CPC G06F 21/6218 (2013.01) [G06F 16/152 (2019.01); H04L 9/0891 (2013.01); G06F 2221/2141 (2013.01)]
14 Claims

1. A computer-implemented method of blocking access to files encrypted with a compromised encryption key, comprising:
maintaining a map of encryption keys and ranges of containers encrypted by respective encryption keys;
receiving an indication that an encryption key is compromised as a compromised key;
fencing a container range corresponding to data segments encrypted by the compromised key to prevent deduplication operations on the data segments;
making a point-in-time copy of the filesystem managing the data segments, wherein each file of the file system is represented as a Merkle tree storing fingerprints of data using a hashing method and having a root level and one or more hierarchical lower levels;
iteratively inspecting, from the lowest level to a highest level, each container in each level of the file trees of the files to identify containers having segments encrypted by the compromised key for a corresponding level; and
marking files corresponding to the identified containers as not readable to block the access to the files encrypted with the compromised key,
wherein data is processed as part of a deduplication backup process executed by a data storage server,
and wherein the backup process looks up the fingerprints in a hash table constituting an index to determine if the fingerprints exist or do not exist within the hash table, and if not, compressing and encrypting corresponding data segments into compression regions for storing in the containers,
and further wherein a bitmap correlates a container identifier (ID) with a respective encryption key ID, and fingerprints contained in each container referenced by a container ID to tabulate all the fingerprints of the containers as the bitmap,
and further comprising marking an entry in the bitmap for each fingerprint of an identified container having segments encrypted by the compromised key, as an impacted fingerprint.
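The fencing and level-by-level inspection recited in claim 1, sketched as an added example; it is not code from the patent or its assignee. The dict-based key map, container table, per-file level lists, the integer used as a bitmap, and all sample IDs are assumptions constructed for illustration.

```python
import copy

# Constructed sample state; all names and values are assumptions for illustration.
KEY_MAP = {"k1": [(0, 1)], "k2": [(2, 3)]}   # key ID -> container ID ranges
CONTAINERS = {                               # container ID -> fingerprints it stores
    0: ["a0", "a1"], 1: ["m1", "x9"],
    2: ["b0", "m2"], 3: ["r1", "r2", "m3", "r3"],
}
FILES = {  # file -> Merkle tree levels, lowest (data segments) first, root last
    "f1": [["a0", "a1"], ["m1"], ["r1"]],
    "f2": [["b0"], ["m2"], ["r2"]],
    "f3": [["a1", "b0"], ["m3"], ["r3"]],    # shares deduplicated segment a1 with f1
}

def in_ranges(cid, ranges):
    return any(lo <= cid <= hi for lo, hi in ranges)

def build_index(containers):
    """Fingerprint -> container ID (the deduplication index)."""
    return {fp: cid for cid, fps in containers.items() for fp in fps}

def dedup_lookup(fp, index, fenced):
    """Ingest-time lookup: a hit inside a fenced range is reported as a miss,
    so new data is never deduplicated against compromised segments."""
    cid = index.get(fp)
    return None if cid is None or in_ranges(cid, fenced) else cid

def block_compromised(key_id, key_map, containers, files):
    fenced = list(key_map[key_id])            # fence the key's container range
    index = build_index(containers)
    bit = {fp: i for i, fp in enumerate(sorted(index))}  # bitmap slot per fingerprint
    snapshot = copy.deepcopy(files)           # point-in-time copy to inspect
    bitmap, unreadable = 0, set()
    depth = max(len(levels) for levels in snapshot.values())
    for level in range(depth):                # lowest level first, root last
        for name, levels in snapshot.items():
            for fp in levels[level] if level < len(levels) else []:
                cid = index[fp]
                if in_ranges(cid, fenced):    # container holds compromised segments
                    for hit in containers[cid]:
                        bitmap |= 1 << bit[hit]   # mark impacted fingerprint
                    unreadable.add(name)      # file must be blocked from reads
    impacted = {fp for fp, i in bit.items() if (bitmap >> i) & 1}
    return fenced, impacted, unreadable
```

With key `k1` reported compromised, file `f3` is blocked as well as `f1`: although `f3` was written later, it references the deduplicated segment `a1` that sits in a fenced container.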