Abstract: A computer-implemented method includes receiving, by a storage system, encrypted data and a set of key identifiers. Each key identifier is associated with information specifying a storage location for which the key identifier is authorized. The method also includes storing, by the storage system, the encrypted data in at least one storage location and receiving, by the storage system, at least one key identifier of the set of key identifiers with a data access request. The method includes determining, by the storage system, whether the data access request is authorized for the at least one key identifier.

Abstract: A method, system, and computer program product for key in lockbox encrypted data deduplication are provided. The method collects a set of deduplication information by a host in communication with a storage system via a communications network. A fingerprint is generated for a data chunk to be stored on a storage system. The method encrypts the data chunk using a first encryption key to generate an encrypted data chunk. The fingerprint is encrypted with a second encryption key to generate an encrypted fingerprint. The method encrypts the first encryption key with a third encryption key to generate a first encrypted key. The method encrypts the first encryption key with a fourth encryption key to generate a second encryption key. A data package is generated for transmission to the storage system. The method transmits the data package to the storage system.

Abstract: A system includes an authenticated encryption layer comprising logic configured to encrypt data received at the authenticated encryption layer from an authorized application at a source node. The data is encrypted using a first key to obtain first encrypted data. The logic is configured to encrypt the first encrypted data using a second key to obtain second encrypted data and generate a watermark for the first encrypted data and/or a watermark for the second encrypted data. The logic is configured to generate a watermark token for the first encrypted data and/or a watermark token for the second encrypted data.

Abstract: According to one embodiment, a computer-implemented method includes receiving an object to be stored within a storage library, computing a hash value, utilizing the object, determining a storage location within the storage library to store the hash value, and sending the hash value to the storage location and neighbor locations of the storage location within the storage library.

Abstract: A computer-implemented method includes computing a fingerprint of a data chunk, encrypting the fingerprint with a fingerprint key, and encrypting the data chunk with a base key and the encrypted fingerprint. The method also includes encrypting the encrypted fingerprint with a user key to generate a doubly encrypted fingerprint and sending the encrypted data chunk and the doubly encrypted fingerprint to a storage system. The storage system does not have access to the base key, the fingerprint key and the user key. A computer-implemented method includes computing a fingerprint of a data chunk and encrypting the data chunk with a base key and the fingerprint. The method also includes encrypting the fingerprint with a user key and sending the encrypted data chunk and the encrypted fingerprint to a storage system. The storage system does not have access to the base key and the user key.

Abstract: A computer-implemented method includes receiving, by a storage system, encrypted data and a set of key identifiers. Each key identifier is associated with information specifying a storage location for which the key identifier is authorized. The method also includes storing, by the storage system, the encrypted data in at least one storage location and receiving, by the storage system, at least one key identifier of the set of key identifiers with a data access request. The method includes determining, by the storage system, whether the data access request is authorized for the at least one key identifier.

Abstract: One embodiment provides a system including a computer processor, a computer-readable hardware storage device, and program code embodied with the computer-readable hardware storage device for execution by the computer processor to implement a method that includes receiving a selection of a first blob for reclamation from a first data center. The first blob includes multiple erasure code groups. A first message is sent to a second data center indicating the first blob is to be reclaimed. A global reclamation complete message is received from the second data center. The global reclamation complete message indicates a second blob in the second data center has been reclaimed. The first data center and the second data center each maintain local blob occupancy information.

Abstract: A method, system, and computer program product for key in lockbox encrypted data deduplication are provided. The method collects a set of deduplication information by a host in communication with a storage system via a communications network. A fingerprint is generated for a data chunk to be stored on a storage system. The method encrypts the data chunk using a first encryption key to generate an encrypted data chunk. The fingerprint is encrypted with a second encryption key to generate an encrypted fingerprint. The method encrypts the first encryption key with a third encryption key to generate a first encrypted key. The method encrypts the first encryption key with a fourth encryption key to generate a second encryption key. A data package is generated for transmission to the storage system. The method transmits the data package to the storage system.

Abstract: A computer-implemented method includes sending key group information to a storage system. The key group information includes keyID information for client data keys in the key group. The client data keys enable deduplication of data chunks encrypted in any of the client data keys in the key group. The method also includes generating deduplication information. The deduplication information includes fingerprints associated with chunks of client data. The method also includes encrypting the data chunks with one of the client data keys, wherein a corresponding decryption key for the encrypted data chunks is not available to the storage system. The method includes sending the deduplication information to the storage system for use in a deduplication process by the storage system and sending the encrypted data chunks to the storage system.

Abstract: A computer-implemented method includes sending key group information to a storage system. The key group information includes keyID information for client data keys in the key group. The client data keys enable deduplication of data chunks encrypted in any of the client data keys in the key group. The method also includes generating deduplication information. The deduplication information includes fingerprints associated with chunks of client data. The method also includes encrypting the data chunks with one of the client data keys, wherein a corresponding decryption key for the encrypted data chunks is not available to the storage system. The method includes sending the deduplication information to the storage system for use in a deduplication process by the storage system and sending the encrypted data chunks to the storage system.

