Patents by Inventor Steven Robert Hetzler

Steven Robert Hetzler has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11930109
    Abstract: A computer-implemented method includes receiving, by a storage system, encrypted data and a set of key identifiers. Each key identifier is associated with information specifying a storage location for which the key identifier is authorized. The method also includes storing, by the storage system, the encrypted data in at least one storage location and receiving, by the storage system, at least one key identifier of the set of key identifiers with a data access request. The method includes determining, by the storage system, whether the data access request is authorized for the at least one key identifier.
    Type: Grant
    Filed: January 22, 2021
    Date of Patent: March 12, 2024
    Assignee: International Business Machines Corporation
    Inventors: Steven Robert Hetzler, Wayne C. Hineman, John Stewart Best
  • Patent number: 11868460
    Abstract: A computer program product includes one or more computer readable storage media, and program instructions collectively stored on the one or more computer readable storage media, the program instructions include program instructions to authenticate an application as authorized to perform encryption and program instructions to receive data at an authenticated encryption layer. The program instructions include program instructions to encrypt the data using an encryption key, wherein the encryption key is not available to the application, and program instructions to generate a watermark token of the encrypted data. The program instructions include program instructions to generate a watermark of the encrypted data using the watermark token and a watermark key and program instructions to send the encrypted data, the watermark token, and the watermark to a storage system. The storage system is configured to verify the encrypted data for storage using the watermark key.
    Type: Grant
    Filed: March 5, 2021
    Date of Patent: January 9, 2024
    Assignee: International Business Machines Corporation
    Inventors: Guerney D. H. Hunt, Steven Robert Hetzler
  • Patent number: 11836267
    Abstract: A computer-implemented method includes receiving deduplication information at a storage system. The deduplication information is accessible to the storage system for performing operations thereon. The deduplication information includes signatures associated with portions of client data. The method also includes receiving the client data encrypted with a client secret key. The client secret key is unavailable to the storage system. The method includes deduplicating data chunks stored in the storage system against chunks of the client data, wherein the client data chunks are selected from the client data for deduplication using the deduplication information.
    Type: Grant
    Filed: August 19, 2019
    Date of Patent: December 5, 2023
    Assignee: International Business Machines Corporation
    Inventor: Steven Robert Hetzler
  • Patent number: 11803648
    Abstract: A method, system, and computer program product for key in lockbox encrypted data deduplication are provided. The method collects a set of deduplication information by a host in communication with a storage system via a communications network. A fingerprint is generated for a data chunk to be stored on a storage system. The method encrypts the data chunk using a first encryption key to generate an encrypted data chunk. The fingerprint is encrypted with a second encryption key to generate an encrypted fingerprint. The method encrypts the first encryption key with a third encryption key to generate a first encrypted key. The method encrypts the first encryption key with a fourth encryption key to generate a second encryption key. A data package is generated for transmission to the storage system. The method transmits the data package to the storage system.
    Type: Grant
    Filed: December 9, 2020
    Date of Patent: October 31, 2023
    Assignee: International Business Machines Corporation
    Inventors: Steven Robert Hetzler, Wayne C. Hineman, John Stewart Best
  • Patent number: 11743241
    Abstract: A computer-implemented method includes receiving, by a transcoder, second encrypted data. The second encrypted data is data that has been encrypted in a first key to create first encrypted data that is then encrypted in a second key to create the second encrypted data. The method includes receiving the second key and decrypting the second encrypted data using the second key to obtain the first encrypted data. The method includes encrypting the first encrypted data using a third key to create third encrypted data, and sending the third encrypted data to a destination node. A computer-implemented method includes receiving, by a transcoder, a second encrypted key. The second encrypted key is a key that has been encrypted in a first key to create a first encrypted key that is then encrypted in a second key to create the second encrypted key.
    Type: Grant
    Filed: December 30, 2020
    Date of Patent: August 29, 2023
    Assignee: International Business Machines Corporation
    Inventors: Steven Robert Hetzler, Guerney D. H. Hunt
  • Publication number: 20230058965
    Abstract: A system includes an authenticated encryption layer comprising logic configured to encrypt data received at the authenticated encryption layer from an authorized application at a source node. The data is encrypted using a first key to obtain first encrypted data. The logic is configured to encrypt the first encrypted data using a second key to obtain second encrypted data and generate a watermark for the first encrypted data and/or a watermark for the second encrypted data. The logic is configured to generate a watermark token for the first encrypted data and/or a watermark token for the second encrypted data.
    Type: Application
    Filed: August 17, 2021
    Publication date: February 23, 2023
    Inventors: John Stewart Best, Guerney D. H. Hunt, Wayne C. Hineman, Steven Robert Hetzler
  • Patent number: 11474898
    Abstract: A computer implemented method for recovering erased entries within a system of arrays includes identifying a system consisting of a plurality of arrays, wherein each array consists of m rows and n columns of entries, each entry is divided into p symbols consisting of a plurality of bits, protecting the m rows and n columns of entries in the system with an erasure-correcting code allowing the recovery of a number of erased entries in such rows and columns, detecting an erasure corresponding to an entry in the identified system, and, responsive to detecting an erasure, determining the value of the erased entry according to the p symbols of one or more non-erased entries.
