JP2006260491A - Storage array device, coding recording system, coding record reading method and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a display array device for performing continuously data processing without interrupting it, when a trouble occurs in coding processing by actualizing efficient coding processing for reducing the processing time and simplify introduction, and to provide a coding recording device, a coding record reading method, and a coding record reading program. <P>SOLUTION: A HDDI/F part 22 of each of a plurality of HDDs 12, a host I/F part 26 of a RAID control device 23, code processors I/F 28, 43 of each of a plurality of code-processing parts 14, 42 for performing coding record or decoding reading of each HDD 12, and a code management I/F 33 of a code management part 15 for managing the code processing parts 14, 42 are connected to each another via a data line D for constituting the display array device 41a. The standards for the HDDI/F part 22, the code processors I/F 28, 43 and the code management I/F 33 are made the same. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention includes a storage array device that includes a plurality of storages that are data storage devices and performs distributed recording and reading of encrypted data, an encryption recording system, an encryption record reading method, and encryption recording It relates to a reading program.

  As shown in FIG. 12, a conventional storage array apparatus has a RAID control unit for controlling the operation of a plurality of storages (in this case, HDD: using a hard disk drive), and a host for inputting information from the outside. The I / F unit (host interface) 51 is provided, and the plurality of storages 55 are individually provided with an HDD I / F unit 53 that is an interface and an HDD control unit 54 that controls the operation of the storage. . Symbol D indicates a data line.

  The RAID control device 52 includes a RAID control unit 61, a CPU 62, and a memory 63 such as a ROM in which management software for managing RAID control is recorded. The RAID control unit 61 takes in the encrypted data from the encryption device 57 outside the disk array device 56 through the host I / F 51 based on the drive of the CPU 62 that executes the management software, and uses the data for RAID processing. Is added to the data line D and output to the data line D to be distributed and recorded on each HDD 55.

  Here, RAID (redundant array of independent disks) means a disk array device (hereinafter the same). HDD is an abbreviation for hard disk drive, which is one of data storage devices including magnetic disks.

  On the other hand, the encryption device 57 described above encrypts the data output from the server 65 via the switch 64 and outputs it to the host I / F 51, and decrypts the read data transferred from the host I / F 51 to switch the data. 64 is provided with a function of appropriately executing processing to be output to the server 65 via 64.

  In addition, in the conventional example in which data is distributed and recorded on a plurality of recording devices, there is a distributed data archive device in which a data file is divided and encrypted and stored in a plurality of data servers via a network communication means. It is known (for example, refer to Patent Document 1). In addition to receiving and storing encrypted data, a data management system is known in which the received encrypted data is transferred to another device (see, for example, Patent Document 2). Furthermore, a data protection storage method is known in which data is encrypted and then divided and stored in a plurality of servers via a network (see, for example, Patent Document 3).

WO01 / 046808 JP 2004-048336 A JP 2004-171207 A

  However, in the array type encryption recording apparatus shown in FIG. 12 and the conventional examples shown in the above-mentioned documents 1, 2, and 3, data is encrypted by one encryption apparatus. There was a problem that a bottleneck occurred and time was required. In addition, since one encryption device is used as another device, installation space, power supply, and the like are required, and it is necessary to arrange, set, and manage the encryption device. Moreover, when a failure occurs in one encryption device, data processing may have to be interrupted, and there is a problem in terms of reliability.

  The present invention improves the disadvantages of the above-mentioned conventional example, and in particular, a storage array device, an encryption recording system, an encryption record reading method, which shortens the encryption processing time, thereby improving the efficiency of encryption processing, It is another object of the present invention to provide an encrypted record reading program.

  In order to achieve the above object, the present invention includes a plurality of storages for data storage and a RAID control unit that controls allocation of data to be processed when data is recorded in each storage. Each storage is equipped with an encryption processing unit that is controlled by the RAID control unit and performs the above-described data encryption recording (recording or decryption reading) for each storage (Claims 1 and 2).

  Here, the cryptographic processing unit described above may be provided with a cryptographic management unit that manages the operation of the cryptographic processing unit (claim 3).

  Furthermore, in the present invention, the storage array apparatus provided with a plurality of storages for data storage and a RAID control unit for controlling allocation of data to be subjected to data recording or data reading to each storage is described above. A plurality of encryption processing units that perform encryption recording or decryption reading of the data for each storage based on the control of the RAID control unit, management of encryption keys used by each encryption processing unit, whether each encryption processing unit can operate And a cryptographic management unit that manages the operation of each cryptographic processing unit (claim 4).

