Abstract: A drive subsystem engages in data communication with a storage controller by establishing first and second communication ports, wherein the second port is configured for decryption and forwarding of decrypted communications to the first port. The drive subsystem receives and processes data communications having selective encryption and identification of target port, by (1) for a security command containing secret data (e.g. a passphrase) enabling operation of a target drive, receiving the security command at the second port, decrypting the security command and forwarding it to the first port for delivery to the target drive, and (2) for data commands by which the storage controller stores and retrieves data to/from the target drive, receiving the data commands in non-encrypted form at the first port directly from the storage controller for delivery to the target drive.

Abstract: Techniques for providing increased support for deduplication and compression of encrypted storage volumes. The techniques include receiving, at a storage virtual machine (VM), a data encryption key (DEK) associated with encrypted volume data, in which the DEK is wrapped in a key encryption key (KEK). The techniques include receiving, at the storage VM from a client virtual machine (VM), a write request specifying the encrypted volume data. The techniques include obtaining, by the storage VM, the KEK from a key management system (KMS) embedded on the storage VM. The techniques include unwrapping, by the storage VM, the DEK using the KEK, and decrypting, by an IO decryptor hosted by the storage VM, the encrypted volume data using the DEK. The techniques include performing, by the storage VM, data reduction operations on the decrypted volume data, and storing, by the storage VM, the data-reduced volume data on a storage array.

Abstract: A method, computer program product, and computing system for receiving a selection of one or more secure snapshots to remove from a storage system. A snapshot deletion key may be received from the storage system. The selection of the one or more secure snapshots and the snapshot deletion key may be provided to a storage system support service. A snapshot deletion response may be received from the storage system support service. The snapshot deletion response and the selection of the one or more secure snapshots may be authenticated via the storage system. In response to authenticating the snapshot deletion response and the selection of the one or more secure snapshots, the one or more secure snapshots may be unlocked for deletion.

Abstract: Techniques are directed to detecting an abnormal event while data storage equipment is in transit. Such techniques involve receiving a series of sensor signals from a set of sensors affixed to the data storage equipment. The series of sensor signals identifies a series of positional integrity measurements for the data storage equipment while the data storage equipment is in transit. Such techniques further involve performing a series of comparison operations that compares the series of positional integrity measurements to a set of range. Such techniques further involve, based on the series of comparison operations, providing an abnormal event signal in response to a particular positional integrity measurement falling outside a corresponding range of the set of ranges.

Abstract: A technique for managing communications between a server and multiple clients includes configuring the server to support multiple sets of certificates for respective clients having respective root certificates. The technique further includes determining an indicator associated with a client root certificate during an initial handshake between a client and the server and providing the client with a server certificate associated with the indicator.

Abstract: A drive subsystem engages in data communication with a storage controller by establishing first and second communication ports, wherein the second port is configured for decryption and forwarding of decrypted communications to the first port. The drive subsystem receives and processes data communications having selective encryption and identification of target port, by (1) for a security command containing secret data (e.g. a passphrase) enabling operation of a target drive, receiving the security command at the second port, decrypting the security command and forwarding it to the first port for delivery to the target drive, and (2) for data commands by which the storage controller stores and retrieves data to/from the target drive, receiving the data commands in non-encrypted form at the first port directly from the storage controller for delivery to the target drive.

Abstract: A method, computer program product, and computing system for receiving a selection of one or more secure snapshots to remove from a storage system. A snapshot deletion key may be received from the storage system. The selection of the one or more secure snapshots and the snapshot deletion key may be provided to a storage system support service. A snapshot deletion response may be received from the storage system support service. The snapshot deletion response and the selection of the one or more secure snapshots may be authenticated via the storage system. In response to authenticating the snapshot deletion response and the selection of the one or more secure snapshots, the one or more secure snapshots may be unlocked for deletion.

Abstract: A technique for managing communications between a server and multiple clients includes configuring the server to support multiple sets of certificates for respective clients having respective root certificates. The technique further includes determining an indicator associated with a client root certificate during an initial handshake between a client and the server and providing the client with a server certificate associated with the indicator.

Abstract: A method, computer program product, and computing system for coupling password-resetting content to an IT computing device. The password-resetting content is validated on the IT computing device. The password-resetting content is processed to reset one or more passwords associated with the IT computing device.

Abstract: A method, computer program product, and computer system for storing, by a computing device, a data encryption key in a keystore. A plurality of stable system values may be generated, wherein a threshold number of the plurality of stable system values is required to access the data encryption key from the keystore. The plurality of stable system values may be stored in different locations. More stable system values of the plurality of stable system values than the threshold number of the plurality of stable system values required to access the data encryption key from the keystore may be deleted.

Abstract: A method, computer program product, and computer system for storing, by a computing device, a data encryption key in a keystore. A plurality of stable system values may be generated, wherein a threshold number of the plurality of stable system values is required to access the data encryption key from the keystore. The plurality of stable system values may be stored in different locations. More stable system values of the plurality of stable system values than the threshold number of the plurality of stable system values required to access the data encryption key from the keystore may be deleted.