    Type: Grant
    Filed: December 9, 2020
    Date of Patent: October 18, 2022
    Assignee: International Business Machines Corporation
    Inventors: Mario Blaum, Steven Robert Hetzler
  • Publication number: 20220284110
    Abstract: A computer-implemented method includes computing a fingerprint of a data chunk, encrypting the fingerprint with a fingerprint key, and encrypting the data chunk with a base key and the encrypted fingerprint. The method also includes encrypting the encrypted fingerprint with a user key to generate a doubly encrypted fingerprint and sending the encrypted data chunk and the doubly encrypted fingerprint to a storage system. The storage system does not have access to the base key, the fingerprint key and the user key. A computer-implemented method includes computing a fingerprint of a data chunk and encrypting the data chunk with a base key and the fingerprint. The method also includes encrypting the fingerprint with a user key and sending the encrypted data chunk and the encrypted fingerprint to a storage system. The storage system does not have access to the base key and the user key.
    Type: Application
    Filed: March 3, 2021
    Publication date: September 8, 2022
    Inventors: Steven Robert Hetzler, John Stewart Best, Wayne C. Hineman
  • Publication number: 20220284087
    Abstract: A computer program product includes one or more computer readable storage media, and program instructions collectively stored on the one or more computer readable storage media, the program instructions include program instructions to authenticate an application as authorized to perform encryption and program instructions to receive data at an authenticated encryption layer. The program instructions include program instructions to encrypt the data using an encryption key, wherein the encryption key is not available to the application, and program instructions to generate a watermark token of the encrypted data. The program instructions include program instructions to generate a watermark of the encrypted data using the watermark token and a watermark key and program instructions to send the encrypted data, the watermark token, and the watermark to a storage system. The storage system is configured to verify the encrypted data for storage using the watermark key.
    Type: Application
    Filed: March 5, 2021
    Publication date: September 8, 2022
    Inventors: Guerney D. H. Hunt, Steven Robert Hetzler
  • Publication number: 20220239480
    Abstract: A computer-implemented method includes receiving, by a storage system, encrypted data and a set of key identifiers. Each key identifier is associated with information specifying a storage location for which the key identifier is authorized. The method also includes storing, by the storage system, the encrypted data in at least one storage location and receiving, by the storage system, at least one key identifier of the set of key identifiers with a data access request. The method includes determining, by the storage system, whether the data access request is authorized for the at least one key identifier.
    Type: Application
    Filed: January 22, 2021
    Publication date: July 28, 2022
    Inventors: Steven Robert Hetzler, Wayne C. Hineman, John Stewart Best
  • Publication number: 20220210139
    Abstract: A computer-implemented method includes receiving, by a transcoder, second encrypted data. The second encrypted data is data that has been encrypted in a first key to create first encrypted data that is then encrypted in a second key to create the second encrypted data. The method includes receiving the second key and decrypting the second encrypted data using the second key to obtain the first encrypted data. The method includes encrypting the first encrypted data using a third key to create third encrypted data, and sending the third encrypted data to a destination node. A computer-implemented method includes receiving, by a transcoder, a second encrypted key. The second encrypted key is a key that has been encrypted in a first key to create a first encrypted key that is then encrypted in a second key to create the second encrypted key.
    Type: Application
    Filed: December 30, 2020
    Publication date: June 30, 2022
    Inventors: Steven Robert Hetzler, Guerney D. H. Hunt
  • Publication number: 20220207191
    Abstract: A computer-implemented method includes receiving, by a source node, a request from a destination node for data stored in a region of shared memory controlled by the source node. The data is encrypted in a local key of the source node. The method includes decrypting, by the source node, the locally encrypted data using the local key and encrypting, by the source node, the decrypted data using a first key for generating first encrypted data. The method also includes encrypting, by the source node, the first encrypted data using a second key for generating second encrypted data, and sending, by the source node, the second encrypted data to the destination node. A computer program product includes one or more computer readable storage media and program instructions collectively stored on the one or more computer readable storage media. The program instructions include program instructions to perform the foregoing method.
    Type: Application
    Filed: December 30, 2020
    Publication date: June 30, 2022
    Inventors: Steven Robert Hetzler, Guerney D. H. Hunt, Charles R. Johns, James A. Kahle
  • Publication number: 20220179974
    Abstract: A method, system, and computer program product for key in lockbox encrypted data deduplication are provided. The method collects a set of deduplication information by a host in communication with a storage system via a communications network. A fingerprint is generated for a data chunk to be stored on a storage system. The method encrypts the data chunk using a first encryption key to generate an encrypted data chunk. The fingerprint is encrypted with a second encryption key to generate an encrypted fingerprint. The method encrypts the first encryption key with a third encryption key to generate a first encrypted key. The method encrypts the first encryption key with a fourth encryption key to generate a second encryption key. A data package is generated for transmission to the storage system. The method transmits the data package to the storage system.
