DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The Amendment filed 10/21/2021 has been received and considered.
Claims 1-20 are pending.
This action is Final.
Information Disclosure Statement
2.	The information disclosure statements (IDS) submitted on 10/28/2021 and 01/27/2022 have been considered. The submission are in compliance with the provisions of 37 CFR 1.97. Accordingly, initialed and dated copies of the Applicant’s IDS forms 1449 filed on 10/28/2021 and 01/27/2022 are attached to this office action. 
Response to Arguments
3.	Applicant's arguments filed 10/21/2021 have been fully considered but they are not persuasive. Applicant argues that regarding independent claims 1, 11 and 20, O’Hare in view of Prahlad fails to teach “determining partial data to be encrypted in the to-be-stored data, to obtain first target data and a remaining portion of the to-be-stored data”
	With respect to this argument, as disclosed below, O’Hare in paragraph [0043] discloses resulting data shares include a random distribution of the original data set where one or more distinct shares are generated using any random or pseudo-random technique (e.g., a random or pseudo-random key). In paragraph [0045]-[0048] the process for determining distinct portions by parsing the data and encrypting the data shares. Therefore, the remaining portion of the to-be-stored data and the encrypted data is included in the resulting data share as a random distribution of the original data set.
encrypting the first target data according to a first key provided by an encryption chip connected to the gateway”
With respect to this argument, as disclosed below, O’Hare in paragraph [0045]-[0048] the process for determining distinct portions by parsing the data and encrypting the data shares using a secure data parser. The secure data parser system may be implemented using hardware and/or software and may further include or interface with one or more data storage facilities. Paragraph [0194] discloses a key manager, at the enterprise premises, sharing an encryption key with the cloud gateway and file server where each data file and/or cluster block is encrypted at the gateway and cryptographically split into data shares. The key manager is utilized by the secure data parser for key generation or retrieval. Furthermore, paragraph [0152] discloses an example infrastructure of an enterprise network including the key manager utilized to manage various types of keys (including session keys, splitting keys, encryption keys, authentication tokens/keys, etc.) for managing or securing the enterprise data. Therefore, data shares are encrypted using a key provided by a key manager of a secure data parser system connected to the gateway. 

Applicant further argues that regarding independent claims 1, 11 and 20, O’Hare in view of Prahlad fails to teach “generating second target data by replacing the first target data in the to-be-stored data with the first ciphertext, the second target data comprising the first ciphertext and the remaining portion of the to-be-stored data”
With respect to this argument, as disclosed below O’Hare in paragraph [0124] discloses computing a hash on the resulting ciphertext. The data packet or data block may then be partitioned into two or more data shares using one of the data parsing algorithms the data packet or data block may be parsed so that each data share contains a substantially random distribution of the encrypted data 
Therefore, O’Hare in view of Prahlad teaches the claimed limitations of amended claims 1, 11 and 20 and thereby the dependent claims. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



4.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over US Pub No. US 2016/014747 A1 to O’Hare, (hereinafter, “O’Hare”) in view of US Pub. No. US 2010/0332401 A1 to Prahlad, (hereinafter, “Prahlad”), as disclosed in IDS submitted on 04/02/2017.

