Patents by Inventor Erik Riedel

Erik Riedel has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7003116
    Abstract: A key management module is utilized to improve efficiency in cryptographic systems. The key management module may monitor file usage and recommend (and/or implement) key pair changes. In particular, the key management module may be configured to periodically examine (or analyze) performance parameters (e.g., number of times written, number of times read, etc.) associated with a user's files. A network monitor module may be configured to gather and maintain records of the associated performance parameters. The key management module may be further configured to compare the performance parameters of a given file with a table of key level ranges. The table of key lengths may be configured to provide a listing of multiple key lengths, each key length corresponding to an activity level of a performance parameter, e.g., relative read/write access frequency.
    Type: Grant
    Filed: October 31, 2001
    Date of Patent: February 21, 2006
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Erik Riedel, Mahesh Kallahalla, Ram Swaminathan
  • Patent number: 6918120
    Abstract: The present invention provides a split data and meta data distributed system operable to provide computer file services. The system includes a plurality of servers that include meta data servers and data servers. A client multicasts a message, including a request (e.g., a data request or a meta data request) to the plurality of servers in the system. The client considers the plurality of servers to be a single server instance. The servers may be divided into different subsets, and each subset is responsible for data requests or meta data requests. The servers that are responsible for the particular type of received request may respond to the request. Also, if multiple servers in a subset generate a request, the system may synchronize the responses, such that a single response, rather than multiple responses, is transmitted to the client. This synchronization may not be necessary for responses to requests that do not change the stored state of the system.
    Type: Grant
    Filed: April 20, 2001
    Date of Patent: July 12, 2005
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Erik Riedel
  • Publication number: 20040186951
    Abstract: A method for processing requests for information from a disc drive comprising: (a) receiving a plurality of requests, wherein each of the requests has application level information associated with it; (b) identifying a first group of the requests that fit within a time interval; (c) using a scheduling algorithm with disc information to schedule one of the requests in the first group; (d) adjusting the length of the time interval; (e) identifying another group of the requests that fit within the adjusted time interval; (f) using the scheduling algorithm to schedule one of the requests in the other group; and (g) repeating steps (d), (e) and (f). An apparatus that processes requests for information in accordance with the method is also provided.
    Type: Application
    Filed: March 21, 2003
    Publication date: September 23, 2004
    Inventors: Sami Iren, Alma Riska, Erik Riedel
  • Patent number: 6732241
    Abstract: A method of and apparatus for migrating data between storage devices for reducing power consumption. Unlike prior techniques for conserving power by spinning down a magnetic disk (e.g., in a laptop computer), the present invention migrates data based on the assumption that the disk is maintained spinning (e.g., in a server). Accordingly, the incremental power consumed by maintaining data on the disk is nominal in comparison to the amount of power required to store the data in volatile memory (e.g., RAM). Data placement is largely based on the goal of minimizing power consumption during periods when the data is not being accessed. Further, unlike conventional techniques in which data is removed from RAM only when a better candidate is available to replace the data, the present invention may move data from RAM regardless of whether replacement data is available. This avoids consumption of power to maintain data in RAM that is idle.
    Type: Grant
    Filed: September 7, 2001
    Date of Patent: May 4, 2004
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Erik Riedel
  • Publication number: 20030210790
    Abstract: A plurality of file encryption groups are created for a plurality of files based on attributes of each file. An event is detected and a selected file encryption group is divided into a plurality of sub-groups in response to the event. The division is based on an access pattern for each file in the selected file encryption group.
    Type: Application
    Filed: May 8, 2002
    Publication date: November 13, 2003
    Inventors: Erik Riedel, Mahesh Kallahalla, Ram Swaminathan
  • Publication number: 20030086570
    Abstract: A key management module is utilized to improve efficiency in cryptographic systems. The key management module may monitor file usage and recommend (and/or implement) key pair changes. In particular, the key management module may be configured to periodically examine (or analyze) performance parameters (e.g., number of times written, number of times read, etc.) associated with a user's files. A network monitor module may be configured to gather and maintain records of the associated performance parameters. The key management module may be further configured to compare the performance parameters of a given file with a table of key level ranges. The table of key lengths may be configured to provide a listing of multiple key lengths, each key length corresponding to an activity level of a performance parameter, e.g., relative read/write access frequency.
    Type: Application
    Filed: October 31, 2001
    Publication date: May 8, 2003
    Inventors: Erik Riedel, Mahesh Kallahalla, Ram Swaminathan
  • Publication number: 20030081784
    Abstract: A group manager module may provide the capability to segregate or associate files into file encryption groups. A file may be placed into a file encryption group based on the attributes of the file. The attributes may be characteristics/parameters that describe who has access to a file such as UNIX permission/mode bits (group-read/write/executable bit, owner-read/write/executable bits, users-read/write/executable bits) or other system for access control lists (ACLs). Once associated with a file encryption group, the file may be encrypted with the encryption (or write) key of the selected file encryption group, and thus, decrypted with the decryption (or read) key of the file encryption group. A user may have membership into multiple file encryption groups as long as the user possesses the appropriate read/write key pairs.
