US2021271763A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2021271763-A1 |
| Application number | US-202016803152-A |
| Country | US |
| Kind code | A1 |
| Filing date | Feb 27, 2020 |
| Priority date | Feb 27, 2020 |
| Publication date | Sep 2, 2021 |
| Grant date | — |
Official abstract text for this publication.
In a cloud-based multiple client encryption and deduplication environment, secret plaintext data of a client is encrypted to produce ciphertext in an enclave comprising a trusted execution environment which is inaccessible by unauthorized entities and processes even with administrator privileges. Encryption is performed with an initialization vector and an encryption key calculated in the enclave. The encrypted ciphertext is deduplicated prior to storage by comparing a hash of the corresponding plaintext data to hashes of previously stored plaintext data.
Opening claim text (preview).
1. A method of deduplicating and protecting secret client data in a multiple client data deduplication and storage environment, comprising: receiving in an enclave a block of secret plaintext data from a client; encrypting the block of received secret plaintext data by an application executing in a processor in said enclave to produce a corresponding ciphertext block, said enclave comprising a trusted execution environment which provides protected areas in an address space of said application for confidential information intended to be accessed only by a designated recipient, and which enclave is inaccessible by unauthorized entities and other processes even those having administrative privileges; deduplicating said ciphertext block against previously stored ciphertext by using the block of received plaintext data that produced said ciphertext block; and storing said deduplicated ciphertext block in the absence of previously stored ciphertext corresponding to said block of received plaintext data.
2. The method of claim 1, wherein said encrypting comprises calculating in said enclave an initialization vector that is particular to said received block of plaintext data and an encryption key that is common to a number of blocks, and encrypting said received block of plaintext data using said initialization vector and said encryption key to produce said ciphertext block, and wherein said encryption key and plaintext are inaccessible to unauthorized processes and entities.
3. The method of claim 1 further comprising calculating a hash of data in said block of received plaintext data, and wherein said deduplicating comprises comparing said hash against hashes of previously received plaintext blocks and, upon detecting a matching hash, further comparing metadata associated with a block of ciphertext corresponding to said block of received plaintext data to metadata associated with a previously received plaintext block having said matching hash, and upon said compared metadata being different, storing said block of ciphertext.
4. The method of claim 3, wherein said comparing metadata comprises determining whether a key version used to encrypt said previously received plaintext block data is different from a key version used to encrypt said block of received plaintext data, and upon determining that the key versions are different, said storing comprises overwriting in storage a block of ciphertext corresponding to said previously received plaintext data block with said block of ciphertext corresponding to said block of received plaintext data.
5. The method of claim 3, wherein upon there being no matching hashes, storing the block of ciphertext corresponding to the received plaintext data block as non-duplicated data, and storing with said block of ciphertext said metadata associated with said block of ciphertext.
6. The method of claim 1, wherein said metadata comprises an identifier of a key version and an initialization vector that were used to encrypt the corresponding block of received plaintext data to produce said block of ciphertext.
7. The method of claim 1 further comprising maintaining encryption keys used to encrypt plaintext data produce ciphertext data protected in said enclave from access.
8. The method of claim 1 further comprising receiving a request from a client for a block of plaintext data, verifying that the requesting client is authorized to receive the requested plaintext data, and, upon confirming authorization, retrieving from storage a block of ciphertext corresponding to the requested plaintext data, decrypting the retrieved block of ciphertext to produce the requested plaintext data, and returning to the requesting client the requested plaintext data.
9. The method of claim 1, wherein said receiving comprises receiving from said client said plaintext data at said enclave via a secure transmission level secured communications channel, and wherein the multiple clients are in one or more deduplication domains in which data of said clients in one deduplication domain are deduplicated against data of other clients in said deduplication domain.
10. A method of deduplicating and protecting private client data in a remote multiple client data deduplication and storage environment, comprising: encrypting private plaintext data of a client in an enclave to produce corresponding ciphertext, said enclave comprising a trusted execution environment providing protected areas for private client data in an address space of applications executing in said enclave, said address space being inaccessible except to designated entities and processes; calculating a hash of data comprising said private plaintext data; deduplicating said private plaintext data against ciphertext produced from other plaintext data by comparing said calculated hash to previously calculated hashes of said other plaintext data; and upon determining that said private plaintext data is not duplicate data, storing said ciphertext corresponding to said deduplicated private plaintext data.
11. The method of claim 10 further comprising calculating in said enclave an initialization vector and an encryption key, and wherein said encrypting comprises using said calculated initialization vector and encryption key to encrypt said plaintext data to produce said corresponding ciphertext.
12. The method of claim 10, wherein said client is a member of an ensemble of multiple clients that comprise a common deduplication domain, and said deduplicating comprises deduplicating said plaintext data against ciphertext produced from plaintext data of one or more of said multiple clients in said common deduplication domain.
13. The method of claim 10, wherein said enclave has access to credentials for verifying clients which are authorized to send plaintext data to said enclave for encryption, deduplication and storage, and said method further comprises verifying a client before receiving, encrypting, deduplicating and storing plaintext data from such client.
14. The method of claim 10, wherein said encrypting and deduplicating comprises encrypting and deduplicating compressed plaintext data from a client.
15. Computer readable non-transitory storage medium embodying executable instructions for controlling the operation of a processor to perform a method of deduplicating and protecting private client data in a remote data deduplication and storage environment, comprising: initializing an enclave in said remote environment, said enclave comprising a trusted execution environment providing protected areas for private client data in an address space of applications executing in said enclave, said address space being inaccessible except to designated entities and processes; encrypting in said enclave plaintext data of a client to produce corresponding ciphertext; calculating a hash of data comprising said plaintext data; deduplicating said corresponding ciphertext against ciphertext produced from other plaintext data by comparing said calculated hash to previously calculated hashes of said other plaintext data; and upon determining that said plaintext data is not duplicate data, storing said corresponding ciphertext of said deduplicated private plaintext data.
16. The computer readable non-transitory storage medium of claim 15 further comprising calculating in said enclave an initialization vector and an encryption key, and said encrypting comprises using said initialization vector and said encryption key to encrypt said plaintext data to produce said corresponding ciphertext, and wherein said encryption key a
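The dedup decision of claims 3 to 6 (hash the plaintext inside the enclave, look the hash up, and write a new ciphertext only when the block is absent or was encrypted under an older key version), as an added Go example that is not part of the patent or of any product implementing it. AES-256-GCM, the fixed 32-byte key type, the in-memory map index and the SetKey/Ingest names are this example's assumptions; the patent specifies none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
)

// StoredBlock is one ciphertext block plus the metadata of claim 6: key version and IV.
type StoredBlock struct {
	Ciphertext []byte
	KeyVersion int
	IV         []byte
}

// EnclaveStore is the assumed enclave-side state: the current key (held only here, never stored beside ciphertext), its version, and an index keyed by plaintext hash.
type EnclaveStore struct {
	aead       cipher.AEAD
	keyVersion int
	Index      map[[32]byte]*StoredBlock
}

func NewEnclaveStore(key [32]byte, version int) *EnclaveStore {
	s := &EnclaveStore{Index: map[[32]byte]*StoredBlock{}}
	s.SetKey(key, version)
	return s
}

// SetKey installs or rotates the key; blocks already stored are replaced only when a client resends the same plaintext (claim 4).
func (s *EnclaveStore) SetKey(key [32]byte, version int) {
	block, _ := aes.NewCipher(key[:]) // cannot fail: a 32-byte key is a valid AES-256 key
	s.aead, _ = cipher.NewGCM(block)  // cannot fail for an AES block cipher
	s.keyVersion = version
}

// Ingest (claims 3-5): hash the plaintext, look it up, and write only if the block is absent or was made under an older key version.
func (s *EnclaveStore) Ingest(plaintext []byte) (*StoredBlock, bool, error) {
	sum := sha256.Sum256(plaintext) // the dedup key is a hash of the plaintext, not of the ciphertext
	if prev, ok := s.Index[sum]; ok && prev.KeyVersion == s.keyVersion {
		return prev, false, nil // already stored under the current key: nothing to write
	}
	iv := make([]byte, s.aead.NonceSize()) // fresh IV per block (claim 2)
	if _, err := rand.Read(iv); err != nil {
		return nil, false, err
	}
	blk := &StoredBlock{s.aead.Seal(nil, iv, plaintext, nil), s.keyVersion, iv}
	s.Index[sum] = blk // new entry, or overwrite of a copy encrypted under an older key
	return blk, true, nil
}
```

Because the index is keyed on the plaintext hash rather than the ciphertext, two clients sending the same block still deduplicate even though their ciphertexts differ by IV; that index is therefore as sensitive as the data and belongs inside the enclave, which is where the claims place the hashing.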
CPC classifications:

- Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
- Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
- Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- Protecting personal data, e.g. for financial or medical purposes
- using cryptographic hash functions