As per claims 1, 11 and 20, O’Hare teaches a hybrid-cloud data storage method, a gateway, and a non-transitory computer readable storage medium storing a plurality of machine readable instructions in connection with a gateway, respectively, applied to a gateway having one or more processors and memory storing a plurality of programs to be executed by the one or more processors, the method comprising: 
; determining partial data to be encrypted in the to-be-stored data, to obtain first target data and a remaining portion of the to-be-stored data (O’Hare, [0043] “the resulting shares may include a substantially random distribution of the original data set. As used herein, a substantially random distribution of data refers to generating one or more distinct shares from an original data set where at least one of the shares is generated using one or more random or pseudo-random techniques, random or pseudo-random information (e.g., a random or pseudo-random key), or any combination thereof.” And para. [0045] “The secure data parser 100 receives data to be secured 102 and passes the data to a pre-processor 104 that may perform any combination of pre-processing operations on the received data 102, such as encrypting the data, adding integrity information (e.g., a hash) to the data, and adding authentication information to the data. The pre-processing may alternatively or additionally involve accessing and/or generating one or more keys or other information used by the secure data parser 100. The one or more keys may be any suitable key(s) for generating distinct portions of data from an original data set and/or any suitable key for other operations described herein that are performed by the secure data parser 100.”);
encrypting the first target data according to a first key provided by an encryption chip connected to the gateway (O’Hare, para. [0045] “The secure data parser 100 receives data to be secured 102 and passes the data to a pre-processor 104 that may perform any combination of pre-processing operations on the received data 102, such as encrypting the data, adding integrity information (e.g., a hash) to the data, and adding authentication information to the data. The pre-processing may alternatively or additionally involve accessing and/or generating one or more keys or other information used by the secure data parser 100. The one or more keys may be any suitable key(s) for generating distinct portions of data from an original data set and/or any suitable key for other operations described herein that are performed by the secure data parser 100.” And para. [0046] “After any desired pre-processing, the (optionally transformed) data 102 and any additional information, such as any suitable keys, are passed to a data parser 106. Data parser 106 may parse the received data to generate one or more shares from the data 102 using any of the parsing techniques described herein. The data parser 106 may use any suitable key for data parsing.” And para. [0194] “the local gateway 2002 may send encrypted data to a cloud file server 2006 in the private or public enterprise cloud 2005. The cloud gateway 2008 may in turn distribute cryptographically split data to geo-separated cloud storage locations 2011-2013. Specifically, a key manager 2030 at the enterprise premises may share an encryption key with the cloud gateway 2008 in the cloud file server 2006. In this way, a two-level encryption mechanism may be implemented, e.g., each data file and/or cluster block is locally encrypted at gateway 2002, and is subsequently cryptographically split into data shares at the cloud gateway 2008.”);
obtaining a first ciphertext obtained after the first target data is encrypted; generating second target data by replacing the first target data in the to-be-stored data with the first ciphertext, the second target data comprising the first ciphertext and the remaining portion of the to-be-stored data; generating a data slice corresponding to the second target data (O’Hare, para. [0124] “After header generation is complete (e.g., using simplified header generation process 900), the secure data parser may enter the data partitioning phase using simplified data parsing process 910. Each incoming data packet or data block in the stream is encrypted using the encryption key, K, at step 912. At step 914, share integrity information (e.g., a hash H) may be computed on the resulting ciphertext from step 912. For example, a SHA-256 hash may be computed. At step 916, the data packet or data block may then be partitioned into two or more data shares using one of the data parsing algorithms described above. In some embodiments, the data packet or data block may be parsed so that each data share contains a substantially random distribution of the encrypted data packet or data block. The integrity information (e.g., hash H) may then be appended to each data share. An optional post-authentication tag (e.g., MAC) may also be computed and appended to each data share in some embodiments.” And para. [0179] “when a change is detected in a cluster block module 1508, at process 1511, the data block/cluster block with the change is compressed and cryptographically split at process 1512. The result of this operation is written to the upload directory as an upload block/cluster block at 1514. Upon confirmation that the upload block/cluster block has been written, the gateway controller 1513 may change the state of the data block/cluster block to an “uploaded” state at 1516.”); and 
transmitting the data slice corresponding to the second target data to a public cloud for storage (O’Hare, para. [0127] “As shown in illustrative share format 1000 of FIG. 10, header block 1002 may be associated with two or more output blocks 1004. Each header block, such as header block 1002, may be designed to fit within a single network data packet. In some embodiments, after header block 1002 is transmitted from a first location to a second location, the output blocks may then be transmitted. Alternatively, header block 1002 and output blocks 1004 may be transmitted at the same time in parallel. The transmission may occur over one or more similar or dissimilar communications paths.” And para. [0128] “Each output block may include data portion 1006 and integrity/authenticity portion 1008. As described above, each data share may be secured using a share integrity portion including share integrity information (e.g., a SHA-256 hash) of the encrypted, pre-partitioned data. To verify the integrity of the outputs blocks at recovery time, the secure data parser may compare the share integrity blocks of each share and then invert the parse algorithm. The hash of the recovered data may then be verified against the share hash.”).
