Abstract: Device-implemented methodology for enabling and/or performing crypto-erase via internal action and external action. In one illustrative aspect, a request to read data is received at a device configured to perform data operations on a storage medium, the data being stored on the storage medium in encrypted form. In one approach, a first key stored within the device is accessed. In another approach, a first key stored on and/or with the storage medium is retrieved. A second key is received from an external source. A media encryption key is generated using the first and second keys. The encrypted form of the data is read from the storage medium. The encrypted form of the data is decrypted using the media encryption key. The decrypted data is output. Methodology for writing encrypted data is also presented.

Abstract: A method for more efficiently utilizing storage space in a redundant array of independent disks (RAID) is disclosed. In one embodiment, such a method implements a RAID from multiple storage drives. The RAID utilizes data striping with distributed parity values to provide desired data protection/redundancy. The distributed parity values are placed on selected storage drives of the RAID in accordance with a designated parity rotation. The method further adaptively alters the parity rotation of the RAID to provide an increased concentration of parity values in certain storage drives of the RAID compared to other storage drives of the RAID. This parity rotation may be adapted based on residual storage capacity in each storage drive, consumed space in each storage drive, or the like. A corresponding system and computer program product are also disclosed.

Abstract: Provided are a computer program product, system, and method for merging multiple point-in-time copies into a merged point-in-time copy. A repository maintains a full copy of the source data and point-in-time copies at point-in-times of the source data. Each of the point-in-time copies have change information indicating changed data in the source data that changed between the point-in-time of the point-in-time copy and a subsequent point-in-time and changed point-in-time data comprising data in the source data as of the point-in-time of the point-in-time copy indicated in the change information as changed. At least two selected of the point-in-time copies in the repository are merged into a merged point-in-time copy by: forming merged change information in the merged point-in-time copy indicating changed data indicated in change information for the selected point-in-time copies; and forming merged changed data in the merged point-in-time copy from the changed data in the selected point-in-time copies.

Abstract: A path is secured from one node to another node of the computing environment. The one node obtains a first encryption key and a second encryption key. A shared key is obtained by the one node from a key server, and the shared key is used to encrypt a message. The encrypted message includes the first encryption key and the second encryption key. The encrypted message and an identifier of the shared key is sent from the one node to the other node, and a response message is received by the one node. The response message at least provides an indication that the other node received the encrypted message and obtained the shared key.

Abstract: A path for a node of a computing environment is secured. The securing includes obtaining, by the node, a message that includes an identifier of a shared key and an encrypted message. The node obtains the shared key from a key server and uses it to decrypt the encrypted message to obtain an encryption key and one or more parameters. A security parameters index to be associated with the encryption key and the one or more parameters is obtained. The node sends a response message to another node, the response message including the security parameters index.

Abstract: Provided are a computer program product, system, and method for creating a restore copy from a copy of a full copy of source data in a repository that is at a different point-in-time than a restore point-in-time of a restore request. A repository has a full copy of source data as of a full copy point-in-time and for each of a plurality of point-in-time copies at different point-in-times of the source data, change information indicating changed data in the source data that changed between the point-in-time of the point-in-time copy and a subsequent point-in-time, and changed point-in-time data comprising data in the source data as of the point-in-time of the point-in-time copy indicated in the change information as changed. A point-in-time copy of the full copy is created in response to a restore request and returned as a restore copy to the restore request.

Abstract: Provided are a computer program product, system, and method for using a repository having a full copy of source data and point-in-time information from point-in-time copies of the source data to restore the source data at different points-in-time. The source data is copied to a full copy in the repository. Point-in-time copies are initiated at different point-in-times of the source data. In response to completing each of the point-in-time copies, transmitting to the repository change information indicating changed data in the source data that changed between the point-in-time and the subsequent point-in-time and changed point-in-time data comprising data in the source data as of the point-in-time of the point-in-time copy. In response to a restore request having a restore time, applying the changed point-in-time data from at least one of the point-in-time copies to the data of the full copy to restore the full copy to the restore time.

Abstract: A system includes a processor and logic integrated with the processor, executable by the processor, or integrated with and executable by the processor, or integrated with and executable by the processor. The logic is configured to receive a request to store data on media and obtain a data key. The logic is configured to generate an encryption encapsulated data key using the data key and generate a session encrypted data key using the data key. The logic is further configured to provide the session encrypted data key to a machine configured to write encrypted data to the data storage media for use by the machine in writing encrypted data to the data storage media. The logic is configured to provide the encryption encapsulated data key to the machine for enabling the machine to store the encryption encapsulated data key with the data on the data storage media.

Abstract: A method for more efficiently utilizing storage space in a set of storage drives is disclosed. In one embodiment, such a method implements, in a set of storage drives, a first RAID utilizing data striping with distributed parity values. The method further implements, in a subset of the set of storage drives, a second RAID using residual storage space in storage drives belonging to the subset. Storage drives belonging to the subset may have a storage capacity that is larger than storage drives not belonging to the subset. In certain embodiments, the method adaptively alters a parity rotation of the first RAID to provide an increased concentration of parity values in certain storage drives of the first RAID compared to other storage drives of the first RAID. A corresponding system and computer program product are also disclosed.

