Patents by Inventor Glen A. Jaquette

Glen A. Jaquette has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20200076600
    Abstract: Authentication is performed on a plurality of links of a computing environment. One node requests generation of a shared key by a key server coupled to the one node. The one node obtains the shared key and an identifier of the shared key and sends the identifier from the one node to another node. A message encrypted with the shared key is sent from the one node to the other node via one link of the plurality of links. The one node receives via the one link an indication that the other node decrypted the encrypted message using the shared key obtained by the other node. The sending the encrypted message and the receiving the indication that the other node decrypted the encrypted message are repeated on one or more other links of the plurality of links using the shared key previously obtained.
    Type: Application
    Filed: September 4, 2018
    Publication date: March 5, 2020
    Inventors: Patricia G. Driever, Roger G. Hathorn, Christopher Colonna, John Flanagan, George P. Kuch, Richard M. Sczepczenski, Glen Jaquette
  • Publication number: 20200076807
    Abstract: Access between a plurality of nodes of the computing environment is controlled by a key server. The key server receives from one node of the plurality of nodes, a request for a shared key, in which the shared key is created for a selected node pair. A determination is made by the key server as to whether the one node is a node of the selected node pair. In one example, the determining checks an alternate name of the one node to determine whether it matches an alternate name associated with the shared key. Based on determining the one node is a node of the selected node pair, the key server provides the shared key to the one node.
    Type: Application
    Filed: September 4, 2018
    Publication date: March 5, 2020
    Inventors: Patricia G. Driever, Roger G. Hathorn, Christopher Colonna, John Flanagan, George P. Kuch, Richard M. Sczepczenski, Glen Jaquette, Jacob L. Sheppard, Peter G. Sutton
  • Publication number: 20200076618
    Abstract: A path is secured from one node to another node of the computing environment. The one node obtains a first encryption key and one or more first parameters for transmission of data, and a second encryption key and one or more second parameters for reception of data. A shared key is obtained by the one node from a key server, and the shared key is used to encrypt a message. The encrypted message includes the first encryption key, the one or more first parameters, the second encryption key and the one or more second parameters. The encrypted message and an identifier of the shared key are sent from the one node to the other node, and a response message is received by the one node. The response message at least provides an indication that the other node received the encrypted message and obtained the shared key.
    Type: Application
    Filed: September 4, 2018
    Publication date: March 5, 2020
    Inventors: Patricia G. Driever, Roger G. Hathorn, Christopher Colonna, John Flanagan, George P. Kuch, Richard M. Sczepczenski, Glen Jaquette
  • Publication number: 20200076581
    Abstract: Authentication is performed on a plurality of links to be used to couple one node of the computing environment and another node of the computing environment. The performing authentication includes obtaining, by the other node from the one node via one link of the plurality of links, an identifier of a shared key maintained by a key server. The other node uses the identifier to obtain the shared key from the key server. An indication that the other node decrypted a message received from the one node using the shared key is sent from the other node via the one link. The sending the indication on one or more other links of the plurality of links is repeated for subsequent messages decrypted by the other node using the shared key previously obtained.
    Type: Application
    Filed: September 4, 2018
    Publication date: March 5, 2020
    Inventors: Patricia G. Driever, Roger G. Hathorn, Christopher Colonna, John Flanagan, George P. Kuch, Richard M. Sczepczenski, Glen Jaquette
  • Publication number: 20200076580
    Abstract: Authentication is performed on a plurality of links coupling one node of the computing environment and another node of the computing environment. The performing authentication includes obtaining by the one node a shared key from a key server coupled to the one node and another node of the computing environment. A message encrypted with the shared key is sent from the one node to the other node via one link of the plurality of links. An indication that the other node decrypted the message using the shared key obtained by the other node is received from the other node via the one link. The sending and the receiving are repeated on one or more other links of the plurality of links using the shared key previously obtained.
