Abstract: Securely encrypting data using a remote key management service, including: transmitting a local secret to a key management service; transforming an encryption key received from the key management service to generate a key-encrypting key, wherein the encryption key is a one-way cryptographic hash using, as input, the local secret transmitted to the key management service; and decrypting, based on the key-encrypting key, a local data encryption key for encrypting or decrypting local data.

Abstract: End-to-end encryption in a storage system with multi-tenancy, includes: performing deduplication on a first tenant dataset, the first tenant dataset including data encrypted using a first storage system encryption key; and performing deduplication on a second tenant dataset, the second tenant dataset including data encrypted using a second storage system encryption key, where deduplication is not performed between the first and second tenant datasets.

Abstract: Replicating data using inferred trust, including: receiving, by a first storage system from a computing device, data encrypted using a first encryption key; decrypting, by the first storage system, the encrypted data using the first encryption key; encrypting, by the first storage system, the decrypted data using a second encryption key; storing, on the first storage system, the data encrypted using the second encryption key; sending, from the first storage system to the second storage system, the data; and servicing, by the second storage system, an input/output (‘I/O’) operation directed to the data.

Abstract: Utilizing multiple redundancy schemes within a unified storage element, including: receiving, in a storage system at a unified storage element that integrates both fast durable storage and bulk durable storage, a data storage operation from a host computer; storing, in accordance with a first data resiliency technique that corresponds to a RAID N+R format, data corresponding to the data storage operation within the fast durable storage of the unified storage element; and responsive to determining that the complete RAID stripe has been written to the fast durable storage, moving a portion of the stored data from the fast durable storage to the bulk durable storage of the unified storage element, the bulk durable storage storing the data in accordance with a second data resiliency technique that corresponds to a RAID M+R format, wherein M is different from N.

Abstract: Creating a replica of a storage system, including: receiving, by a first storage system from a computing device, data to be stored on the first storage system; reducing, by the first storage system, the data using one or more data reduction techniques; sending, from the first storage system to the second storage system, the reduced data, wherein the reduced data is encrypted; and sending, from the second storage system to a third storage system, the reduced data, wherein the reduced data is encrypted.

Abstract: Protecting an encryption key for data stored in a storage system that includes a plurality of storage devices, including: reading, from at least a majority of the storage devices, a portion of an apartment key; reconstructing the apartment key using the portions of the apartment key read by the majority of the storage devices; unlocking the main portion of each of the storage devices utilizing the apartment key; reading, from the main portion of one of the storage devices, a portion of a third-party resource access key; requesting, from the third-party resource utilizing the third-party resource access key, an encryption key; receiving, from the third-party resource, the encryption key; and decrypting the data stored on the storage devices utilizing the encryption key.

Abstract: Securely encrypting data using a remote key management service, including: transmitting a local secret to a key management service; transforming an encryption key received from the key management service to generate a key-encrypting key, wherein the encryption key is a one-way cryptographic hash using, as input, the local secret transmitted to the key management service; and decrypting, based on the key-encrypting key, a local data encryption key for encrypting or decrypting local data.

Abstract: Providing authorization and authentication in a cloud for a user of a storage array includes: receiving, by a storage array access module from a client-side array services module, a token representing authentication of user credentials and authorized access privileges defining one or more storage array services accessible by the user, where the token is generated by a cloud-based security module upon authentication of the user credentials and identification of authorized access privileges for the user; receiving, by the storage array access module from the user, a user access request to one or more storage array services; and determining, by the storage array access module, whether to grant the user access request in dependence upon the authorized access privileges represented by the token.

Abstract: A cloud-based storage system within a cloud computing environment, the cloud-based storage system including: monitoring, for the cloud-based storage system, one or more storage system operations, wherein the cloud-based storage system includes a virtual instance storage layer and a cloud-based storage layer; determining, based at least upon the one or more storage system operations, one or more access patterns for the cloud-based storage system; and modifying, based at least upon the one or more access patterns for the cloud-based storage system, one or more cloud configurations for the cloud-based storage system.

Abstract: Utilizing multiple redundancy schemes within a unified storage element, including: receiving, in a storage system at a unified storage element that integrates both fast durable storage and bulk durable storage, a data storage operation from a host computer; storing, in accordance with a first data resiliency technique that corresponds to a RAID N+R format, data corresponding to the data storage operation within the fast durable storage of the unified storage element; and responsive to determining that the complete RAID stripe has been written to the fast durable storage, moving a portion of the stored data from the fast durable storage to the bulk durable storage of the unified storage element, the bulk durable storage storing the data in accordance with a second data resiliency technique that corresponds to a RAID M+R format, wherein M is different from N.

