US Patent 8117464 Sub-volume level security for deduplicated data

A network storage server receives write requests from clients via a network and internally buffers data blocks written by the write requests. At a consistency point, the storage server commits the data blocks to nonvolatile mass storage. In the consistency point process, a storage operating system in the network storage server compresses the data blocks, encrypts selected data blocks, and stores the compressed and (possibly) encrypted data blocks in the nonvolatile mass storage facility. Data blocks can also be fingerprinted in parallel with compression and/or encryption, to facilitate deduplication. Data blocks can be indexed and classified according to content or attributes of the data. Encryption can be applied at different levels of logical container granularity, where a separate, unique cryptographic key is used for each encrypted data container. To facilitate deduplication, the system creates an additional, shared encryption key for each data block duplicated between two or more logical containers.