Patents by Inventor Naizhong Chiu

Naizhong Chiu has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240086335
    Abstract: Techniques for providing increased support for deduplication and compression of encrypted storage volumes. The techniques include receiving, at a storage virtual machine (VM), a data encryption key (DEK) associated with encrypted volume data, in which the DEK is wrapped in a key encryption key (KEK). The techniques include receiving, at the storage VM from a client virtual machine (VM), a write request specifying the encrypted volume data. The techniques include obtaining, by the storage VM, the KEK from a key management system (KMS) embedded on the storage VM. The techniques include unwrapping, by the storage VM, the DEK using the KEK, and decrypting, by an IO decryptor hosted by the storage VM, the encrypted volume data using the DEK. The techniques include performing, by the storage VM, data reduction operations on the decrypted volume data, and storing, by the storage VM, the data-reduced volume data on a storage array.
    Type: Application
    Filed: September 12, 2022
    Publication date: March 14, 2024
    Inventors: Charles W. Kaufman, Xuan Tang, George Papadopoulos, Vasu Subramanian, Jamie Pocas, Naizhong Chiu, Gregory W. Lazar
  • Publication number: 20240028774
    Abstract: A method, computer program product, and computing system for receiving content for securely transmitting from an initiator device across a fabric to a target device. The content may be encrypted with a predefined encryption key, thus defining encrypted content. The encrypted content may be encapsulated in a Non-volatile Memory Express (NVMe) Over Fabrics (NVMe-oF) command, thus defining an encapsulated NVMe-oF security command. The encapsulated NVMe-oF security command may be transmitted across the fabric to the target device.
    Type: Application
    Filed: July 21, 2022
    Publication date: January 25, 2024
    Inventors: Jamie Pocas, Naizhong Chiu, Saoni Mukherjee
  • Patent number: 11227058
    Abstract: A method, computer program product, and computer system for storing, by a computing device, a data encryption key in a keystore. A plurality of stable system values may be generated, wherein a threshold number of the plurality of stable system values is required to access the data encryption key from the keystore. The plurality of stable system values may be stored in different locations. More stable system values of the plurality of stable system values than the threshold number of the plurality of stable system values required to access the data encryption key from the keystore may be deleted.
    Type: Grant
    Filed: July 30, 2019
    Date of Patent: January 18, 2022
    Assignee: EMC IP HOLDING COMPANY, LLC
    Inventors: Naizhong Chiu, Gregory W. Lazar, Grace L. Heard
  • Patent number: 11163459
    Abstract: A technique rekeys information to maintain data security. The technique involves identifying a first storage drive as a source device available to a proactive copy service. The technique further involves identifying a set of second storage drives as a set of spare devices available to the proactive copy service. The technique further involves invoking the proactive copy service which, in response to being invoked, transfers information from the first storage drive to the set of second storage drives. The information is encrypted by a first key when residing on the first storage drive and is encrypted by a set of second keys when residing on the set of second storage drives, the first key being different from each second key.
    Type: Grant
    Filed: October 28, 2019
    Date of Patent: November 2, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Naizhong Chiu, Ping Zhang, Xuan Tang
  • Publication number: 20210124504
    Abstract: A technique rekeys information to maintain data security. The technique involves identifying a first storage drive as a source device available to a proactive copy service. The technique further involves identifying a set of second storage drives as a set of spare devices available to the proactive copy service. The technique further involves invoking the proactive copy service which, in response to being invoked, transfers information from the first storage drive to the set of second storage drives. The information is encrypted by a first key when residing on the first storage drive and is encrypted by a set of second keys when residing on the set of second storage drives, the first key being different from each second key.
    Type: Application
    Filed: October 28, 2019
    Publication date: April 29, 2021
    Inventors: Naizhong Chiu, Ping Zhang, Xuan Tang
  • Publication number: 20210034774
    Abstract: A method, computer program product, and computer system for storing, by a computing device, a data encryption key in a keystore. A plurality of stable system values may be generated, wherein a threshold number of the plurality of stable system values is required to access the data encryption key from the keystore. The plurality of stable system values may be stored in different locations. More stable system values of the plurality of stable system values than the threshold number of the plurality of stable system values required to access the data encryption key from the keystore may be deleted.
    Type: Application
    Filed: July 30, 2019
    Publication date: February 4, 2021
    Inventors: Naizhong Chiu, Gregory W. Lazar, Grace L. Heard
  • Patent number: 10852951
    Abstract: A method, computer program product, and computer system for receiving, by a computing device, an I/O request for data. A number of storage devices of a plurality of storage devices in a Mapped RAID group that will be used to process the I/O request may be determined. It may be determined that each storage device of the number of storage devices in the Mapped RAID group that will be used to process the I/O request lacks a respective threshold number of credits to process the I/O request. It may be determined whether a cache associated with the Mapped RAID group allows a user I/O queue. If the cache allows the user I/O queue, a user I/O may be placed in the user I/O queue. If the cache does not allow the user I/O queue, the I/O request may be failed.
