DETAILED ACTION
Claims 1-20 are presented for examination.

Notice of Pre-AIA or AIA Status
2.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Double Patenting
3.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

4.	Claims 1-20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of copending Application No. 16/397,661 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.


U.S. Patent Application No. 16/398,069
Claim 1
A system belonging to a cluster, the system comprising: 
a processing resource; and 
a machine readable medium storing instructions that, when executed by the processing resource, cause the processing resource to: 
encrypt data objects of a file system instance to generate encrypted data objects using a Data Encryption Key (DEK) specific to a security domain containing the file system instance, the DEK being wrapped by a Key Encryption Key (KEK) shared exclusively within the cluster, 
create on a backup node a backup of the file system instance comprising at least some of the encrypted data objects, and 
send the DEK wrapped by the KEK to the backup node with the backup, 
wherein the backup node cannot decrypt the backup unless the backup node belongs to the cluster and has access to the KEK to unwrap the DEK, and 
the file system instance hierarchically relates the encrypted data objects located at a leaf level to a root object through references to signatures calculated from the encrypted data objects.  

U.S. Patent Application No. 16/397,661
Claim 1
A system belonging to a cluster, the system comprising: 
a processing resource; and 
a machine readable medium storing instructions that, when executed by the processing resource, cause the processing resource to: 
encrypt data objects of a file system instance to generate encrypted data objects using a data encryption key (DEK) specific to a security domain containing the file system instance, the DEK being wrapped by a key encryption key (KEK) shared exclusively within the cluster, and the file system instance hierarchically relating the encrypted data objects located at a leaf level to a first root object through references to signatures of the encrypted data objects, 
encrypt the first root object using a first metadata encryption key (MEK), 
create on a node a backup of the file system instance comprising at least some of the encrypted data objects, and 
send the DEK and the first MEK to the node with the backup.

Claim Rejections - 35 USC § 103
5.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

6.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


7.	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

8.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Mueller (US 2017/0249467) hereinafter Mueller, in view of Pogde et al. (US 9,432,192) hereinafter Pogde.

In claim 1, Mueller discloses “A system belonging to a cluster, the system comprising: 
a processing resource; and 
a machine readable medium storing instructions that, when executed by the processing resource, cause the processing resource to: 
encrypt data objects of a file system instance to generate encrypted data objects using a Data Encryption Key (DEK) specific to a security domain containing the file system instance, the DEK being wrapped by a Key Encryption Key (KEK) shared exclusively within the cluster ([0038] FIG. 1 depicts an encryption key hierarchy for the file system.  Components 101 (FEK 1, FEK 2, and FEK 3) correspond to respective FEKs for file system objects.  Each of these FEKs is encrypted in turn by component 103, the MEK, resulting in locked keys. In such a system, file objects are encrypted with a unique FEK 101.  These FEKs 101 are then each encrypted with the universal MEK 103 to form locked keys.  The locked key for a file object is stored together with the file object on the backup server), 
create on a backup node a backup of the file system instance comprising at least some of the encrypted data objects ([0039] For a backup operation, file objects are generated on the client 201.  If a file object is to be encrypted, an associated FEK (101 in FIG. 1) is used for the encryption.  A locked key is then generated by encrypting the FEK 101 with the MEK (103 in FIG. 1)), and 
send the DEK wrapped by the KEK to the backup node with the backup ([0039] In a backup operation, the encrypted file is transmitted through the data storage server 203 to the backup system 205.  In the case that the file is encrypted, the locked key is transmitted together with the associated file)”.
Mueller does not appear to explicitly disclose the following limitations; however, Pogde discloses “wherein the backup node cannot decrypt the backup unless the backup node belongs to the cluster and has access to the KEK to unwrap the DEK (col. 7 lines 58-67, in order to decrypt a particular node, security manager 160 has to obtain an encryption key from its parent node, which is encrypted by a parent key of the parent node, and so on.  Therefore, in order to decrypt an entire tree representing a file, a directory of one or more files, or an entire file system, one has to obtain an encryption key of the root node of the tree.  Thus, the decryption process of a hierarchical tree is performed via a top-down approach, starting with root nodes 221-223 and ending with leaf nodes 251-255 of the hierarchical tree 300), and 
the file system instance hierarchically relates the encrypted data objects located at a leaf level to a root object through references to signatures calculated from the encrypted data objects (col. 5 lines 28-42, each of the nodes in the hierarchical tree is encrypted by security manager 160 using an encryption key that is generated based on content of the corresponding node (e.g., hashing of the content of the corresponding node).  Thus, each of the nodes in a hierarchical tree is encrypted using a different key.  The encryption key of a particular node (e.g., child node) is stored together with content of its parent node.  The encryption key of the child node and content of the parent node are then encrypted by a parent key, where the parent key is generated by security manager 160 based on content of the parent node (e.g., hashing of the content of the parent node), and so on.  In this embodiment, the encryption process of a hierarchical tree is performed via a bottom-up approach, starting with leaf nodes and ending with a root node of the hierarchical tree)”.
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Mueller and Pogde. The suggestion/motivation for doing so would have been to provide an improved secure method to store data by utilizing hierarchical encryption techniques (col. 2 lines 38-41).

In claim 2, Mueller teaches
The system of claim 1, wherein the backup node is remote to the cluster and does not have access to the KEK to unwrap the DEK ([0039] a backup operation, file objects are generated on the client 201.  If a file object is to be encrypted, an associated FEK (101 in FIG. 1) is used for the encryption.  A locked key is then generated by encrypting the FEK 101 with the MEK (103 in FIG. 1).  In a backup operation, the encrypted file is transmitted through the data storage server 203 to the backup system 205.  In the case that the file is encrypted, the locked key is transmitted together with the associated file).  

In claim 3, Pogde teaches
The system of claim 1, wherein internal objects of the file system instance between the root object and the encrypted data objects at the leaf level are unencrypted (col. 5 lines 40-42, the encryption process of a hierarchical tree is performed via a bottom-up approach, starting with leaf nodes and ending with a root node of the hierarchical tree).  

In claim 4, Pogde teaches
The system of claim 1, wherein the instructions that cause the processing resource to create the backup includes instructions that cause the processing resource to not send encrypted data objects for which respective signatures are found on the backup node (col. 11 lines 35-44, Fingerprints are mapped to a particular data object via metadata 1016, enabling the system to identify the location of the data object containing a data chunk represented by a particular fingerprint.  A fingerprint may be generated based on at least a portion of a data chunk, for example, by applying a predetermined mathematical algorithm (e.g., hash function) to at least a portion of the content of the data chunk.  When an active storage unit fails, metadata contained in another storage unit may be utilized to recover the active storage unit).  

In claim 5, Pogde teaches
The system of claim 1, wherein the machine readable medium stores instructions that cause the processing resource to deduplicate the encrypted data objects based on the signatures (col. 6 lines 9-15, Each upper level contains one or more references to one or more lower level segments.  In one embodiment, an upper level segment contains a fingerprint (e.g., metadata) of fingerprints of its child level segments.  Only the lowest level segments are the actual data segments containing the actual deduplicated segments), and 
wherein data objects having identical unencrypted content but belonging to different file system instances from different security domains are encrypted by different DEKs and are associated with different signatures, the different signatures causing the data objects having identical unencrypted content to not be deduplicated across the different security domains (col. 6 line 61-col. 7 line 4, A file tree is also referred to a fingerprint tree since it contains mostly fingerprints of the associated deduplicated segments.  In this example, a file tree can have up to 7 levels: L0, L6.  The L0 segments represent user data (e.g., actual data) and are the leaves of the tree.  The L6 is the root of the segment tree.  Segments from L1 to L6 are referred to as metadata segments or LP segments.  They represent the metadata of the file.  An L1 segment is an array of L0 references.  Similarly an L2 is an array of L1 references and so on.  A segment is considered live if it can be referenced by any live content in the file system).  

In claim 6, Pogde teaches
The system of claim 1, wherein the backup is deduplicated against a series of backups originating from the security domain based on signatures of objects of the file system instance and signatures of objects of the series of backups (col. 4 lines 40-47, when client 101 is about to transmit a data stream (e.g., a file or a directory of one or more files) to storage system 104, deduplication engine 151 is configured to deduplicate the data stream into deduplicated segments.  For each of the deduplicated segments, client 101 transmits a fingerprint of the deduplicated segment to storage system 104 to determine whether that particular deduplicated segment has already been stored in storage system 104).  

In claim 7, Mueller teaches
The system of claim 1, wherein the machine readable medium stores instructions that cause the processing resource to delete the DEK to cryptographically erase the file system instance and the backup ([0031] if the first module receives as an event a request for deletion of an encrypted object of the set of objects, the present method comprises changing the encryption state associated with said object to a state indicating the non-availability of an FEK for said object).
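
The key handling recited across claims 1, 4, 5 and 7 (per-domain DEK wrapped by a cluster KEK, signatures over ciphertext, signature-based deduplication, cryptographic erase), sketched as an added Python example that is not code from the application, Mueller or Pogde. The HMAC-based cipher is a toy stand-in for a real cipher and key-wrap algorithm, and every name and sample value is constructed for illustration.

```python
import hashlib, hmac, os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (HMAC-SHA256 in counter mode); a stand-in for a real cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, b"ks" + nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def encrypt_object(dek: bytes, plaintext: bytes) -> bytes:
    # Nonce derived from DEK and content: equal plaintexts under one DEK give
    # equal ciphertexts, so deduplication still works inside a security domain.
    nonce = hmac.new(dek, b"nonce" + plaintext, hashlib.sha256).digest()[:16]
    return nonce + _xor_stream(dek, nonce, plaintext)

def decrypt_object(dek: bytes, blob: bytes) -> bytes:
    return _xor_stream(dek, blob[:16], blob[16:])

def signature(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()   # computed over the encrypted object

def root_signature(leaf_sigs) -> str:
    # Root object references its leaves by signature (a one-level hash tree here).
    return signature("".join(leaf_sigs).encode())

def wrap_dek(kek: bytes, dek: bytes) -> bytes:
    nonce = os.urandom(16)
    body = _xor_stream(kek, nonce, dek)
    return nonce + body + hmac.new(kek, b"tag" + nonce + body, hashlib.sha256).digest()

def unwrap_dek(kek: bytes, wrapped: bytes) -> bytes:
    nonce, body, tag = wrapped[:16], wrapped[16:-32], wrapped[-32:]
    expected = hmac.new(kek, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("KEK cannot unwrap this DEK")
    return _xor_stream(kek, nonce, body)

class BackupNode:
    def __init__(self, kek: bytes):
        # kek is the cluster KEK for a member node, some other key for an outsider
        self.kek, self.objects, self.wrapped = kek, {}, {}

    def receive(self, domain: str, wrapped_dek: bytes, blobs) -> int:
        """Store a backup; return how many objects actually had to be sent."""
        self.wrapped[domain] = wrapped_dek
        new = {signature(b): b for b in blobs if signature(b) not in self.objects}
        self.objects.update(new)
        return len(new)

    def restore(self, domain: str, sig: str) -> bytes:
        dek = unwrap_dek(self.kek, self.wrapped[domain])   # fails without the cluster KEK
        return decrypt_object(dek, self.objects[sig])

    def crypto_erase(self, domain: str) -> None:
        # Assumption: every copy of the DEK, wrapped or not, is deleted.
        del self.wrapped[domain]   # ciphertext stays, but no key material remains
```
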

Claims 8-11 and 13-14 are essentially the same as claims 1, 4-5 and 6-7 except that they recite the claimed invention as a method and are rejected for the same reasons as applied hereinabove.

In claim 12, Pogde teaches
The method of claim 8, comprising compressing, by the processing resource, the data objects before the encrypting (col. 6 lines 38-42, the metadata (e.g., fingerprints) and the data section of the current level segments can be obtained from the identified container.  A container may contain metadata or fingerprints of all segments stored therein, where segments are compressed into a compression region).  

Claims 15-19 are essentially the same as claims 1, 4-5 and 7 except that they recite the claimed invention as a machine readable medium and are rejected for the same reasons as applied hereinabove.

In claim 20, Mueller teaches
The non-transitory machine readable medium of claim 15, further comprising instructions to delete the DEK to cryptographically erase the file system instance and a series of backups on the other computing system that are associated with the security domain ([0055] the EKEH module (325 in FIG. 3) registers encryption key events for files that are already backed-up.  The registered events are: CREATE (occurs if an encryption key is generated for a file system object--this means that the file system object was newly encrypted either because of the file system object being newly created, a change of its contents, or the encryption of an previously un-encrypted file system object.), CHANGE (occurs if an encryption key has changed for a file system object due to the MEK (103 in FIG. 3) being changed causing the FEKs (101 in FIG. 1) to be newly encrypted resulting in new locked keys), and DESTROY (occurs if an encryption key was deleted for a file system object--means file system object was decrypted).

Conclusion
9.	The prior art made of record and not relied upon, considered pertinent to applicant's disclosure, is listed on the 892 form.

Examiner’s Note: Examiner has cited particular figures, and paragraphs in the references as applied to the claims above for the convenience of the applicant.  Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well.  It is respectfully requested for the applicant, in preparing the responses, to fully consider the references in entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner.

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HUAWEN A PENG whose telephone number is (571)270-5215.  The examiner can normally be reached on Mon thru Fri 8 am to 4 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Boris Gorney can be reached on 571-270-5626.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HUAWEN A PENG/Primary Examiner, Art Unit 2158