O’Hare teaches all the limitations of claims 1, 11 and 20 above, however fails to explicitly teach but Prahlad teaches: 
encrypting the first target data according to a first key (Prahlad, para. [0122] “a cloud storage site API may provide a command to encrypt a file located on the cloud storage site using an encryption method that does not result in the cloud storage site receiving a key (or does not result in the cloud storage site receiving or retaining other information sufficient to decrypt an encrypted file). For example, a cloud storage site API may permit storing encrypted data belonging to a client on a cloud storage site, together with an encrypted version of the encryption key that was used to encrypt the encrypted data.” And para. [0407] “FIG. 29 illustrates a process 2900 for encrypting files stored within a cloud storage site 115A-N. The process may be performed by cloud storage submodule 236, or any other suitable system component. The process begins at block 2910, when cloud storage submodule 236 receives a request to encrypt a file located on a target cloud storage site. For example, cloud storage submodule 236 may receive an indication of which target files within a target cloud storage site should be encrypted. Cloud storage submodule 236 may also receive an indication of which encryption method should be utilized, one or more encryption keys and/or additional information.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Prahlad’s data storage operations with a cloud storage environment into O’Hare’s gateway for cloud-based secure storage, with a motivation to store and/or manage credentials or other authorization and connection information (e.g., site configuration settings, login information, certificates, etc.) that permit the cloud storage submodule to perform storage operations on a cloud storage (Pahlad, para. [0125]). 

As per claims 2 and 12, the combination of O’Hare and Pahlad teach the hybrid-cloud data storage method according to claim 1 and the gateway according to claim 11, respectively, wherein the determining partial data to be encrypted in the to-be-stored data, to obtain first target data comprises: 
determining a size of the partial data to be encrypted in the to-be-stored data, and determining a corresponding position of the partial data to be encrypted in the to-be-stored data (O’Hare, para. [0171] “a cluster block includes a group of data blocks that are written or transmitted together to (or retrieved or received together from) the cloud simultaneously. According to one implementation, the size of a cluster block (e.g., how many data blocks are to be grouped into a single cluster block) may be dynamically adjusted, or configured periodically, intermittently, or per user request. A cluster block may include any number of data blocks (e.g., one block, five blocks, ten blocks, or several hundred data blocks, etc.), and may have any suitable size (e.g., 2 MB, 5 MB, 10 MB, 100 MB, etc.). The size of a cluster block may also be adjusted based on the type of data, an average file size for a particular client computer system, etc. The size of the cluster block may also be adjusted based on system performance feedback, e.g., whether the existing cluster block size is too large, which leads to read/write operation latency, or whether the existing cluster block size is too small such that the frequent remote read/write operations may be burdensome to the system.); and 
determining the partial data to be encrypted in the to-be-stored data according to the size and the position, and using the partial data as the first target data (Prahlad, para. [0162] “FIG. 5C illustrates a data structure 520 for the metadata file 504. The data structure 520 consists of one or more stream headers 522 and stream data 524. The stream header 522 describes a data object contained in an "N" file 506 or an "S" file 508 (e.g., its location, its size, an offset within the file, etc.). The stream data 524 contains the pointer to the data object contained in the "N" file 506 or the "S" file 508. For example, the pointer may give its location within the "N" file 506 or the "S" file 508. The location of the data object may be given by offsets within the "N" file 506 or the "S" file 508. For example, its location may be given by a starting offset, and its length or size. As another example, its location may be given by a starting offset and an ending offset. As previously mentioned, the data object may be in an "S" file 508 in another chunk folder, and the stream data 524 would point to this "S" file in the other chunk folder (e.g., give its location in the "S" file in the other chunk folder). Each time the deduplication module 299 places a data object in the "S" file 508, the deduplication module 299 adds a stream header 522 and corresponding stream data 524 to the metadata file 504.”).
(Pahlad, para. [0125]). 
