US 11,782,611 B2
Logical storage device access using device-specific keys in an encrypted storage environment
Tomer Shachar, Omer (IL); Arieh Don, Newton, MA (US); Yevgeni Gehtman, Modi'in (IL); and Maxim Balin, Gan Yavne (IL)
Assigned to EMC IP Holding Company LLC, Hopkinton, MA (US)
Filed by EMC IP Holding Company LLC, Hopkinton, MA (US)
Filed on Apr. 13, 2021, as Appl. No. 17/229,153.
Prior Publication US 2022/0326861 A1, Oct. 13, 2022
Int. Cl. G06F 12/00 (2006.01); G06F 13/00 (2006.01); G06F 3/06 (2006.01)
CPC G06F 3/0623 (2013.01) [G06F 3/064 (2013.01); G06F 3/065 (2013.01); G06F 3/067 (2013.01); G06F 3/0622 (2013.01); G06F 3/0659 (2013.01); G06F 3/0683 (2013.01)] 20 Claims
OG exemplary drawing
 
1. An apparatus comprising:
at least one processing device comprising a processor coupled to a memory;
wherein the at least one processing device is configured:
to associate a first logical storage device of a storage system with a first host device, wherein data encrypted using a first key of the first host device is written to the first logical storage device, the first key being a device-specific key of the first logical storage device;
to generate a copy of the first logical storage device in the storage system;
to associate the copy of the first logical storage device with a second logical storage device of the storage system, wherein data encrypted using a second key of a second host device is written to the second logical storage device, the second key being a device-specific key of the second logical storage device; and
responsive to a request from the second host device for particular data of the second logical storage device, to determine if the particular data was encrypted using the first key or the second key, and to provide the second host device with the particular data and an indication of a result of the determination;
wherein the first key and the second key are utilized concurrently by the respective first host device and the second host device;
wherein the indication of the result of the determination comprises a storage access protocol status value sent by the storage system to the second host device to direct the second host device to decrypt the particular data using the first key or the second key, the storage access protocol status value being one of a first value and a second value different than the first value, the first value indicating that decryption of the particular data is to be performed using the first key and the second value different than the first value indicating that decryption of the particular data is to be performed using the second key; and
wherein the storage access protocol status value is generated in accordance with a specified response format of a same storage access protocol through which the first and second host devices generate write commands for writing the encrypted data to the respective first and second logical storage devices.