File systems manage files and other data objects stored on computer systems. File systems were originally built into the computer operating system to facilitate access to files stored locally on resident storage media. As personal computers became networked, some file storage capabilities were offloaded from individual user machines to special storage servers that stored large numbers of files on behalf of the user machines. When a file was needed, the user machine simply requested the file from the server. In this server-based architecture, the file system is extended to facilitate management of and access to files stored remotely at the storage server over a network.
Today, file storage is migrating toward a model in which files are stored on various networked computers, rather than on a central storage server. One challenge faced in storing files on remote computers concerns controlling access to files that may be distributed over many different computers in a manner that allows an authorized user to access a file while at the same time ensuring that unauthorized users are prevented from accessing the file. A co-pending U.S. patent application Ser. No. 09/814,259, entitled “On-Disk File Format for a Serverless Distributed File System”, to inventors William J. Bolosky, Gerald Cermak, Atul Adya, and John R. Douceur describes a file format that provides such allowances and assurances. This application is hereby incorporated by reference.
In accordance with this file format, files are encrypted using a symmetric key, and then the symmetric key is encrypted with the public key of a public/private key pair corresponding to each user that is authorized to access the file. Thus, only the user with the correct private key is able to decrypt the symmetric key, which can then be used to decrypt the file. Although the security provided in systems employing this file format is very good, a problem that remains is that a significant amount of computational effort is involved in the use of public/private key encryption and decryption.
The invention addresses these problems and provides solutions that improve decryption performance and that are effective for distributed file systems, and in particular, serverless distributed file systems.
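The key-wrapping scheme described above (one symmetric file key, encrypted once per authorized user under that user's public key) can be sketched as follows. This is an added illustration, not code from the referenced application: the record layout, function names and HMAC tag are assumptions, and textbook RSA over Mersenne primes plus a SHA-256 keystream stand in for real public-key and symmetric ciphers.

```python
import hashlib, hmac, secrets

E = 65537  # public exponent shared by all toy keys

def make_keypair(p, q):
    """Textbook RSA from two primes; returns (n, d). Toy: no padding, weak keys."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def stream_xor(key, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def encrypt_file(plaintext, readers):
    """readers: {user: public modulus n}. One file key, one wrapped copy per reader."""
    file_key = secrets.token_bytes(16)
    body = stream_xor(file_key, plaintext)
    k = int.from_bytes(file_key, "big")
    return {"wrapped": {u: pow(k, E, n) for u, n in readers.items()},
            "body": body,
            "tag": hmac.new(file_key, body, hashlib.sha256).digest()}

def decrypt_file(record, user, n, d):
    """Unwrap this user's copy of the file key with private exponent d, then decrypt."""
    if user not in record["wrapped"]:
        raise PermissionError(f"{user} has no wrapped key in this file")
    k = pow(record["wrapped"][user], d, n)  # the costly private-key operation
    if k >> 128:
        raise PermissionError("unwrap produced no valid file key")
    file_key = k.to_bytes(16, "big")
    tag = hmac.new(file_key, record["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, record["tag"]):
        raise PermissionError("file key does not match this file")
    return stream_xor(file_key, record["body"])

# Constructed toy keys built from Mersenne primes (trivially factorable, demo only).
M = lambda e: 2**e - 1
ALICE = make_keypair(M(127), M(107))
BOB = make_keypair(M(89), M(61))
CAROL = make_keypair(M(521), M(607))

if __name__ == "__main__":
    rec = encrypt_file(b"constructed sample file contents", {"alice": ALICE[0], "bob": BOB[0]})
    print(decrypt_file(rec, "bob", *BOB))
```

Every open of a file costs the reader one private-key exponentiation in `decrypt_file`, which is the computational overhead the passage identifies.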