Abstract: Embodiments of a cryptographic key management system for cached data that efficiently re-encrypts cached data encrypted with a compromised encryption key by receiving a request to access a cached data block encrypted with an original encryption key. Upon determining that the original encryption key is compromised or destroyed, thus resulting in the requested data block being invalid, evicting the requested data block from the cache storing the cached data. The data block is re-encrypted using a new encryption key upon receipt of a new request to access the cached data. Any remaining cached data encrypted with the original encryption key is evicted from the cache through a defined cache eviction policy.

Abstract: A method of blocking access to files encrypted with a compromised key by mapping keys and ranges of containers encrypted by the keys. Upon notification that a key is compromised, fencing a container range corresponding to data segments encrypted by the compromised key to prevent deduplication operations on the segments. The method makes a point-in-time copy of the filesystem managing the segments, wherein each file of the file system is represented as tree structure having a root level and other levels. The method iteratively inspects in a level-wise manner, each container in each level of the file trees of the files to identify containers having segments encrypted by the compromised key, and marks files corresponding to the identified containers as not readable to block the access to the files encrypted with the compromised key.

Abstract: Embodiments of the runtime risk assessment process monitors deliberate or potentially data destructive operations against a filter of dynamic risk assessment. A filter process recognizes the following conditions as highly indicative of increased risk factors: (1) recent creation of the security officer role, (2) changing of the system time or clock, and (3) disabling of system alerts. If all three of these events occur, the system recognizes this as indicative of a high probability of data attack. The runtime risk assessment process imposes a delay on the execution of each of these commands to provide time to alert the user and an opportunity to re-enter the commands at the end of the delay period. Thus, a potentially dangerous sequence of commands will not occur automatically or immediately, but will instead be delayed to provide an extra validation check or user action.

Abstract: Embodiments of a system and method to prevent mass deletion of data in a data storage system. A data deletion operation comprises a delete operation marking blocks to be deleted followed by a garbage collection (GC) operation to remove marked blocks from storage media. Based on historical information regarding deletions per GC cycle, the storage system can detect any significant deviations as potentially dangerous. If a deletion in excess of a deviation threshold is seen, the next GC operation is skipped to provide a delay period during which time the user can investigate the data delete command and restore data if necessary. De-risking conditions such as known abnormal high deletion periods or new system installation can be used to override any garbage collection delay.

Abstract: Embodiments of a cryptographic key management system for cached data that abstracts key management details from the cache tier to the active tier and encryption process by encrypting data from the active tier using an encryption process employing an encryption key to generate an encrypted data block, and associating an encryption header with the encrypted data block, the encryption header including a key identifier as an index to the encryption key, where the encryption key is accessed through a key table maintained in the active tier. The system stores the encrypted data block in a cache tier, and decrypts the encrypted data block in the cache tier by providing the key identifier in the encryption header to the encryption process.

Abstract: Embodiments for rotating encryption keys in a sized-based process by defining a threshold value specifying a maximum amount of data to be encrypted by a single encryption key, determining whether or not data currently ingested by the data storage system exceeds the threshold value, and performing a key rotation operation to use a new key to encrypt incoming future data if it does exceed the threshold value. A time-based process performs key rotation from an old key to a new key in accordance with a periodic schedule, determines if the key rotation operation is successful in rotating to the new key from the old key, and if the key rotation operation is successful then performing a subsequent key rotation operation in accordance with the periodic schedule, or if not successful sending a user alert and automatically re-attempting the key rotation operation.

Abstract: One example method includes receiving clear text data at a storage system, generating, at the storage system, a clear text data encryption key, requesting a key management system to encrypt the clear text data encryption key with a master key to create an encrypted data encryption key, and the requesting is performed by the storage system, receiving, at the storage system, the encrypted data encryption key from the key management system, encrypting, at the storage system, the clear text data with the clear text data encryption key to create encrypted data, and storing, together, the encrypted data and the encrypted data encryption key.

Abstract: One example method includes receiving clear text data at a storage system, generating, at the storage system, a clear text data encryption key, requesting a key management system to encrypt the clear text data encryption key with a master key to create an encrypted data encryption key, and the requesting is performed by the storage system, receiving, at the storage system, the encrypted data encryption key from the key management system, encrypting, at the storage system, the clear text data with the clear text data encryption key to create encrypted data, and storing, together, the encrypted data and the encrypted data encryption key.