  For this reason, in the present invention, there is a gist in providing an encryption processing unit for each storage, and it is possible to record the data encrypted and distributed for each encryption processing unit for each storage. . As a result, even if the amount of data is large, the entire encryption can be performed in a short time, and the efficiency of distributed recording processing to each storage can be promoted more effectively. As a result, the recording processing can be shortened. It becomes possible to plan. Needless to say, the concept of storage includes all recording media such as a hard disk, an optical disk, a magnetic tape, and a storage device, and the technical idea of the present invention includes it.

  Here, the storage interfaces of the plurality of storages, the host interface of the RAID control unit, the cryptographic processing interfaces of the plurality of cryptographic processing units, and the cryptographic management interface of the cryptographic management unit are connected through a single data line. The standards of at least each storage interface, each cryptographic processing interface, and each cryptographic management interface may be the same standard.

  In this way, since the standards of at least each storage interface, each cryptographic processing interface, and cryptographic management interface are the same, it is possible to easily cope with an increase in storage, cryptographic processing unit, etc. The burden can be greatly reduced.

  In addition, a key management computer that collectively manages the encryption key managed by the encryption management unit and the data indicating whether the operation is possible may be provided.

  In this way, the key management computer can collectively manage the encryption key and operation availability data and delete it from the encryption management unit, so that the safety of the data can be improved. The timing of transferring the encryption key and the operational availability data to the key management computer is arbitrary, and may be performed during the data processing or after the data processing ends. The contents of the operation availability data can be determined by classifying or leveling from IP address information of a server or the like that requests access (encrypted recording or decryption reading), for example.

  Here, a configuration may be adopted in which two or more encryption processing units are provided for each storage described above.

  In this way, even if a failure occurs in one encryption processing unit, the data processing (encrypted recording or decryption reading) is continued without interruption in order to immediately activate the other encryption processing unit. There is an advantage that can be.

  Further, each of the above-mentioned storages may be constituted by a hard disk drive (HDD).

  Furthermore, the invention described in claim 9 includes an arbitrary number of servers connected to the network and a switch for arbitrarily accessing the arbitrary number of servers. At the same time, each storage interface of a plurality of storages and at least one of the above-mentioned arbitrary number of servers control the allocation for each storage of data acquired through the above-described switch and read from each storage. The host interface of the RAID control unit that performs control to assemble data and transmit it to the destination server via the switch described above, and performs encryption recording or decryption reading of data for each storage based on the control of the RAID control unit Each cryptographic processing interface of a plurality of cryptographic processing units and a cryptographic management unit that manages the cryptographic keys used by the cryptographic processing units described above, manages the operation of each cryptographic processing unit, and manages the operation of each cryptographic processing unit A storage array connected to the cryptographic management interface via a single data line And location, and a key management computer collectively manages the data encryption key and the operation permission described above.

  The respective standards of each storage interface, each cryptographic processing interface, and cryptographic management interface described above are the same standard (claim 9).

  In this way, since at least each storage interface, each encryption processing interface, and each encryption management interface standard is the same, even when adding storage, encryption processing unit, etc. can be handled simply and easily, The burden on the user can be greatly reduced.

  In the encrypted recording / reading method according to the present invention, an allocation or assembly process for controlling allocation or assembly of data at the time of recording or reading with respect to a plurality of storages, and the plurality of storages based on the control of the allocation or assembly. Each of the allocated data is individually encrypted and recorded in parallel, or each of the plurality of storages is individually decrypted and read in parallel, an encrypted recording or decryption reading step; A management step of deleting the encryption key at the time of encryption recording or decryption reading from the storage and the data indicating whether the encryption recording or decryption reading operation is possible after being separately transferred to a computer and managing the data by the computer It was set as the structure (Claim 10).

  In the above invention, the allocation or assembling process controls the data allocation or assembling at the time of recording or reading with respect to the plurality of storages, and the data allocated to each of the plurality of storages during the encryption recording or decryption reading process. Are individually encrypted and recorded in parallel, or individually decrypted and read from each of the plurality of storages.

  Further, in the management process, the encryption key and the data indicating whether the encrypted recording or decryption read operation is possible are separately transferred to a computer and then deleted and managed by the computer. The assigning or assembling process is a process of performing either the assigning process or the assembling process, and is referred to for the purpose of simplifying the description. The encryption recording or decryption reading process is also a process of performing either the encryption recording process or the decryption reading process, which is also referred to in the sense of simplifying the description.

  In the encrypted recording / reading program according to the present invention, the step of controlling the allocation or assembly of data at the time of recording or reading to / from a plurality of storages and the allocation to each of the plurality of storages based on the control of the allocation or assembly. The data is individually encrypted and recorded in parallel, or is individually decrypted and read from each of the plurality of storages in parallel.

  Further, a step of deleting the encryption key at the time of encryption recording or decryption reading with respect to each storage and the data indicating whether or not the operation of encryption recording or decryption reading is separately transferred to a computer and managing the data by the computer Are executed by the CPU (claim 11).

