Abstract: A computer-implemented method according to one aspect includes creating an initialization vector, utilizing an instance of plaintext and a secret key; encrypting the instance of plaintext, utilizing the initialization vector, the secret key, and the instance of plaintext; combining the initialization vector and the encrypted instance of plaintext to create a ciphertext string; and outputting the ciphertext string.

Abstract: A computer-implemented method according to one embodiment includes compressing an uncompressed instance of data to create a compressed instance of data; encrypting the compressed instance of data in response to determining that a size of the compressed instance of data is less than a predetermined threshold; creating a message authentication code (MAC) for the encrypted compressed instance of data; and adding a variable-length zero pad and the MAC to the encrypted compressed instance of data to create a formatted string.

Abstract: Encrypting data blocks by receiving blocks of compressed data, determining a size, in bytes, of the compressed data, appending a trailer to the compressed data, the trailer associated with the size in bytes of the compressed data, encrypting the compressed data and trailer, yielding encrypted data, where a header of the encrypted data comprises a number of complete encrypted data blocks, and providing the encrypted data to a user.

Abstract: A computer-implemented method according to one aspect includes creating an initialization vector, utilizing an instance of plaintext and a secret key; encrypting the instance of plaintext, utilizing the initialization vector, the secret key, and the instance of plaintext; combining the initialization vector and the encrypted instance of plaintext to create a ciphertext string; and outputting the ciphertext string.

Abstract: A computer-implemented method according to one aspect includes creating an initialization vector, utilizing an instance of plaintext and a secret key; encrypting the instance of plaintext, utilizing the initialization vector, the secret key, and the instance of plaintext; combining the initialization vector and the encrypted instance of plaintext to create a ciphertext string; and sending the ciphertext string to a storage device performing deduplication.

Abstract: Live migration of a virtual machine (VM) includes establishing multipath connections between the VM and functions of host interface on a source host. The multipath connections include a passthrough path and a software-virtualized (or emulated) path provided by a hypervisor of the source host. A failover of the passthrough path to the emulated path is executed, and a state of the emulated path is thereafter saved. On a host interface of a destination host, functions corresponding to those of the source host are exposed. The VM is then migrated from the source host to the destination host. The VM resumes host interface communication with the host interface of the destination host from the saved state via an emulated path provided by a hypervisor of the destination host. After resuming communication, a passthrough path of communication between the VM and the host interface of the destination host is established.

Abstract: Encrypting data blocks by receiving blocks of compressed data, determining a size, in bytes, of the compressed data, appending a trailer to the compressed data, the trailer associated with the size in bytes of the compressed data, encrypting the compressed data and trailer, yielding encrypted data, where a header of the encrypted data comprises a number of complete encrypted data blocks, and providing the encrypted data to a user.

Abstract: A computer-implemented method according to one embodiment includes identifying a plurality of storage systems within a storage environment, determining characteristics of each of the plurality of storage systems, the characteristics including one or more data reduction techniques implemented by each of the plurality of storage systems, performing a plurality of storage simulations of one or more data volumes, utilizing the characteristics of each of the plurality of storage systems, and determining one of the plurality of storage systems to store the one or more data volumes, based on results of the plurality of storage simulations.

Abstract: Embodiments of the present systems and methods may provide techniques to provide host side encryption while maintaining compression and deduplication benefits and providing communication between the host and the storage system that does not leak information about the data compressibility/deduplication properties. For example, in an embodiment, a method may comprise compressing, at a computer system, an original sector of data, generating a new sector of data including a first part including metadata and padding data, and a second part including the original sector of data that has been compressed and encrypted using a data encryption key (DEK), encrypting, at the computer system, the new sector of data using a data reduction key (DRK), and transmitting, at the computer system, the encrypted new sector of data to a storage system.

Abstract: A computer-implemented method according to one embodiment includes compressing an uncompressed instance of data to create a compressed instance of data; encrypting the compressed instance of data in response to determining that a size of the compressed instance of data is less than a predetermined threshold; creating a message authentication code (MAC) for the encrypted compressed instance of data; and adding a variable-length zero pad and the MAC to the encrypted compressed instance of data to create a formatted string.

Abstract: A computer-implemented method according to one aspect includes creating an initialization vector, utilizing an instance of plaintext and a secret key; encrypting the instance of plaintext, utilizing the initialization vector, the secret key, and the instance of plaintext; combining the initialization vector and the encrypted instance of plaintext to create a ciphertext string; and sending the ciphertext string to a storage device performing deduplication.

Abstract: A mechanism is provided for dispersed location-based data storage. A request is received to write a data file to a referrer memory region in a set of memory regions. For each data chunk of the data file, responsive to a comparison of a hash value for the data chunk to other hash values for other stored data chunks referenced in the referrer memory region indicating that the data chunk fails to exist in the referrer memory region, responsive to the data chunk existing in another memory region in the set of memory regions, responsive to the memory region failing to be one of the predetermined number N of owner memory regions associated with the referrer memory region, and responsive to the predetermined number N of owner memory regions failing to have been met, a reference to the data chunk is stored in the referrer memory region.