Abstract: Provided are a computer program product, system, and method for creating a restore copy from a copy of source data in a repository having source data at different point-in-times. All the source data as of an initial point-in-time is copied to a repository. In response to completing point-in-time copies following the initial point-in-time, change information is transmitted to the repository indicating changed data in the source data that changed between the point-in-time of the point-in-time copy and a subsequent point-in-time. For each point-in-time copy, copying changed source data comprising source data indicated in the change information for the point-in-time copy as changed to the repository. A restore request is received to restore the source data as of a restore point-in-time. The source data in the repository as of the restore point-in-time is copied from the repository to a restore copy.

Abstract: A path is secured from one node to another node of the computing environment. The one node obtains a first encryption key and a second encryption key. A shared key is obtained by the one node from a key server, and the shared key is used to encrypt a message. The encrypted message includes the first encryption key and the second encryption key. The encrypted message and an identifier of the shared key is sent from the one node to the other node, and a response message is received by the one node. The response message at least provides an indication that the other node received the encrypted message and obtained the shared key.

Abstract: A path for a node of a computing environment is secured. The securing includes obtaining, by the node, a message that includes an identifier of a shared key and an encrypted message, the encrypted message including a first encryption key, a second encryption key, one or more first parameters and one or more second parameters. The node obtains the shared key from a key server and uses it to decrypt the encrypted message to obtain the first encryption key, the second encryption key, the one or more first parameters and the one or more second parameters. A second security parameters index, to be associated with the second encryption key and the one or more second parameters, is obtained. The node sends a response message to another node, the response message including the second security parameters index.

Abstract: A path is secured from one node to another node of the computing environment. The one node obtains a first encryption key and one or more first parameters for transmission of data, and a second encryption key and one or more second parameters for reception of data. A shared key is obtained by the one node from a key server, and the shared key is used to encrypt a message. The encrypted message includes the first encryption key, the one or more first parameters, the second encryption key and the one or more second parameters. The encrypted message and an identifier of the shared key is sent from the one node to the other node, and a response message is received by the one node. The response message at least provides an indication that the other node received the encrypted message and obtained the shared key.

Abstract: Authentication is performed on a plurality of links to be used to couple one node of the computing environment and another node of the computing environment. The performing authentication includes obtaining, by the other node from the one node via one link of the plurality of links, an identifier of a shared key maintained by a key server. The other node uses the identifier to obtain the shared key from the key server. An indication that the other node decrypted a message received from the one node using the shared key is sent from the other node via the one link. The sending the indication on one or more other links of the plurality of links is repeated for subsequent messages decrypted by the other node using the shared key previously obtained.

Abstract: Authentication is performed on a plurality of links coupling one node of the computing environment and another node of the computing environment. The performing authentication includes obtaining by the one node a shared key from a key server coupled to the one node and another node of the computing environment. A message encrypted with the shared key is sent from the one node to the other node via one link of the plurality of links. An indication that the other node decrypted the message using the shared key obtained by the other node is received from the other node via the one link. The sending and the receiving are repeated on one or more other links of the plurality of links using the shared key previously obtained.

Abstract: A path for a node of a computing environment is secured. The securing includes obtaining, by the node, a message that includes an identifier of a shared key and an encrypted message. The node obtains the shared key from a key server and uses it to decrypt the encrypted message to obtain an encryption key and one or more parameters. A security parameters index to be associated with the encryption key and the one or more parameters is obtained. The node sends a response message to another node, the response message including the security parameters index.

Abstract: Device-implemented methodology for enabling and/or performing crypto-erase via internal action and external action. In one illustrative aspect, a request to read data is received at a device configured to perform data operations on a storage medium, the data being stored on the storage medium in encrypted form. In one approach, a first key stored within the device is accessed. In another approach, a first key stored on and/or with the storage medium is retrieved. A second key is received from an external source. A media encryption key is generated using the first and second keys. The encrypted form of the data is read from the storage medium. The encrypted form of the data is decrypted using the media encryption key. The decrypted data is output. Methodology for writing encrypted data is also presented.

Abstract: Authentication is performed on a plurality of links of a computing environment. One node requests generation of a shared key by a key server coupled to the one node. The one node obtains the shared key and an identifier of the shared key and sends the identifier from the one node to another node. A message encrypted with the shared key is sent from the one node to the other node via one link of the plurality of links. The one node receives via the one link an indication that the other node decrypted the encrypted message using the shared key obtained by the other node. The sending the encrypted message and the receiving the indication that the other node decrypted the encrypted message are repeated on one or more other links of the plurality of links using the shared key previously obtained.

Abstract: A data handling system includes a block-based storage device. An encryption key structure block includes key structure locations that may store encryption key structures. A key structure may take on at least three states: an erased state, an active state, and a zeroized state. The key structure includes error control data fields that are configured to contain error control data that independently protect data of the key structure in the active and the zeroized state. Key structures may be stored to key structure locations within a first encryption key block until each key structure location has stored a key structure in the active or zeroized state. Subsequently, the key structures in the active state may be copied and stored in key structure locations within a second encryption key block.

Abstract: Access between a plurality of nodes of the computing environment is controlled by a key server. The key server receives from one node of the plurality of nodes, a request for a shared key, in which the shared key is created for a selected node pair. A determination is made by the key server as to whether the one node is a node of the selected node pair. In one example, the determining checks an alternate name of the one node to determine whether it matches an alternate name associated with the shared key. Based on determining the one node is a node of the selected node pair, the key server provides the shared key to the one node.