Encryption is the conversion of data into an encrypted form that is known as “cipher text” which is not easily understood by unauthorized personnel. Decryption is the conversion of the cipher text back into the original form of the data (i.e., plain text). Current file and volume encryption technology permits the storage of data into backup media (e.g., disk, tape or memory device) in the encrypted form so that the data is not comprehensible to unauthorized personnel. The encryption can be applied to individual files, or applied to the entire data in a volume that is formed by a physical storage disk. One example of a file and volume encryption technology is the HP-UX Encrypted Volume and File System (EVFS) which is commercially available in various products from Hewlett-Packard Company.
One limitation of current technology is that applications are required to be shut down and are not able to access volume data when the volume is being configured for storing the cipher text (encrypted text), when the data encryption key is being changed (re-keying), or when the volume is being reconverted for storing the plain text (decrypted text). When the volume is being configured for encryption, the following steps are required: (1) the application(s) that are using the volume are shut down, (2) the plain text data in the volume are backed up on a backup media (e.g., tape or disk), (3) the volume space is extended to create space for the encryption metadata, (4) the volume is initialized by writing the encryption metadata at the beginning of the volume, (5) the volume is brought online (enabled for encryption), (6) the plain text data are restored from the backup media to the volume as encrypted text, and (7) the applications(s) that were previously shut down are re-started. Similar steps above (e.g., backing up the volume data and restoring the volume data) are performed if the volume data is re-keyed (i.e., re-encrypted) or is converted from cipher text to plain text (decrypted text).
In computing environments with very large volumes (e.g., sizes of terabytes or petabytes), applications will need to be turned off for a significant amount of time (e.g., many hours or days) until the entire volume data is converted from plain text to cipher text. Furthermore, certain customer environments (e.g., financial service industry entities such as banks) have security policies that often require data to be re-encrypted regularly by using newly-generated data encryption keys, so that data security is maintained or increased. The enforcement or practice of such security polices results in a required down time for applications for each time data is re-encrypted using newly-generated data encryption keys. The regular shutdown of applications while the volume data is being regularly re-encrypted results in a longer downtime period that may not be acceptable for some customers (e.g., customers who use enterprise computing systems). Therefore, the current technology is subjected to at least the above constraints and deficiencies.