  For this reason, in the present invention, in the data recording mode, data is allocated for recording to a plurality of storages in one step, and the allocated data is individually assigned to each of the plurality of storages in the next step. In parallel, the encrypted key is recorded in the next step, and the encryption key and the data indicating whether or not the encrypted recording is operable are transferred to the key management computer and managed by the computer. In the mode of reading data, the data is individually decrypted and read in parallel from each of the plurality of storages in one step, and the read data is appropriately assembled and transmitted in the next step, and encrypted in the next step. The key and the data indicating whether or not the encrypted recording is operable are transferred to the key management computer and managed by the computer.

  As described above, according to the present invention, since the encryption processing unit is provided for each storage, it is possible to improve the efficiency of the encryption processing and shorten the recording or reading processing time. In addition, since the interface standards of each storage, each cryptographic processing unit, and cryptographic management unit are made the same, the introduction can be simplified, and the addition of storage and cryptographic processing units is simplified and easy. The burden on the user can be greatly reduced. In addition, since each storage has two or more encryption processing units, even if a failure occurs in one encryption processing unit during encryption processing or decryption processing, the other encryption processing unit is activated immediately and the data Processing can be continued without interruption, and reliability can be greatly improved.

  As described above, according to the present invention, since the encryption processing unit is provided for each storage and the encryption is processed in parallel, the encryption process can be executed efficiently, thereby enabling the recording or reading process. There is an unprecedented excellent effect that the time can be shortened.

  An array type encryption recording apparatus as an encryption recording apparatus according to the first embodiment of the present invention will be described below with reference to the drawings. FIG. 1 is a functional block diagram showing an outline of a functional configuration of the array type encryption recording apparatus according to the first embodiment.

  As shown in FIG. 1, the array type encryption recording apparatus 11 of this example includes a plurality of storages 12 and a RAID control unit 13A that controls data allocation or link at the time of recording or reading for each storage 12. A plurality of encryption processing units 14 that perform encryption recording or decryption reading of the data for each storage 12 based on the control of the RAID control unit 13A, management of encryption keys used by each encryption processing unit 14, It includes a storage array device 16 that includes a cryptographic management unit 15 that manages whether the cryptographic processing unit 14 can operate and manages the operation of each cryptographic processing unit 14. The encryption management unit 15 is connected to a key management computer 17 that collectively manages encryption keys managed by the encryption management unit 15 and server classification information (corresponding to operation availability data). Here, reference numeral 13 denotes a RAID control device.

  The disk array device 16 is connected via a switch 18 to a network 20 to which a plurality of servers 19 are subscribed. The switch 18 is appropriately switched based on, for example, the IP address information of the server 19 in order to select and specify the server 19 that transmits / receives predetermined data to / from the disk array device 16 among the plurality of servers 19. The switch 18 may be configured to transmit and receive predetermined data in parallel between the disk array device 16 and the plurality of servers 19 by, for example, time division multiplexing.

  When the RAID control unit 13AA acquires data including a data recording request from any of the servers 19 via the switch 18, the RAID control unit 13AA allocates the data to each divided data so as to divide the data into, for example, predetermined units. The RAID information is added and transferred to the encryption management unit 15. The encryption management unit 15 adds server classification information and encryption instruction information indicating the server level, class, and the like to each divided data, and transfers the data to each encryption processing unit 14. Each encryption processing unit 14 has a one-to-one correspondence with each storage 12, and sequentially encrypts data assigned to itself based on the encryption key used by the encryption management unit 15 and records it in the storage 12 having a corresponding relationship. (Distributed recording). After the data recording is completed, the encryption management unit 15 transfers the server classification information, the encryption information, and the encryption key to the key management computer 17 to be collectively managed, and erases each piece of information for ensuring safety.

  When the RAID control unit 13AA receives a data read request from any of the servers 19 via the switch 18, the RAID control unit 13AA outputs information to that effect to the encryption management unit 15. The encryption management unit 15 determines whether or not the data related to the read request is encrypted, and whether or not the current server 19 is the read-permitted server 19 from the server classification information acquired from the key management computer 17. If all the determination results are affirmative, the key information is acquired from the key management computer 17 and transferred to each encryption processing unit 14, and each encryption processing unit 14 is requested to read and decrypt the data. To do. Each encryption processing unit 14 reads the encrypted data from the storage 12 corresponding to itself, decrypts (decrypts) it, and transmits it to the RAID control unit 13A. As a result, the RAID control unit 13A links the read data in an appropriate order, adds the IP address information and the like of the server 19, and transmits the read request to the server 19 via the switch 18.

  Next, a specific configuration of the array type encryption recording apparatus 11 will be described. FIG. 2 is a block diagram showing a specific configuration of the array type encryption recording apparatus 11 according to the first embodiment. In FIG. 2, the network 20 is not shown.

