1. Technical Field
This application relates to encrypting in deduplication systems.
2. Description of Related Art
Computer systems may include different resources used by one or more host processors. Resources and host processors in a computer system may be interconnected by one or more communication connections. These resources may include, for example, data storage devices such as those included in the data storage systems manufactured by EMC Corporation. These data storage systems may be coupled to one or more servers or host processors and provide storage services to each host processor. Multiple data storage systems from one or more different vendors may be connected and may provide common data storage for one or more host processors in a computer system.
A host processor may perform a variety of data processing tasks and operations using the data storage system. For example, a host processor may perform basic system I/O operations in connection with data requests, such as data read and write operations.
Host processor systems may store and retrieve data using a storage device containing a plurality of host interface units, disk drives, and disk interface units. The host systems access the storage device through a plurality of channels provided therewith. Host systems provide data and access control information through the channels to the storage device and the storage device provides data to the host systems also through the channels. The host systems do not address the disk drives of the storage device directly, but rather, access what appears to the host systems as a plurality of logical disk units. The logical disk units may or may not correspond to the actual disk drives. Allowing multiple host systems to access the single storage device unit allows the host systems to share data in the device. In order to facilitate sharing of the data on the device, additional software on the data storage systems may also be used.
Additionally, the need for high performance, high capacity information technology systems is driven by several factors. In many industries, critical information technology applications require outstanding levels of service. At the same time, the world is experiencing an information explosion as more and more users demand timely access to a huge and steadily growing mass of data including high quality multimedia content. The users also demand that information technology solutions protect data and perform under harsh conditions with minimal data loss and minimum data unavailability. Computing systems of all types are not only accommodating more data but are also becoming more and more interconnected, raising the amounts of data exchanged at a geometric rate.
To address this demand, modern data storage systems (“storage systems”) are put to a variety of commercial uses. For example, they are coupled with host systems to store data for purposes of product development, and large storage systems are used by financial institutions to store critical data in large databases. For many uses to which such storage systems are put, it is highly important that they be highly reliable and highly efficient so that critical data is not lost or unavailable.
Further, data is a vital business asset for any organization. Therefore, in today's highly inter-connected and mobile environment, the ability to collaborate securely is a must. Businesses need to protect and securely share information with shareholders, employees, partners and customers. Additionally, as more data is stored on the data storage systems, storage administrators must manage this escalating capacity of data while protecting important data against loss or theft. Deduplication and encryption are technologies that help manage this escalating capacity of data securely.
Deduplication is a space-saving technology intended to eliminate redundant (duplicate) data (such as files) on a data storage system. By saving only one instance of a file, disk space can be significantly reduced. For example, if a file of size 10 megabytes (MB) is stored in ten folders, one for each employee in an organization that has ten employees, then 100 megabytes (MB) of the disk space is consumed to maintain the same file of size 10 megabytes (MB). Deduplication ensures that only one complete copy is saved to a disk. Subsequent copies of the file are only saved as references that point to the saved copy, such that end-users still see their own files in their respective folders. Similarly, a storage system may retain 200 e-mails, each with an attachment of size 1 megabyte (MB). With deduplication, the disk space needed to store the attachments is reduced to just 1 megabyte (MB) from 200 megabytes (MB) because deduplication only stores one copy of the attachment.
Data deduplication can operate at a file or a block level. File deduplication eliminates duplicate files (as in the example above), but block deduplication processes blocks within a file and saves a unique copy of each block. For example, if only a few bytes of a document or presentation or a file are changed, only the changed blocks are saved. The changes made to a few bytes of the document or the presentation or the file do not constitute an entirely new file.
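The block-level behavior described above can be shown with a small store that keeps each unique block once and records files as lists of block references. This is an added example, not part of the original text; the 4096-byte fixed block size, the SHA-256 fingerprint, the DedupStore class and the file names are assumptions chosen for illustration.

```python
import hashlib

BLOCK_SIZE = 4096  # assumed fixed block size; the text does not specify one


class DedupStore:
    """Hypothetical block-level deduplicating store, for illustration only."""

    def __init__(self):
        self.blocks = {}  # fingerprint -> block bytes, each stored once
        self.files = {}   # file name -> ordered list of fingerprints

    def write(self, name, data):
        """Store a file and return how many new blocks had to be saved."""
        refs, new_blocks = [], 0
        for off in range(0, len(data), BLOCK_SIZE):
            block = data[off:off + BLOCK_SIZE]
            fp = hashlib.sha256(block).hexdigest()
            if fp not in self.blocks:      # unseen content: save the block
                self.blocks[fp] = block
                new_blocks += 1
            refs.append(fp)                # duplicates cost only a reference
        self.files[name] = refs
        return new_blocks

    def read(self, name):
        """Rebuild a file from its block references."""
        return b"".join(self.blocks[fp] for fp in self.files[name])

    def logical_bytes(self):
        """Bytes the users see across all files."""
        return sum(len(self.blocks[fp])
                   for refs in self.files.values() for fp in refs)

    def physical_bytes(self):
        """Bytes actually kept on disk."""
        return sum(len(b) for b in self.blocks.values())


def demo():
    store = DedupStore()
    # Constructed sample file: 8 blocks with distinct contents.
    original = b"".join(bytes([i]) * BLOCK_SIZE for i in range(8))
    first = store.write("alice/report.doc", original)
    copy = store.write("bob/report.doc", original)        # exact duplicate
    edited = bytearray(original)
    edited[5 * BLOCK_SIZE + 10:5 * BLOCK_SIZE + 14] = b"EDIT"  # change 4 bytes
    changed = store.write("bob/report-v2.doc", bytes(edited))
    return first, copy, changed, store.logical_bytes(), store.physical_bytes()
```

The duplicate copy adds no blocks and the four-byte edit adds exactly one, so three eight-block files occupy nine blocks on disk.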
However, the proliferation of data loss coupled with new governance and compliance regulations is driving the need for customers to encrypt their data as well. Encryption is a technology that is used to protect data and prevent unauthorized users from accessing information even if data is compromised or stolen. Encryption uses a mathematical algorithm with a unique key to encode data into a form that cannot be read. No one else can access or use the encrypted data until it is unencrypted again using either the identical key or a different decryption key. If the encryption/decryption key is lost or forgotten, any data encrypted with that key will be rendered inaccessible.
While deduplication systems have helped make data management much easier, they also come with a number of challenges. Deduplicating systems can only encrypt data that is at rest, which means that data has already been archived or copied to backup systems. Encrypting data at rest satisfies some aspects of internal governance rules and compliance regulations but exposes data to a risk of loss and theft until the time at which deduplicated data is encrypted. Encrypting data at rest also introduces the overhead of managing encryption/decryption keys in a data storage system.