Abstract: Servicing I/O operations in a cloud-based storage system, including: receiving, by the cloud-based storage system, a request to write data to the cloud-based storage system; storing, in solid-state storage of the cloud-based storage system, the data; storing, in object storage of the cloud-based storage system, the data; detecting that at least some portion of the solid-state storage of the cloud-based storage system has become unavailable; identifying data that was stored in the portion of the solid-state storage of the cloud-based storage system that has become unavailable; retrieving, from object storage of the cloud-based storage system, the data that was stored in the portion of the solid-state storage of the cloud-based storage system that has become unavailable; and storing, in solid-state storage of the cloud-based storage system, the retrieved data.

Abstract: Replicating data using inferred trust, including: receiving, by a first storage system from a computing device, data encrypted using a first encryption key; decrypting, by the first storage system, the encrypted data using the first encryption key; encrypting, by the first storage system, the decrypted data using a second encryption key; storing, on the first storage system, the data encrypted using the second encryption key; sending, from the first storage system to the second storage system, the data; and servicing, by the second storage system, an input/output (‘I/O’) operation directed to the data.

Abstract: Protecting an encryption key for data stored in a storage system that includes a plurality of storage devices, including: reading, from at least a majority of the storage devices, a portion of an apartment key; reconstructing the apartment key using the portions of the apartment key read by the majority of the storage devices; unlocking the main portion of each of the storage devices utilizing the apartment key; reading, from the main portion of one of the storage devices, a portion of a third-party resource access key; requesting, from the third-party resource utilizing the third-party resource access key, an encryption key; receiving, from the third-party resource, the encryption key; and decrypting the data stored on the storage devices utilizing the encryption key.

Abstract: Securely encrypting data using a remote key management service, including: transmitting a local secret to a key management service; transforming an encryption key received from the key management service to generate a key-encrypting key, wherein the encryption key is a one-way cryptographic hash using, as input, the local secret transmitted to the key management service; and decrypting, based on the key-encrypting key, a local data encryption key for encrypting or decrypting local data.

Abstract: Utilizing multiple redundancy schemes within a unified storage element, including: receiving, in a storage system at a unified storage element that integrates both fast durable storage and bulk durable storage, a data storage operation from a host computer; storing, in accordance with a first data resiliency technique that corresponds to a RAID N+R format, data corresponding to the data storage operation within the fast durable storage of the unified storage element; and responsive to determining that the complete RAID stripe has been written to the fast durable storage, moving a portion of the stored data from the fast durable storage to the bulk durable storage of the unified storage element, the bulk durable storage storing the data in accordance with a second data resiliency technique that corresponds to a RAID M+R format, wherein M is different from N.

Abstract: Creating a replica of a storage system, including: receiving, by a first storage system from a computing device, data to be stored on the first storage system; reducing, by the first storage system, the data using one or more data reduction techniques; sending, from the first storage system to the second storage system, the reduced data, wherein the reduced data is encrypted; and sending, from the second storage system to a third storage system, the reduced data, wherein the reduced data is encrypted.

Abstract: Restoring a storage system from a replication target, including: receiving, by a first storage system from a computing device, data to be stored on the first storage system; reducing, by the first storage system, the data using one or more data reduction techniques; sending, from the first storage system to the second storage system, the reduced data, wherein the reduced data is encrypted; and retrieving, by the first storage system from the second storage system, the reduced data, wherein the reduced data is encrypted.

Abstract: Providing authorization and authentication in a cloud for a user of a storage array includes: receiving, by a storage array access module from a client-side array services module, a token representing authentication of user credentials and authorized access privileges defining one or more storage array services accessible by the user, where the token is generated by a cloud-based security module upon authentication of the user credentials and identification of authorized access privileges for the user; receiving, by the storage array access module from the user, a user access request to one or more storage array services; and determining, by the storage array access module, whether to grant the user access request in dependence upon the authorized access privileges represented by the token.

Abstract: Multi-path end-to-end encryption in a storage system, includes: receiving, by a storage system through a first path, a first write request for first data to be stored in a dataset, where the first data is encrypted with a first encryption key associated with requests received from the first path; decrypting the first data utilizing the first encryption key; encrypting the first data using a storage system encryption key; storing the first data in the dataset; receiving, by the storage system through a second path, a second write request for second data to be stored in the dataset, where the second data is encrypted with a second encryption key associated with requests received from the second path; decrypting the second data utilizing the second encryption key; encrypting the second data using the storage system encryption key; and storing the second data in the dataset.

Abstract: A cloud-based storage system within a cloud computing environment, the cloud-based storage system including: monitoring, for the cloud-based storage system, one or more storage system operations, wherein the cloud-based storage system includes a virtual instance storage layer and a cloud-based storage layer; determining, based at least upon the one or more storage system operations, one or more access patterns for the cloud-based storage system; and modifying, based at least upon the one or more access patterns for the cloud-based storage system, one or more cloud configurations for the cloud-based storage system.

