A storage server is a computer that provides access to information (data) that is stored on one or more storage devices connected to the storage server, such as disk drives (“disks”), flash devices, or storage arrays. Each storage device may constitute a physical storage object of the storage server on which information is stored. The storage server also includes an operating system that may implement a storage abstraction layer to logically organize the information as logical storage objects on the physical storage objects (e.g., disks). With certain logical organizations, the storage abstraction layer may involve a file system which organizes information as a hierarchical structure of directories and data containers, such as files. Each file may be implemented as a set of data structures, e.g., disk blocks, configured to store information, such as the actual data for the file. The file system typically organizes such data blocks as a “logical volume” whereby each directory, file, and logical volume may constitute a logical storage object. With certain logical organizations, a file system may also constitute a logical storage object.
A storage server may be configured to operate according to a client/server model of information delivery to allow one or more clients access to data in logical storage objects (e.g., logical volumes) stored on the storage server. In this model, the client may comprise an application executing on a computer that “connects” to the storage server over a computer network, such as a point-to-point link, shared local area network, wide area network or virtual private network implemented over a public network, such as the Internet. A client may access the logical volumes by submitting access requests to the storage server, for example, a “write” request to store client data included in a request to disk or a “read” request to retrieve client data from disk.
Multiple storage servers may be networked or otherwise connected together as a storage system whereby data are securely stored by the storage servers to protect against possible unauthorized access to such data. To that end, data may be secured by a storage server transforming unencrypted data (cleartext) into encrypted data (ciphertext) destined for storage on the storage system. The transformation may be performed using an encryption key (also referred to as a key) which is a code or number that, when taken together with an encryption algorithm, defines a unique transformation used to encrypt or decrypt data. Storage containing encrypted data may thus be referred to as “secure storage” since data is not stored in its native form but rather in encrypted form. Secure storage may be implemented by encrypting data prior to being written to storage and decrypting data upon being read from storage.
To provide further security against unauthorized access, each of the storage objects constituting secure storage (e.g., logical volumes, disks) may be associated with its own encryption key for securing data of the storage object. As a result, unauthorized access to any one key exposes only the data of the storage object associated with that key. An encryption key may also be associated with yet another encryption key, referred to as a “passphrase,” which may be used to encrypt or decrypt the encryption key for added security when the encryption key itself is being stored. In order to track the associations (mappings) between the various keys and storage objects, a technique for managing key information may be implemented to coordinate the use of the keys with data of the storage objects or with other encrypted keys.
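The key hierarchy described in the two paragraphs above (one encryption key per storage object, a passphrase that encrypts each key while it is stored, a mapping from storage objects to keys, encryption on the write path and decryption on the read path) is shown below as an added example in Go. This is illustrative code written for this page, not code from the patent or from any NetApp product. Everything in it is an assumption of the example: the names SecureStore, NewSecureStore, CreateObject, EncryptBlock and DecryptBlock, the choice of AES-256-GCM for both key wrapping and data encryption, PBKDF2-HMAC-SHA256 with 100,000 iterations as the passphrase-to-key step, the "dek:" key-slot label, and the constructed passphrase and salt in main. It also goes one step beyond the text: each block's ciphertext is bound to its object name and block number through GCM's additional authenticated data, so a block copied to another location fails authentication on read.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // the OS CSPRNG failing is fatal for a key-handling component
	}
	return b
}

// deriveKEK stretches a passphrase into a 32-byte key-encrypting key with PBKDF2-HMAC-SHA256; one output block is 32 bytes, so this loop is the whole algorithm.
func deriveKEK(passphrase, salt []byte) []byte {
	mac := hmac.New(sha256.New, passphrase)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian index of the first (only) block
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < 100_000; i++ { // iteration count constructed for this example
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length gets here, and every key in this file is 32 bytes
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal returns nonce||ciphertext||tag; aad binds the record to its context (key slot or block address) so it fails unseal if moved.
func seal(gcm cipher.AEAD, aad, plaintext []byte) []byte {
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func unseal(gcm cipher.AEAD, aad, sealed []byte) ([]byte, error) {
	if len(sealed) < gcm.NonceSize() { // also catches the nil record returned for an unknown object
		return nil, fmt.Errorf("record missing or truncated")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// SecureStore is the server's encryption layer: one data-encryption key (DEK) per logical storage object, each stored only wrapped under the KEK.
type SecureStore struct {
	kek  cipher.AEAD       // derived from the passphrase at startup and held in memory only; never written out
	Keys map[string][]byte // object name -> wrapped DEK: the key mapping, safe to persist as is
}

func NewSecureStore(passphrase string, salt []byte) *SecureStore {
	return &SecureStore{kek: aeadFor(deriveKEK([]byte(passphrase), salt)), Keys: map[string][]byte{}}
}

// CreateObject gives a new storage object its own random DEK.
func (s *SecureStore) CreateObject(name string) {
	s.Keys[name] = seal(s.kek, []byte("dek:"+name), randomBytes(32))
}

// EncryptBlock runs on the write path and returns what reaches the disk; DecryptBlock reverses it on the read path.
// Both fail for an unknown object or a wrong passphrase; DecryptBlock also fails if the object name or block number changed.
func (s *SecureStore) EncryptBlock(name string, blockNo uint64, cleartext []byte) ([]byte, error) {
	dek, err := unseal(s.kek, []byte("dek:"+name), s.Keys[name])
	if err != nil {
		return nil, err
	}
	return seal(aeadFor(dek), []byte(fmt.Sprintf("%s#%d", name, blockNo)), cleartext), nil
}

func (s *SecureStore) DecryptBlock(name string, blockNo uint64, ciphertext []byte) ([]byte, error) {
	dek, err := unseal(s.kek, []byte("dek:"+name), s.Keys[name])
	if err != nil {
		return nil, err
	}
	return unseal(aeadFor(dek), []byte(fmt.Sprintf("%s#%d", name, blockNo)), ciphertext)
}

func main() {
	s := NewSecureStore("correct horse battery staple", []byte("constructed-salt")) // constructed values
	s.CreateObject("vol0")
	ct, _ := s.EncryptBlock("vol0", 7, []byte("client data"))
	pt, err := s.DecryptBlock("vol0", 7, ct)
	fmt.Printf("on disk: %x\nread back: %q (err=%v)\n", ct, pt, err)
}
```

Two design points carry over from the text. The Keys table is the key mapping the paragraph describes, and because every entry is wrapped it can be written to the same storage as the data; the KEK exists only in memory, so a server restarted with the right passphrase (and the same salt) can unwrap the table, while a wrong passphrase fails every unwrap rather than producing garbage. One caveat for anyone adapting this: GCM with random 96-bit nonces is only safe for a bounded number of encryptions per key (NIST SP 800-38D puts the limit at 2^32 invocations), which is one reason production disk encryption uses a tweakable mode such as XTS or derives the nonce from the block address instead of drawing it at random.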
With conventional storage systems, security operations involving cryptographic and key management tasks may be performed by, and coordinated between, dedicated processing systems networked or otherwise connected to the storage server. This configuration avoids the need for critical security operations to compete for resources of a single processing system when securing data of the storage server. One such exemplary configuration may involve a storage server connected to a cryptographic processing system such as a DataFort™ appliance offered by NetApp, Inc., of Sunnyvale, Calif., which receives cleartext and encrypted data from the storage server and returns encrypted and cleartext data to the storage server. Separately, a key manager such as a Lifetime Key Management™ appliance, also offered by NetApp, Inc., may store the keys and respond to key requests from the cryptographic processing system.
A primary concern with the conventional configuration, however, is the overhead of providing and managing the various processing systems used to secure data of the storage server. Establishing a secure connection between the dedicated processing systems, so that information is not unintentionally exposed across the network or connection port, may also require special expertise or skills on the part of the storage server's administrator. For instance, a secure connection may typically be achieved through a complex exchange of information between the various systems to ensure that an authorized user is interfacing with each of them. In addition, it may be cumbersome to access the dedicated, and possibly remote, system each time a cryptographic operation is performed or key information is otherwise requested by the storage server. Doing so may tie up limited system resources such as network bandwidth and slow storage system performance, delaying the servicing of client access requests.
Finally, in certain cases, the administrator may need to implement additional security measures to further ensure the security of data stored by the storage server. When such measures are carried out by a configuration involving separate processing systems, the administrator must manually invoke the operations at each of the various systems, a burdensome task for the administrator. Manual invocation may also delay the implementation of potentially critical security measures.