  A plurality of storages (hereinafter referred to as HDD (Hard Disk Drive)) 12 of the array type encryption recording apparatus 11 of this example shown in FIG. 2 are respectively an HDD control unit 21 and a storage interface (hereinafter referred to as HDD I / F unit) 22. Each HDD I / F unit 22 is connected to one bus-type data line D, for example.

  The RAID control device 23 includes a RAID control unit 13A, a CPU 24, a memory 25 such as a ROM for recording management software, and a host interface (hereinafter referred to as a host I / F unit) 26. The host I / F unit 26 includes: Connected to data line D. The RAID control unit 13A and the host I / F unit 26 are controlled by the CPU 24 that executes management software in the memory 25 in detail for various operations to be described later. On the other hand, the host I / F unit 26 is also connected to the switch 18 via the communication cable C1. For example, the host I / F unit 26 transmits / receives various data to / from the plurality of servers 19 via the switch 18 by time division multiplexing control. It is possible.

  Each of the plurality of cryptographic processing units 14 includes a cryptographic processing interface (hereinafter referred to as cryptographic processing I / F) 28, and each cryptographic processing I / F 28 is connected to the data line D. As described above, each encryption processing unit 14 is configured to be associated with one HDD 12 on a one-to-one basis, and performs encryption recording or decryption reading exclusively for one HDD 12 having a corresponding relationship. Is.

  The cryptographic management unit 15 includes a CPU 31, management software, and a memory 32 such as a ROM for recording various necessary data to be described later, and further includes a cryptographic management interface (hereinafter referred to as a cryptographic management I / F) 33 and a key management. An interface (hereinafter referred to as a key management I / F) 34 is provided, and the encryption management I / F 33 is connected to the data line D. The key management I / F 34 is connected to a key management computer (hereinafter referred to as a key management PC) 17 via, for example, a communication cable C2.

  On the other hand, each HDD I / F unit 22, each cryptographic processing I / F 28, and key management I / F 34 are configured according to the same standard. By configuring each of the I / Fs 22, 28, and 34 to the same standard, it is possible to simplify and facilitate the addition and addition of HDDs and encryption processing units.

  The plurality of HDDs 12, each HDD control unit 21, each HDD I / F unit 22, RAID control device 23, a plurality of cryptographic processing units 14, each cryptographic processing I / F 28, a cryptographic management unit 15, a cryptographic management I / F 33, and The disk array device according to claim 1, comprising a key management I / F 34 and connecting each HDD I / F unit 22, host I / F unit 26, and each cryptographic management I / F 33 to one data line D. 16 is configured.

  Next, with reference to FIG. 3 to FIG. 5, a method for encrypting and recording predetermined data in each HDD 12 will be described as an example of the array-type encrypted record reading method according to the present embodiment. First, as indicated by symbol a in FIG. 3, when there is a write data input, that is, a predetermined data recording request from one server 19 to the host I / F unit 26 via the switch 18, for example, the RAID controller 23. The CPU 24 recognizes the recording request and activates the RAID control unit 13A, and adds RAID information to the current data to perform the distributed recording of the current series of data, as indicated by symbol b in FIG. As indicated by reference numeral c in FIG. 3, the data with the current RAID information added is transferred from the host I / F unit 26 to the encryption management I / F 33 (allocation step).

  The cryptographic processing unit 15 identifies server classification information and encryption instruction information created from, for example, the IP address information of the server 19 of the current data transferred to the cryptographic management I / F 33, and server classification information and Add encryption instruction information. Then, as indicated by a symbol d in FIG. 4, the current data is distributed and transferred to the respective cryptographic processing units 14 through the respective cryptographic processing interfaces 28 in order to distribute and record the current series of data (allocation step). 4 illustrates the case where the encryption management unit 15 is provided in the RAID control device 23, and the encryption key and the like are transferred from the key backup I / F unit (that is, the key management I / F unit 34) to the key backup PC. It is also possible to transfer to (that is, the key management PC 17).

  As a result, each encryption processing unit 14 identifies the encryption key from the encryption instruction information and performs encryption using the encryption key for the data that has been divided and transferred this time, as indicated by symbol e in FIG. In addition, as indicated by the symbol f in FIG. 5, the encrypted data is successively transferred to the HDD control unit 21 having a corresponding relationship through the encryption processing I / F 28 and the HDD I / F unit 22 (encryption). Recording process). Each HDD control unit 21 records the encrypted data this time in each HDD 12 one after another (encryption recording step).