Abstract: End-to-end encryption in a storage system with multi-tenancy, includes: performing deduplication on a first tenant dataset, the first tenant dataset including data encrypted using a first storage system encryption key; and performing deduplication on a second tenant dataset, the second tenant dataset including data encrypted using a second storage system encryption key, where deduplication is not performed between the first and second tenant datasets.

Abstract: A method of performing partial redundant array of independent disks (RAID) stripe parity calculations is disclosed. The method includes receiving a last portion of a RAID stripe among multiple portions of the RAID stripe, all portions for a successful write of the RAID stripe being previously received except for the last portion. The method also includes calculating a parity value based on the last portion of the RAID stripe and a previous parity value without calculating the parity value using a previous portion of the RAID stripe. The method further includes writing of the RAID stripe.

Abstract: Synchronously replicating a dataset across cloud-based storage systems, including adding a cloud-based storage system to a set of storage systems that the dataset is synchronously replicated across, where access operations are applied to the dataset equivalently through all storage systems in the set, all storage systems in the set store a separate copy of the dataset, and operations to modify the dataset performed and completed through any of the storage systems in the set are reflected in access operations to read the dataset, the cloud-based storage system including one or more cloud computing instances executing a storage controller application, a virtual drive layer that includes one or more cloud computing instances with local storage for storing at least a portion of the dataset as block data, and an object storage layer for storing at least a portion of the dataset as object data.

Abstract: Servicing I/O operations in a cloud-based storage system, including: receiving, by the cloud-based storage system, a request to write data to the cloud-based storage system; storing, in solid-state storage of the cloud-based storage system, the data; storing, in object storage of the cloud-based storage system, the data; detecting that at least some portion of the solid-state storage of the cloud-based storage system has become unavailable; identifying data that was stored in the portion of the solid-state storage of the cloud-based storage system that has become unavailable; retrieving, from object storage of the cloud-based storage system, the data that was stored in the portion of the solid-state storage of the cloud-based storage system that has become unavailable; and storing, in solid-state storage of the cloud-based storage system, the retrieved data.

Abstract: Staging data on a storage element integrating fast durable storage and bulk durable storage, including: receiving, at a storage element integrating fast durable storage and bulk durable storage, a data storage operation from a host computer; storing data corresponding to the data storage operation within fast durable storage in accordance with a first data resiliency technique; and responsive to detecting a condition for transferring data between fast durable storage and bulk durable storage, transferring the data from fast durable storage to bulk durable storage in accordance with a second data resiliency technique.

Abstract: Converting RAID data between persistent storage types, including: for each portion of a RAID shard of a RAID stripe: writing, to a respective plurality of source solid state drives, the portion of the RAID shard; detecting that all portions of the RAID shard have been successfully written; copying, from one of the plurality of source solid state drives to a respective target solid state drive among a plurality of target solid state drives from one of the plurality of source solid state drives, the RAID shard, where the RAID shard is copied from a source solid state drive that is different from where each other RAID shard of the RAID stripe is copied from.

Abstract: Staging data on a storage element integrating fast durable storage and bulk durable storage, including: receiving, at a storage element integrating fast durable storage and bulk durable storage, a data storage operation from a host computer; storing data corresponding to the data storage operation within fast durable storage in accordance with a first data resiliency technique; and responsive to detecting a condition for transferring data between fast durable storage and bulk durable storage, transferring the data from fast durable storage to bulk durable storage in accordance with a second data resiliency technique.

Abstract: Creating a replica of a storage system, including: receiving, by a first storage system from a computing device, data to be stored on the first storage system; reducing, by the first storage system, the data using one or more data reduction techniques; sending, from the first storage system to the second storage system, the reduced data, wherein the reduced data is encrypted; and sending, from the second storage system to a third storage system, the reduced data, wherein the reduced data is encrypted.

Abstract: Providing authorization and authentication in a cloud for a user of a storage array includes: receiving, by a storage array access module from a client-side array services module, a token representing authentication of user credentials and authorized access privileges defining one or more storage array services accessible by the user, where the token is generated by a cloud-based security module upon authentication of the user credentials and identification of authorized access privileges for the user; receiving, by the storage array access module from the user, a user access request to one or more storage array services; and determining, by the storage array access module, whether to grant the user access request in dependence upon the authorized access privileges represented by the token.

Abstract: Protecting an encryption key for data stored in a storage system that includes a plurality of storage devices, including: reading, from at least a majority of the storage devices, a portion of an apartment key; reconstructing the apartment key using the portions of the apartment key read by the majority of the storage devices; unlocking the main portion of each of the storage devices utilizing the apartment key; reading, from the main portion of one of the storage devices, a portion of a third-party resource access key; requesting, from the third-party resource utilizing the third-party resource access key, an encryption key; receiving, from the third-party resource, the encryption key; and decrypting the data stored on the storage devices utilizing the encryption key.