Patents by Inventor Radia Perlman

Radia Perlman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11595190
    Abstract: An encrypted data storage system includes a storage system that is configured to store encrypted data, and a first client device that is coupled to the storage system. The first client device performs a hash operation on first data to generate a Data Encryption Key (DEK), and uses the DEK to perform a data encryption operation on the first data to generate encrypted first data. The first client device then uses a first Key Encryption Key (KEK) to perform a first key encryption operation on the DEK to generate a first encrypted DEK, associates the first encrypted DEK with the encrypted first data, and transmits the encrypted first data to the storage system for storage.
    Type: Grant
    Filed: January 27, 2021
    Date of Patent: February 28, 2023
    Assignee: Dell Products L.P.
    Inventors: Radia Perlman, Charles Kaufman
  • Publication number: 20220239471
    Abstract: An encrypted data storage system includes a storage system that is configured to store encrypted data, and a first client device that is coupled to the storage system. The first client device performs a hash operation on first data to generate a Data Encryption Key (DEK), and uses the DEK to perform a data encryption operation on the first data to generate encrypted first data. The first client device then uses a first Key Encryption Key (KEK) to perform a first key encryption operation on the DEK to generate a first encrypted DEK, associates the first encrypted DEK with the encrypted first data, and transmits the encrypted first data to the storage system for storage.
    Type: Application
    Filed: January 27, 2021
    Publication date: July 28, 2022
    Inventors: Radia Perlman, Charles Kaufman
  • Publication number: 20210377016
    Abstract: Embodiments are described for re-keying encrypted data with a new encryption key. A server maintains a ClientBlocks list comprising (handle, hash) pairs for each client, a deduplication table, and encrypted data for one or more clients. Each client stores handles and encryption keys. The server goes through the ClientBlocks list looking for blocks that need to be re-encrypted, due to issuance of a new encryption key. When the server finds a block that needs to be re-encrypted, it sends the ciphertext with its key ID to the client with a request to re-encrypt the data. The client then decrypts the data and re-encrypts it with a newer key identified by the newer key version. The server then writes the newer key version and new ciphertext someplace in physical storage, and replaces the pointer in the deduplication table with a pointer to the newly stored ciphertext block.
    Type: Application
    Filed: May 29, 2020
    Publication date: December 2, 2021
    Inventors: Radia Perlman, Charles W. Kaufman, Senthilkumar Ponnuswamy
  • Patent number: 11063884
    Abstract: This disclosure describes enhancements to Ethernet for use in higher performance applications like Storage, HPC, and Ethernet based fabric interconnects. This disclosure provides various mechanisms for lossless fabric enhancements with error-detection and retransmissions to improve link reliability, frame pre-emption to allow higher priority traffic over lower priority traffic, virtual channel support for deadlock avoidance by enhancing Class of service functionality defined in IEEE 802.1Q, a new header format for efficient forwarding/routing in the fabric interconnect and header CRC for reliable cut-through forwarding in the fabric interconnect. The enhancements described herein, when added to standard and/or proprietary Ethernet protocols, broaden the applicability of Ethernet to newer usage models and fabric interconnects that are currently served by alternate fabric technologies like Infiniband, Fibre Channel and/or other proprietary technologies, etc.
    Type: Grant
    Filed: August 28, 2019
    Date of Patent: July 13, 2021
    Assignee: Intel Corporation
    Inventors: Ilango Ganga, Alain Gravel, Thomas Lovett, Radia Perlman, Greg Regnier, Anil Vasudevan, Hugh Wilkinson
  • Patent number: 11012541
    Abstract: A resilient TCP/IP connection system includes a first computing device coupled to a second computing device. The second computing device transmits a first TCP connection establishment communication that includes a first computing device TCP connection identifier to the first computing device. In response, the second computing device receives a second TCP connection establishment communication that includes a second computing device TCP connection identifier from the first computing device, and establishes a first resilient TCP connection with the first computing device. The second computing device then provides the second computing device TCP connection identifier in each TCP/IP communication transmitted to the first computing device via the first resilient TCP connection, and identifies the first computing device TCP connection identifier in each TCP/IP communication received from the first computing device via the first resilient TCP connection.
