Lamassu: Storage-Efficient Host-Side Encryption

Similar documents
Lamassu: Storage-Efficient Host-Side Encryption

COS 318: Operating Systems. NSF, Snapshot, Dedup and Review

Encrypted Data Deduplication in Cloud Storage

Rio-2 Hybrid Backup Server

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into

Secure Data De-Duplication With Dynamic Ownership Management In Cloud Storage

OPERATING SYSTEM. Chapter 12: File System Implementation

Storage and File Hierarchy

COS 318: Operating Systems

Chapter 11: Implementing File Systems

Chapter 12: File System Implementation

Deploying Software Defined Storage for the Enterprise with Ceph. PRESENTATION TITLE GOES HERE Paul von Stamwitz Fujitsu

Chapter 10: File System Implementation

Deduplication Storage System

V. File System. SGG9: chapter 11. Files, directories, sharing FS layers, partitions, allocations, free space. TDIU11: Operating Systems

GlusterFS Architecture & Roadmap

OPERATING SYSTEMS II DPL. ING. CIPRIAN PUNGILĂ, PHD.

Chapter 12: File System Implementation. Operating System Concepts 9 th Edition

Software-defined Storage: Fast, Safe and Efficient

Chapter 12: File System Implementation

COS 318: Operating Systems. Journaling, NFS and WAFL

SMORE: A Cold Data Object Store for SMR Drives

Week 12: File System Implementation

CHAPTER 11: IMPLEMENTING FILE SYSTEMS (COMPACT) By I-Chen Lin Textbook: Operating System Concepts 9th Ed.

A New Key-value Data Store For Heterogeneous Storage Architecture Intel APAC R&D Ltd.

CS307: Operating Systems

Chapter 11: Implementing File

Chapter 11: Implementing File Systems. Operating System Concepts 9 9h Edition

ENCRYPTED DATA MANAGEMENT WITH DEDUPLICATION IN CLOUD COMPUTING

Security features for UBIFS. Richard Weinberger sigma star gmbh

Backup Solution. User Guide. Issue 01 Date

Strata: A Cross Media File System. Youngjin Kwon, Henrique Fingler, Tyler Hunt, Simon Peter, Emmett Witchel, Thomas Anderson

CA485 Ray Walshe Google File System

Cloud Computing CS

Don t stack your Log on my Log

EMC VNX2 Deduplication and Compression

Current Topics in OS Research. So, what s hot?

Nasuni UniFS a True Global File System

Distributed File Systems II

Software Defined Storage at the Speed of Flash. PRESENTATION TITLE GOES HERE Carlos Carrero Rajagopal Vaideeswaran Symantec

Remote Data Checking for Network Codingbased. Distributed Storage Systems

Improving I/O Bandwidth With Cray DVS Client-Side Caching

High-Performance Transaction Processing in Journaling File Systems Y. Son, S. Kim, H. Y. Yeom, and H. Han

RestFS. Fabrizio Manfredi Furuholmen" Beolink.org!

Introducing Tegile. Company Overview. Product Overview. Solutions & Use Cases. Partnering with Tegile

Introduction. File System Design for an NFS File Server Appliance. Introduction: WAFL. Introduction: NFS Appliance 4/1/2014

Update for TF-Storage. TF-Storage September 22nd, 2014

Operating Systems CMPSC 473 File System Implementation April 10, Lecture 21 Instructor: Trent Jaeger

Cascade Mapping: Optimizing Memory Efficiency for Flash-based Key-value Caching

Cloud FastPath: Highly Secure Data Transfer

TIBX NEXT-GENERATION ARCHIVE FORMAT IN ACRONIS BACKUP CLOUD

Integrity Checking in Cryptographic File Systems with Constant Trusted Storage

[537] RAID. Tyler Harter

Example Implementations of File Systems

Architecting Storage for Semiconductor Design: Manufacturing Preparation

Filesystem. Disclaimer: some slides are adopted from book authors slides with permission

ZBD: Using Transparent Compression at the Block Level to Increase Storage Space Efficiency

Storage and File System

LevelDB-Raw: Eliminating File System Overhead for Optimizing Performance of LevelDB Engine