As per claims 3 and 13, the combination of O’Hare and Pahlad teach the hybrid-cloud data storage method according to claim 2 and the gateway according to claim 12, respectively, wherein the determining a corresponding position of the partial data to be encrypted in the to-be-stored data comprises: 
determining a corresponding intra-block address offset of the partial data to be encrypted in the to-be-stored data; and the generating second target data comprising the first ciphertext according to the first ciphertext comprises: overwriting the first ciphertext to an original position of the first target data in the to- be-stored data according to the intra-block address offset, to obtain the second target data (Prahlad, para. [0162] “FIG. 5C illustrates a data structure 520 for the metadata file 504. The data structure 520 consists of one or more stream headers 522 and stream data 524. The stream header 522 describes a data object contained in an "N" file 506 or an "S" file 508 (e.g., its location, its size, an offset within the file, etc.). The stream data 524 contains the pointer to the data object contained in the "N" file 506 or the "S" file 508. For example, the pointer may give its location within the "N" file 506 or the "S" file 508. The location of the data object may be given by offsets within the "N" file 506 or the "S" file 508. For example, its location may be given by a starting offset, and its length or size. As another example, its location may be given by a starting offset and an ending offset. As previously mentioned, the data object may be in an "S" file 508 in another chunk folder, and the stream data 524 would point to this "S" file in the other chunk folder (e.g., give its location in the "S" file in the other chunk folder). Each time the deduplication module 299 places a data object in the "S" file 508, the deduplication module 299 adds a stream header 522 and corresponding stream data 524 to the metadata file 504.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Prahlad’s data storage operations with a cloud storage environment into O’Hare’s gateway for cloud-based secure storage, with a motivation to store and/or manage credentials or other authorization and connection information (e.g., site configuration settings, login information, certificates, etc.) that permit the cloud storage submodule to perform storage operations on a cloud storage (Pahlad, para. [0125]). 

As per claims 4 and 14, the combination of O’Hare and Pahlad teach the hybrid-cloud data storage method according to claim 2 and the gateway according to claim 12, respectively, wherein the obtaining a first ciphertext obtained after the first target data is encrypted comprises: 
transmitting the first target data to the connected encryption chip; and obtaining the first ciphertext from the encryption chip, the first ciphertext being generated by the encryption chip by encrypting the target data according to the stored first key (O’Hare, para. [0127] “As shown in illustrative share format 1000 of FIG. 10, header block 1002 may be associated with two or more output blocks 1004. Each header block, such as header block 1002, may be designed to fit within a single network data packet. In some embodiments, after header block 1002 is transmitted from a first location to a second location, the output blocks may then be transmitted. Alternatively, header block 1002 and output blocks 1004 may be transmitted at the same time in parallel. The transmission may occur over one or more similar or dissimilar communications paths.” And para. [0128] “Each output block may include data portion 1006 and integrity/authenticity portion 1008. As described above, each data share may be secured using a share integrity portion including share integrity information (e.g., a SHA-256 hash) of the encrypted, pre-partitioned data. To verify the integrity of the outputs blocks at recovery time, the secure data parser may compare the share integrity blocks of each share and then invert the parse algorithm. The hash of the recovered data may then be verified against the share hash.” And para. [0136] “Storing data shares and/or key shares across different clouds may provide enhanced data security. In addition to storing data in the cloud, one or more data shares, key shares, or keys may be stored on local storage, such as local memory 1124 of user system 1120 or a local memory of user device 1130, and one or more data shares, key shares, or keys may be stored on removable storage (e.g., a USB memory), such as removable storage 1126 or removable storage 1136 which may be for example.”).