    Type: Grant
    Filed: October 31, 2019
    Date of Patent: May 18, 2021
    Assignee: Dell Products L.P.
    Inventors: Radia Perlman, Joe Ghalam, Joseph LaSalle White, Mihai Lazar
  • Publication number: 20210136184
    Abstract: A resilient TCP/IP connection system includes a first computing device coupled to a second computing device. The second computing device transmits a first TCP connection establishment communication that includes a first computing device TCP connection identifier to the first computing device. In response, the second computing device receives a second TCP connection establishment communication that includes a second computing device TCP connection identifier from the first computing device, and establishes a first resilient TCP connection with the first computing device. The second computing device then provides the second computing device TCP connection identifier in each TCP/IP communication transmitted to the first computing device via the first resilient TCP connection, and identifies the first computing device TCP connection identifier in each TCP/IP communication received from the first computing device via the first resilient TCP connection.
    Type: Application
    Filed: October 31, 2019
    Publication date: May 6, 2021
    Inventors: Radia Perlman, Joe Ghalam, Joseph LaSalle White, Mihai Lazar
  • Patent number: 10791058
    Abstract: Systems and methods may provide for determining a local traffic quota for a service associated with an overlay network and determining an allocation of the local traffic quota across a set of data sources associated with the overlay network. Additionally, the allocation may be imposed on one or more packets received from the set of data sources. In one example, imposing the allocation on the one or more packets includes sending the one or more packets to a parent node connected to the overlay router in a hierarchy of the overlay network if delivery of the one or more packets to the parent node complies with the allocation and delaying delivery of the one or more packets to the parent node if the packets do not comply with the allocation.
    Type: Grant
    Filed: June 16, 2017
    Date of Patent: September 29, 2020
    Assignee: Intel Corporation
    Inventor: Radia Perlman
  • Publication number: 20190386934
    Abstract: This disclosure describes enhancements to Ethernet for use in higher performance applications like Storage, HPC, and Ethernet based fabric interconnects. This disclosure provides various mechanisms for lossless fabric enhancements with error-detection and retransmissions to improve link reliability, frame pre-emption to allow higher priority traffic over lower priority traffic, virtual channel support for deadlock avoidance by enhancing Class of service functionality defined in IEEE 802.1Q, a new header format for efficient forwarding/routing in the fabric interconnect and header CRC for reliable cut-through forwarding in the fabric interconnect. The enhancements described herein, when added to standard and/or proprietary Ethernet protocols, broaden the applicability of Ethernet to newer usage models and fabric interconnects that are currently served by alternate fabric technologies like Infiniband, Fibre Channel and/or other proprietary technologies, etc.
    Type: Application
    Filed: August 28, 2019
    Publication date: December 19, 2019
    Applicant: Intel Corporation
    Inventors: Ilango Ganga, Alain Gravel, Thomas Lovett, Radia Perlman, Greg Regnier, Anil Vasudevan, Hugh Wilkinson
  • Patent number: 10404625
    Abstract: This disclosure describes enhancements to Ethernet for use in higher performance applications like Storage, HPC, and Ethernet based fabric interconnects. This disclosure provides various mechanisms for lossless fabric enhancements with error-detection and retransmissions to improve link reliability, frame pre-emption to allow higher priority traffic over lower priority traffic, virtual channel support for deadlock avoidance by enhancing Class of service functionality defined in IEEE 802.1Q, a new header format for efficient forwarding/routing in the fabric interconnect and header CRC for reliable cut-through forwarding in the fabric interconnect. The enhancements described herein, when added to standard and/or proprietary Ethernet protocols, broaden the applicability of Ethernet to newer usage models and fabric interconnects that are currently served by alternate fabric technologies like Infiniband, Fibre Channel and/or other proprietary technologies, etc.
