1. Field of the Invention
This invention is related to the field of computer systems and, more particularly, to data protection mechanisms for data systems.
2. Description of the Related Art
A data system may be defined as a generic term for any system that stores and manages access to data (e.g. files, records, etc.) typically stored or maintained on some type of logical or physical storage devices. Exemplary types of data systems may include, but are not limited to, file systems, databases, backup systems, and volume managers. A data system typically includes the data itself, typically stored on one or more of some type or types of logical and/or physical device, and data system metadata which references or describes the data, and which may also be stored on some type of logical or physical device, either with the data or on a separate device. The data and metadata, when set into a logical hierarchy, make up an organized, structured set of information. Data system software may provide the functionality needed to manage and access the data in the data system.
FIG. 1 illustrates an exemplary generic data system. Data system 110 may include data 114 stored on one or more storage devices 112. Storage devices 112 may include physical and/or logical devices. A storage device 112 may be any type of computer-accessible medium capable of storing data 114 including, but not limited to: storage media or memory media such as magnetic or optical media, stand-alone disk, RAID (Redundant Array of Independent Disks) systems, JBODs (Just a Bunch Of Disks, used to refer to disk cabinets that do not have a built-in RAID controller), any of one or more types of backup devices, including, but not limited to, various types of tape devices and optical storage devices, CD-ROM (CD, CD-R, or CD-RW), volatile or non-volatile media such as RAM (e.g. SDRAM, DDR, RDRAM, SRAM, etc.), ROM, Flash Memory, MEMS, etc. A data system 110 may include one or more types of storage devices 112. The type or types of storage devices 112 used in a data system 110 may depend on the characteristics or purposes of that particular data system 110. For example, a backup system may typically, but not necessarily, use some form of tape or optical storage device to store data.
Metadata 120 that references data 114 may also be stored on one or more of the storage devices 112. Metadata 120 may be a data structure or structures that may include, but is not limited to, definitions, descriptions, and location information for the data it references. Data system software 100 may provide the functionality needed to manage and access the data in the data system. (As used herein, the term data system software may be used to reference the software that provides the functionality needed to manage and access the data in the data system as well as any associated hardware needed to store and/or execute the data system software and/or that itself provides functionality for managing and accessing the data in the data system.) The data system software 100 may manage and access the data 114 in the data system 110 using the data system metadata 120 which references the data 114. There may be one or more levels of metadata 120 in a data system 110; for example, the data system software 100 may access a second level of metadata that directly references data 114 through a first level of metadata, which may include a table or index to elements in the second level of metadata. One or more applications 104 may store or access data 114 in the data system 110 via the data system software 100, which in turn may access the data 114 in the data system 110 using metadata 120 on behalf of the application(s) 104.
In many data systems, it may be necessary or desirable to protect at least some of the data in the data system. One mechanism for protecting data in a data system is encryption. Conventionally, encryption may be applied only to the data of a data system, or alternatively to the metadata and data of the data system. FIG. 2 illustrates an exemplary generic data system in which the data may be encrypted. FIG. 2 shows the metadata and data of a data system 110 as a logical hierarchy with two layers of metadata (metadata 120 and metadata 122) between data system software 100 and data 114. Some or all of data 114 may be encrypted to protect the data. Alternatively, data 114 and one or more layers of the metadata may be encrypted. Any of various types of encryption algorithms may be used to encrypt the metadata; the particular encryption algorithm used is not significant, but note that a particular encryption algorithm may be selected to match the requirements of the particular data system.
Encryption of data 114 may be expensive in terms of performance. The overhead introduced by performing encryption of data 114 during each storage to data system 110 and decryption of data 114 during each access of data from data system 110 may significantly impact the performance of data system 110, for example when providing access to data system 110 to application(s) 104.
File Systems
An exemplary type of data system is a file system. A file system may be defined as a collection of files and file system metadata (e.g., directories, inodes, inode lists, log files, object location tables, etc.) that, when set into a logical hierarchy, make up an organized, structured set of information. File systems may be mounted from a local system or remote system. File system software may include the system or application-level software that may be used to create, manage, and access file systems.
File system metadata may be defined as information that file system software maintains on files stored in the file system. File system metadata may include, but is not limited to, definitions and descriptions of the data it references. File system metadata may include one or more of, but is not limited to, inodes, directories, mapping information in the form of indirect blocks, superblocks, etc. Generally, file system metadata for a file includes path information for the file as seen from the application side and corresponding file system location information (e.g. device:block number(s)). File system metadata may itself be stored on a logical or physical device within a file system. A file system may use metadata (e.g., in an inode table or list, master file table, or object location table), which may itself be part of the data stored in the allocated extents, to track where each portion of each file is stored.
File systems may use data structures such as inodes or entries in master file tables to store file system metadata. The data structure may hold information about files in a file system (e.g. a Unix or Windows file system). There may be a data structure for each file, and a file may be uniquely identified by the file system on which it resides and its corresponding data structure on that system. A data structure for a file may include at least some of, but is not limited to, the following information: the device where the file resides, locking information, mode and type of file, the number of links to the file, the owner's user and group IDs, the number of bytes in the file, access and modification times, the time the data structure for the file itself was last modified and the addresses of the file's blocks on disk (and/or pointers to indirect blocks that reference the file blocks).
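The following added example (not part of the original text) reads the per-file metadata fields listed above through the standard stat interface on a Unix-like system and shows that two path names created as hard links resolve to the same (device, inode) pair, so a permission change made through one name is visible through the other. The file names and sample contents are constructed for the illustration.

```python
import os
import stat
import tempfile

SAMPLE = b"constructed sample data\n"  # constructed input, not from the source text

def inode_record(path):
    """Return the per-file metadata fields named above, as exposed by stat(2)."""
    st = os.lstat(path)
    return {
        "device": st.st_dev,          # device where the file resides
        "inode": st.st_ino,           # index of the file's data structure on that device
        "type": stat.S_IFMT(st.st_mode),
        "mode": stat.filemode(st.st_mode),
        "links": st.st_nlink,         # number of links (names) to the file
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,           # number of bytes in the file
        "atime_ns": st.st_atime_ns,
        "mtime_ns": st.st_mtime_ns,
        "ctime_ns": st.st_ctime_ns,   # on Unix: last change to the inode itself
    }

def demo():
    """Create a file and a hard link, then compare metadata seen via each name."""
    with tempfile.TemporaryDirectory() as d:
        a = os.path.join(d, "report.txt")
        b = os.path.join(d, "alias.txt")
        with open(a, "wb") as f:
            f.write(SAMPLE)
        before = inode_record(a)
        os.link(a, b)                 # second name, same inode
        os.chmod(a, 0o600)            # metadata-only change; file data untouched
        via_a, via_b = inode_record(a), inode_record(b)
        return {
            "same_identity": (via_a["device"], via_a["inode"])
                             == (via_b["device"], via_b["inode"]),
            "links_before": before["links"],
            "links_after": via_a["links"],
            "size_via_alias": via_b["size"],
            "mode_via_alias": via_b["mode"],
            "mtime_unchanged": before["mtime_ns"] == via_a["mtime_ns"],
        }

if __name__ == "__main__":
    print(demo())
```

The block addresses themselves are not exposed by this interface; only the fields shown are available to ordinary applications.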