  Further, each cryptographic processing unit 14 transmits the cryptographic key (key information) used for the cryptographic processing to the cryptographic management unit 15 through the cryptographic processing I / F 28 and the cryptographic management I / F 33, as indicated by symbol g in FIG. . The cipher management unit 15 transfers the cipher key (key information) acquired from each cipher processing unit 14 and the current server classification information to the key management PC 17 through the key management I / F 34, as indicated by symbol h in FIG. Let them be managed collectively (management process). Then, the encryption management unit 15 erases the key information existing inside to prevent leakage of key information from the disk array device 11a. However, the transfer and deletion of the key information and the server classification information may be performed at the stage when all of the current encrypted recording is completed.

  Next, a method for decrypting (decoding) and reading predetermined data from each HDD 12 will be described as another example of the array-type encrypted record reading method according to the present embodiment with reference to FIGS. First, as indicated by reference symbol a in FIG. 6, when there is a read command, that is, a predetermined data read request from one server 19 via the switch 18, for example, to the host I / F unit 26, the RAID controller 23. The CPU 24 recognizes the recording request, activates the RAID control unit 13A, and outputs a current data read request to the encryption management unit 15 through the host I / F unit 26 and the encryption management I / F 33, for example.

  The CPU 31 of the encryption management unit 15 first confirms whether or not the data of the current read request is encrypted, as indicated by the symbol b in FIG. If the current read data is encrypted data, the CPU 31 of the encryption management unit 15 acquires server classification information from the key management PC 17 and stores it in the memory 32, as indicated by reference numeral c in FIG. In addition, as indicated by symbol b in FIG. 6, it is confirmed whether or not the server 19 to be read this time is a server that is permitted to read.

  When the current read data is encrypted, and the server 19 of the current read request is a server that is permitted to read, the cipher management unit 15 encrypts the key management PC 17 from the key management PC 17 as indicated by reference numeral d in FIG. A key (key information) is acquired, and as indicated by symbol e in FIG. 7, the key information is distributed to each cryptographic processing unit 14 through the cryptographic management I / F 33 and each cryptographic processing I / F 28, and data is read (read). Request data type) and decryption. Each encryption processing unit 14 activates each HDD control unit 21 and sequentially reads and decrypts data from each HDD 12 (decryption read step), as indicated by reference symbol f in FIG. 7, and is indicated by reference symbol g in FIG. As described above, each decrypted data is sequentially transferred to the host I / F unit 26 of the RAID control device 23 through each encryption processing I / F 28 and data line D (decryption read step).

  As a result, the RAID control unit 13A of the RAID control device 23 assembles the data sequentially transferred from each encryption processing unit 14 in an appropriate order and adds the IP address information of the server 19 (assembly process). As shown by symbol h, the data assembled this time is transmitted to the server 19 of the current read request via the switch 18.

  Next, with reference to FIG. 9, the processing at the time of encryption recording (writing) of predetermined data to each HDD 12 of the array type encryption record reading program according to the present embodiment will be described. The program of this example may be considered to be composed of management software of the RAID control device 23 and management software of the encryption management unit 15. First, in step 901, when the RAID control unit 13A recognizes that the host I / F unit 26 has received a data write command and write data from, for example, one server 19, in step 902, the RAID control unit 13A The RAID information created by the CPU 24 is added to the data. Then, the data with the RAID information added is output to the encryption management unit 15. Steps 901 and 902 are based on the management software of the RAID controller 23.

  In step 903, the encryption management unit 15 determines whether to perform encryption processing on the current data. That is, the encryption processing unit 15 determines whether to perform encryption processing on the current data from, for example, a write command of the current data, server classification information created from the IP address information of the server 19, and encryption instruction information. . If it is determined in step 903 that the encryption management unit 15 does not perform encryption processing on the current data, the encryption management unit 15 does not add encryption information (encryption instruction information) to the current data in step 904, The current data is transmitted to each HDD I / F unit 22 and each HDD control unit 21 is activated in step 909 to record the current data in each HDD 12 without encryption. Steps 903 and 904 are based on the management software of the encryption management unit 15.

  However, if it is determined in step 903 that the encryption management unit 15 performs encryption processing on the current data, the encryption management unit 15 adds encryption information (encryption instruction information) to the current data in step 905. To each encryption processing unit 14. As a result, in step 906, each encryption processing unit 14 sequentially performs encryption processing on the current data, and transmits the encrypted data to each HDD control unit 21 through the data line D. Steps 905 and 906 are based on the management software of the encryption management unit 15.

  In step 907, each cryptographic processing unit 14 transfers the cryptographic key information to the cryptographic management unit 15 through the data line D. As a result, the cryptographic management unit 15 transmits the cryptographic key information and the current key through the key management I / F unit 34. Server classification information created from the IP address information of the server 19 of the write request is transmitted to the key management PC 17. In step 908, the encryption management unit 15 transmits the encryption key information and server partition information to the key management PC 17, and then deletes the encryption key information (encryption key) and server partition information from the memory 32 in the encryption management unit 15. In step 909, each HDD control unit 21 sequentially records the encrypted data this time on the HDD 12 corresponding to itself. Thereafter, when the distributed recording of all the encrypted data this time to each HDD 12 is completed, the process proceeds to step 901. Steps 907, 908, and 909 are based on the management software of the encryption management unit 15.