    Type: Grant
    Filed: October 18, 2017
    Date of Patent: December 1, 2020
    Assignee: EMC IP Holding Company, LLC
    Inventors: Jibing Dong, Jian Gao, Jamin Kang, Hongpo Gao, Xinlei Xu, Naizhong Chiu, Ronald D. Proulx, Shaoqin Gong
  • Patent number: 10592165
    Abstract: There are disclosed techniques for queuing I/O requests on Mapped RAID. The techniques comprise queuing a pending I/O request in a queue. The techniques also comprise determining that sufficient credits are available to enable a number of storage devices of a plurality of storage devices in a Mapped RAID group to process the pending I/O request. The techniques further comprise processing the pending I/O request upon determining that there are sufficient credits.
    Type: Grant
    Filed: February 2, 2018
    Date of Patent: March 17, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Geng Han, Jibing Dong, Jian Gao, Xinlei Xu, Jamin Kang, Naizhong Chiu
  • Patent number: 10481802
    Abstract: A method, computer program product, and computer system for receiving, by a computing device, an I/O request for data. A number of storage devices of a plurality of storage devices in a Mapped RAID group that will be used to process the I/O request may be determined. It may be determined that an amount of I/O credits available for the number of storage devices is insufficient. The amount of I/O credits available for the number of storage devices to process the I/O request may be tuned dynamically based upon, at least in part, determining that the amount of I/O credits available for the number of storage devices is insufficient.
    Type: Grant
    Filed: October 16, 2017
    Date of Patent: November 19, 2019
    Assignee: EMC IP Holding Company LLC
    Inventors: Jian Gao, Geng Han, Jibing Dong, Shaoqin Gong, Ree Sun, Naizhong Chiu, Xinlei Xu, Jamin Kang
  • Patent number: 10235082
    Abstract: A method, computer program product, and computer system for receiving, by a computing device, an I/O request for data. A number of storage devices of a plurality of storage devices in a Mapped RAID group that will be used to process the I/O request may be determined. It may be determined whether each storage device of the number of storage devices in the Mapped RAID group that will be used to process the I/O request has a respective threshold number of credits to process the I/O request. If each storage device of the number of storage devices in the Mapped RAID group that will be used to process the I/O request has the respective threshold number of credits, the I/O request may be processed. If at least one storage device of the number of storage devices in the Mapped RAID group that will be used to process the I/O request lacks the respective threshold number of credits, the I/O request may be queued.
    Type: Grant
    Filed: October 18, 2017
    Date of Patent: March 19, 2019
    Assignee: EMC IP Holding Company LLC
    Inventors: Jian Gao, Geng Han, Jibing Dong, Shaoqin Gong, Yousheng Liu, Naizhong Chiu
  • Patent number: 10110383
    Abstract: The techniques presented herein provide managing embedded and external key management systems in a data storage system. An embedded encryption key management system is selected. A first unique signature is generated using a time parameter and a randomly generated value. A backup copy of the lockbox is created, wherein access to the backup copy of the lockbox requires providing a minimum number of unique data storage system values. The encryption key management system is switched to external. A second unique signature is generated for use with the local lockbox, wherein the signature is generated using a time parameter and a randomly generated value. The encryption key management system is switched back to embedded and a third unique signature is generated for use with the local lockbox, wherein the signature is generated using a time parameter and a randomly generated value.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: October 23, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Ashok Tamilarasan, Naizhong Chiu (Qiu), Mahadevan Vasudevan
  • Patent number: 10063372
    Abstract: Examples are generally directed towards providing key decryption for pre-encrypted keys. On identifying a portion of encrypted data to be decrypted, a computing device obtains a pre-encrypted key from a key manager. The pre-encrypted key is a random number generated by the key manager. The computing device decrypts the pre-encrypted key with a client-side wrapping key to obtain an actual key. The computing device decrypts the portion of the encrypted data with the actual key. The key manager is an un-trusted key manager without access to the wrapping key or the actual key. An unauthorized party obtaining access to the encrypted data and the pre-encrypted key stored by the key manager does not provide enough information to enable decrypting the encrypted data without also obtaining access to the client-side wrapping key stored remotely from the key manager.
    Type: Grant
    Filed: March 25, 2016
    Date of Patent: August 28, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Naizhong Chiu, Radia Perlman
  • Patent number: 10015015
    Abstract: The techniques presented herein provide for verifying the integrity of an encryption key log file generated on a data storage system. Encryption key activity events associated with a storage system's back-end storage drives are identified. A unique signature is generated for each encryption key activity event. Each encryption key activity event and its corresponding signature are stored in an audit log file. An audit log hash file is generated using the contents of the audit log file. At an external location, the audit log file and the audit log hash file are retrieved from the storage system. The integrity of the retrieved audit log file is verified by generating a local audit log hash file and comparing the local audit log hash file to the retrieved audit log hash file and determining if the local audit log hash file matches the retrieved audit log hash file.