Staggeringly Large Filesystems

EI 338: Computer Systems Engineering (Operating Systems & Computer Architecture)

Implementation and Performance Evaluation of RAPID-Cache under Linux

Speeding Up Cloud/Server Applications Using Flash Memory

Offloaded Data Transfers (ODX) Virtual Fibre Channel for Hyper-V. Application storage support through SMB 3.0. Storage Spaces

Using Cohesity with Amazon Web Services (AWS)

Chapter 12: File System Implementation

Deduplication and Incremental Accelleration in Bacula with NetApp Technologies. Peter Buschman EMEA PS Consultant September 25th, 2012

CloudSky: A Controllable Data Self-Destruction System for Untrusted Cloud Storage Networks

COS 318: Operating Systems. File Systems. Topics. Evolved Data Center Storage Hierarchy. Traditional Data Center Storage Hierarchy

-Presented By : Rajeshwari Chatterjee Professor-Andrey Shevel Course: Computing Clusters Grid and Clouds ITMO University, St.

What is a file system

ECE 598 Advanced Operating Systems Lecture 19

Advanced Systems Security: Virtual Machine Systems

STORAGE LATENCY x. RAMAC 350 (600 ms) NAND SSD (60 us)

January 28-29, 2014 San Jose

Intel Software Guard Extensions (Intel SGX) Memory Encryption Engine (MEE) Shay Gueron

The Linux Kernel Cryptographic API

Authenticated Storage Using Small Trusted Hardware Hsin-Jung Yang, Victor Costan, Nickolai Zeldovich, and Srini Devadas

Storage Performance Validation for Panzura

See what s new: Data Domain Global Deduplication Array, DD Boost and more. Copyright 2010 EMC Corporation. All rights reserved.

Secure Key Management and Data Privacy on z/tpf

HPE SimpliVity. The new powerhouse in hyperconvergence. Boštjan Dolinar HPE. Maribor Lancom

416 Distributed Systems. Distributed File Systems 1: NFS Sep 18, 2018

Presented by: Alvaro Llanos E

The CephFS Gateways Samba and NFS-Ganesha. David Disseldorp Supriti Singh

Azor: Using Two-level Block Selection to Improve SSD-based I/O caches

Clustering. RNA-seq: What is it good for? Finding Similarly Expressed Genes. Data... And Lots of It!

Storage Systems for Shingled Disks

DATA PROTECTION FOR THE CLOUD

Google File System. Arun Sundaram Operating Systems

DELL EMC DATA DOMAIN ENCRYPTION

Oracle Secure Backup 12.1 Technical Overview

Ming Ming Wong Jawad Haj-Yahya Anupam Chattopadhyay

Functional Partitioning to Optimize End-to-End Performance on Many-core Architectures

SCONE: Secure Linux Container Environments with Intel SGX

Resilient IoT Security: The end of flat security models

Petal and Frangipani

LOAD BALANCING AND DEDUPLICATION

FaRM: Fast Remote Memory

The Google File System

Transcription:

Lamassu: Storage-Efficient Host-Side Encryption Peter Shah, Won So Advanced Technology Group 9 July, 2015 1 2015 NetApp, Inc. All rights reserved.

Agenda 1) Overview 2) Security 3) Solution Architecture 4) Experimental Results 5) Conclusion 2 2015 NetApp, Inc. All rights reserved.

Overview Architectural Goals 1) Enable external / untrusted storage Public Clouds, etc. 3 2015 NetApp, Inc. All rights reserved.

Overview Architectural Goals 1) Enable external / untrusted storage Public Clouds, etc. 2) Provide data security Restrict trust domain 4 2015 NetApp, Inc. All rights reserved.

Overview Architectural Goals 1) Enable external / untrusted storage Public Clouds, etc. 2) Provide data security Restrict trust domain 5 2015 NetApp, Inc. All rights reserved.

Overview Architectural Goals 1) Enable external / untrusted storage Public Clouds, etc. 2) Provide data security Restrict trust domain 3) Preserve storage deduplication Use convergent encryption Focus on block-oriented deduplication 6 2015 NetApp, Inc. All rights reserved.