  Next, with reference to FIG. 10, a description will be given of processing at the time of decoding (decoding) and reading (reading) predetermined data from each HDD 12 of the array type encryption record reading program according to the present embodiment. First, in step 1001, when the RAID control unit 13A recognizes that the host I / F unit 26 has received a data read command from, for example, one server 19, the server that has transmitted the read command from, for example, the RAID control unit 13A in step 1002 By transferring the 19 IP address information, the data type information, and the like to the encryption management unit 15, the encryption management unit 15 determines whether or not the current read data is encrypted. However, this determination may be performed by the RAID control unit 13A by recording the IP address information and data type information of the server 19 in the memory 25 of the RAID control device 23. Step 1001 is based on the management software of the RAID controller 23.

  If it is determined in step 1002 that the current read data has not been encrypted, in step 1003 the corresponding data is transmitted from each HDD 12 to the host I / F unit 26 of the read RAID controller 23 without being decrypted. In step 1008, the data read from each HDD 12 by the RAID control unit 13A is appropriately assembled, and the IP address information of the requested server 19 is added, and the request is made from the host I / F unit 26 via the switch 18. The data is transmitted to the previous server 19. Step 1002 is based on the management software of the RAID controller 23, and step 1003 is based on the management software of the encryption management unit 15.

  On the other hand, if it is determined in step 1002 that the current read data has been encrypted, in step 1004, the cryptographic management unit 15 reads the server classification information of the server 19 of the current read request from the key management PC 17, and In step 1005, the encryption management unit 15 determines whether or not the server 19 that issued the current read command is the server that is permitted to read the corresponding data from the server classification information. Steps 1004 and 1005 are based on the management software of the encryption management unit 15.

  If it is determined in step 1005 that the server 19 that issued the current read command is a server that is not permitted to read the corresponding data, in step 1006, for example, the encryption management unit 15 decrypts the current data. Without deciding, the read refusal is decided and notified to the RAID control unit 13A, and this flow is finished. However, if it is determined in step 1005 that the server 19 that issued the current read command is a server that is permitted to read the corresponding data, in step 1007 the encryption management unit 15 sends the encryption key of the corresponding data from the key management PC 17. Is transferred to each encryption processing unit 14, and each encryption processing unit 14 reads the corresponding data from each HDD 12 to release (decrypt) the encryption and transfer it to the host I / F unit 26. As a result, in step 1008, the RAID control unit 13A appropriately assembles the decrypted data from each encryption processing unit 14 and transmits it from the host I / F unit 26 to the server 19 that requested the current data. . Then, when transmission of all data to the server 19 is completed, the process proceeds to step 1001. Steps 1006 and 1007 are based on the management software of the RAID controller 23, and step 1008 is based on the management software of the encryption management unit 15.

  In this embodiment, since the plurality of encryption processing units 14 corresponding to the HDD 12 are connected to the array type encryption recording device 11, that is, the data line D in the disk array device 11a, the encryption processing is performed for each data line D. The processing can be performed in parallel processing distributed to each HDD 12, and as a result, the time required for the encryption processing can be shortened. In addition, since a plurality of encryption processing units 14 are provided in one disk array device 11a, an extra installation space and a power source are unnecessary, and it is not necessary to arrange, set, and manage the encryption device, which is extremely difficult to introduce. It becomes easy. In particular, since each HDD I / F unit 22, each cryptographic processing I / F 28, and cryptographic management I / F 33 have the same standard, it is possible to simplify and facilitate the addition of the cryptographic processing unit and the HDD. This can greatly reduce the burden on the user.

  In the present embodiment, since the encryption process is performed on each HDD 12, the disposal process of the HDD (hard disk) 12 can be simplified. That is, conventionally, in order to prevent data reading from the HDD alone, it has been necessary to perform data erasure processing on the HDD at the time of disposal. However, the discarded HDD cannot be read out because it is encrypted. This is because the data erasing process becomes unnecessary.

  In the present embodiment, it is also possible to select the presence or absence of encryption for each HDD 12. For this reason, for example, a simplified encryption pattern or no encryption for a parity disk where concentration of access is expected. Thus, the data read time and write time can be shortened.

  Next, an array type encryption recording apparatus according to the second embodiment of the present invention will be described with reference to FIG. FIG. 11 is a block diagram showing a specific configuration of the array type encryption recording apparatus according to the second embodiment. The same parts as those shown in FIG. 2 are denoted by the same reference numerals and detailed description thereof is omitted.