    Type: Application
    Filed: October 31, 2001
    Publication date: May 1, 2003
    Inventors: Mahesh Kallahalla, Erik Riedel, Ram Swaminathan
  • Publication number: 20030081790
    Abstract: In accordance with an embodiment of the present invention, a security module may be configured to provide an owner the capability to differentiate between users. In particular, the security module may be configured to generate an asymmetric read/write key pair for respectively decrypting/encrypting data for storage on a disk. The owner of the file may distribute the read key of the asymmetric key pair to a group of users that the owner has assigned read-permission for the encrypted data, i.e., a group that has read-only access. Moreover, the owner of the file may distribute the write key of the asymmetric pair to another group of users that the owner has assigned write-permission for the encrypted data, i.e., users in the write-permission group may modify the data. Alternatively, the security module may be configured to throw away the write key and not allow further re-use of the key.
    Type: Application
    Filed: October 31, 2001
    Publication date: May 1, 2003
    Inventors: Mahesh Kallahalla, Christos Karamanolis, Erik Riedel, Ram Swaminathan
  • Publication number: 20030081787
    Abstract: A security module is utilized to improve key management for encrypted files. In particular, multiple cryptographic keys may be used to encrypt multiple versions of a file, or to encrypt multiple separate files within a single encryption group for storage on an untrusted file server. An authorized user may require access to only a single cryptographic key to access the encrypted file or files. To revoke access of a user or to encrypt subsequent versions of a file, a file owner may utilize the security module to generate subsequent or new versions of the cryptographic key based on an asymmetric private key of the file owner. An authorized user may obtain subsequent or new versions of the cryptographic key from the file owner or by other means. An authorized user may generate previous versions of the current cryptographic key based on an asymmetric public key of the file owner, without further contacting the owner.
    Type: Application
    Filed: October 31, 2001
    Publication date: May 1, 2003
    Inventors: Mahesh Kallahalla, Erik Riedel, Ram Swaminathan
  • Publication number: 20030070071
    Abstract: A technique for secure file access control via directory encryption. Filenames of data files stored by a network server are encrypted so as to protect them in the event the server is untrustworthy, such as in a distributed computing environment. Two encryption keys are employed so as to provide different access capabilities. For example, clients of the server that are authorized to perform read-only operations on the files may be prevented from modifying the files, while clients that are authorized to perform write operations may modify the files or even delete the files. In a preferred embodiment, encrypted filenames replace plaintext files in a directory structure without otherwise changing the directory structure. Because the directory structure is otherwise unchanged, the server may still have adequate information to perform file management and space management functions.
    Type: Application
    Filed: October 5, 2001
    Publication date: April 10, 2003
    Inventors: Erik Riedel, Mahesh Kallahalla, Ram Swaminathan
  • Publication number: 20030051104
    Abstract: A method of and apparatus for migrating data between storage devices for reducing power consumption. Unlike prior techniques for conserving power by spinning down a magnetic disk (e.g., in a laptop computer), the present invention migrates data based on the assumption that the disk is maintained spinning (e.g., in a server). Accordingly, the incremental power consumed by maintaining data on the disk is nominal in comparison to the amount of power required to store the data in volatile memory (e.g., RAM). Data placement is largely based on the goal of minimizing power consumption during periods when the data is not being accessed. Further, unlike conventional techniques in which data is removed from RAM only when a better candidate is available to replace the data, the present invention may move data from RAM regardless of whether replacement data is available. This avoids consumption of power to maintain data in RAM that is idle.
    Type: Application
    Filed: September 7, 2001
    Publication date: March 13, 2003
    Inventor: Erik Riedel
  • Publication number: 20020161982
    Abstract: A system and method for improving communication between a storage area network (“SAN”) and a network attached storage (“NAS”). The NAS, implementing a file system, may be configured to create a message to inform an underlying SAN utilizing a list of freed blocks in response to a file and/or directory deletion by a client. The NAS outputs the freed block message to the SAN. The SAN may be configured to maintain a current free block table (or current free block list). The SAN may be further configured to update the current free block table in response to receiving the freed block message from the NAS. As a result, any block listed on the current free block table may be flushed from the SAN, marked as unused by the data storage system or may be marked as allocated but unused. If the SAN marks blocks as unused, the unused blocks are eligible for migration to relatively less expensive storage within the SAN.
    Type: Application
    Filed: April 30, 2001
    Publication date: October 31, 2002
    Inventor: Erik Riedel
  • Publication number: 20020156931
    Abstract: The present invention provides a split data and meta data distributed system operable to provide computer file services. The system includes a plurality of servers that include meta data servers and data servers. A client multicasts a message, including a request (e.g., a data request or a meta data request) to the plurality of servers in the system. The client considers the plurality of servers to be a single server instance. The servers may be divided into different subsets, and each subset is responsible for data requests or meta data requests. The servers that are responsible for the particular type of received request may respond to the request. Also, if multiple servers in a subset generate a request, the system may synchronize the responses, such that a single response, rather than multiple responses, is transmitted to the client. This synchronization may not be necessary for responses to requests that do not change the stored state of the system.
    Type: Application
    Filed: April 20, 2001
    Publication date: October 24, 2002
    Inventor: Erik Riedel