Abstract: Creating a replica of a storage system, including: receiving, by a first storage system from a computing device, data to be stored on the first storage system; reducing, by the first storage system, the data using one or more data reduction techniques; sending, from the first storage system to the second storage system, the reduced data, wherein the reduced data is encrypted; and sending, from the second storage system to a third storage system, the reduced data, wherein the reduced data is encrypted.

Abstract: Restoring a storage system from a replication target, including: receiving, by a first storage system from a computing device, data to be stored on the first storage system; reducing, by the first storage system, the data using one or more data reduction techniques; sending, from the first storage system to the second storage system, the reduced data, wherein the reduced data is encrypted; and retrieving, by the first storage system from the second storage system, the reduced data, wherein the reduced data is encrypted.

Abstract: Providing authorization and authentication in a cloud for a user of a storage array includes: receiving, by a storage array access module from a client-side array services module, a token representing authentication of user credentials and authorized access privileges defining one or more storage array services accessible by the user, where the token is generated by a cloud-based security module upon authentication of the user credentials and identification of authorized access privileges for the user; receiving, by the storage array access module from the user, a user access request to one or more storage array services; and determining, by the storage array access module, whether to grant the user access request in dependence upon the authorized access privileges represented by the token.

Abstract: A cloud-based storage system within a cloud computing environment, the cloud-based storage system including: monitoring, for the cloud-based storage system, one or more storage system operations, wherein the cloud-based storage system includes a virtual instance storage layer and a cloud-based storage layer; determining, based at least upon the one or more storage system operations, one or more access patterns for the cloud-based storage system; and modifying, based at least upon the one or more access patterns for the cloud-based storage system, one or more cloud configurations for the cloud-based storage system.

Abstract: Multi-path end-to-end encryption in a storage system, includes: receiving, by a storage system through a first path, a first write request for first data to be stored in a dataset, where the first data is encrypted with a first encryption key associated with requests received from the first path; decrypting the first data utilizing the first encryption key; encrypting the first data using a storage system encryption key; storing the first data in the dataset; receiving, by the storage system through a second path, a second write request for second data to be stored in the dataset, where the second data is encrypted with a second encryption key associated with requests received from the second path; decrypting the second data utilizing the second encryption key; encrypting the second data using the storage system encryption key; and storing the second data in the dataset.

Abstract: End-to-end encryption in a storage system with multi-tenancy, includes: performing deduplication on a first tenant dataset, the first tenant dataset including data encrypted using a first storage system encryption key; and performing deduplication on a second tenant dataset, the second tenant dataset including data encrypted using a second storage system encryption key, where deduplication is not performed between the first and second tenant datasets.

Abstract: Variable redundancy for metadata in storage systems, including: gathering information describing one or more failure characteristics for a plurality of storage devices of a storage system; determining, based on the one or more failure characteristics, a degree of redundancy for metadata stored in the storage system; and applying the degree of redundancy to the metadata.

Abstract: Synchronously replicating a dataset across cloud-based storage systems, including adding a cloud-based storage system to a set of storage systems that the dataset is synchronously replicated across, where access operations are applied to the dataset equivalently through all storage systems in the set, all storage systems in the set store a separate copy of the dataset, and operations to modify the dataset performed and completed through any of the storage systems in the set are reflected in access operations to read the dataset, the cloud-based storage system including one or more cloud computing instances executing a storage controller application, a virtual drive layer that includes one or more cloud computing instances with local storage for storing at least a portion of the dataset as block data, and an object storage layer for storing at least a portion of the dataset as object data.

Abstract: Performing partial redundant array of independent disks (RAID) stripe parity calculations, including: receiving a last portion of a RAID stripe among multiple portions of the RAID stripe, all portions for a successful write of the RAID stripe being previously received except for the last portion; calculating a parity value based on the last portion of the RAID stripe and a previous parity value without calculating the parity value using a previous portion of the RAID stripe; and writing of the RAID stripe.

Abstract: Servicing I/O operations in a cloud-based storage system, including: receiving, by the cloud-based storage system, a request to write data to the cloud-based storage system; storing, in solid-state storage of the cloud-based storage system, the data; storing, in object storage of the cloud-based storage system, the data; detecting that at least some portion of the solid-state storage of the cloud-based storage system has become unavailable; identifying data that was stored in the portion of the solid-state storage of the cloud-based storage system that has become unavailable; retrieving, from object storage of the cloud-based storage system, the data that was stored in the portion of the solid-state storage of the cloud-based storage system that has become unavailable; and storing, in solid-state storage of the cloud-based storage system, the retrieved data.