US2016191247A1PendingUtilityA1

Client-side encryption in a deduplication backup system

44
Assignee: STORAGECRAFT TECHNOLOGY CORPPriority: Oct 7, 2014Filed: Mar 3, 2016Published: Jun 30, 2016
Est. expiryOct 7, 2034(~8.2 yrs left)· nominal 20-yr term from priority
G06F 11/1453G06F 3/065G06F 3/067H04L 9/3263G06F 3/0608G06F 3/0619H04L 9/3236G06F 3/0641H04L 9/3226G06F 16/90335G06F 21/6218G06F 21/62G06F 11/1451G06F 21/602G06F 11/1469G06F 11/1446
44
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Client-side encryption in a deduplication backup system. In one example embodiment, a method includes a backup phase in which various steps are performed for each allocated plain text block stored in a source storage. One step includes hashing, using a first cryptographic hash function, the plain text block to generate a first hash. Another step includes hashing, using a second cryptographic hash function, the first hash to generate a second hash. Another step includes searching a key-value table of a deduplication storage to determine whether the second hash matches any key in the key-value table. Another step includes, upon determining that the second hash does not match any key in the key-value table, encrypting, using an encrypt/decrypt function, the plain text block using the first hash as an encryption password and inserting a key-value pair into the key-value table with the key being the second hash and the value being the encrypted block.

Claims

exact text as granted — not AI-modified
1 . A method for client-side encryption in a deduplication backup system, the method comprising:
 a backup phase in which the following steps are performed for each allocated plain text block stored in a source storage at a point in time:
 hashing, using a first cryptographic hash function, the plain text block to generate a first hash; 
 hashing, using a second cryptographic hash function, the first hash to generate a second hash; 
 searching a key-value table of a deduplication storage to determine whether the second hash matches any key in the key-value table, each key-value pair in the key-value table including a key that is a hash and a value that is an encrypted block; 
 upon determining that the second hash does not match any key in the key-value table, encrypting, using an encrypt/decrypt function, the plain text block using the first hash as an encryption password and inserting a key-value pair into the key-value table with the key being the second hash and the value being the encrypted block; and 
 inserting an entry into an image map corresponding to the source storage that includes the first hash and a position of the plain text block as stored in the source storage. 
   
     
     
         2 . The method as recited in  claim 1 , further comprising:
 encrypting the image map; and   storing the encrypted image map in the deduplication storage.   
     
     
         3 . The method as recited in  claim 1 , wherein the image map is stored in the source storage. 
     
     
         4 . The method as recited in  claim 1 , further comprising a restore phase in which the following steps are performed for each entry in the image map:
 hashing, using the second cryptographic hash function, the first hash included in the entry to generate the second hash;   searching the key-value table to retrieve the encrypted block of the key-value pair having a key that matches the second hash;   decrypting, using the encrypt/decrypt function, the encrypted block using the first hash as a decryption password; and   storing the decrypted block in a restore storage at the position included in the entry.   
     
     
         5 . The method as recited in  claim 4 , further comprising:
 encrypting the image map subsequent to the backup phase; and   decrypting the image map prior to the restore phase.   
     
     
         6 . The method as recited in  claim 1 , wherein each of the first cryptographic hash function and the second cryptographic hash function is one of a SHA-1, SHA-2, SHA-3, or MD5 cryptographic hash function. 
     
     
         7 . The method as recited in  claim 1 , wherein the first cryptographic hash function is different from the second cryptographic hash function. 
     
     
         8 . The method as recited in  claim 1 , further comprising:
 a second backup phase in which the following steps are performed for each allocated plain text block stored in a second source storage at a second point in time:
 hashing, using the first cryptographic hash function, the plain text block to generate a fourth hash; 
 hashing, using the second cryptographic hash function, the fourth hash to generate a fifth hash; 
 searching the key-value table to determine whether the fifth hash matches any key in the key-value table; 
 upon determining that the fifth hash does not match any key in the key-value table, encrypting, using the encrypt/decrypt function, the plain text block using the fourth hash as an encryption password and inserting a key-value pair into the key-value table with the key being the fifth hash and the value being the encrypted block; and 
 inserting an entry into a second image map corresponding to the second source storage that includes the fourth hash and a position of the plain text block in the second source storage. 
   