Abstract: A mechanism is provided for dispersed location-based data storage. A request is received to write a data file to a referrer memory region in a set of memory regions. For each data chunk of the data file, responsive to a comparison of a hash value for the data chunk to other hash values for other stored data chunks referenced in the referrer memory region indicating that the data chunk fails to exist in the referrer memory region, responsive to the data chunk existing in another memory region in the set of memory regions, responsive to the memory region failing to be one of the predetermined number N of owner memory regions associated with the referrer memory region, and responsive to the predetermined number N of owner memory regions failing to have been met, a reference to the data chunk is stored in the referrer memory region.

Abstract: Computer program products, as well as corresponding systems and methods are configured for performing deduplication in conjunction with random read and write operations, and include: computing a fingerprint of data included in a write request; determining whether a short term dictionary comprises an entry corresponding to the fingerprint; in response to determining the short term dictionary comprises the entry corresponding to the fingerprint, writing the data to a data store in a deduplicating manner; in response to determining the short term dictionary does not comprise the entry, determining whether a long term dictionary corresponding to the namespace comprises the entry; in response to determining the long term dictionary comprises the entry, writing the data to the data store in the deduplicating manner; and in response to determining the long term dictionary does not comprise the entry, writing the data to the data store in a non-deduplicating manner.

Abstract: In one embodiment, a deduplicating storage system includes a processor and logic integrated with and/or executable by the processor. The logic is configured to cause the processor to perform a method which includes: computing a fingerprint of a data chunk, and determining whether a short term dictionary corresponding to the namespace comprises an entry corresponding to the fingerprint. In response to determining the short term dictionary does not comprise the entry, a determination is made whether a long term dictionary corresponding to the namespace comprises the entry. In response to determining the long term dictionary comprises the entry: the data chunk is written to the data store in the deduplicating manner, and the short term dictionary is repopulated with the entry. Moreover, in response to determining the long term dictionary does not comprise the entry, the data chunk is written to the data store in a non-deduplicating manner.

Abstract: A computer program product and a system comprising: a cluster of Secure Execution Platforms (SEPs) having connectivity to a data storage, each SEP of said cluster is configured to maintain, using a key, confidentiality of data while processing thereof; the key is shared among the SEPs of said cluster, the key is automatically generated by the cluster or portion thereof and is unavailable to any non-cluster entity; the data storage retains encrypted data that is encrypted using the key; a first SEP of the cluster is configured to encrypt client data using the key to obtain encrypted client data and store the encrypted client data in the data storage; and a second SEP of the cluster is configured to retrieve encrypted stored data from the data storage, decrypt the encrypted stored data using the key to obtain non-encrypted form of the encrypted stored data.

Abstract: In some examples, a system for executing instructions can include a processor to detect data to be transmitted to a storage device in response to a write operation. The processor can also determine that the data comprises a compressible characteristic that enables compression of the data to a size below a threshold value. Additionally, the processor can generate a modified data block by encrypting the compressed data, and adding a padding to the compressed and encrypted data. Furthermore, the processor can transmit the modified data block to the storage device.

Abstract: A computer-implemented method, computerized apparatus and computer program product for supporting fairness in secure computations. A trusted execution platform with remote attestation (“enclave”) is provided to each of a plurality of participants. An authenticated public ledger accessible by all participants is also provided. Each of the enclaves is configured for obtaining at least a portion of an input to a function for computing a joint secret output, complementing the input by obtaining any remainder portion(s) thereof from one or more other enclaves, and, responsive to obtaining an indication from the ledger that the output can be computed by each of the enclaves, providing to the owner participant the output computed using the function and input. At least one of the enclaves is further configured for providing the indication to the ledger responsive to obtaining knowledge that the output can be computed by each of the enclaves.

Abstract: Embodiments of the present systems and methods may provide techniques to provide host side encryption while maintaining compression and deduplication benefits and providing communication between the host and the storage system that does not leak information about the data compressibility/deduplication properties. For example, in an embodiment, a method may comprise compressing, at a computer system, an original sector of data, generating a new sector of data including a first part including metadata and padding data, and a second part including the original sector of data that has been compressed and encrypted using a data encryption key (DEK), encrypting, at the computer system, the new sector of data using a data reduction key (DRK), and transmitting, at the computer system, the encrypted new sector of data to a storage system.

Abstract: An apparatus, a computer program and a method for prefetching a predetermined number of data items to a cache. The method comprises obtaining a list of candidate data items and associated scores thereof, that comprises more candidate data items than the predetermined number of data items to be prefetched to the cache. The method comprises repeatedly selecting, based on scores of the candidate data items, a candidate data item from the list and determining whether to add the candidate data item to the cache. Determining whether to add the candidate data item to the cache comprises determining whether the candidate data item is retained by the cache; and in response to determining that the candidate data item is not retained by the cache, adding the candidate data item thereto. The repeatedly selecting and determining are performed until the predetermined number of data items is added to the cache.