Optimizable full-path encryption in a virtualization environment

US2016359622A1 · US · A1

Patent metadata

Publication number: US-2016359622-A1
Application number: US-201615172952-A
Country: US
Kind code: A1
Filing date: Jun 3, 2016
Priority date: Jun 5, 2015
Publication date: Dec 8, 2016
Grant date: not listed on this page

Abstract

Official abstract text for this publication.

An approach for full-path data encryption, where user virtualized computers (e.g., user VMs) are configured to communicate with other virtualized computers or VMs using IPsec protocol encryption standards. The user VMs may send a first encryption or authorization key to the other VMs, which the other VMs may use to authenticate the user VMs and encrypt and decrypt data stored to storage devices using a second encryption key. In some approaches, the other VMs may interpret or decrypt the data sent via IPsec and then perform data optimizations (e.g., compression, deduplication) on the data before decrypting/encrypting with the second key.

Claims (preview)

Claim text as published; the listing is cut off in the source after claim 24.

What is claimed is:

1. A method for optimizable full-path encryption in a virtualization environment, comprising: receiving a network communication encrypted via an internet layer security protocol, the network communication structured as a data storage access request, the network communication comprising a first key; decrypting the network communication via the internet layer security protocol; decrypting a second key using the first key; performing one or more data optimization operations on the decrypted network communication; encrypting the network communication using the second key; and storing the encrypted network communication as encrypted data in one or more data storage devices.

2. The method of claim 1, wherein the one or more data optimization operations is data deduplication.

3. The method of claim 1, wherein the one or more data optimization operations is data compression.

4. The method of claim 1, wherein encrypting the network communication using the second key occurs after the one or more data optimization operations.

5. The method of claim 1, wherein the internet layer security protocol is an internet protocol security ("IPsec"), the data storage access request is an iSCSI request, the first key is a key encryption key ("KEK") and the second key is a data encryption key ("DEK").

6. The method of claim 5, wherein the KEK authenticates network communications for an entire session.

7. The method of claim 6, wherein for the entire session, subsequent write requests after an initial iSCSI request further comprise: receiving a second network communication as IPsec decrypted data; performing one or more data optimization operations on the second decrypted network communication; encrypting the second network communication using the second key; and storing the encrypted second network communication as encrypted data in the one or more data storage devices.

8. A method for optimizable full-path encryption in a virtualization environment, comprising: receiving a network communication encrypted via an internet layer security protocol, the network communication structured as a data storage access request, the network communication comprising a first key; decrypting the network communication via the internet layer security protocol; decrypting a second key using the first key; receiving encrypted data from a storage pool, the encrypted data corresponding to the network communication; decrypting the encrypted data using the second key; performing one or more data optimization operations on the decrypted data; and sending the decrypted data as encrypted data via the internet layer security protocol.

9. The method of claim 8, wherein the one or more data optimization operations is data decompression.

10. The method of claim 8, wherein decrypting the encrypted data occurs before performing the one or more data optimization operations.

11. The method of claim 8, wherein the internet layer security protocol is an internet protocol security ("IPsec"), the data storage access request is an iSCSI request, the first key is a key encryption key ("KEK") and the second key is a data encryption key ("DEK").

12. The method of claim 11, wherein the KEK authenticates network communications for an entire session.

13. The method of claim 12, wherein for the entire session, subsequent read requests after an initial iSCSI request further comprise: receiving a second network communication as IPsec decrypted data; receiving a second encrypted data from the storage pool, the second encrypted data corresponding to the second network communication; decrypting the second encrypted data using the second key; performing the one or more data optimization operations on the second decrypted data; and sending the second decrypted data as a second encrypted data via the IPsec.

14. A computer program product embodied on a computer readable medium, the computer readable medium having stored thereon a sequence of instructions which, when executed by a processor, causes the processor to execute a method for optimizable full-path encryption in a virtualization environment, the method comprising: receiving a network communication encrypted via an internet layer security protocol, the network communication structured as a data storage access request, the network communication comprising a first key; decrypting the network communication via the internet layer security protocol; decrypting a second key using the first key; performing one or more data optimization operations on the decrypted network communication; encrypting the network communication using the second key; and storing the encrypted network communication as encrypted data in one or more data storage devices.

15. The computer program product of claim 14, wherein the one or more data optimization operations is data deduplication.

16. The computer program product of claim 14, wherein the one or more data optimization operations is data compression.

17. The computer program product of claim 14, wherein encrypting the network communication using the second key occurs after the one or more data optimization operations.

18. The computer program product of claim 14, wherein the internet layer security protocol is an internet protocol security ("IPsec"), the data storage access request is an iSCSI request, the first key is a key encryption key ("KEK") and the second key is a data encryption key ("DEK").

19. The computer program product of claim 18, wherein the KEK authenticates network communications for an entire session.

20. The computer program product of claim 19, wherein for the entire session, subsequent write requests after an initial iSCSI request further comprise: receiving a second network communication as IPsec decrypted data; performing one or more data optimization operations on the second decrypted network communication; encrypting the second network communication using the second key; and storing the encrypted second network communication as encrypted data in the one or more data storage devices.

21. A computer program product embodied on a computer readable medium, the computer readable medium having stored thereon a sequence of instructions which, when executed by a processor, causes the processor to execute a method for optimizable full-path encryption in a virtualization environment, the method comprising: receiving a network communication encrypted via an internet layer security protocol, the network communication structured as a data storage access request, the network communication comprising a first key; decrypting the network communication via the internet layer security protocol; decrypting a second key using the first key; receiving encrypted data from a storage pool, the encrypted data corresponding to the network communication; decrypting the encrypted data using the second key; performing one or more data optimization operations on the decrypted data; and sending the decrypted data as encrypted data via the internet layer security protocol.

22. The computer program product of claim 21, wherein the one or more data optimization operations is data decompression.

23. The method of claim 21, wherein decrypting the encrypted data occurs before performing the one or more data optimization operations.

24. The method of claim 21, wherein the inter
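Claims 1 and 8 pin down the order in which the receiving VM handles a request: strip the IPsec layer, unwrap the DEK with the KEK carried in the request, run deduplication and compression on the plaintext, and only then encrypt with the DEK (writes) or, for reads, decrypt with the DEK before decompressing. The Python below is an added illustration of that ordering, not code from the patent or from Nutanix; it assumes an HMAC-based keystream as a stand-in for a real block cipher and a constructed six-block workload, and contrasts the claimed order with encrypting before deduplication to show why the optimization step has to sit between the two keys.

```python
import hashlib, hmac, os, zlib

def keystream_xor(key, nonce, data):
    # HMAC-SHA256 counter-mode keystream: a stdlib stand-in for a real block cipher, not production crypto.
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap_dek(kek, dek):   # KEK-wrapped DEK carried in the first request: nonce || E_KEK(DEK)
    nonce = os.urandom(12)
    return nonce + keystream_xor(kek, nonce, dek)

def unwrap_dek(kek, wrapped):
    return keystream_xor(kek, wrapped[:12], wrapped[12:])

def write_path(kek, request, store):
    # Claim 1 ordering (IPsec layer already removed): unwrap the DEK with the KEK,
    # dedup and compress the plaintext, then encrypt each unique chunk with the DEK.
    dek = unwrap_dek(kek, request["wrapped_dek"])
    layout = []
    for chunk in request["chunks"]:
        fp = hashlib.sha256(chunk).digest()      # dedup fingerprint on plaintext
        if fp not in store:                      # only new content hits the pool
            nonce = os.urandom(12)
            store[fp] = nonce + keystream_xor(dek, nonce, zlib.compress(chunk))
        layout.append(fp)
    return layout

def read_path(kek, request, store, layout):
    # Claim 8 ordering: unwrap the DEK, decrypt each stored chunk with it, then decompress.
    dek = unwrap_dek(kek, request["wrapped_dek"])
    return b"".join(zlib.decompress(keystream_xor(dek, store[fp][:12], store[fp][12:]))
                    for fp in layout)

def encrypt_first(dek, chunks):
    # Contrast: encrypting before fingerprinting leaves nothing to deduplicate,
    # because a fresh nonce makes every ciphertext distinct.
    blobs = [(n := os.urandom(12)) + keystream_xor(dek, n, c) for c in chunks]
    return {hashlib.sha256(b).digest(): b for b in blobs}

def demo():
    # Constructed workload: six 4 KiB blocks with only three distinct contents.
    kek, dek = os.urandom(32), os.urandom(32)
    a, b, c = (bytes([i]) * 4096 for i in (1, 2, 3))
    request = {"wrapped_dek": wrap_dek(kek, dek), "chunks": [a, b, a, c, a, b]}
    store = {}
    layout = write_path(kek, request, store)
    return {"unique_stored": len(store),
            "encrypt_first_stored": len(encrypt_first(dek, request["chunks"])),
            "roundtrip_ok": read_path(kek, request, store, layout) == b"".join(request["chunks"])}
```

`demo()` reports three stored chunks under the claimed ordering against six when the DEK is applied first, and confirms the read path reproduces the original blocks.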

Assignees

Nutanix Inc

Inventors

Classifications

  • H04L9/0822 (primary): using key encryption key

  • Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these (network architectures or network communication protocols for key exchange in a packet data network H04L63/061)

  • Compression (speech analysis-synthesis for redundancy reduction G10L19/00; for image communication H04N); Expansion; Suppression of unnecessary data, e.g. redundancy reduction

  • Saving storage space on storage systems

  • Single storage device

Frequently asked questions

Answers are generated from the same data shown on this page.

Q: What does patent US2016359622A1 cover?

A: An approach for full-path data encryption, where user virtualized computers (e.g., user VMs) are configured to communicate with other virtualized computers or VMs using IPsec protocol encryption standards. The user VMs may send a first encryption or authorization key to the other VMs, which the other VMs may use to authenticate the user VMs and encrypt and decrypt data stored to storage devices…

Q: Who is the assignee on this patent?

A: Nutanix Inc

Q: What technology area does this patent fall under?

A: Primary CPC classification H04L9/0822. Mapped technology areas include Electricity.

Q: When was this patent published?

A: Publication date Dec 8, 2016 (A1). Legal status and post-grant events are not shown on this page.

Q: What related patents are in patentsdb?

A: We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).