     
     
         9 . The method as recited in  claim 8 , further comprising a second restore phase in which the following steps are performed for each entry in the second image map:
 hashing, using the second cryptographic hash function, the fourth hash included in the entry to generate the fifth hash;   searching the key-value table to retrieve the encrypted block of the key-value pair having a key that matches the fifth hash;   decrypting, using the encrypt/decrypt function, the encrypted block using the fourth hash as a decryption password; and   storing the decrypted block in a second restore storage at the position included in the entry.   
     
     
         10 . One or more non-transitory computer-readable media storing one or more programs that causes one or more processors to execute the method as recited in  claim 1 . 
     
     
         11 . A method for client-side encryption in a deduplication backup system, the method comprising:
 a backup phase in which the following steps are performed for each allocated plain text block stored in a source storage at a point in time:
 hashing, using a first cryptographic hash function, the plain text block to generate a first hash; 
 encrypting, using an encrypt/decrypt function, the plain text block using the first hash as an encryption password; 
 hashing, using a second cryptographic hash function, the encrypted block to generate a third hash; 
 searching a key-value table of a deduplication storage to determine whether the third hash matches any key in the key-value table, each key-value pair in the key-value table including a key that is a hash and a value that is an encrypted block; 
 upon determining that the third hash does not match any key in the key-value table, inserting a key-value pair into the key-value table with the key being the third hash and the value being the encrypted block; and 
 inserting an entry into an image map corresponding to the source storage that includes the first hash, the third hash, and a position of the plain text block as stored in the source storage. 
   
     
     
         12 . The method as recited in  claim 11 , further comprising:
 encrypting the image map; and   storing the encrypted image map in the deduplication storage.   
     
     
         13 . The method as recited in  claim 11 , wherein the image map is stored in the source storage. 
     
     
         14 . The method as recited in  claim 11 , further comprising a restore phase in which the following steps are performed for each entry in the image map:
 searching the key-value table to retrieve the encrypted block of the key-value pair having a key that matches the third hash included in the entry;   decrypting, using the encrypt/decrypt function, the encrypted block using the first hash as a decryption password; and   storing the decrypted block in a restore storage at the position included in the entry.   
     
     
         15 . The method as recited in  claim 15 , further comprising:
 encrypting the image map subsequent to the backup phase; and   decrypting the image map prior to the restore phase.   
     
     
         16 . The method as recited in  claim 11 , wherein each of the first cryptographic hash function and the second cryptographic hash function is one of a SHA-1, SHA-2, SHA-3, or MD5 cryptographic hash function. 
     
     
         17 . The method as recited in  claim 11 , wherein the first cryptographic hash function is the same as the second cryptographic hash function. 
     
     
         18 . The method as recited in  claim 11 , further comprising:
 a second backup phase in which the following steps are performed for each allocated plain text block stored in a second source storage at a second point in time:
 hashing, using the first cryptographic hash function, the plain text block to generate a fourth hash; 
 encrypting, using the encrypt/decrypt function, the plain text block using the fourth hash as an encryption password; 
 hashing, using the second cryptographic hash function, the encrypted block to generate a sixth hash; 
 searching a key-value table of the deduplication storage to determine whether the sixth hash matches any key in the key-value table; 
 upon determining that the sixth hash does not match any key in the key-value table, inserting a key-value pair into the key-value table with the key being the sixth hash and the value being the encrypted block; and 
 inserting an entry into a second image map corresponding to the second source storage that includes the fourth hash, the sixth hash, and a position of the plain text block as stored in the second source storage. 
   
     
     
         19 . The method as recited in  claim 18 , further comprising a second restore phase in which the following steps are performed for each entry in the second image map:
 searching the key-value table to retrieve the encrypted block of the key-value pair having a key that matches the sixth hash included in the entry;   decrypting, using the encrypt/decrypt function, the encrypted block using the fourth hash as a decryption password; and   storing the decrypted block in a second restore storage at the position included in the entry.   
     
     
         20 . One or more non-transitory computer-readable media storing one or more programs that causes one or more processors to execute the method as recited in  claim 11 .

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.