Abstract: A computer-implemented method includes receiving, by a storage system, encrypted data and a set of key identifiers. Each key identifier is associated with information specifying a storage location for which the key identifier is authorized. The method also includes storing, by the storage system, the encrypted data in at least one storage location and receiving, by the storage system, at least one key identifier of the set of key identifiers with a data access request. The method includes determining, by the storage system, whether the data access request is authorized for the at least one key identifier.

Abstract: A method, system, and computer program product for key in lockbox encrypted data deduplication are provided. The method collects a set of deduplication information by a host in communication with a storage system via a communications network. A fingerprint is generated for a data chunk to be stored on a storage system. The method encrypts the data chunk using a first encryption key to generate an encrypted data chunk. The fingerprint is encrypted with a second encryption key to generate an encrypted fingerprint. The method encrypts the first encryption key with a third encryption key to generate a first encrypted key. The method encrypts the first encryption key with a fourth encryption key to generate a second encryption key. A data package is generated for transmission to the storage system. The method transmits the data package to the storage system.

Abstract: A system includes an authenticated encryption layer comprising logic configured to encrypt data received at the authenticated encryption layer from an authorized application at a source node. The data is encrypted using a first key to obtain first encrypted data. The logic is configured to encrypt the first encrypted data using a second key to obtain second encrypted data and generate a watermark for the first encrypted data and/or a watermark for the second encrypted data. The logic is configured to generate a watermark token for the first encrypted data and/or a watermark token for the second encrypted data.

Abstract: A computer-implemented method includes computing a fingerprint of a data chunk, encrypting the fingerprint with a fingerprint key, and encrypting the data chunk with a base key and the encrypted fingerprint. The method also includes encrypting the encrypted fingerprint with a user key to generate a doubly encrypted fingerprint and sending the encrypted data chunk and the doubly encrypted fingerprint to a storage system. The storage system does not have access to the base key, the fingerprint key and the user key. A computer-implemented method includes computing a fingerprint of a data chunk and encrypting the data chunk with a base key and the fingerprint. The method also includes encrypting the fingerprint with a user key and sending the encrypted data chunk and the encrypted fingerprint to a storage system. The storage system does not have access to the base key and the user key.

Abstract: A computer-implemented method includes receiving, by a storage system, encrypted data and a set of key identifiers. Each key identifier is associated with information specifying a storage location for which the key identifier is authorized. The method also includes storing, by the storage system, the encrypted data in at least one storage location and receiving, by the storage system, at least one key identifier of the set of key identifiers with a data access request. The method includes determining, by the storage system, whether the data access request is authorized for the at least one key identifier.

Abstract: A method, system, and computer program product for key in lockbox encrypted data deduplication are provided. The method collects a set of deduplication information by a host in communication with a storage system via a communications network. A fingerprint is generated for a data chunk to be stored on a storage system. The method encrypts the data chunk using a first encryption key to generate an encrypted data chunk. The fingerprint is encrypted with a second encryption key to generate an encrypted fingerprint. The method encrypts the first encryption key with a third encryption key to generate a first encrypted key. The method encrypts the first encryption key with a fourth encryption key to generate a second encryption key. A data package is generated for transmission to the storage system. The method transmits the data package to the storage system.

Abstract: A computer-implemented method includes sending key group information to a storage system. The key group information includes keyID information for client data keys in the key group. The client data keys enable deduplication of data chunks encrypted in any of the client data keys in the key group. The method also includes generating deduplication information. The deduplication information includes fingerprints associated with chunks of client data. The method also includes encrypting the data chunks with one of the client data keys, wherein a corresponding decryption key for the encrypted data chunks is not available to the storage system. The method includes sending the deduplication information to the storage system for use in a deduplication process by the storage system and sending the encrypted data chunks to the storage system.

Abstract: A computer-implemented method includes sending key group information to a storage system. The key group information includes keyID information for client data keys in the key group. The client data keys enable deduplication of data chunks encrypted in any of the client data keys in the key group. The method also includes generating deduplication information. The deduplication information includes fingerprints associated with chunks of client data. The method also includes encrypting the data chunks with one of the client data keys, wherein a corresponding decryption key for the encrypted data chunks is not available to the storage system. The method includes sending the deduplication information to the storage system for use in a deduplication process by the storage system and sending the encrypted data chunks to the storage system.

Abstract: A computer-implemented method, according to one embodiment, includes: selecting strips from each storage unit for a given erasure code stripe such that the given erasure code stripe includes at most one strip from a high failure rate region of the respective storage unit, where each of the storage units include high and low failure rate regions. The selected strips are organized such that a number of each strip in the given erasure code stripe is offset from the remaining strips by an amount that is greater than a total number of strips in the high failure rate regions. The organized selected strips are further mapped to form the given erasure code stripe such that the high failure rate regions on each storage unit are mapped to one or more sequentially numbered strips, and the low failure rate regions are mapped to additional sequentially numbered strips.

Abstract: A non-invasive servo-write system for use in a data recording disk drive. The system measures actuator position and generates a reference clock using semiconductor lasers. Internal position references are provided by reflective diffraction gratings affixed to the actuator arm and the spindle hub. Wavefront reconstruction optics correct for aberrations in the gratings. Optical sensors detect differential changes in the diffraction patterns created by the gratings, eliminating sensitivity to frequency drift. Decode electronics convert optical sensor data into an actuator position measurement. Control electronics drive the voice coil motor within the disk drive, which positions the write transducer to record servo information provided in a servo pattern generator. Transparent windows in the head-disk-assembly cover allow the servo-writer to write drives which are completely assembled and sealed.