Abstract: Techniques are directed to detecting an abnormal event while data storage equipment is in transit. Such techniques involve receiving a series of sensor signals from a set of sensors affixed to the data storage equipment. The series of sensor signals identifies a series of positional integrity measurements for the data storage equipment while the data storage equipment is in transit. Such techniques further involve performing a series of comparison operations that compares the series of positional integrity measurements to a set of range. Such techniques further involve, based on the series of comparison operations, providing an abnormal event signal in response to a particular positional integrity measurement falling outside a corresponding range of the set of ranges.

Abstract: Techniques for synchronizing configuration information in a clustered storage environment. The techniques allow a system administrator or other user to make additions and/or updates to configuration information in one or more configuration files, which are automatically propagated for storage in multiple data storage appliances within a storage domain. By allowing a user to make changes to configuration files associated with a primary appliance within the storage domain, and automatically propagating the configuration files in a background process from the primary appliance to multiple secondary appliances within the storage domain, the user can more readily assure consistency of the configuration information, not only among the primary and secondary appliances within the storage domain, but also among previously unavailable or unreachable data storage appliance(s) that may be recovered and brought back on line within the storage domain.

Abstract: Digital certificates for a set of multiple network services are maintained in a certificate store and managed through a single access point that provides access to the certificate store. The certificates are managed, at least in part by i) assigning one or more tags to each digital certificate in the set of digital certificates, one of the tags indicating a service in the set of services that uses the digital certificate to perform secure communications over the communication network, and ii) performing a set of certificate management operations through the single access point to the certificate store. At least one of the certificate management operations performed through the single access point selects a subset of the digital certificates from the set of digital certificates based at least in part on the tags assigned to the digital certificates.

Abstract: A method, computer program product, and computing system for coupling password-resetting content to an IT computing device. The password-resetting content is validated on the IT computing device. The password-resetting content is processed to reset one or more passwords associated with the IT computing device.

Abstract: A technique is directed to transporting data storage equipment. The technique involves electronically activating monitoring circuitry which is co-located with the data storage equipment. The technique further involves, after the monitoring circuitry is electronically activated, receiving location data from the monitoring circuitry while the data storage equipment is en route from a first ground location to a second ground location. The technique further involves, based on the location data, performing a set of location evaluation operations to determine whether the data storage equipment is on course along a predefined route between the first ground location and the second ground location.

Abstract: Techniques for synchronizing configuration information in a clustered storage environment. The techniques allow a system administrator or other user to make additions and/or updates to configuration information in one or more configuration files, which are automatically propagated for storage in multiple data storage appliances within a storage domain. By allowing a user to make changes to configuration files associated with a primary appliance within the storage domain, and automatically propagating the configuration files in a background process from the primary appliance to multiple secondary appliances within the storage domain, the user can more readily assure consistency of the configuration information, not only among the primary and secondary appliances within the storage domain, but also among previously unavailable or unreachable data storage appliance(s) that may be recovered and brought back on line within the storage domain.

Abstract: In response to determining that an encryption operation request includes no indication of a cryptographic key, an encryption service module performs an encryption operation using a current cryptographic key retrieved by the encryption service module, and creates and stores an encrypted data object that includes the resulting ciphertext and a key identifier that uniquely identifies the cryptographic key and the associated cryptographic algorithm used to perform the encryption. A subsequent decryption operation request to the encryption service module that indicates the encrypted data object is processed by retrieving the cryptographic key and identifying the associated cryptographic using the key identifier contained in the encrypted data object. The encrypted data object may also include an initialization vector used to generate the ciphertext contained in the encrypted data object, as well as an integrity check value generated across the ciphertext and initialization vector.

Abstract: In response to determining that an encryption operation request includes no indication of a cryptographic key, an encryption service module performs an encryption operation using a current cryptographic key retrieved by the encryption service module, and creates and stores an encrypted data object that includes the resulting ciphertext and a key identifier that uniquely identifies the cryptographic key and the associated cryptographic algorithm used to perform the encryption. A subsequent decryption operation request to the encryption service module that indicates the encrypted data object is processed by retrieving the cryptographic key and identifying the associated cryptographic using the key identifier contained in the encrypted data object. The encrypted data object may also include an initialization vector used to generate the ciphertext contained in the encrypted data object, as well as an integrity check value generated across the ciphertext and initialization vector.

Abstract: The techniques presented herein provide for verifying the integrity of an encryption key log file generated on a data storage system. Encryption key activity events associated with a storage system's back-end storage drives are identified. A unique signature is generated for each encryption key activity event. Each encryption key activity event and its corresponding signature are stored in an audit log file. An audit log hash file is generated using the contents of the audit log file. At an external location, the audit log file and the audit log hash file are retrieved from the storage system. The integrity of the retrieved audit log file is verified by generating a local audit log hash file and comparing the local audit log hash file to the retrieved audit log hash file and determining if the local audit log hash file matches the retrieved audit log hash file.