Abstract: One embodiment provides a system including a computer processor, a computer-readable hardware storage device, and program code embodied with the computer-readable hardware storage device for execution by the computer processor to implement a method that includes receiving a selection of a first blob for reclamation from a first data center. The first blob includes multiple erasure code groups. A first message is sent to a second data center indicating the first blob is to be reclaimed. A global reclamation complete message is received from the second data center. The global reclamation complete message indicates a second blob in the second data center has been reclaimed. The first data center and the second data center each maintain local blob occupancy information.

Abstract: One embodiment provides a system including a computer processor, a computer-readable hardware storage device, and program code embodied with the computer-readable hardware storage device for execution by the computer processor to implement a method that includes selecting a first blob for reclamation from a first data center. The first blob includes multiple erasure code groups. A first message is sent to a second data center indicating the first blob is to be reclaimed. A second message is sent to the second data center after reclaiming the first blob in the first data center. A global reclamation complete message is received from the second data center. The global reclamation complete message indicates a second blob in the second data center has been reclaimed. The global reclamation complete message is sent in response to the second data center receiving a local reclamation complete message from a third data center.

Abstract: According to one embodiment, a computer-implemented method includes receiving an object to be stored within a storage library, computing a hash value, utilizing the object, determining a storage location within the storage library to store the hash value, and sending the hash value to the storage location and neighbor locations of the storage location within the storage library.

Abstract: A controller including an object aggregator process that combines multiple data objects into a data segment, and transfers the data segment with reduced location metadata to storage media of at least one of multiple storage units. An erasure coder process generates code to encode the data segment into an erasure code that protects against concurrent data loss in the multiple storage units based on data reconstruction using a first responder, a second responder and a last responder.

Abstract: One embodiment provides a system including a computer processor, a computer-readable hardware storage device, and program code embodied with the computer-readable hardware storage device for execution by the computer processor to implement a method that includes selecting a first blob for reclamation from a first data center. The first blob includes multiple erasure code groups. A first message is sent to a second data center indicating the first blob is to be reclaimed. A second message is sent to the second data center after reclaiming the first blob in the first data center. A global reclamation complete message is received from the second data center. The global reclamation complete message indicates a second blob in the second data center has been reclaimed. The global reclamation complete message is sent in response to the second data center receiving a local reclamation complete message from a third data center.

Abstract: One embodiment provides a method for reclaiming free space. The method comprises selecting a first blob for reclamation from a first data center; sending a first message to a second data center indicating the first blob is to be reclaimed; sending a second message to the second data center after reclaiming the first blob; receiving a global reclamation complete message from the second data center; reading at least one data set from the first blob; and storing in a write buffer the at least one data set for encoding into a erasure code group in an alternative blob in the first data center. Further, upon receipt of the global reclamation message from the second data center, indicating the first blob is free in the map in the first data center. In one embodiment, selecting the first blob is based on the map indicating free space in the first data center.

Abstract: A controller including an object aggregator process that combines multiple data objects into a data segment, and transfers the data segment with reduced location metadata to storage media of at least one of multiple storage units. An erasure coder process generates code to encode the data segment into an erasure code that protects against concurrent data loss in the multiple storage units based on data reconstruction using a first responder, a second responder and a last responder.

Abstract: A data storage structure, comprising: a plurality of storage units, each comprising: a storage media; and a library executive configured to manage the storage media. The structure further comprises a buffer connected to a controller, the controller comprising: a host interface configured to receive the instruction from the host machine; an object aggregator configured to combine the plurality of data objects into a data segment; a persistent write buffer configured to store the data segment; a persistent map configured to identify a location of each of the plurality of objects in the data segment; an erasure coder configured to encode the data segment into an erasure code; a destager configured to transfer the data segment from the persistent write buffer to the storage media in a given storage unit; and a library controller configured to communicate with the library executive in the given storage unit.

Abstract: Embodiments of the invention relate to receiving a write request that includes a write data and an address of a target block in tertiary storage. In response to the write request, a write-miss is detected at a cache located in persistent storage. Based on detecting the write-miss, the write data and associated metadata are written to a fast write storage location and the write request is marked as complete. In addition, the target block is retrieved from the address in the tertiary storage and stored in the cache. Contents of the fast write storage location are merged with the contents of the target block in the cache.

Abstract: A data storage structure, comprising: a plurality of storage units, each comprising: a storage media; and a library executive configured to manage the storage media. The structure further comprises a buffer connected to a controller, the controller comprising: a host interface configured to receive the instruction from the host machine; an object aggregator configured to combine the plurality of data objects into a data segment; a persistent write buffer configured to store the data segment; a persistent map configured to identify a location of each of the plurality of objects in the data segment; an erasure coder configured to encode the data segment into an erasure code; a destager configured to transfer the data segment from the persistent write buffer to the storage media in a given storage unit; and a library controller configured to communicate with the library executive in the given storage unit.