    Type: Application
    Filed: December 9, 2020
    Publication date: June 9, 2022
    Inventors: Steven Robert Hetzler, Wayne C. Hineman, John Stewart Best
  • Publication number: 20220179739
    Abstract: A computer implemented method for recovering erased entries within a system of arrays includes identifying a system consisting of a plurality of arrays, wherein each array consists of m rows and n columns of entries, each entry is divided into p symbols consisting of a plurality of bits, protecting the m rows and n columns of entries in the system with an erasure-correcting code allowing the recovery of a number of erased entries in such rows and columns, detecting an erasure corresponding to an entry in the identified system, and, responsive to detecting an erasure, determining the value of the erased entry according to the p symbols of one or more non-erased entries.
    Type: Application
    Filed: December 9, 2020
    Publication date: June 9, 2022
    Inventors: Mario Blaum, Steven Robert Hetzler
  • Patent number: 11295028
    Abstract: A computer-implemented method includes sending key group information to a storage system. The key group information includes keyID information for client data keys in the key group. The client data keys enable deduplication of data chunks encrypted in any of the client data keys in the key group. The method also includes generating deduplication information. The deduplication information includes fingerprints associated with chunks of client data. The method also includes encrypting the data chunks with one of the client data keys, wherein a corresponding decryption key for the encrypted data chunks is not available to the storage system. The method includes sending the deduplication information to the storage system for use in a deduplication process by the storage system and sending the encrypted data chunks to the storage system.
    Type: Grant
    Filed: July 24, 2020
    Date of Patent: April 5, 2022
    Assignee: International Business Machines Corporation
    Inventors: Steven Robert Hetzler, Wayne C. Hineman, John Stewart Best
  • Publication number: 20220027483
    Abstract: A computer-implemented method includes sending key group information to a storage system. The key group information includes keyID information for client data keys in the key group. The client data keys enable deduplication of data chunks encrypted in any of the client data keys in the key group. The method also includes generating deduplication information. The deduplication information includes fingerprints associated with chunks of client data. The method also includes encrypting the data chunks with one of the client data keys, wherein a corresponding decryption key for the encrypted data chunks is not available to the storage system. The method includes sending the deduplication information to the storage system for use in a deduplication process by the storage system and sending the encrypted data chunks to the storage system.
    Type: Application
    Filed: July 24, 2020
    Publication date: January 27, 2022
    Inventors: Steven Robert Hetzler, Wayne C. Hineman, John Stewart Best
  • Publication number: 20220006613
    Abstract: A secret is sliced into a number of encrypted slices. The encrypted slices can be distributed amongst members of a group. The encrypted slices make recovery of the secret possible, but a group authority key is required for decryption. Thus, a number of slices are necessary, but still not sufficient, to recover the secret.
    Type: Application
    Filed: July 2, 2020
    Publication date: January 6, 2022
    Inventor: Steven Robert Hetzler
  • Patent number: 11210024
    Abstract: A computer-implemented method according to one embodiment includes initiating a read-modify-write (RMW) operation; assigning the RMW operation to a thread; identifying a storage device associated with the RMW operation; assigning a log block within the storage device to the thread; determining a free shadow block location within the storage device; creating a copy of data to be written to the storage device during the RMW operation; writing the copy of the data to the free shadow block location within the storage device; updating the log block within the storage device to point to the free shadow block location to which the copy of the data is written; and writing the data to one or more blocks of a home area of the storage device.
    Type: Grant
    Filed: December 16, 2019
    Date of Patent: December 28, 2021
    Assignee: International Business Machines Corporation
    Inventors: Zhenxing Han, Robert Michael Rees, Steven Robert Hetzler, Veera W. Deenadhayalan
  • Patent number: 11182249
    Abstract: A data storage system includes a plurality of data blocks. A set of data blocks are protected by an erasure correcting code and each of the data blocks in the set of data blocks includes block identification information. The data storage system includes a processor and logic integrated with the processor, executable by the processor, or integrated with and executable by the processor. The logic is configured to verify the block identification information for each of the data blocks in the set of data blocks at the time of read and, as part of reconstructing a data block, reconstruct the block identification information for the reconstructed data block, and verify the block identification information.
    Type: Grant
    Filed: June 24, 2020
    Date of Patent: November 23, 2021
    Assignee: International Business Machines Corporation
    Inventors: Mario Blaum, Steven Robert Hetzler
  • Patent number: 11175986
    Abstract: A computer-implemented method, according to one embodiment, includes: selecting strips from each storage unit for a given erasure code stripe such that the given erasure code stripe includes at most one strip from a high failure rate region of the respective storage unit, where each of the storage units includes high and low failure rate regions. The selected strips are organized such that a number of each strip in the given erasure code stripe is offset from the remaining strips by an amount that is greater than a total number of strips in the high failure rate regions. The organized selected strips are further mapped to form the given erasure code stripe such that the high failure rate regions on each storage unit are mapped to one or more sequentially numbered strips, and the low failure rate regions are mapped to additional sequentially numbered strips.
    Type: Grant
    Filed: July 1, 2020
    Date of Patent: November 16, 2021
    Assignee: International Business Machines Corporation
    Inventors: John Stewart Best, Steven Robert Hetzler