetched from the storage. 8 . The system of claim 1 , further comprising a cache coupled to the memory controller, and wherein the memory controller is further to: in response to a request to access data content at a read location, determine whether a translation line and a data line corresponding to the read location are available in the cache; and in the event that the data line is not available in the cache, to: load the data line from the storage; decrypt the data line; and save the decrypted result to the cache. 9 . The system of claim 1 , further comprising a cache coupled to the memory controller, wherein: the request to write data content is caused by a request to evict a cache line storing the data content, the cache line having been modified since it was last written to storage. 10 . The system of claim 1 , further comprising a processor to generate the request to write the data content; is the processor's address space includes multiple deduplication domains; and each deduplication domain has a corresponding key used to encrypt data content in said each deduplication domain. 11 . The system of claim 1 , wherein the translation line is encrypted. 12 . The system of claim 1 , wherein: the translation line is encrypted; and the data content and the translation line are encrypted using different keys. 13 . The system of claim 1 , wherein to attempt to obtain the reference to the encrypted data content in the storage includes to look up the encrypted data content in a content directory. 14 . The system of claim 1 , wherein: to attempt to obtain the reference to the encrypted data content in the storage includes to look up the encrypted data content in a content directory; and the content directory includes encrypted metadata. 15 . The system of claim 14 , wherein the encrypted metadata is encrypted using a common key that is shared across a plurality of protection domains sharing the content directory. 16 . The system of claim 1 , wherein a completion indication of a write operation is modified to change an indicated amount of time used to perform the write operation. 17 . The system of claim 1 , wherein on read access to a data line, the memory controller is further to perform an integrity check, including to determine whether the data content of the data line matches metadata associated with the data line. 18 . The system of claim 17 , wherein a potential security violation is reported in the event that the data content of the data line does not match the metadata associated with the data line. 19 . The system of claim 17 , wherein the metadata associated with the data line is generated using a secure keyed hash function. 20 . The system of claim 1 , wherein the storage includes a hybrid memory comprising a plurality of memories having different latencies. 21 . The system of claim 1 , wherein the storage includes a hybrid memory comprising a plurality of memories having different latencies, and a unit of encryption for a lower latency memory that is a different size than a unit of encryption for a higher latency memory. 22 . The system of claim 1 , wherein the storage includes an overflow area in which data lines having same data content have different encryption results. 23 . A method comprising: in response to a request to write data content to a storage, generating encrypted data content based on the data content; attempting to obtain a reference to the encrypted data content in the storage; in the event that the reference to the encrypted data content is obtained, modifying a translation line to refer to the reference to the encrypted data content in the storage; and in the event that the reference to the encrypted data content is not obtained: storing the encrypted data content at a new location; obtaining a reference to the encrypted data content stored at the new location; and modifying the translation line to refer to the reference to the encrypted data content stored at the new location. 24 . A computer program product for providing data security, the computer program product being embodied in a tangible computer readable storage medium and comprising computer instructions for: in response to a request to write data content to a storage, generating encrypted data content based on the data content; attempting to obtain a reference to the encrypted data content in the storage; in the event that the reference to the encrypted data content is obtained, modifying a translation line to refer to the reference to the encrypted data content in the storage; and in the event that the reference to the encrypted data content is not obtained: storing the encrypted data content at a new location; obtaining a reference to the encrypted data content stored at the new location; and modifying the translation line to refer to the reference to the encrypted data content stored at the new location.