  In the array type encryption recording apparatus 41 of this example shown in FIG. 11, another encryption processing unit 42 corresponding to each HDD is installed on a one-to-one basis, and each encryption processing I / F 43 of each encryption processing unit 42 is installed. This is connected to the data line D described above. Each cryptographic processing unit 42 and each cryptographic processing I / F 43 have the same configuration as the cryptographic processing unit 14 and cryptographic processing I / F 28 described in the first embodiment. Therefore, each HDD 12 includes two cryptographic processing units. 14 and 42 are provided with redundancy.

  Activation of each cryptographic processing unit 42 added in this example is selectively controlled by the cryptographic management unit 15. Specifically, if any of the cryptographic processing units 14 described with reference to FIG. 2 fails, the cryptographic management unit 15 recognizes this and assists with it, such as an encryption key from the cryptographic management unit 15. In response to the transmission and activation command, the other encryption processing unit 42 added in this example starts activation in place of the encryption processing unit 14. For this reason, encryption recording or decryption reading can be continued without interruption. By including this configuration, the disk array device 41a is configured.

  The array type encryption record reading method and the array type encryption record reading program of the present embodiment are basically the same as those described in the first embodiment, but the encryption management unit 15 The state or step of monitoring the state of each encryption processing unit 14 and switching to the activation of the other added encryption processing unit 42 to continue the encrypted recording or decryption (decryption) reading if there is an abnormality. Including points are different.

  Each HDD 12 may be provided with a combination of a plurality of three or more cryptographic processing units and cryptographic processing I / Fs to provide higher redundancy.

  In the present embodiment, each HDD 12 is provided with a plurality of encryption processing units 14 and 42, so that even if one of the encryption processing units 14 fails, the encrypted recording or decryption (decryption) reading is interrupted. The reliability of the array type encryption recording apparatus (disk array apparatus) can be improved.

  Next, an array type encryption recording system according to a third embodiment of the invention will be described. The array type encryption recording system of the present example first includes a network 20, a plurality of servers 19 connected to the network 20, and a switch 18 for arbitrarily accessing the plurality of servers 19 (FIG. 1). And FIG. 2). Secondly, a plurality of HDDs 12, a plurality of HDD control units 21, a RAID control device 23, a plurality of cryptographic processing units 14, and a cryptographic management unit 23 are provided, and the HDD I / F unit 22 of each HDD 12 and the RAID control device 23. The disk I / F unit 26, the cryptographic processing I / F 28 of each cryptographic processing unit 14, and the cryptographic management I / F 33 of the cryptographic management unit 15 are connected to one data line D. Thirdly, a key management PC 17 connected to the key management I / F unit 34 of the encryption management unit 15 via the communication cable C2 is provided. As shown in FIG. 11, the disk array device 41 a includes another encryption processing unit 42 for each HDD 12 and connects each encryption processing I / F 43 of each encryption processing unit 42 to the data line D. The disk array device 41a may be used instead.

  Here, regarding the encryption record reading method and the encryption record reading program employed in the array type encryption recording system of the present embodiment, the encryption record reading method and the encryption record reading program in the first embodiment described above are used. It is the same content as.

  The present invention relates to an array-type encryption recording apparatus and array in which an HDD is used as a storage, and is distributed and encrypted and recorded on a plurality of sets of storage media such as an optical disk, a storage device, and a magnetic tape. It can be used for a type-encrypted recording system.

It is a block diagram which shows the outline | summary of 1st Embodiment concerning this invention. It is a block diagram which shows the specific structure of 1st Embodiment concerning this invention. It is explanatory drawing which shows the process sequence of the front | former stage at the time of the data recording in the encryption recording / reading method of 1st Embodiment concerning this invention. It is explanatory drawing which shows the process sequence of the middle stage at the time of the data recording in the encryption recording / reading method of 1st Embodiment concerning this invention. It is explanatory drawing which shows the process sequence of the back | latter stage at the time of the data recording in the encryption recording / reading method of 1st Embodiment concerning this invention. It is explanatory drawing which shows the process sequence of the front | former stage at the time of the data reading of the encryption recording / reading method of 1st Embodiment concerning this invention. It is explanatory drawing which shows the process sequence of the middle stage at the time of the data reading of the encryption recording / reading method of 1st Embodiment concerning this invention. It is explanatory drawing which shows the process sequence of the back | latter stage at the time of the data reading of the encryption recording / reading method of 1st Embodiment concerning this invention. It is a flowchart which shows the process sequence at the time of the data encryption recording of the encryption recording reading program of 1st Embodiment concerning this invention. It is a flowchart which shows the process sequence at the time of the decryption reading of the data of the encryption recording reading program of 1st Embodiment concerning this invention. It is a block diagram which shows the specific structure of the encryption recording system of 2nd Embodiment concerning this invention. It is a block diagram which shows a prior art example.