As per claims 5 and 15, the combination of O’Hare and Pahlad teach the hybrid-cloud data storage method according to claim 4 and the gateway according to claim 14, respectively,  further comprising: 
retrieving a setting table (Prahlad, para. [0293] “prior to storing data from the blocks to a different data store, the cloud gateway 1540 may encrypt and/or compress data as described previously with respect to FIG. 3B. The cloud gateway may create, generate, update, and/or include an allocation table, (such as a table for the data store) that tracks the transferred data and the data that was not transferred. The table may include information identifying the original data blocks for the data, the name of the data object (e.g., file name), the location of any transferred data blocks (including, e.g., offset information), and so on. The location of the transferred data blocks may comprise a URL to a file located on cloud storage site 115A-N. For example, Table 3 provides entry information.”); and 
(Prahlad, para. [0299] “the cloud gateway 1540 transfers data within the identified sub-objects from the data store to a media agent 1770, to be stored in a different data store. The cloud gateway may perform some or all of the processes described with respect to FIG. 1 when transferring the data to the media agent. For example, the cloud gateway may review a storage policy assigned to the data store and select a media agent based on instructions within the storage policy. In step 1925, the system optionally updates an allocation table, such as a FAT for a file system associated with the cloud gateway, to indicate the data blocks that no longer contain data and are now free to receive and store data from the file system.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Prahlad’s data storage operations with a cloud storage environment into O’Hare’s gateway for cloud-based secure storage, with a motivation to store and/or manage credentials or other authorization and connection information (e.g., site configuration settings, login information, certificates, etc.) that permit the cloud storage submodule to perform storage operations on a cloud storage (Pahlad, para. [0125]). 
As per claims 6 and 16, the combination of O’Hare and Pahlad teach the hybrid-cloud data storage method according to claim 5 and the gateway according to claim 15, respectively, wherein the determining a size of the partial data to be encrypted in the to-be-stored data comprises: 
determining the size of the partial data to be encrypted in the to-be-stored data that is recorded in the setting table; and the determining a corresponding position of the partial data to be encrypted in the to- be-stored data comprises: determining the corresponding position of the partial data to be encrypted in the to-be- stored data that is recorded in the setting table (Prahlad, para.  [0296] “The division component may perform different processes when determining how to divide a data object. For example, the division component may include indexing, header, and other identifying information or metadata in a first sub-object, and include the payload in other sub-objects. The division component may identify and/or retrieve file format or schema information from an index, FAT, NFS, or other allocation table in the file system to determine where certain sub-objects of a data object reside (such as the first or last sub-object of a large file). The division component may follow a rules-based process when dividing a data object, where the rules may define a minimum or maximum data size for a sub-object, a time of creation for data within a sub-object, a type of data within a sub-object”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Prahlad’s data storage operations with a cloud storage environment into O’Hare’s gateway for cloud-based secure storage, with a motivation to store and/or manage credentials or other authorization and connection information (e.g., site configuration settings, login information, certificates, etc.) that permit the cloud storage submodule to perform storage operations on a cloud storage (Pahlad, para. [0125]).
As per claims 7 and 17, the combination of O’Hare and Pahlad teach the hybrid-cloud data storage method according to claim 5 and the gateway according to claim 15, respectively, further comprising: 
triggering to perform the operation of determining partial data to be encrypted in the to-be-stored data, in a case that the setting table indicates that the to-be-stored data is to be partially encrypted (Prahlad, para.  [0296] “The division component may perform different processes when determining how to divide a data object. For example, the division component may include indexing, header, and other identifying information or metadata in a first sub-object, and include the payload in other sub-objects. The division component may identify and/or retrieve file format or schema information from an index, FAT, NFS, or other allocation table in the file system to determine where certain sub-objects of a data object reside (such as the first or last sub-object of a large file). The division component may follow a rules-based process when dividing a data object, where the rules may define a minimum or maximum data size for a sub-object, a time of creation for data within a sub-object, a type of data within a sub-object”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Prahlad’s data storage operations with a cloud storage environment into O’Hare’s gateway for cloud-based secure storage, with a motivation to store and/or manage credentials or other authorization and connection information (e.g., site configuration settings, login information, certificates, etc.) that permit the cloud storage submodule to perform storage operations on a cloud storage (Pahlad, para. [0125]). 