    Type: Grant
    Filed: September 30, 2014
    Date of Patent: July 3, 2018
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Gregory W. Lazar, Peter Puhov, Millard C. Taylor, III, Naizhong Chiu
  • Patent number: 9910791
    Abstract: The techniques presented herein provide for initializing and upgrading data encryption capability in a data storage system. The data storage system is initialized to encrypt data writes using a system wide encryption key. A request is received to upgrade the encryption functionality in the data storage system. A data slice is identified for encryption, wherein the data slice is stored in a RAID group in the data storage system. The data slice is pinned in a first cache memory of a first storage processor and persisted in a second cache memory of a second storage processor. The data slice is encrypted and a write operation is initiated to write the encrypted data slice back to the RAID group. If the write operation was successful, the data slice is unpinned and the first and second cache memory associated with the data slice are freed; else, if the write operation was unsuccessful, the data slice is unpinned and the first and second cache memory associated with the data slice are flushed.
    Type: Grant
    Filed: June 30, 2015
    Date of Patent: March 6, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Thomas N. Dibb, Naizhong Chiu, Gregory W. Lazar, Xuan Tang, Millard C. Taylor, II
  • Patent number: 9870481
    Abstract: The techniques presented herein provide for associating a data encryption lockbox backup with a data storage system. A first set of software system stable values (SSV) is derived from data storage system component values unique to the data storage system. A lockbox storing the first set of SSV and a set of encryption keys associated with a corresponding respective set of data storage system drives is created. Access to the lockbox requires providing a first minimum number of SSV that match corresponding SSV in the first set of SSV. A backup copy of the lockbox is created, wherein access to the backup copy requires providing a second minimum number of SSV that match corresponding SSV in the first set of SSV, wherein the minimum number of SSV is equal to a second match value. The backup copy of the lockbox is stored at a remote location.
    Type: Grant
    Filed: September 30, 2014
    Date of Patent: January 16, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Gregory W. Lazar, Peter Puhov, Millard C. Taylor, III, Naizhong Chiu Qui, Thomas N. Dibb
  • Patent number: 9659190
    Abstract: An apparatus comprises a storage system and a key manager incorporated in or otherwise associated with the storage system. The storage system is configured to store data items across a plurality of dimensions with each such dimension comprising a plurality of classes. The key manager is configured to assign class keys to respective ones of the classes of each of the dimensions. A given one of the data items associated with at least one of the classes in each of two or more of the dimensions is encrypted for storage in the storage system using a multidimensional key determined as a function of the class keys corresponding to respective ones of the classes with which that data item is associated. Such an arrangement allows all of the data items associated with a given one of the classes to be deleted by deleting the class key assigned to the given class.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: May 23, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Radia Perlman, Xuan Tang, Greg Lazar, Thomas Dibb, Naizhong Chiu
  • Patent number: 9405488
    Abstract: A method, computer program product, and computing system for receiving, on an active storage processor from a passive storage processor, a join request indicator. The join request indicator indicates that the passive storage processor wants to transition to an active status. The active storage processor and the passive storage processor are both coupled to a data array. A status change indicator is provided from the active storage processor to the passive storage processor, wherein the status change indicator indicates that the passive-to-active transition of the passive storage processor has been initiated. A first data array status indicator is received on the active storage processor from the passive storage processor, wherein the first data array status indicator indicates the status of the data array as seen by the passive storage processor.
    Type: Grant
    Filed: June 21, 2013
    Date of Patent: August 2, 2016
    Assignee: EMC Corporation
    Inventors: Robert P. Foley, Peter Puhov, Naizhong Chiu
  • Patent number: 8260974
    Abstract: In a disk processor, a method includes receiving, by a first storage processor of the disk processor, an instruction to assign each enclosure of the set of disk drive enclosures an identifier, the first storage processor being disposed in electrical communication with the set of disk drive enclosures to define at least one bus, each identifier providing a distinct identity to each enclosure in the data storage system. The method includes evaluating, by the first storage processor and as part of a first batch process, the set of enclosures relative to a set of identification rules. The method includes assigning, by the first storage processor and as part of the first batch process, an identifier to each enclosure that complies with the set of identification rules. The method includes generating a fault notification for each enclosure that does not comply with at least one identification rule of the set of identification rules.
    Type: Grant
    Filed: December 27, 2010
    Date of Patent: September 4, 2012
    Assignee: EMC Corporation
    Inventors: Gary Fredette, Naizhong Chiu, Dhaval Patel
  • Patent number: 8161316
    Abstract: A method is used in managing loop interface instability. It is determined that a loop has excessive intermittent failures. It is determined, based on whether the intermittent failures are detectable on another loop, whether the cause of the excessive intermittent failures is within a specific category of components. A search procedure is executed that is directed to the specific category of components, to isolate the cause of the excessive intermittent failures.
    Type: Grant
    Filed: September 30, 2008
    Date of Patent: April 17, 2012
    Assignee: EMC Corporation
    Inventors: Michael Manning, Ashok Tamilarasan, Naizhong Chiu