    Type: Application
    Filed: September 4, 2018
    Publication date: March 5, 2020
    Inventors: Patricia G. Driever, Roger G. Hathorn, Christopher Colonna, John Flanagan, George P. Kuch, Richard M. Sczepczenski, Glen Jaquette, Peter G. Sutton
  • Publication number: 20200004631
    Abstract: A method for more efficiently utilizing storage space in a set of storage drives is disclosed. In one embodiment, such a method implements, in a set of storage drives, a first RAID utilizing data striping with distributed parity values. The method further implements, in a subset of the set of storage drives, a second RAID using residual storage space in storage drives belonging to the subset. Storage drives belonging to the subset may have a storage capacity that is larger than storage drives not belonging to the subset. In certain embodiments, the method adaptively alters a parity rotation of the first RAID to provide an increased concentration of parity values in certain storage drives of the first RAID compared to other storage drives of the first RAID. A corresponding system and computer program product are also disclosed.
    Type: Application
    Filed: June 29, 2018
    Publication date: January 2, 2020
    Applicant: International Business Machines Corporation
    Inventors: Glen Jaquette, Jacob Smalts, David Mullen, Van Smith
  • Publication number: 20200004630
    Abstract: A method for more efficiently utilizing storage space in a redundant array of independent disks (RAID) is disclosed. In one embodiment, such a method implements a RAID from multiple storage drives. The RAID utilizes data striping with distributed parity values to provide desired data protection/redundancy. The distributed parity values are placed on selected storage drives of the RAID in accordance with a designated parity rotation. The method further adaptively alters the parity rotation of the RAID to provide an increased concentration of parity values in certain storage drives of the RAID compared to other storage drives of the RAID. This parity rotation may be adapted based on residual storage capacity in each storage drive, consumed space in each storage drive, or the like. A corresponding system and computer program product are also disclosed.
    Type: Application
    Filed: June 29, 2018
    Publication date: January 2, 2020
    Applicant: International Business Machines Corporation
    Inventors: Glen Jaquette, Jacob Smalts, David Mullen, Van Smith
  • Publication number: 20190394035
    Abstract: A data handling system includes a block-based storage device. An encryption key structure block includes key structure locations that may store encryption key structures. A key structure may take on at least three states: an erased state, an active state, and a zeroized state. The key structure includes error control data fields that are configured to contain error control data that independently protect data of the key structure in the active and the zeroized state. Key structures may be stored to key structure locations within a first encryption key block until each key structure location has stored a key structure in the active or zeroized state. Subsequently, the key structures in the active state may be copied and stored in key structure locations within a second encryption key block.
    Type: Application
    Filed: June 20, 2018
    Publication date: December 26, 2019
    Inventor: Glen Jaquette
  • Publication number: 20190354490
    Abstract: A system includes a processor and logic integrated with the processor, executable by the processor, or integrated with and executable by the processor. The logic is configured to receive a request to store data on media and obtain a data key. The logic is configured to generate an encryption encapsulated data key using the data key and generate a session encrypted data key using the data key. The logic is further configured to provide the session encrypted data key to a machine configured to write encrypted data to the data storage media for use by the machine in writing encrypted data to the data storage media. The logic is configured to provide the encryption encapsulated data key to the machine for enabling the machine to store the encryption encapsulated data key with the data on the data storage media.
    Type: Application
    Filed: July 31, 2019
    Publication date: November 21, 2019
    Inventors: Paul M. Greco, Glen A. Jaquette
  • Patent number: 10445254
    Abstract: A method according to one embodiment includes receiving a request to store data on media, and generating a data key. An encryption encapsulated data key is generated using the data key. A session encrypted data key is generated using the data key. The encryption encapsulated data key and session encrypted data key are provided for use in writing encrypted data to the media. A method according to another embodiment includes receiving a request to read data from media, and receiving an encryption encapsulated data key. The encryption encapsulated data key is processed to obtain a data key. A session encrypted data key is generated using the data key. The encryption encapsulated data key and session encrypted data key are provided for use in reading the encrypted data from the media.