Explanation of symbols

11, 41 Array type encryption recording device as encryption recording device 12 HDD (hard disk drive) as storage
13, 23 RAID control device 13A RAID control unit 14, 42 Cryptographic processing unit 15 Cryptographic management unit 16, 41a Disk array device 17 Key management PC
18 switch 19 server 20 network 21 HDD control unit 22 HDD I / F unit 24, 31 CPU
25, 32 Memory 26 Host I / F section 28, 43 Cryptographic processing I / F
33 Cryptographic management I / F
34 Key management I / F
D Data line C1, C2 Communication cable

Claims (11)

In a storage array device comprising a plurality of storages for data storage and a RAID control unit that controls allocation of data to be recorded when recording data in each storage, etc.
The storage array device, wherein each storage is equipped with an encryption processing unit that is controlled by the RAID control unit and performs encryption recording of the data for each storage. In a storage array apparatus comprising a plurality of storages for data storage, and a RAID control unit for controlling allocation of data to be subjected to data recording or data reading to each storage, etc.
The storage array device, wherein each storage is equipped with an encryption processing unit that is controlled by the RAID control unit and performs encryption recording or decryption reading of the data for each storage. In the storage array device according to claim 1 or 2,
A storage array device, wherein a cryptographic management unit that manages operations of the cryptographic processing unit is provided in the cryptographic processing unit. In a storage array apparatus comprising a plurality of storages for data storage, and a RAID control unit for controlling allocation of data to be subjected to data recording or data reading to each storage, etc.
A plurality of encryption processing units that perform encryption recording or decryption reading of the data for each storage based on the control of the RAID control unit, management of encryption keys used by the encryption processing units, and each encryption processing A storage array apparatus comprising: a cryptographic management unit that manages the operational capability of each cryptographic unit and manages the operation of each cryptographic processing unit. The storage array device according to claim 4, wherein
The storage interfaces of the plurality of storages, the host interface of the RAID control unit, the cryptographic processing interfaces of the plurality of cryptographic processing units, and the cryptographic management interface of the cryptographic management unit are connected through a single data line. And
A storage array device characterized in that at least the standards of each of the storage interfaces, the cryptographic processing interfaces, and the cryptographic management interface are the same standard. In the storage array device according to claim 4 or 5,
A storage array apparatus, further comprising a key management computer that collectively manages encryption keys managed by the encryption management unit and operation availability data.   The storage array device according to any one of claims 4 to 6, further comprising two or more encryption processing units for each storage.   8. The storage array device according to claim 4, wherein each of the storages is a hard disk. An arbitrary number of servers connected to the network, and an arbitrary number of servers and a switch for arbitrary access;
The storage interface of each of a plurality of storages and the allocation of the data obtained from at least one of the arbitrary number of servers via the switch are controlled for each storage, and the data read from each storage is A host interface of a RAID control unit that performs control to assemble and transmit to a destination server, and performs encryption recording or decryption reading of the data for each storage based on the control of the RAID control unit Each cryptographic processing interface of a plurality of cryptographic processing units, and a cryptographic management unit that manages cryptographic keys used by each cryptographic processing unit, management of whether each cryptographic processing unit is operable, and management of each cryptographic processing unit Storage controller connected to the encryption management interface via a single data line. And Lee device, and a key management computer which collectively manages data of the encryption key and the operation permission provided,
The encryption recording system according to claim 1, wherein each of the storage interface, the encryption processing interface, and the encryption management interface has the same standard. An assignment or assembly process for controlling the assignment or assembly of data during recording or reading to and from a plurality of storages;
Based on the control of allocation or assembly, the allocated data is individually encrypted and recorded in parallel for each of the plurality of storages, or is individually decrypted and read from each of the plurality of storages in parallel. An encryption record or decryption read step to be performed;
A management step of deleting the encryption key at the time of encryption recording or decryption reading with respect to each storage and the data indicating whether or not the operation of encryption recording or decryption reading is separately transferred to a computer and managing the data by the computer; ,
An encryption record reading method comprising: Controlling the allocation or assembly of data when recording or reading to and from a plurality of storages;
Based on the control of allocation or assembly, the allocated data is individually encrypted and recorded in parallel for each of the plurality of storages, or is individually decrypted and read from each of the plurality of storages in parallel. Steps to do,
The encryption key at the time of encryption recording or decryption reading to each storage and the data indicating whether or not the operation of encryption recording or decryption reading is possible are separately deleted after being transferred to the key management computer, and the key management computer Managing steps,
Encryption record reading program for causing the CPU to execute.

Images