Overview Architectural Goals 1) Enable external / untrusted storage Public Clouds, etc. 2) Provide data security Restrict trust domain Lamassu 3) Preserve storage deduplication Use convergent encryption Focus on block-oriented deduplication 4) Work with existing applications Transparent addition No changes to app or storage systems Self-contained* 7 2015 NetApp, Inc. All rights reserved.

Security Encryption Model 8 2015 NetApp, Inc. All rights reserved.

Convergent Encryption (CE) Equality-Preserving Encryption For any given plain text, convergent encryption will always produce the same cipher text. 9 2015 NetApp, Inc. All rights reserved.

Convergent Encryption Message-Locked Encryption (MLE) For any given plain text, convergent encryption will always produce the same cipher text. Most common form: Key derived from data Hash Block Key Data Block AES Cipher Text Message-locked encryption path 10 2015 NetApp, Inc. All rights reserved.

Convergent Encryption Message-Locked Encryption (MLE) For any given plain text, convergent encryption will always produce the same cipher text. Most common form: Key derived from data Block Key Data Block AES Cipher Block Message-locked decryption path 11 2015 NetApp, Inc. All rights reserved.

Convergent Encryption Message-Locked Encryption (MLE) For any given plain text, convergent encryption will always produce the same cipher text. Most common form: Key derived from data Block Key Data Block AES Cipher Block Message-locked decryption path 12 2015 NetApp, Inc. All rights reserved.

Convergent Encryption Key Storage For any given plain text, convergent encryption will always produce the same cipher text. Most common form: Key derived from data Hash Block Key? Data Block AES Cipher Block 13 2015 NetApp, Inc. All rights reserved.

Convergent Encryption Key Storage For any given plain text, convergent encryption will always produce the same cipher text. Most common form: Key derived from data Secret Key Hash Block Key AES Non-convergent Data Block AES Cipher Block 14 2015 NetApp, Inc. All rights reserved.

Metadata Storage Key Storage Architecture 15 2015 NetApp, Inc. All rights reserved.

Keys as Metadata Transparent Key Management Treat per-block hash-keys as file metadata Potentially hundreds, or thousands per file File Data Keys 16 2015 NetApp, Inc. All rights reserved.

Keys as Metadata Transparent Key Management Treat per-block hash-keys as file metadata Potentially hundreds, or thousands per file Store keys inside each file Preserve transparency Allow external storage to copy, rename, etc. File Data Stored 17 2015 NetApp, Inc. All rights reserved.

Keys as Metadata Transparent Key Management Treat per-block hash-keys as file metadata Potentially hundreds, or thousands per file Store keys inside each file Preserve transparency Allow external storage to copy, rename, etc. Separate data from metadata Keep keys from polluting duplicate blocks Keep added data from breaking block alignment File Data Stored 18 2015 NetApp, Inc. All rights reserved.

Keys as Metadata Transparent Key Management Treat per-block hash-keys as file metadata Potentially hundreds, or thousands per file Store keys inside each file Preserve transparency Allow external storage to copy, rename, etc. Separate data from metadata Keep keys from polluting duplicate blocks Keep added data from breaking block alignment File Data Stored 19 2015 NetApp, Inc. All rights reserved.

File Structure Logical File Layout Segment 0 Segment 1 Segment 2 Segment n Fixed-Size Segment 20 2015 NetApp, Inc. All rights reserved.

File Structure Logical File Layout Segment 0 Segment 1 Segment 2 Segment n Fixed-Size Segment Physical Offset 0 Metadata Data 0 Data 1 Data 2 Data m Logical Offset 0 Fixed-Size Data Block 21 2015 NetApp, Inc. All rights reserved.

File Structure Logical File Layout Segment 0 Segment 1 Segment 2 Segment n Fixed-Size Segment Physical Offset 0 Metadata Data 0 Data 1 Data 2 Data m Logical Offset 0 Fixed-Size Data Block Meta Slot 0 Slot 1 Slot 2 Slot m Key Table Slot 22 2015 NetApp, Inc. All rights reserved.