    Type: Grant
    Filed: May 30, 2015
    Date of Patent: October 15, 2019
    Assignee: International Business Machines Corporation
    Inventors: Paul M. Greco, Glen A. Jaquette
  • Publication number: 20190310995
    Abstract: Provided are a computer program product, system, and method for merging multiple point-in-time copies into a merged point-in-time copy. A repository maintains a full copy of the source data and point-in-time copies at point-in-times of the source data. Each of the point-in-time copies have change information indicating changed data in the source data that changed between the point-in-time of the point-in-time copy and a subsequent point-in-time and changed point-in-time data comprising data in the source data as of the point-in-time of the point-in-time copy indicated in the change information as changed. At least two selected of the point-in-time copies in the repository are merged into a merged point-in-time copy by: forming merged change information in the merged point-in-time copy indicating changed data indicated in change information for the selected point-in-time copies; and forming merged changed data in the merged point-in-time copy from the changed data in the selected point-in-time copies.
    Type: Application
    Filed: June 21, 2019
    Publication date: October 10, 2019
    Inventors: Glen A. Jaquette, Gregory T. Kishi, Alistair L. Symon
  • Patent number: 10387446
    Abstract: Provided are a computer program product, system, and method for merging multiple point-in-time copies into a merged point-in-time copy. A repository maintains a full copy of the source data and point-in-time copies at point-in-times of the source data. Each of the point-in-time copies have change information indicating changed data in the source data that changed between the point-in-time of the point-in-time copy and a subsequent point-in-time and changed point-in-time data comprising data in the source data as of the point-in-time of the point-in-time copy indicated in the change information as changed. At least two selected of the point-in-time copies in the repository are merged into a merged point-in-time copy by: forming merged change information in the merged point-in-time copy indicating changed data indicated in change information for the selected point-in-time copies; and forming merged changed data in the merged point-in-time copy from the changed data in the selected point-in-time copies.
    Type: Grant
    Filed: April 28, 2014
    Date of Patent: August 20, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Glen A. Jaquette, Gregory T. Kishi, Alistair L. Symon
  • Patent number: 10372546
    Abstract: Provided are a computer program product, system, and method for creating a restore copy from a copy of source data in a repository having source data at different point-in-times. All the source data as of an initial point-in-time is copied to a repository. In response to completing point-in-time copies following the initial point-in-time, change information is transmitted to the repository indicating changed data in the source data that changed between the point-in-time of the point-in-time copy and a subsequent point-in-time. For each point-in-time copy, copying changed source data comprising source data indicated in the change information for the point-in-time copy as changed to the repository. A restore request is received to restore the source data as of a restore point-in-time. The source data in the repository as of the restore point-in-time is copied from the repository to a restore copy.
    Type: Grant
    Filed: February 7, 2014
    Date of Patent: August 6, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Glen A. Jaquette, Gregory T. Kishi
  • Publication number: 20190179708
    Abstract: Provided are a computer program product, system, and method for creating a restore copy from a copy of source data in a repository having source data at different point-in-times. All the source data as of an initial point-in-time is copied to a repository. In response to completing point-in-time copies following the initial point-in-time, change information is transmitted to the repository indicating changed data in the source data that changed between the point-in-time of the point-in-time copy and a subsequent point-in-time. For each point-in-time copy, copying changed source data comprising source data indicated in the change information for the point-in-time copy as changed to the repository. A restore request is received to restore the source data as of a restore point-in-time. The source data in the repository as of the restore point-in-time is copied from the repository to a restore copy.
    Type: Application
    Filed: February 15, 2019
    Publication date: June 13, 2019
    Inventors: Glen A. Jaquette, Gregory T. Kishi
  • Patent number: 10176048
    Abstract: Provided are a computer program product, system, and method for creating a restore copy from a copy of source data in a repository having source data at different point-in-times and reading data from the repository for the restore copy. The source data is copied as of an initial point-in-time to a repository. Point-in-time copies at different point-in-times of the source data are initiated following the initial point-in-time. Change information for the point-in-time copy indicating changed data in the source data that changed between the point-in-time of the point-in-time copy and a subsequent point-in-time are transmitted to the repository. For each point-in-time copy, changed source data indicated in the change information for the point-in-time copy as changed is copied to the repository. A restore copy is returned to a restore request before the source data in the repository as of a restore point-in-time is copied to the restore copy.