    Type: Grant
    Filed: September 25, 2014
    Date of Patent: September 3, 2019
    Assignee: Intel Corporation
    Inventors: Ilango Ganga, Alain Gravel, Thomas Lovett, Radia Perlman, Greg Regnier, Anil Vasudevan, Hugh Wilkinson
  • Patent number: 10298551
    Abstract: An apparatus in one embodiment comprises at least one processing device having a processor coupled to a memory. The processing device implements a messaging policy enforcement server that receives from a first client device metadata of an encrypted message to be sent from the first client device to a second client device. The received metadata comprises a first key utilized by the first client device to encrypt the message with the first key being encrypted utilizing a second key associated with the second client device. The messaging policy enforcement server processes the received metadata to determine one or more policies applicable to the encrypted message and to generate a further encrypted version of the encrypted first key utilizing one or more additional keys corresponding to the one or more policies. The further encrypted version of the encrypted first key is sent to the second client device in modified metadata of the encrypted message.
    Type: Grant
    Filed: December 14, 2016
    Date of Patent: May 21, 2019
    Assignee: EMC IP Holding Company LLC
    Inventors: Radia Perlman, Xuan Tang, Charles Kaufman
  • Patent number: 10284534
    Abstract: An apparatus comprises a storage system, a key manager incorporated in or otherwise associated with the storage system, and an input-output controller coupled to the key manager and configured to control storage of data items in the storage system. The key manager is configured to determine a controller key accessible to the input-output controller and a plurality of data encryption keys utilizable by the input-output controller to encrypt the data items for storage in the storage system. A given one of the data items is encrypted using a particular one of the data encryption keys and has associated metadata that includes the particular data encryption key encrypted using the controller key. The metadata may comprise an inner wrapping of the particular data encryption key using the controller key and at least one outer wrapping of the inner wrapping using at least one additional key.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: May 7, 2019
    Assignee: EMC IP Holding Company LLC
    Inventors: Radia Perlman, Xuan Tang, Greg Lazar, Thomas Dibb
  • Patent number: 10205667
    Abstract: One embodiment provides a method for enabling class-based credit flow control for a network node in communication with a link partner using an Ethernet communications protocol. The method includes receiving a control frame from the link partner. The control frame includes at least one field for specifying credit for at least one traffic class and the credit is based on available space in a receive buffer associated with the at least one traffic class. The method further includes sending data packets to the link partner based on the credit, the data packets associated with the at least one traffic class.
    Type: Grant
    Filed: June 5, 2017
    Date of Patent: February 12, 2019
    Assignee: Intel Corporation
    Inventors: Ilango Ganga, Alain Gravel, Thomas D. Lovett, Radia Perlman, Greg Regnier, Anil Vasudevan, Hugh Wilkinson
  • Patent number: 10063372
    Abstract: Examples are generally directed towards providing key decryption for pre-encrypted keys. On identifying a portion of encrypted data to be decrypted, a computing device obtains a pre-encrypted key from a key manager. The pre-encrypted key is a random number generated by the key manager. The computing device decrypts the pre-encrypted key with a client-side wrapping key to obtain an actual key. The computing device decrypts the portion of the encrypted data with the actual key. The key manager is an un-trusted key manager without access to the wrapping key or the actual key. An unauthorized party obtaining access to the encrypted data and the pre-encrypted key stored by the key manager does not provide enough information to enable decrypting the encrypted data without also obtaining access to the client-side wrapping key stored remotely from the key manager.
    Type: Grant
    Filed: March 25, 2016
    Date of Patent: August 28, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Naizhong Chiu, Radia Perlman
  • Patent number: 10007809
    Abstract: One embodiment provides a document management system comprising a storage system to store one or more encrypted documents, at least a first portion of a first encrypted document encrypted using a first encryption key, and an encryption key manager to manage a set of encryption keys for the documents on the storage system, the encryption key manager further to discard the first encryption key to provide secure removal of the portion of the encrypted document.
    Type: Grant
    Filed: August 26, 2015
    Date of Patent: June 26, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Frederick Douglis, Radia Perlman, Philip Shilane, Grant Wallace
  • Patent number: 9923677
    Abstract: Methods and apparatus for multiplexing many client streams over a single connection. A proxy server establishes multiple TCP connections with respective clients that desire to access a web server connected to the proxy server via a multiplexed TCP connection. TCP packets received from the clients via the TCP connections are separated out based on their TCP connections, and packet payload data is extracted and added to client data streams. Data segments comprising sequential runs of bits from the client data streams are embedded in multiplexed (MUX) TCP packets that are sent over the multiplexed TCP connection. Upon receipt, the web server de-encapsulates the data segments and buffers them in queues allocated for each TCP connection in re-assembled client data streams. This enables the packet flows transported over the multiplexed connection for the TCP connections to be individually controlled.
