论文信息 - Lamassu: Storage-Efficient Host-Side Encryption

Lamassu: Storage-Efficient Host-Side Encryption

Many storage customers are adopting encryption solutions to protect critical data. Most existing encryption solutions sit in, or near, the application that is the source of critical data, upstream of the primary storage system. Placing encryption near the source ensures that data remains encrypted throughout the storage stack, making it easier to use untrusted storage, such as public clouds. Unfortunately, such a strategy also prevents downstream storage systems from applying content-based features, such as deduplication, to the data. In this paper, we present Lamassu, an encryption solution that uses block-oriented, host-based, convergent encryption to secure data, while preserving storage-based data deduplication. Unlike past convergent encryption systems, which typically store encryption metadata in a dedicated store, our system transparently inserts its metadata into each file's data stream. This allows us to add Lamassu to an application stack without modifying either the client application or the storage controller. In this paper, we lay out the architecture and security model used in our system, and present a new model for maintaining metadata consistency and data integrity in a convergent encryption environment. We also evaluate its storage efficiency and I/O performance by using a variety of microbenchmarks, showing that Lamassu provides excellent storage efficiency, while achieving I/O throughput on par with similar conventional encryption systems.

Won So | Peter Shah | W. So | P. Shah

[1] Brian Warner,et al. Tahoe: the least-authority filesystem , 2008, StorageSS '08.

[2] Matt Blaze,et al. A cryptographic file system for UNIX , 1993, CCS '93.

[3] Erez Zadok,et al. Cryptfs: A Stackable Vnode Level Encryption File System , 1998 .

[4] Silvio Micali,et al. How to play ANY mental game , 1987, STOC.

[5] Michael Austin,et al. eCryptfs : An Enterprise-class Cryptographic Filesystem for Linux , 2005 .

[6] Giuseppe Cattaneo,et al. Design and Implementation of a Transparent Cryptographic File System for Unix , 2007 .

[7] Marvin Theimer,et al. Reclaiming space from duplicate files in a serverless distributed file system , 2002, Proceedings 22nd International Conference on Distributed Computing Systems.

[8] Mihir Bellare,et al. DupLESS: Server-Aided Encryption for Deduplicated Storage , 2013, USENIX Security Symposium.

[9] Michael Austin Halcrow. eCryptfs: An Enterprise-class Encrypted Filesystem for Linux , 2010 .

[10] Jim Guilford Kirk Yap Vinodh Gopal. Fast SHA-256 Implementations on Intel ® Architecture Processors , 2012 .

[11] Darrell D. E. Long,et al. Secure data deduplication , 2008, StorageSS '08.

[12] Mihir Bellare,et al. Message-Locked Encryption and Secure Deduplication , 2013, EUROCRYPT.

[13] Refik Molva,et al. ClouDedup: Secure Deduplication with Encrypted Data for Cloud Storage , 2013, 2013 IEEE 5th International Conference on Cloud Computing Technology and Science.