As per claim 8, the combination of O’Hare and Pahlad teach the hybrid-cloud data storage method according to claim 5, further comprising: 
obtaining a second ciphertext obtained after the to-be-stored data is encrypted, in a case that the setting table indicates that the to-be-stored data is to be completely encrypted, the to-be-stored data being encrypted according to a second key provided by the encryption chip connected to the gateway (O’Hare, para. [0174] “When one or more of the cluster blocks are sent from the local cache to a cloud-based storage device 1405a-c, the cloud interface library 1409 may apply a second cryptographic operation on the already secured cluster blocks from the local cache memory using, for example, a second encryption key different from the first encryption key. The first encryption key and the second encryption key, as managed by the key manager 1411, may be stored at the same or different storage locations from the storage location of the respective cluster block(s). At the cloud interface library 1409, each cluster block may be distributed in a number of data shares, and the data shares 1406a-c are stored by the one or more remote storage devices 1405a-c.”); and 
generating a data slice corresponding to the second ciphertext according to the second ciphertext, and transmitting the data slice to the public cloud for storage (O’Hare, para. [0175] “the cloud interface library 1409 may split each cluster block into a plurality of secondary data units, and cause each secondary data unit to be placed into one of the number of data shares. The secondary data units may be placed into shares using a key generated, for example, based on a random or pseudo-random number. The splitting may be performed in a manner such that each cluster block may be restorable by recombining a subset less than all of the secondary data units from the number of data shares 1406a-c. The split key may be stored and/or managed by the key manager 1411.”).

As per claims 9 and 18, the combination of O’Hare and Pahlad teach the hybrid-cloud data storage method according to claim 8 and the gateway according to claim 17, respectively, wherein the obtaining a second ciphertext obtained after the to-be-stored data is encrypted comprises: 
determining whether the second key requested from the encryption chip last time is within a set life cycle; obtaining the second key in a case that the second key is within the set life cycle, and encrypting the to-be-stored data according to the second key, to obtain the second ciphertext (O’Hare, para. [0177] “The block device 1506 (e.g., similar to the block device layer 1403 in FIG. 14) may then receive the write operation request and pass the write request to a device mapper 1507 to direct the write request to the cluster block module 1508 (e.g., similar to the transparent block device 1408 in FIG. 14). The device mapper 1507 translates the block I/O into file I/O using a block map that reads and writes blocks into sequential cluster blocks. For example, the device mapper 1507 obtains a write operation request that is associated with a data file, and then may translate identifying information of the data file to identifying information (e.g., sequential identifiers, etc.) of one or more cluster blocks that represent the data file and that are stored in the storage volume. A block map may be used by the device mapper 1507, which may include mapping information between a data file and the associated cluster blocks. For instance, the block map may map one or more data files to a specific cluster block when the specific cluster block includes data blocks from the one or more data files. Or alternatively, the block map may map a data file to one or more cluster blocks when the one or more cluster blocks includes data blocks from the data file.” And para. [0203] “At step 2404, the gateway manger may request a second capture of a state of one or more cluster blocks stored by the one or more remote storage devices at the timestamp. The one or more cluster blocks are related to one or more data files stored with the local file system. For example, the one or more cluster blocks may include a part an entirety of a data file that is currently stored, or has been previously stored associated with the local file system.”); 
requesting a third key from the encryption chip in a case that the second key is not within the set life cycle, and encrypting the to-be-stored data according to the requested third key, to obtain the second ciphertext (O’Hare, para. [0181] “FIG. 15B, the user 1501 may send a read request to a PC 1502 or a server 1503…when the block/cluster block does not exist in the local cache at step 1529, a cache miss 1530 is identified. For each "cache miss," a read request may be send to the cloud read operation 1532 for the missing data block/cluster block at 1531. The cloud read operation 1532 may read the data block/cluster block from the respective cloud object storage 1518, return the read data block/cluster block to an upload block directory 1533. The gateway controller 1534 may then perform decompression of the retrieved data block/cluster block at the decompression process 1535. As the retrieved data block/cluster block at the decompression process 1535 may be in the form of data shares, the data shares may be reassembled and decrypted, and then be populated to the cluster block module 1508.” And para. [0095] “Cipher feedback key generator 514 may generate, for each secure data parser operation, a unique key, or random number (using, for example, random number generator 512), to be used as a seed value for an operation that extends an original session key size (e.g., a value of 128, 256, 512, or 1024 bits) into a value equal to the length of the data to be parsed.”).

As per claims 10 and 19, the combination of O’Hare and Pahlad teach the hybrid-cloud data storage method according to claim 1 and the gateway according to claim 11, respectively, further comprising: 
determining whether an address space of the obtained to-be-stored data corresponds to an address space of the to-be-stored data to be encrypted that is recorded in the setting table (Prahlad, para. [0291] “FIG. 1 when transferring the data to the media agent. For example, before transferring data, the system may review a storage policy as described herein to select a media agent, such as secondary storage computing device 165, based on instructions within the storage policy. In step 1825, the system optionally updates an allocation table, such as a file allocation table ("FAT") for the file system 1730 associated with the cloud gateway to indicate the data blocks that no longer contain data and are now free to receive and store data from the file system.” And para. [0293] “prior to storing data from the blocks to a different data store, the cloud gateway 1540 may encrypt and/or compress data as described previously with respect to FIG. 3B. The cloud gateway may create, generate, update, and/or include an allocation table, (such as a table for the data store) that tracks the transferred data and the data that was not transferred. The table may include information identifying the original data blocks for the data, the name of the data object (e.g., file name), the location of any transferred data blocks (including, e.g., offset information), and so on.”); and 
determining, according to a storage frequency of the to-be-stored data to be encrypted that is recorded in the setting table, whether the obtained to-be-stored data needs to be encrypted (Prahlad, para. [0066] “storage operations may be performed according to various storage preferences, for example, as expressed by a user preference or a storage policy. A "storage policy" is generally a data structure or other information source that includes a set of preferences and other storage criteria associated with performing a storage operation. The preferences and storage criteria may include, but are not limited to, a storage location (or a class or quality of storage location), deduplication requirements, relationships between system components, network pathways to utilize in a storage operation, retention policies, data characteristics, compression or encryption requirements, preferred system components to utilize in a storage operation, the estimated or historic usage or cost associated with operating system components, frequency or use/access/etc. various time-related factors, single-instancing and/or deduplication information, and other criteria relating to a data storage or management operation. For example, a storage policy may indicate that certain data is to be stored in the storage device 115, retained for a specified period of time before being aged to another tier of secondary storage, copied to the storage device 115 using a specified number of data streams, etc. As one example, a storage policy may specify that certain data should be stored in one or more target cloud storage sites 115A-N”); 
triggering, in a case that the determining results are both yes, to perform the operation of determining partial data to be encrypted in the to-be-stored data (Prahlad, para. [0296] “The division component may perform different processes when determining how to divide a data object. For example, the division component may include indexing, header, and other identifying information or metadata in a first sub-object, and include the payload in other sub-objects. The division component may identify and/or retrieve file format or schema information from an index, FAT, NFS, or other allocation table in the file system to determine where certain sub-objects of a data object reside (such as the first or last sub-object of a large file). The division component may follow a rules-based process when dividing a data object, where the rules may define a minimum or maximum data size for a sub-object, a time of creation for data within a sub-object, a type of data within a sub-object, and so on.” And para. [0298] “Referring to FIG. 19, a flow diagram illustrating a routine 1900 for performing sub-object-level data migration in a cloud gateway 1540 is shown. In step 1910, the system identifies sub-objects of data blocks within a data store that satisfy one or more criteria. The data store may store large files (>50 MB), such as databases associated with a file system, SQL databases, Microsoft Exchange mailboxes, virtual machine files, and so on. The system may compare some or all of the sub-objects (or, information associated with the sub-objects) of the data store with predetermined and/or dynamic criteria. The predetermined criteria may be time-based criteria within a storage policy or data retention policy. The system may review an index with the division component 815 when comparing the sub-objects with applicable criteria.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Prahlad’s data storage operations with a cloud storage environment into O’Hare’s gateway for cloud-based secure storage, with a motivation to store and/or manage credentials or other authorization and connection information (e.g., site configuration settings, login information, certificates, etc.) that permit the cloud storage submodule to perform storage operations on a cloud storage (Pahlad, para. [0125]). 

Conclusion
5.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20150052360 A1 – Enhanced data encryption for communication system.
US 20130168450 A1 – Format preserving cipher system.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZOHA P TAFAGHODI whose telephone number is (571)272-5199.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/KRISTINE L KINCAID/Supervisory Patent Examiner, Art Unit 2437