    Type: Grant
    Filed: February 7, 2014
    Date of Patent: January 8, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Glen A. Jaquette, Gregory T. Kishi
  • Patent number: 10157282
    Abstract: In one embodiment, a system includes a processor and logic integrated with and/or executable by the processor, the logic being configured to cause the processor to receive a data stream including data for encryption, insert one or more test vectors between individual blocks of data of the data stream, encrypt the blocks of data including the one or more test vectors to produce an encrypted data stream including one or more encrypted test vectors, decrypt the encrypted data stream including the one or more encrypted test vectors, compare each decrypted test vector with a corresponding inserted test vector, and report results of the comparison. Other systems, methods, and computer program products for self testing an encryption/decryption cycle are described according to more embodiments.
    Type: Grant
    Filed: December 16, 2013
    Date of Patent: December 18, 2018
    Assignee: International Business Machines Corporation
    Inventors: Charles J. Camp, Bryan B. Grandy, Glen A. Jaquette
  • Patent number: 10108558
    Abstract: Provided is a data storage drive for encrypting data, comprising a microprocessor and circuitry coupled to the microprocessor and adapted to receive a session encrypted data key and to decrypt the session encrypted data key using a session key, wherein a result is a data key that is capable of being used to encrypt clear text and to decrypt cipher text written to a storage medium. Also provided is a system, comprising a microprocessor and circuitry coupled to the microprocessor and adapted to receive a session encrypted data key and to decrypt the session encrypted data key using a private key, wherein a result is a secret key that is capable of being used to encrypt clear text and to decrypt cipher text written to a storage medium.
    Type: Grant
    Filed: June 8, 2017
    Date of Patent: October 23, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Paul M. Greco, Glen A. Jaquette, Scott J. Schaffer
  • Patent number: 9998144
    Abstract: Provided are a computer program product, system, and method for generating a code alphabet for use by a deployed program to determine codewords for words. A first code alphabet has a first number of symbols that provide variable length codings of the words. A second code alphabet is generated having a second number of symbols formed by merging the symbols in the first code alphabet, wherein the second code alphabet comprises the code alphabet used by the deployed program.
    Type: Grant
    Filed: June 28, 2016
    Date of Patent: June 12, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Roy D. Cideciyan, Glen A. Jaquette, Thomas Mittelholzer
  • Publication number: 20170346502
    Abstract: Provided are a computer program product, system, and method for generating a code alphabet for use by a deployed program to determine codewords for words. A first code alphabet has a first number of symbols that provide variable length codings of the words. A second code alphabet is generated having a second number of symbols formed by merging the symbols in the first code alphabet, wherein the second code alphabet comprises the code alphabet used by the deployed program.
    Type: Application
    Filed: June 28, 2016
    Publication date: November 30, 2017
    Inventors: Roy D. Cideciyan, Glen A. Jaquette, Thomas Mittelholzer
  • Publication number: 20170270057
    Abstract: Provided is a data storage drive for encrypting data, comprising a microprocessor and circuitry coupled to the microprocessor and adapted to receive a session encrypted data key and to decrypt the session encrypted data key using a session key, wherein a result is a data key that is capable of being used to encrypt clear text and to decrypt cipher text written to a storage medium. Also provided is a system, comprising a microprocessor and circuitry coupled to the microprocessor and adapted to receive a session encrypted data key and to decrypt the session encrypted data key using a private key, wherein a result is a secret key that is capable of being used to encrypt clear text and to decrypt cipher text written to a storage medium.
    Type: Application
    Filed: June 8, 2017
    Publication date: September 21, 2017
    Inventors: Paul M. Greco, Glen A. Jaquette, Scott J. Schaffer