WO2021033007A1 - Distributed data storage with routing module - Google Patents


Info

Publication number
WO2021033007A1
Authority
WO
WIPO (PCT)
Prior art keywords
data storage
storage device
routing module
data
distribution circuit
Prior art date
Application number
PCT/IB2019/001294
Other languages
French (fr)
Inventor
François-Xavier HANNEDOUCHE
Stéphane GOSNE
Original Assignee
Seagate Technology Sas
Application filed by Seagate Technology Sas
Priority to PCT/IB2019/001294
Publication of WO2021033007A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00: Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06: Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601: Interfaces specially adapted for storage systems
    • G06F3/0602: Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
    • G06F3/061: Improving I/O performance
    • G06F3/062: Securing storage systems
    • G06F3/0622: Securing storage systems in relation to access
    • G06F3/0628: Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0629: Configuration or reconfiguration of storage systems
    • G06F3/0632: Configuration or reconfiguration of storage systems by initialisation or re-initialisation of storage systems
    • G06F3/0668: Interfaces specially adapted for storage systems adopting a particular infrastructure
    • G06F3/067: Distributed or networked storage systems, e.g. storage area networks [SAN], network attached storage [NAS]
    • G06F3/0671: In-line storage system
    • G06F3/0683: Plurality of storage devices
    • G06F3/0689: Disk arrays, e.g. RAID, JBOD

Definitions

  • FIG. 1 provides a functional block representation of an example distributed data storage system in which various embodiments can be practiced.
  • FIG. 2 diagrams aspects of an example distributed data storage system arranged in accordance with some embodiments.
  • FIG. 3 displays a functional block representation of portions of an example distributed data storage system organized in accordance with assorted embodiments.
  • FIG. 4 illustrates a functional block representation of portions of an example distributed data storage system configured in accordance with various embodiments.
  • FIG. 5 depicts a functional block representation of portions of an example distributed data storage system arranged in accordance with some embodiments.
  • FIG. 6 shows a functional block representation of portions of an example distributed data storage system organized in accordance with assorted embodiments.
  • FIG. 7 is an example system utilization routine that can be carried out with the respective embodiments of FIGS. 1-6.
  • the various embodiments disclosed herein are generally directed to a distributed data storage system employing an intelligent routing module that optimizes data storage device initialization, particularly self-encrypting data storage devices.
  • FIG. 1 conveys a block representation of an example distributed data storage network 100 in which various embodiments can be practiced.
  • the system 100 may have a number (N) of hosts 102 connected to a number (X) of data storage devices 104 via a network 106.
  • the network 106 can provide wired and/or wireless signal pathways that allow for the distribution of at least data. It is contemplated, but not required, that the network 106 can connect one or more hosts 102 with network components, such as a node 108, server 110, processor 112, or control circuitry 114 that provides computing and/or data storage capabilities to the system 100.
  • FIG. 2 displays a block representation of portions of an exemplary distributed data storage system 120 arranged in accordance with some embodiments.
  • a host 102 can be any computing component capable of generating, or receiving, data.
  • One or more hosts 102 can have a local controller 122 and memory 124 that cooperate with the local data storage controller 126 and memory 128 of at least one data storage device 104 to transfer data for temporary, or permanent, storage.
  • the transfer of data between hosts 102 and data storage devices 104 can be directed by one or more network controllers 130 that may utilize a network buffer memory 132 to distribute, and maintain, data stored in the respective data storage devices 104.
  • the network controller 130 may execute one or more data security measures prior to, during, and after data is transferred to, or from, a data storage device 104. For instance, the network controller 130 can verify a host as trusted, encrypt data, and/or delete past records in an effort to prevent data from being accessed, moved, or otherwise tampered with, by an unauthorized host 102. In some embodiments, some, or all, of the security measures conducted for the distributed data storage system 120 are carried out by the local data storage controllers 126 of the respective data storage devices 104, such as in a self-encrypting device (SED). However, the network controller 130 remains the gatekeeper that connects hosts 102 to storage devices 104 after initializing each data storage device 104 of the system 120.
  • FIG. 3 conveys portions of an example distributed data storage system 140 in which data can be transferred and stored in accordance with various embodiments. While a network controller 130 can conduct any amount of activity for the system 140, such as directing all the data storage, data retrieval, and data maintenance operations between at least one host 102 and at least one data storage device 104, the network controller 130 may selectively activate one or more supplemental network circuits and/or controllers that sequentially, or concurrently, operate with the network controller 130 to carry out assorted data storage, retrieval, and maintenance operations.
  • a supplemental controller 142 can be configured for distributed data storage to multiple separate data storage devices 104 in the form of a redundant array of distributed devices/disks (RAID).
  • a raid controller 142 can communicate with the network controller 130 to provide unique, or redundant, capabilities that translate separate physical memories (devices 104) into one or more virtual data storage volumes.
  • the raid controller 142 may be configured to provide security capabilities that increase the reliability and/or accuracy of stored data. For instance, the raid controller 142 can mirror data, stripe data, and generate parity data that are stored in multiple data storage devices 104 of the system 140.
  • the ability to utilize one or more controllers, or other programmable circuits, to supplement the computing capabilities of the network controller 130 allows for efficient handling of data access and maintenance for relatively large numbers of hosts 102 and data storage devices 104.
  • the increasing capabilities of data storage devices 104 can interrupt, impede, or otherwise degrade data storage performance of the system 140 despite employing one or more supplemental controllers.
  • data processing such as data encryption, data maintenance, and deterministic data input/output
  • the execution of the data storage device 104 may conflict, or otherwise delay, the scheduled activity of network-level controllers 130/142.
  • the ability of data storage devices 104 to communicate without involving the network controller 130 and/or RAID controller 142, as illustrated by segmented lines, further exacerbates the performance degradation experienced when device 104 initialization is delayed.
  • system 140 performance can be particularly degraded during initialization of the devices 104. That is, the network controller 130, and/or other supplemental controllers 142, can have delayed access to a data storage device 104 while the device 104 conducts internal and/or external authentication, security, and encryption operations.
  • an SED is initialized via a predetermined sequence that involves a passphrase authentication with a network-level controller 130/142 that occupies both the SED data storage device 104 and controller 130/142 while cryptographic operations verify a trusted connection between the network-level controller(s) 130/142 and the device 104.
  • a RAID storage subsystem can be made to appear like a unique SED, which allows multiple SEDs to be in place of a single storage device for SED operations.
  • the usage could be in local, or networked, storage environments over SATA, SAS, USB, or Firewire connections.
  • FIG. 4 displays a functional block representation of portions of an example distributed data storage system 160 in which assorted embodiments can be practiced.
  • the network controller 130 can selectively activate one or more routing modules 162 that provide intelligent network-level control circuitry in order to impersonate at least one SED 104.
  • routing module 162 configures the routing module 162 as a microcontroller (MCU) that employs a serial ATA (SATA) interface connecting to one or more hosts 102.
  • the routing module 162 can impersonate an SED capable data storage device so that device 104 initialization can be undertaken by the routing module 162 while the network controller 130 conducts other, non-initialization operations, such as host authentication, data queue maintenance, and accessing newly initialized SEDs 104.
  • the computing capabilities of the routing module 162 allow for SED 104 initialization to be conducted solely by the module 162, which frees the network controller 130 and optimizes system 160 performance.
  • Such computing capabilities of the routing module 162 can involve intelligent port multiplexing that responds to embedded data commands, such as SATA commands that are SED related, or not, instead of responding to the assigned target device 104.
  • the network controller 130 and routing module 162 can individually, or concurrently, communicate with one or more distribution circuits 164 to conduct efficient storage, retrieval, and maintenance of data via the respective SEDs 104.
  • the distribution circuits 164 can be similarly, or dissimilarly, configured to allow for the management of at least RAID operations dictated by the network controller 130 and/or routing module 162.
  • the distribution circuits 164 can be arranged in a hierarchical structure where multiple circuits 164 operate to channel data to/from a single SED 104 to the network controller 130 and/or routing module 162. However, such hierarchical structure is not required and a single distribution circuit 164 can service data to/from multiple separate SEDs 104.
  • the network controller 130 can employ the distribution circuits to effectively utilize the assorted SEDs 104 as a single virtual unit with a data capacity equal to the aggregate of the respective SEDs 104.
  • the distribution circuits 164 cannot perform cryptographic operations necessary to initialize the respective SEDs 104.
  • they cannot impersonate an SED 104 on the interface connected to the host 102 to perform SED-related activity, such as instant erase, passphrase change, device lock, or device unlock.
  • various embodiments utilize the distribution circuits 164 solely for RAID operations, such as data mirroring, striping, and parity generation, while the routing module 162 conducts SED 104 initialization by impersonating one or more SEDs 104 to at least one host 102 to streamline data flow through the network controller 130 to unlocked SED(s) 104.
  • FIG. 5 depicts a functional block representation of portions of an example distributed data storage system 180 carrying out various embodiments.
  • the system 180 responds to an unlock command from one or more hosts by routing all SED 104 commands through the routing module 162 while routing all non-SED commands to the distribution circuits 164 and underlying devices 104, as directed by the network controller 130.
  • the unlock command from a host can be a stand-alone command or embedded into a data stream involving non-command information.
  • the routing of SED commands to the routing module 162 effectively locks the SEDs 104 to be initialized so that no data read or write access will occur.
  • the routing module 162 impersonates at least one SED 104 to the host(s) to allow the network controller 130, and possibly one or more distribution circuits 164, to service non-SED commands, such as polling information, network firmware updates, and non-secure data maintenance.
  • the routing module 162 will be blocked from processing any commands from any host.
  • the routing module 162 will recursively switch the distribution circuits 164 to a mode that allows for individual access to the SEDs 104.
  • the routing module 162 can then query each SED 104 to determine the device’s status. If all the SEDs 104 of the system 180 are unlocked and initialized, the routing module 162 alters the distribution circuits 164 to a different mode that corresponds with RAID data operations, such as striping, mirroring, and parity generation.
  • the routing module 162 will change the mode of the locked SED 104 to prevent encrypted operation, return a locked answer to a host in response to a received encrypted, or otherwise secure, command, and allow unencrypted data access operations resultant to host commands.
  • an initialization corresponds to the unlocking of an SED 104.
  • the host sends one or more SED tagged commands that are sent to the routing module 162 from the network controller 130.
  • SED tagged commands are not limited to a particular data block, size, or designation, but identify the host’s intent to unlock one or more SEDs 104. It is contemplated that a SED tagged command can consist of a passphrase.
  • an SED 104 unlocking passphrase is retrieved by the routing module 162 from the host in cleartext after the routing module 162 deciphers a cryptographic sequence with the SED being unlocked.
  • the routing module 162 can activate a JBOD mode, as shown, in the respective distribution circuits 164 to allow individual access to the SEDs 104.
  • the distribution circuits 164 can operate as conduits where no data striping, mirroring, or parity generation is conducted and the SEDs 104 are individually accessible. That is, JBOD mode may correspond with the routing module 162 being able to access the physical block addresses of a single SED 104 directly.
  • a JBOD mode may alternatively allow the distribution circuits 164 to conduct selected data activities to one or more SEDs 104, such as data striping or redundant data storage.
  • the mode of the respective distribution circuits 164 can be changed at will by the routing module 162 and, as a result, different distribution circuits 164 can concurrently be in different modes. However, it is contemplated that each distribution circuit 164 is switched to a single mode together.
  • the ability to intelligently set the distribution circuit 164 mode allows the routing module 162 to optimize initialization of the respective SEDs 104 without resetting any of the respective SEDs 104, which optimizes the data access latency of the system 180.
  • the routing module 162 can negotiate a temporary cipher key so that the passphrase provided by a host can be securely sent. It is noted that the passphrase will be the same for each SED 104 being initialized by the routing module 162, but the negotiated cipher key may be different for the respective SEDs 104.
  • the routing module 162 can alter the working mode of at least one distribution circuit 164 to allow data to be transferred to and from the newly initialized SED 104. It is noted that the alteration of the working mode of a distribution circuit 164 can be executed without resetting the underlying SEDs 104.
  • the conclusion of an SED 104 initialization answers the host with an “unlock successful” reply and triggers a termination of the routing module 162 virtually impersonating the SED 104.
  • the routing module 162 may, in some embodiments, continue to impersonate an initialized SED 104 until all the SEDs 104 of the system 180 are initialized, but other embodiments sequentially stop impersonating SEDs 104 with the routing module 162 upon initialization of the SED 104 while other SEDs 104 of the system 180 are being impersonated.
  • the impersonation of an SED 104 corresponds with the routing module 162 separating a data stream from one or more hosts into SED commands that are delayed by the routing module 162 until an SED 104 is initialized and into data access commands that are serviced by the network controller 130, if possible. That is, the routing module 162 will send non-SED commands, like data accesses, device polling, and data maintenance operations, to the network controller 130 for execution to an initialized SED 104 before, and while, the routing module 162 initializes other SEDs 104 of the system 180. Such capability can be permitted due to the data storage scheme of the system 180 where data is redundantly stored, mirrored, or otherwise created from parity information stored in initialized SEDs 104. If, however, no SEDs 104 are initialized and accessible by the network controller 130, the SED impersonation conducted by the routing module 162 can involve separating the data stream while preventing, or pausing, SED operations by the network controller 130.
  • FIG. 6 conveys portions of an example distributed data storage system 200 once the routing module 162 has initialized the assorted SEDs 104 in accordance with some embodiments.
  • the initialized SEDs 104 are accessed by the network controller 130 without interference from the routing module 162.
  • the routing module 162 can be considered a passthrough, or bypassed, component once the SEDs 104 are initialized and the respective distribution circuits 164 are set in a distribution mode, such as the RAID mode shown in FIG. 6 or some other mode where data is distributed to multiple different SEDs 104. It is contemplated that the routing module 162 may delay network controller 130 access to the respective distribution circuits 164 while the routing module 162 sets the circuits 164 to the new working mode.
  • the network controller 130 can proceed to service data access requests, and data maintenance, on the SEDs 104 as needed. That is, the network controller 130 can access the SEDs 104 individually, or collectively, to store data generated by a host, store data generated by the network controller 130, retrieve data, conduct garbage collection data maintenance, and conduct mapping data maintenance.
  • the initialization of the SEDs 104 further allows the network controller 130 to conduct predetermined RAID data distribution operations, such as striping, mirroring, and parity generation.
  • FIG. 7 is a flowchart of an example system utilization routine 220 that can be conducted by the various embodiments of FIGS. 1-6.
  • a distributed data storage system can be created, expanded, or contracted in step 222 with the connection of a plurality of data storage devices to at least one remote host via at least a network controller, distribution circuit, and routing module. It is contemplated, but not required, that at least one data storage device of the system is a self-encrypting device where local device circuitry provides penalty free on-the-fly encryption, and decryption, of data.
  • the data access command may be a non-SED command, such as a request to store, or retrieve, data stored on a non-SED or an initialized SED.
  • a non-SED command can be serviced by the network controller and at least one distribution circuit with the routing module being inactive, such as being powered off, paused, or in a passthrough mode.
  • a host data access command may be an SED command, such as a request to unlock a device, a request to access a secure portion of a device, or a change in security/encryption firmware.
  • the routing module evaluates the data access command(s) from step 224 in decision 226 and determines if the commands can be classified as SED-type.
  • the data access commands evaluated in decision 226 may be SATA commands with special tags designating SED-related information.
  • the identification of a host-sourced data access command involving SED information triggers step 228 to pause any data access command execution in the routing module and network controller while the routing module separates the SED aspects of the data access command in step 230 from the non-SED aspects.
  • the separated non-SED aspects are sent to the network controller for execution while the SED aspects are buffered in the routing module while the routing module establishes the impersonation of a downstream SED to the host and of an upstream host to the distribution circuit in step 232. That is, the routing module impersonates an SED to the host and network controller while impersonating a host by generating commands to at least one distribution circuit in step 234 to switch to a first working mode. While not required, the first working mode can be a JBOD mode, or other circuit configuration, that allows the routing module to individually access the physical block addresses of a particular SED. It is contemplated that the switching of the distribution circuits may be facilitated by custom SATA commands or through pin settings coinciding with a controller reset operation.
  • the individual device access afforded by the first distribution circuit mode allows the routing module to initialize individual data storage devices in step 236, which may occur while other devices of the distributed data storage system are being accessed by the routing module and/or network controller.
  • the initialization of a locked SED can involve the routing module being blocked from receiving, or processing, other commands from a connected host.
  • Step 236 proceeds to query the SED for a status to determine if the device is unlocked and has authenticated the host issuing the data access commands of step 224.
  • the routing module begins an unlock/initialization operation that involves relaying a passphrase from the host to the SED as part of a cryptographic sequence that results in access to the logical, and physical, data block addresses of the SED.
  • the passphrase may be the same for each SED of the system, but such configuration is not required as the routing module can handle numerous different passphrases during SED unlocking/initialization.
  • the routing module utilizes its impersonated host role for the SED in combination with the impersonated SED role for the host to conduct the unlocking/initialization of an SED without delaying, or degrading, network controller activity.
  • the unlocking/initialization of a selected number of system SEDs prompts the routing module to alter the working mode of the respective distribution circuits of the system in step 238 to allow predetermined data distribution, such as RAID level 0/1/5/10, redundant data copies in different SEDs, or hierarchical data storage.
  • the routing module becomes inactive by directing system operations and commands to the network controller, which allows the network controller to execute any number of data access operations and commands in the SEDs to service host requests in step 240.
  • the execution of data access commands and operations in step 240 may alternatively occur if the data access command from step 224 has non-SED instructions. It is noted that step 240 may occur with the network controller concurrently with steps 228-238 being executed with the routing module.
  • the network controller and/or distribution circuits can be configured with the computing capabilities to conduct the various steps of routine 220.
  • computing capability can be costly in terms of complexity, price, and operational latency.
  • a distribution circuit may be capable of impersonating some, or all, of the connected SEDs, but the impersonation of those SEDs would cause commands and operations from the upstream network controller to be delayed.
  • the distribution circuits and network controller can have reduced computing capabilities, lower price, faster operation, and reduced execution latency by providing a separate routing module configured with circuitry and programmable intelligence that can separate SED aspects of host commands, route non-SED commands to the network controller, alter the working mode of the distribution circuits, and initialize SED by impersonating a host and SED.
  • a routing module can intelligently handle the initialization of one or more data storage devices in a distributed data storage system.
  • the ability to separate commands into SED and non-SED aspects allows the network controller and routing module to operate concurrently to optimize system performance.
  • the impersonation of an SED and/or host by the routing module further optimizes the system by altering the working mode of distribution circuits to individually access, and sequentially unlock, each SED of the system, which contrasts with waiting until each SED of the system is unlocked/initialized before conducting data access operations to any SED.
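
The flow of routine 220 (steps 230 to 238) as a small Python model, added here as an illustration and not taken from the patent or from any Seagate code. The class names, the `READ`/`UNLOCK` tuples, the reply strings, the PBKDF2 passphrase check, the two-member mirror and the initial JBOD mode are assumptions; the temporary cipher key negotiation is left out.

```python
import hashlib
import hmac

JBOD, RAID = "JBOD", "RAID"   # distribution-circuit working modes named in the text
SED_OPS = {"UNLOCK"}          # assumption: only unlock is modelled as an SED-tagged command


class SED:
    """Toy self-encrypting device: refuses block access while locked."""

    def __init__(self, name, passphrase, blocks=None, locked=True):
        self.name, self.locked = name, locked
        self.blocks = dict(blocks or {})
        self._salt = name.encode()
        self._digest = self._kdf(passphrase)

    def _kdf(self, passphrase):
        # Low iteration count keeps the model fast; not a production setting.
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self._salt, 1000)

    def unlock(self, passphrase):
        # Constant-time comparison of the derived value.
        if hmac.compare_digest(self._kdf(passphrase), self._digest):
            self.locked = False
        return not self.locked

    def read(self, lba):
        if self.locked:
            raise PermissionError(f"{self.name} is locked")
        return self.blocks[lba]


class DistributionCircuit:
    def __init__(self, seds):
        self.seds, self.mode = seds, JBOD   # assumption: circuit starts in JBOD

    def set_mode(self, mode):
        # Invariant: distribution (RAID) mode only once every member is unlocked.
        if mode == RAID and any(d.locked for d in self.seds):
            raise RuntimeError("refusing RAID mode with a locked member")
        self.mode = mode


class NetworkController:
    """Services non-SED commands; mirrored data is read from any unlocked member."""

    def __init__(self, circuit):
        self.circuit = circuit

    def execute(self, cmd):
        _, lba = cmd
        for dev in self.circuit.seds:
            if not dev.locked:
                return ("DATA", dev.read(lba))
        return ("LOCKED", None)   # no initialized device can serve the request


class RoutingModule:
    def __init__(self, circuit, controller):
        self.circuit, self.controller = circuit, controller

    def handle(self, stream):
        # Step 230: separate SED commands from non-SED commands.
        sed_cmds = [c for c in stream if c[0] in SED_OPS]
        data_cmds = [c for c in stream if c[0] not in SED_OPS]
        # Non-SED commands go to the network controller without waiting.
        replies = [self.controller.execute(c) for c in data_cmds]
        if sed_cmds:
            self.circuit.set_mode(JBOD)          # step 234: individual device access
            for _, passphrase in sed_cmds:
                for dev in self.circuit.seds:    # step 236: unlock devices in turn
                    if dev.locked:
                        dev.unlock(passphrase)
                ok = not any(d.locked for d in self.circuit.seds)
                replies.append(("UNLOCK_OK" if ok else "LOCKED", None))
        if not any(d.locked for d in self.circuit.seds):
            self.circuit.set_mode(RAID)          # step 238: distribution mode
        return replies


def demo(passphrase):
    # Constructed sample: a two-member mirror, sed0 already unlocked, sed1 locked.
    data = {7: b"report"}
    seds = [SED("sed0", "correct horse", data, locked=False),
            SED("sed1", "correct horse", data)]
    circuit = DistributionCircuit(seds)
    router = RoutingModule(circuit, NetworkController(circuit))
    replies = router.handle([("READ", 7), ("UNLOCK", passphrase)])
    return replies, circuit.mode, [d.locked for d in seds]


if __name__ == "__main__":
    print(demo("correct horse"))
    print(demo("wrong passphrase"))
```

With a wrong passphrase the read is still answered from the unlocked member, the unlock gets a locked reply, and the circuit stays in JBOD mode.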

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Human Computer Interaction (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

A distributed data storage system can consist of a number of hosts (102) connected to a number of data storage devices (104) via at least one network controller, a routing module, and a distribution circuit. In response to a data storage device (104) being locked, the network controller can separate encryption commands from data access commands and send the encryption commands to the routing module. The routing module may alter a data mode of a distribution circuit to allow individual unlocking of the data storage devices (104) with the encryption commands.

Description

DISTRIBUTED DATA STORAGE WITH ROUTING MODULE
Summary
A distributed data storage system, in accordance with some embodiments, connects a number of hosts to a first data storage device and a second data storage device via a network controller, a routing module, and a first distribution circuit. Identification that the first and second data storage devices are locked prompts the network controller to separate data access commands from encryption commands and the routing module to alter a data mode of the first distribution circuit. The encryption commands are executed with the routing module to sequentially unlock the first and second data storage devices before setting the first distribution circuit to a distribution mode in response to the unlocking of the first data storage device and executing the data access commands with the network controller to the respective first and second data storage devices.
Other embodiments of a distributed data storage system connect a number of hosts to a first data storage device and a second data storage device via a network controller, a routing module, and a distribution circuit. Identification of at least the first data storage device being locked prompts the routing module to impersonate an unlocked data storage device and separate data access commands from encryption commands prior to altering a data mode of the distribution circuit. The separated encryption commands are executed with the routing module to unlock the first data storage device concurrently with execution of the data access commands to the second data storage device with the network controller. The distribution circuit is set to a distribution mode by the routing module in response to the unlocking of the first data storage device so that the data access commands can be executed with the network controller to the first data storage device.
A distributed data storage system has, in various embodiments, at least one host connected to a first data storage device and a second data storage device via a network controller, a routing module, and a distribution circuit. In response to the first data storage device being locked, the network controller separates data access commands from encryption commands and the routing module alters a data mode of the distribution circuit. The routing module executes the encryption commands to unlock the first data storage device then sets the distribution circuit to a distribution mode. The data access commands are subsequently executed with the network controller to the first data storage device in response to the unlocking of the first data storage device.
These and other features which may characterize various embodiments can be understood in view of the following detailed discussion and the accompanying drawings.
Brief Description of the Drawings
FIG. 1 provides a functional block representation of an example distributed data storage system in which various embodiments can be practiced.
FIG. 2 diagrams aspects of an example distributed data storage system arranged in accordance with some embodiments.
FIG. 3 displays a functional block representation of portions of an example distributed data storage system organized in accordance with assorted embodiments.
FIG. 4 illustrates a functional block representation of portions of an example distributed data storage system configured in accordance with various embodiments.
FIG. 5 depicts a functional block representation of portions of an example distributed data storage system arranged in accordance with some embodiments.
FIG. 6 shows a functional block representation of portions of an example distributed data storage system organized in accordance with assorted embodiments.
FIG. 7 is an example system utilization routine that can be carried out with the respective embodiments of FIGS. 1-6.
Detailed Description
Without limitation, the various embodiments disclosed herein are generally directed to a distributed data storage system employing an intelligent routing module that optimizes data storage device initialization, particularly self-encrypting data storage devices.
As data storage systems have become more sophisticated to provide greater data capacity and increased data access speeds, the security of data stored in a system has been stressed. That is, greater amounts of data can be more quickly copied, moved, stolen, or otherwise compromised by a nefarious third party due to the accumulation of data into centralized data storage systems. The debut of self-encrypting data storage devices can provide enhanced data security. However, such security capability can stress the processing power and memory of a distributed network, which degrades data storage latency performance.
FIG. 1 conveys a block representation of an example distributed data storage network 100 in which various embodiments can be practiced. The system 100 may have a number (N) of hosts 102 connected to a number (X) of data storage devices 104 via a network 106. The network 106 can provide wired and/or wireless signal pathways that allow for the distribution of at least data. It is contemplated, but not required, that the network 106 can connect one or more hosts 102 with network components, such as a node 108, server 110, processor 112, or control circuitry 114 that provides computing and/or data storage capabilities to the system 100.
FIG. 2 displays a block representation of portions of an exemplary distributed data storage system 120 arranged in accordance with some embodiments. A host 102 can be any computing component capable of generating, or receiving, data. One or more hosts 102 can have a local controller 122 and memory 124 that cooperate with the local data storage controller 126 and memory 128 of at least one data storage device 104 to transfer data for temporary, or permanent, storage. The transfer of data between hosts 102 and data storage devices 104 can be directed by one or more network controllers 130 that may utilize a network buffer memory 132 to distribute, and maintain, data stored in the respective data storage devices 104.
The network controller 130 may execute one or more data security measures prior to, during, and after data is transferred to, or from, a data storage device 104. For instance, the network controller 130 can verify a host as trusted, encrypt data, and/or delete past records in an effort to prevent data from being accessed, moved, or otherwise tampered with, by an unauthorized host 102. In some embodiments, some, or all, of the security measures conducted for the distributed data storage system 120 are carried out by the local data storage controllers 126 of the respective data storage devices 104, such as in a self-encrypting device (SED). However, the network controller 130 remains the gatekeeper that connects hosts 102 to storage devices 104 after initializing each data storage device 104 of the system 120.
The functional block representation of FIG. 3 conveys portions of an example distributed data storage system 140 in which data can be transferred and stored in accordance with various embodiments. While a network controller 130 can conduct any amount of activity for the system 140, such as directing all the data storage, data retrieval, and data maintenance operations between at least one host 102 and at least one data storage device 104, the network controller 130 may selectively activate one or more supplemental network circuits and/or controllers that sequentially, or concurrently, operate with the network controller 130 to carry out assorted data storage, retrieval, and maintenance operations.
In the non-limiting embodiment shown in FIG. 3, a supplemental controller 142 can be configured for distributed data storage to multiple separate data storage devices 104 in the form of a redundant array of distributed devices/disks (RAID). A raid controller 142 can communicate with the network controller 130 to provide unique, or redundant, capabilities that translate separate physical memories (devices 104) into one or more virtual data storage volumes. The raid controller 142 may be configured to provide security capabilities that increase the reliability and/or accuracy of stored data. For instance, the raid controller 142 can mirror data, stripe data, and generate parity data that are stored in multiple data storage devices 104 of the system 140.
The ability to utilize one or more controllers, or other programmable circuits, to supplement the computing capabilities of the network controller 130 allows for efficient handling of data access and maintenance for relatively large numbers of hosts 102 and data storage devices 104. However, the increasing capabilities of data storage devices 104 can interrupt, impede, or otherwise degrade data storage performance of the system 140 despite employing one or more supplemental controllers. For example, when individual data storage devices 104 conduct data processing, such as data encryption, data maintenance, and deterministic data input/output, the execution of the data storage device 104 may conflict, or otherwise delay, the scheduled activity of network-level controllers 130/142. The ability of data storage devices 104 to communicate without involving the network controller 130 and/or RAID controller 142, as illustrated by segmented lines, further exacerbates the performance degradation experienced when device 104 initialization is delayed.
In the event multiple data storage devices 104 are SEDs, system 140 performance can be particularly degraded during initialization of the devices 104. That is, the network controller 130, and/or other supplemental controllers 142, can have delayed access to a data storage device 104 while the device 104 conducts internal and/or external authentication, security, and encryption operations. As an example, an SED is initialized via a predetermined sequence that involves a passphrase authentication with a network-level controller 130/142 that occupies both the SED data storage device 104 and controller 130/142 while cryptographic operations verify a trusted connection between the network-level controller(s) 130/142 and the device 104.
It is contemplated that a RAID storage subsystem can be made to appear like a unique SED, which allows multiple SEDs to be in place of a single storage device for SED operations. For instance, the usage could be in local, or networked, storage environments over SATA, SAS, USB, or Firewire connections.
It can be appreciated that conducting RAID data operations with multiple different SEDs 104 can further degrade system 140 performance because each device 104 of a RAID group will need to be initialized before data can be mirrored, striped, and parity processed. Hence, various embodiments are directed to impersonating an SED with network-level control circuitry that allows for optimized SED initialization and system 140 data storage performance.
FIG. 4 displays a functional block representation of portions of an example distributed data storage system 160 in which assorted embodiments can be practiced. The network controller 130 can selectively activate one or more routing modules 162 that provide intelligent network-level control circuitry in order to impersonate at least one SED 104.
While not required, various embodiments configure the routing module 162 as a microcontroller (MCU) that employs a serial ATA (SATA) interface connecting to one or more hosts 102. The routing module 162 can impersonate an SED capable data storage device so that device 104 initialization can be undertaken by the routing module 162 while the network controller 130 conducts other, non-initialization operations, such as host authentication, data queue maintenance, and accessing newly initialized SEDs 104. The computing capabilities of the routing module 162 allow for SED 104 initialization to be conducted solely by the module 162, which frees the network controller 130 and optimizes system 160 performance. Such computing capabilities of the routing module 162 can involve intelligent port multiplexing that responds to embedded data commands, such as SATA commands that are SED related, or not, instead of responding to the assigned target device 104.
The network controller 130 and routing module 162 can individually, or concurrently, communicate with one or more distribution circuits 164 to conduct efficient storage, retrieval, and maintenance of data via the respective SEDs 104. The distribution circuits 164 can be similarly, or dissimilarly, configured to allow for the management of at least RAID operations dictated by the network controller 130 and/or routing module 162. The distribution circuits 164 can be arranged in a hierarchical structure where multiple circuits 164 operate to channel data to/from a single SED 104 to the network controller 130 and/or routing module 162. However, such hierarchical structure is not required and a single distribution circuit 164 can service data to/from multiple separate SEDs 104.
Regardless of the number, and configuration, of the various distribution circuits 164, the network controller 130 can employ the distribution circuits to effectively utilize the assorted SEDs 104 as a single virtual unit with a data capacity equal to the aggregate of the respective SEDs 104. Yet, the distribution circuits 164 cannot perform cryptographic operations necessary to initialize the respective SEDs 104. Despite the computing capabilities of the distribution circuits 164, they cannot impersonate an SED 104 on the interface connected to the host 102 to perform SED-related activity, such as instant erase, passphrase change, device lock, or device unlock. Hence, various embodiments utilize the distribution circuits 164 solely for RAID operations, such as data mirroring, striping, and parity generation, while the routing module 162 conducts SED 104 initialization by impersonating one or more SEDs 104 to at least one host 102 to streamline data flow through the network controller 130 to unlocked SED(s) 104.
FIG. 5 depicts a functional block representation of portions of an example distributed data storage system 180 carrying out various embodiments. The system 180 responds to an unlock command from one or more hosts by routing all SED 104 commands through the routing module 162 while routing all non-SED commands to the distribution circuits 164 and underlying devices 104, as directed by the network controller 130. The unlock command from a host can be a stand-alone command or embedded into a data stream involving non-command information.
The routing of SED commands to the routing module 162 effectively locks the SEDs 104 to be initialized so that no data read or write access will occur. As such, the routing module 162 impersonates at least one SED 104 to the host(s) to allow the network controller 130, and possibly one or more distribution circuits 164, to service non-SED commands, such as polling information, network firmware updates, and non-secure data maintenance.
In an exemplary system 180 startup operation, the routing module 162 will be blocked from processing any commands from any host. The routing module 162 will recursively switch the distribution circuits 164 to a mode that allows for individual access to the SEDs 104. The routing module 162 can then query each SED 104 to determine the device’s status. If all the SEDs 104 of the system 180 are unlocked and initialized, the routing module 162 alters the distribution circuits 164 to a different mode that corresponds with RAID data operations, such as striping, mirroring, and parity generation. However, if any of the SEDs 104 are locked or otherwise uninitialized, the routing module 162 will change the mode of the locked SED 104 to prevent encrypted operation, return a locked answer to a host in response to a received encrypted, or otherwise secure, command, and allow unencrypted data access operations resultant to host commands.
It is to be understood that an initialization corresponds to the unlocking of an SED 104. When a host begins to initialize a locked SED, the host sends one or more SED tagged commands that are sent to the routing module 162 from the network controller 130. SED tagged commands are not limited to a particular data block, size, or designation, but identify the host’s intent to unlock one or more SEDs 104. It is contemplated that a SED tagged command can consist of a passphrase. In some embodiments, an SED 104 unlocking passphrase is retrieved by the routing module 162 from the host in cleartext after the routing module 162 deciphers a cryptographic sequence with the SED being unlocked.
As part of the initialization process, the routing module 162 can activate a JBOD mode, as shown, in the respective distribution circuits 164 to allow individual access to the SEDs 104. During a JBOD mode, the distribution circuits 164 can operate as conduits where no data striping, mirroring, or parity generation is conducted and the SEDs 104 are individually accessible. That is, JBOD mode may correspond with the routing module 162 being able to access the physical block addresses of a single SED 104 directly.
A JBOD mode may alternatively allow the distribution circuits 164 to conduct selected data activities to one or more SEDs 104, such as data striping or redundant data storage. The mode of the respective distribution circuits 164 can be changed at will by the routing module 162 and, as a result, different distribution circuits 164 can concurrently be in different modes. However, it is contemplated that each distribution circuit 164 is switched to a single mode together. The ability to intelligently set the distribution circuit 164 mode allows the routing module 162 to optimize initialization of the respective SEDs 104 without resetting any of the respective SEDs 104, which optimizes the data access latency of the system 180.
Once the routing module 162 has access to an individual SED 104 via one or more distribution circuits 164, the routing module 162 can negotiate a temporary cipher key so that the passphrase provided by a host can be securely sent. It is noted that the passphrase will be the same for each SED 104 being initialized by the routing module 162, but the negotiated cipher key may be different for the respective SEDs 104. Upon a successful initialization of an SED 104, the routing module 162 can alter the working mode of at least one distribution circuit 164 to allow data to be transferred to and from the newly initialized SED 104. It is noted that the alteration of the working mode of a distribution circuit 164 can be executed without resetting the underlying SEDs 104.
The conclusion of an SED 104 initialization answers the host with an “unlock successful” reply and triggers a termination of the routing module 162 virtually impersonating the SED 104. The routing module 162 may, in some embodiments, continue to impersonate an initialized SED 104 until all the SEDs 104 of the system 180 are initialized, but other embodiments sequentially stop impersonating SEDs 104 with the routing module 162 upon initialization of the SED 104 while other SEDs 104 of the system 180 are being impersonated.
It is noted that the impersonation of an SED 104 corresponds with the routing module 162 separating a data stream from one or more hosts into SED commands that are delayed by the routing module 162 until an SED 104 is initialized and into data access commands that are serviced by the network controller 130, if possible. That is, the routing module 162 will send non-SED commands, like data accesses, device polling, and data maintenance operations, to the network controller 130 for execution to an initialized SED 104 before, and while, the routing module 162 initializes other SEDs 104 of the system 180. Such capability can be permitted due to the data storage scheme of the system 180 where data is redundantly stored, mirrored, or otherwise created from parity information stored in initialized SEDs 104. If, however, no SEDs 104 are initialized and accessible by the network controller 130, the SED impersonation conducted by the routing module 162 can involve separating the data stream while preventing, or pausing, SED operations by the network controller 130.
FIG. 6 conveys portions of an example distributed data storage system 200 once the routing module 162 has initialized the assorted SEDs 104 in accordance with some embodiments. As shown, the initialized SEDs 104 are accessed by the network controller 130 without interference from the routing module 162. Hence, the routing module 162 can be considered a passthrough, or bypassed, component once the SEDs 104 are initialized and the respective distribution circuits 164 are set in a distribution mode, such as the RAID mode shown in FIG. 6 or some other mode where data is distributed to multiple different SEDs 104. It is contemplated that the routing module 162 may delay network controller 130 access to the respective distribution circuits 164 while the routing module 162 sets the circuits 164 to the new working mode.
With the various initialized SEDs 104, the network controller 130 can proceed to service data access requests, and data maintenance, on the SEDs 104 as needed. That is, the network controller 130 can access the SEDs 104 individually, or collectively, to store data generated by a host, store data generated by the network controller 130, retrieve data, conduct garbage collection data maintenance, and conduct mapping data maintenance. The initialization of the SEDs 104 further allows the network controller 130 to conduct predetermined RAID data distribution operations, such as striping, mirroring, and parity generation.
FIG. 7 is a flowchart of an example system utilization routine 220 that can be conducted by the various embodiments of FIGS. 1-6. A distributed data storage system can be created, expanded, or contracted in step 222 with the connection of a plurality of data storage devices to at least one remote host via at least a network controller, distribution circuit, and routing module. It is contemplated, but not required, that at least one data storage device of the system is a self-encrypting device where local device circuitry provides penalty free on-the-fly encryption, and decryption, of data.
At some time after connecting the data storage devices, at least one host sends a data access command to be serviced by the system in step 224. The data access command may be a non-SED command, such as a request to store, or retrieve, data stored on a non-SED or an initialized SED. A non-SED command can be serviced by the network controller and at least one distribution circuit with the routing module being inactive, such as being powered off, paused, or in a passthrough mode. Alternatively, a host data access command may be an SED command, such as a request to unlock a device, a request to access a secure portion of a device, or a change in security/encryption firmware.
The routing module evaluates the data access command(s) from step 224 in decision 226 and determines if the commands can be classified as SED-type. The data access commands evaluated in decision 226 may be SATA commands with special tags designating SED-related information. The identification of a host-sourced data access command involving SED information triggers step 228 to pause any data access command execution in the routing module and network controller while the routing module separates the SED aspects of the data access command in step 230 from the non-SED aspects.
The separated non-SED aspects are sent to the network controller for execution while the SED aspects are buffered in the routing module while the routing module establishes the impersonation of a downstream SED to the host and of an upstream host to the distribution circuit in step 232. That is, the routing module impersonates an SED to the host and network controller while impersonating a host by generating commands to at least one distribution circuit in step 234 to switch to a first working mode. While not required, the first working mode can be a JBOD mode, or other circuit configuration, that allows the routing module to individually access the physical block addresses of a particular SED. It is contemplated that the switching of the distribution circuits may be facilitated by custom SATA commands or through pin settings coinciding with a controller reset operation.
The individual device access afforded by the first distribution circuit mode allows the routing module to initialize individual data storage devices in step 236, which may occur while other devices of the distributed data storage system are being accessed by the routing module and/or network controller. The initialization of a locked SED can involve the routing module being blocked from receiving, or processing, other commands from a connected host. Step 236 proceeds to query the SED for a status to determine if the device is unlocked and has authenticated the host issuing the data access commands of step 224.
If the SED is locked, or hasn’t authenticated the command issuing host, the routing module begins an unlock/initialization operation that involves relaying a passphrase from the host to the SED as part of a cryptographic sequence that results in access to the logical, and physical, data block addresses of the SED. It is contemplated that the passphrase may be the same for each SED of the system, but such configuration is not required as the routing module can handle numerous different passphrases during SED unlocking/initialization. As such, the routing module utilizes its impersonated host role for the SED in combination with the impersonated SED role for the host to conduct the unlocking/initialization of an SED without delaying, or degrading, network controller activity.
The unlocking/initialization of a selected number of system SEDs, such as all, or less than all of the available SEDs, prompts the routing module to alter the working mode of the respective distribution circuits of the system in step 238 to allow predetermined data distribution, such as RAID level 0/1/5/10, redundant data copies in different SEDs, or hierarchical data storage. At the conclusion of altering the working mode of the distribution circuits, the routing module becomes inactive by directing system operations and commands to the network controller, which allows the network controller to execute any number of data access operations and commands in the SEDs to service host requests in step 240. The execution of data access commands and operations in step 240 may alternatively occur if the data access command from step 224 has non-SED instructions. It is noted that step 240 may occur with the network controller concurrently with steps 228-238 being executed with the routing module.
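The flow of routine 220 (decision 226 through step 240) can be followed in a small simulation. This is an added example, not code from the patent: the class names, command tags, and the HMAC challenge-response standing in for the unspecified cryptographic sequence are all assumptions, and the routing module here also plays the network controller's part in step 240.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

JBOD, RAID = "jbod", "raid"      # first working mode / distribution mode
# Constructed tags: the page only says SED commands carry special tags.
SED_OPS = {"unlock", "lock", "passphrase_change", "instant_erase"}


def credential(passphrase: str) -> bytes:
    """Assumed stored form of the passphrase (a real SED uses its own scheme)."""
    return hashlib.sha256(passphrase.encode()).digest()


def proof_for(key: bytes, nonce: bytes) -> bytes:
    """Answer to a device challenge; differs per device because nonces differ."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


@dataclass
class Sed:
    name: str
    cred: bytes
    locked: bool = True
    blocks: dict = field(default_factory=dict)
    nonce: bytes = b""

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)     # fresh per device, per attempt
        return self.nonce

    def unlock(self, proof: bytes) -> bool:
        nonce, self.nonce = self.nonce, b""      # a challenge is single use
        if nonce and hmac.compare_digest(proof, proof_for(self.cred, nonce)):
            self.locked = False
        return not self.locked

    def write(self, lba: int, data: bytes) -> None:
        if self.locked:
            raise PermissionError(f"{self.name} is locked")
        self.blocks[lba] = data


@dataclass
class DistributionCircuit:
    devices: list
    mode: str = RAID

    def mirror_write(self, lba: int, data: bytes) -> None:
        if self.mode != RAID:
            raise RuntimeError("circuit is not in distribution mode")
        for dev in self.devices:                 # RAID 1 style mirroring
            dev.write(lba, data)


class RoutingModule:
    def __init__(self, circuit: DistributionCircuit):
        self.circuit = circuit
        self.trace = []                          # ordered record of steps taken
        self.buffered = []                       # SED commands not executed here

    def handle(self, commands: list) -> dict:
        # Decision 226 / step 230: separate SED aspects from non-SED aspects.
        sed_cmds = [c for c in commands if c["op"] in SED_OPS]
        data_cmds = [c for c in commands if c["op"] not in SED_OPS]
        unlocks = [c for c in sed_cmds if c["op"] == "unlock"]
        self.buffered = [c for c in sed_cmds if c["op"] != "unlock"]
        replies = {}
        if unlocks:
            self.circuit.mode = JBOD             # step 234: individual access
            self.trace.append("mode=jbod")
            for cmd in unlocks:
                key = credential(cmd["passphrase"])   # cleartext at this point
                for dev in self.circuit.devices:      # step 236: one at a time
                    if dev.locked:
                        ok = dev.unlock(proof_for(key, dev.challenge()))
                        self.trace.append(f"unlock {dev.name} {'ok' if ok else 'fail'}")
            if all(not d.locked for d in self.circuit.devices):
                self.circuit.mode = RAID         # step 238: distribution mode
                self.trace.append("mode=raid")
                replies["sed"] = "unlock successful"
            else:
                replies["sed"] = "locked"        # circuit stays in JBOD mode
        # Step 240: data access commands run only against an unlocked array.
        done = 0
        if self.circuit.mode == RAID and not any(d.locked for d in self.circuit.devices):
            for cmd in data_cmds:
                self.circuit.mirror_write(cmd["lba"], cmd["data"])
                done += 1
        replies["data_executed"] = done
        replies["data_held"] = len(data_cmds) - done
        return replies


def demo(passphrase_sent: str) -> tuple:
    cred = credential("constructed-passphrase")
    circuit = DistributionCircuit([Sed("sed0", cred), Sed("sed1", cred)])
    rm = RoutingModule(circuit)
    stream = [  # constructed host stream mixing non-SED and SED commands
        {"op": "write", "lba": 7, "data": b"payload"},
        {"op": "unlock", "passphrase": passphrase_sent},
    ]
    return rm.handle(stream), rm.trace, circuit
```

The point to review in a design like this is the trust placed in the routing module: it holds the host passphrase in cleartext and answers to the host in place of the device, so the failed-unlock path must leave the circuit out of distribution mode and the data commands unexecuted.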
It is noted that the network controller and/or distribution circuits can be configured with the computing capabilities to conduct the various steps of routine 220. However, such computing capability can be costly in terms of complexity, price, and operational latency. For instance, a distribution circuit may be capable of impersonating some, or all, of the connected SEDs, but the impersonation of those SEDs would cause commands and operations from the upstream network controller to be delayed. Thus, the distribution circuits and network controller can have reduced computing capabilities, lower price, faster operation, and reduced execution latency by providing a separate routing module configured with circuitry and programmable intelligence that can separate SED aspects of host commands, route non-SED commands to the network controller, alter the working mode of the distribution circuits, and initialize SED by impersonating a host and SED.
Through the various embodiments of the present disclosure, a routing module can intelligently handle the initialization of one or more data storage devices in a distributed data storage system. The ability to separate commands into SED and non-SED aspects allows the network controller and routing module to operate concurrently to optimize system performance. The impersonation of an SED and/or host by the routing module further optimizes the system by altering the working mode of distribution circuits to individually access, and sequentially unlock, each SED of the system, which contrasts waiting until each SED of the system is unlocked/initialized before conducting data access operations to any SED.

Claims

Claims:
1. A method comprising: connecting a number of hosts connected to a first data storage device and a second data storage device via a network controller, a routing module, and a first distribution circuit; determining the first and second data storage devices are locked; separating data access commands from encryption commands with the routing module; altering a device access mode of the first distribution circuit to a first mode with the routing module in response to the data storage devices being locked; executing the encryption commands with the routing module to sequentially unlock the first and second data storage devices; setting the first distribution circuit to a distribution mode in response to the unlocking of the first data storage device; and executing the data access commands with the network controller to the respective first and second data storage devices.
2. The method of claim 1, wherein the first distribution circuit comprises a redundant array of independent devices (RAID) controller.
3. The method of claim 1, wherein the first distribution circuit is directly connected to the first data storage device and the second data storage device.
4. The method of claim 1, wherein the first data storage device is directly connected to the first distribution circuit and the second data storage device is directly connected to a second distribution circuit.
5. The method of claim 1, wherein the first mode corresponds with individual access to the first data storage device.
6. The method of claim 1, wherein the routing module sends the data access commands to the network controller for execution.
7. The method of claim 6, wherein the routing module executes the encryption commands to the second data storage device while the data access commands are executed in the first data storage device.
8. The method of claim 1, wherein a second distribution circuit is connected between the routing module and the first distribution circuit.
9. The method of claim 8, wherein the second distribution circuit is directly connected to a third distribution circuit, the second data storage device connected to the third distribution circuit.
10. A method comprising: connecting a number of hosts connected to a first data storage device and a second data storage device via a network controller, a routing module, and a distribution circuit; determining at least the first data storage device being locked; impersonating an unlocked data storage device with the routing module; separating data access commands from encryption commands with the routing module; altering a data mode of the distribution circuit with the routing module in response to the first data storage device being locked; executing the encryption commands with the routing module to unlock the first data storage device concurrently with execution of the data access commands to the second data storage device with the network controller; setting the distribution circuit to a distribution mode in response to the unlocking of the first data storage device; and executing the data access commands with the network controller to the first data storage device.
11. The method of claim 10, wherein the data mode of the distribution circuit is altered by the routing module without resetting the first data storage device or the second data storage device.
12. The method of claim 11, wherein the distribution mode is set in the distribution circuit without resetting the first data storage device or the second data storage device.
13. The method of claim 10, wherein the first data storage device is a self encrypting device (SED).
14. The method of claim 13, wherein the second data storage device is an SED.
15. The method of claim 10, wherein the impersonating of the unlocked data storage device involves the routing module sending at least one reply to the host instead of the first data storage device.
16. The method of claim 10, wherein the routing module impersonates the host to the first data storage device while impersonating the first data storage device to the host.
17. The method of claim 10, wherein the unlocking of the first data storage device occurs upon startup of a distributed data storage system.
18. The method of claim 10, wherein the unlocking of the first data storage device occurs upon connection of the first data storage device to the distribution circuit while the second data storage device is unlocked.
19. A system comprising at least one host connected to a first data storage device and a second data storage device via a network controller, a routing module, and a distribution circuit, the network controller configured to separate data access commands from encryption commands in response to the first data storage device being locked, the routing module configured to alter a data mode of the distribution circuit with the in response to the data storage devices being locked and execute the encryption commands to unlock the first data storage device, the routing module sets the distribution circuit to a distribution mode and the data access commands are executed with the network controller to the first data storage device in response to the unlocking of the first data storage device.
20. The system of claim 19, wherein the routing module comprises a microcontroller and is connected to the at least one host via a serial ATA (SATA) interface.
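
The command flow recited in claim 10, with the reply behaviour of claim 15, modelled as an added Python example that is not part of the patent text. The class and function names, the `UNLOCK` command name, the `"unlock"` mode label, and the choice to hold data access commands until the drive unlocks are all assumptions. Concurrency is shown as interleaving in a constructed trace.

```python
from dataclasses import dataclass, field

ENCRYPTION_CMDS = {"UNLOCK"}  # constructed command name, not a real opcode

@dataclass
class Drive:
    name: str
    locked: bool
    executed: list = field(default_factory=list)

class RoutingModule:
    """Hypothetical model; mode labels and queueing are assumptions."""
    def __init__(self, drives):
        self.drives = {d.name: d for d in drives}
        self.pending = []   # data access commands held for a locked drive
        self.audit = []     # (handler, drive, command) in order handled
        # Data mode is altered when any drive is locked (no drive reset).
        self.mode = "unlock" if any(d.locked for d in drives) else "distribution"

    def submit(self, target, cmd):
        drive = self.drives[target]
        if cmd in ENCRYPTION_CMDS:      # routing module executes these itself
            drive.locked = False
            self.audit.append(("routing_module", target, cmd))
            if not any(d.locked for d in self.drives.values()):
                self.mode = "distribution"
            held = [c for t, c in self.pending if t == target]
            self.pending = [(t, c) for t, c in self.pending if t != target]
            for c in held:
                self._execute(target, c)
            return "unlocked"
        if drive.locked:                # reply to the host in the drive's place
            self.pending.append((target, cmd))
            self.audit.append(("routing_module_reply", target, cmd))
            return "ack-from-routing-module"
        self._execute(target, cmd)
        return "done"

    def _execute(self, target, cmd):
        drive = self.drives[target]
        if drive.locked:                # invariant: no data I/O to a locked drive
            raise RuntimeError(f"{cmd} reached locked drive {target}")
        drive.executed.append(cmd)
        self.audit.append(("network_controller", target, cmd))

def run_constructed_trace():
    rm = RoutingModule([Drive("sed1", True), Drive("sed2", False)])
    trace = [("sed1", "READ"), ("sed2", "WRITE"), ("sed1", "UNLOCK"), ("sed1", "WRITE")]
    return rm, [rm.submit(t, c) for t, c in trace]
```

The `audit` list records which component answered each command, which is the only place in this model where a reply sent in the drive's place can be told apart from one the drive produced.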
PCT/IB2019/001294 2019-08-21 2019-08-21 Distributed data storage with routing module WO2021033007A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/IB2019/001294 WO2021033007A1 (en) 2019-08-21 2019-08-21 Distributed data storage with routing module

Publications (1)

Publication Number Publication Date
WO2021033007A1 (en) 2021-02-25

Family

ID=69723991

Country Status (1)

Country Link
WO (1) WO2021033007A1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190243784A1 (en) * 2018-02-07 2019-08-08 Seagate Technology Llc Encrypted raid drive management

Similar Documents

Publication Publication Date Title
US8166314B1 (en) Selective I/O to logical unit when encrypted, but key is not available or when encryption status is unknown
US8422677B2 (en) Storage virtualization apparatus comprising encryption functions
US8464073B2 (en) Method and system for secure data storage
US8417967B2 (en) Storage device data encryption using a binary large object (BLOB)
US7269743B2 (en) Method and apparatus for secure data mirroring a storage system
US7162647B2 (en) Method and apparatus for cryptographic conversion in a data storage system
US8966281B1 (en) Systems and methods for accessing storage or network based replicas of encryped volumes with no additional key management
US8261068B1 (en) Systems and methods for selective encryption of operating system metadata for host-based encryption of data at rest on a logical unit
US20170085374A1 (en) System and method for automatic key generation for self-encrypting drives
US20090046858A1 (en) System and Method of Data Encryption and Data Access of a Set of Storage Devices via a Hardware Key
US20050193182A1 (en) Method and apparatus for preventing un-authorized computer data access
KR20010109092A (en) Authenticated access to storage area network
EP1953668A2 (en) System and method of data encryption and data access of a set of storage devices via a hardware key
US11144635B2 (en) Restricted command set management in a data storage system
US8261099B1 (en) Method and system for securing network data
WO2021033007A1 (en) Distributed data storage with routing module
US11995223B2 (en) Data storage device encryption
US10936759B1 (en) Systems, methods and computer-readable media for providing enhanced encryption in a storage system
US9870481B1 (en) Associating a data encryption keystore backup with a computer system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19856474

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 14/06/2022)

122 Ep: pct application non-entry in european phase

Ref document number: 19856474

Country of ref document: EP

Kind code of ref document: A1