Metadata Consistency Crash Detection and Recovery Data and metadata must be in sync Depends on underlying storage to prevent partial writes 23 2015 NetApp, Inc. All rights reserved.

Metadata Consistency Crash Detection and Recovery Data and metadata must be in sync Depends on underlying storage to prevent partial writes Starting State N Block N 24 2015 NetApp, Inc. All rights reserved.

Metadata Consistency Crash Detection and Recovery Data and metadata must be in sync Depends on underlying storage to prevent partial writes Starting State N Block N Update Block Block N N 25 2015 NetApp, Inc. All rights reserved.

Metadata Consistency Crash Detection and Recovery Data and metadata must be in sync Depends on underlying storage to prevent partial writes Starting State N Block N Update Block Block N N Write Meta N N Block N 26 2015 NetApp, Inc. All rights reserved.

Metadata Consistency Crash Detection and Recovery Data and metadata must be in sync Depends on underlying storage to prevent partial writes Starting State N Block N Update Block Block N N Write Meta N N Block N Write Data N N Block N 27 2015 NetApp, Inc. All rights reserved.

Metadata Consistency Crash Detection and Recovery Data and metadata must be in sync Depends on underlying storage to prevent partial writes Starting State N Block N Update Block Block N N Write Meta N N Block N Write Data N N Block N Stale keys are cleaned up during subsequent metadata updates 28 2015 NetApp, Inc. All rights reserved.

Results Storage Efficiency & Performance 29 2015 NetApp, Inc. All rights reserved.

Overview Prototype Implementation Application FUSE Lamassu Key Manager VFS Network Linux Kernel NFS Remote Storage System 30 2015 NetApp, Inc. All rights reserved.

Comparison with other Systems Benchmarking Strategy 1) PlainFS FUSE-based (pass-through) 31 2015 NetApp, Inc. All rights reserved.

Comparison with other Systems Benchmarking Strategy 1) PlainFS FUSE-based (pass-through) 2) EncFS FUSE-based Provides AES encryption 32 2015 NetApp, Inc. All rights reserved.

Comparison with other Systems Benchmarking Strategy 1) PlainFS FUSE-based (pass-through) 2) EncFS FUSE-based Provides AES encryption 3) LamassuFS FUSE-based Provides AES encryption Provides convergent encryption 33 2015 NetApp, Inc. All rights reserved.

Deduplication Results Comparison of Deduplication Ratios 100 Relative data size after deduplication (%) 90 80 70 60 50 PlainFS EncFS LamassuFS 40 10 20 30 40 50 Percentage of redundancy in raw data 34 2015 NetApp, Inc. All rights reserved.

Deduplication Results Comparison of Deduplication Ratios 100 Relative data size after deduplication (%) 90 80 70 60 50 PlainFS EncFS LamassuFS 40 10 20 30 40 50 Percentage of redundancy in raw data 35 2015 NetApp, Inc. All rights reserved.

Singe File I/O Throughput Comparison with other FUSE systems using remote NFS storage 150 125 I/O Bandwidth 100 75 50 PlainFS EncFS LamassuFS 25 0 seq-write seq-read rand-write rand-read rand-rw 36 2015 NetApp, Inc. All rights reserved.

Single File I/O Throughput Comparison with other FUSE systems using local DRAM storage 1000 I/O Bandwidth 100 PlainFS EncFS LamassuFS 10 seq-write seq-read rand-write rand-read rand-rw 37 2015 NetApp, Inc. All rights reserved.

Conclusions Recap and Observations Strong security on shared storage Uses standard encryption techniques Preserves storage-based deduplication Transparent to both application and storage Easy to deploy Flexible user-mode architecture Can integrate with other host-side technologies 38 2015 NetApp, Inc. All rights reserved.

Conclusions Recap and Observations Strong security on shared storage Uses standard encryption techniques Preserves storage-based deduplication Transparent to both application and storage Easy to deploy Flexible user-mode architecture Can integrate with other host-side technologies Special Thanks James Kelley Questions? 39 2015 NetApp, Inc. All rights reserved.

Thank You 40 2015 NetApp, Inc. All rights reserved.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback