Abstract: The disclosed technology for a hardware system to access a secure backend system uses non-volatile memory to hold encrypted secrets, volatile memory to hold decrypted secrets ready for use, a keys-for-all (K4A) server, and app servers running K4A clients. To access the backend system in production, each app server uses a decrypted secret and a certificate that identifies the app server and certifies its role and physical and logical location. At initialization of the app server, a K4A client is instantiated that launches and tracks processes, running on the app server, that are authorized to request decryption services. The K4A client responds to a decryption request from an authorized process, determined based on tracking of processes launched, by requesting decryption by a K4A server, using the certificate, and returns to the process, in volatile memory, a decrypted secret or a reference to the decrypted secret, decrypted by the K4A server.

Abstract: The disclosed technology for a hardware system to access a secure backend system uses non-volatile memory to hold encrypted secrets, volatile memory to hold decrypted secrets ready for use, a keys-for-all (K4A) server, and app servers running K4A clients. To access the backend system in production, each app server uses a decrypted secret and a certificate that identifies the app server and certifies its role and physical and logical location. At initialization of the app server, a K4A client is instantiated that launches and tracks processes, running on the app server, that are authorized to request decryption services. The K4A client responds to a decryption request from an authorized process, determined based on tracking of processes launched, by requesting decryption by a K4A server, using the certificate, and returns to the process, in volatile memory, a decrypted secret or a reference to the decrypted secret, decrypted by the K4A server.

Abstract: A computer-implemented method for relocating deduplicated data within a multi-device storage system. The method may include identifying a set of deduplicated data units stored on a first device of the multi-device storage system. Each data unit in the set of data units is referred to by one or more deduplication references. The method may also include procuring reference data that indicates, for each data unit in the set of deduplicated data units, the number of deduplication references that point to the data unit. The method may further include using the reference data to select one or more data units from the set of deduplicated data units for relocation to a second device in the multi-device storage system and relocating the one or more data units to the second device in the multi-device storage system. Various other methods, systems, and computer-readable media are also disclosed.