    Type: Grant
    Filed: December 26, 2014
    Date of Patent: March 20, 2018
    Assignee: Intel Corporation
    Inventor: Radia Perlman
  • Patent number: 9917891
    Abstract: Methods, apparatus, and systems for distributing network loads in a manner that is resilient to system topology changes. Distribution functions and associated operations are implemented on multiple load splitters such that if a load splitter becomes inoperative, another or other load splitters can forward packets corresponding to flows previously handled by the inoperative load splitter without requiring flow state synchronization to be maintained across load splitters. The distribution functions are implemented in a manner that distributes packets for the same flows to the same servers through system topology changes, addressing both situations when servers fail and/or are taken off-line and when such servers or replacement servers are brought back on-line. The techniques are facilitated, in part, via use of redistributed flow lists and/or Bloom filters that are marked to track redistributed flows. A novel Bloom filter recycle scheme is also disclosed.
    Type: Grant
    Filed: September 27, 2013
    Date of Patent: March 13, 2018
    Assignee: Intel Corporation
    Inventor: Radia Perlman
  • Patent number: 9906361
    Abstract: An apparatus comprises a storage system and a key manager incorporated in or otherwise associated with the storage system. The storage system comprises first storage of a first type and second storage of a second type with the first storage providing enhanced data protection relative to the second storage. The key manager is configured to maintain a master key hierarchy for the storage system. The master key hierarchy comprises a plurality of levels each including one or more master keys, with an uppermost level of the master key hierarchy comprising a root master key that is stored in the first storage and at least one lower level of the master key hierarchy comprising a plurality of master keys that are stored in the second storage under encryption by the root master key. Keys of a lowermost level of the master key hierarchy are associated with respective groups of data items.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: February 27, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Radia Perlman, Xuan Tang, Thomas Dibb, Greg Lazar
  • Publication number: 20170289050
    Abstract: Systems and methods may provide for determining a local traffic quota for a service associated with an overlay network and determining an allocation of the local traffic quota across a set of data sources associated with the overlay network. Additionally, the allocation may be imposed on one or more packets received from the set of data sources. In one example, imposing the allocation on the one or more packets includes sending the one or more packets to a parent node connected to the overlay router in a hierarchy of the overlay network if delivery of the one or more packets to the parent node complies with the allocation and delaying delivery of the one or more packets to the parent node if the packets do not comply with the allocation.
    Type: Application
    Filed: June 16, 2017
    Publication date: October 5, 2017
    Inventor: Radia Perlman
  • Patent number: 9779269
    Abstract: An apparatus comprises a storage system and a cryptographic module incorporated in or otherwise associated with the storage system. The cryptographic module is configured to obtain a plurality of data encryption keys used to encrypt respective ones of the data items for storage in the storage system and a plurality of tenant keys for respective ones of the tenants. A given one of the data items is encrypted using a particular one of the data encryption keys. The given data item as stored for a given one of the tenants has associated metadata that includes the particular data encryption key encrypted using the tenant key of the given tenant. Such an arrangement allows for efficient deduplication. For example, a single copy of the given data item can be stored for multiple ones of the tenants by appropriate configuration of the metadata associated with the given data item.
    Type: Grant
    Filed: August 6, 2015
    Date of Patent: October 3, 2017
    Assignee: EMC IP Holding Company LLC
    Inventor: Radia Perlman
  • Publication number: 20170272370
    Abstract: One embodiment provides a method for enabling class-based credit flow control for a network node in communication with a link partner using an Ethernet communications protocol. The method includes receiving a control frame from the link partner. The control frame includes at least one field for specifying credit for at least one traffic class and the credit is based on available space in a receive buffer associated with the at least one traffic class. The method further includes sending data packets to the link partner based on the credit, the data packets associated with the at least one traffic class.
    Type: Application
    Filed: June 5, 2017
    Publication date: September 21, 2017
    Applicant: Intel Corporation
    Inventors: Ilango Ganga, Alain Gravel, Thomas D. Lovett, Radia Perlman, Greg Regnier, Anil Vasudevan, Hugh Wilkinson