DETAILED ACTION
This action is in response to the amendment filed on June 13, 2022. Claims 1-13 have been cancelled, claims 13-20 have been amended and claims 21-21 are new. Claims 13-31 are pending. Of such, claims 13-14 and 21-31 represent a device, claims 15-18 represent a method, and claims 19-20 represent a non-transitory machine-readable storage medium directed to encryption keys from storage systems. 
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant’s arguments, see pages 8-11, filed  on June 13, 2022, with respect to the rejections of claims 1-20 in view of Lee have been fully considered and are persuasive.  Therefore the rejection has been withdrawn. However, upon further consideration, a new grounds of rejection is made in view of Driever and Lee.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 13-31 are rejected under 35 U.S.C. 103 as being unpatentable over Driever et al. (US Publication 2020/0076580), hereinafter referred to as Driever, in view of Lee et al. (US Publication 2005/0091491), hereinafter referred to as Lee.
Regarding Claim 13, Driever discloses:
 A storage system comprising: a communication interface to communicate with a host system that is able to access data stored by the storage system (In ¶ 32, Driever discloses “As part of authentication, the external key manager provides for distribution of a shared key, referred to herein as a wrapping key, to each node (e.g., host, storage device) for use in communication with one another.”); and a controller to: receive a request for a data encryption key from the host system (In ¶ 60, Driever discloses “The key UUID is made known to both the host and the storage device, STEP 302. In one example, it is obtained without direct communication between the node pair; however, in another example, there is communication between the node pair in which the UUID is communicated from, e.g., the host to the storage device.”); in response to the request, retrieve, from a key manager system, the data encryption key for the host system, wherein the controller is to retrieve the data encryption key for the host system from the key manager system by sending, to the key manager system, a request including an identifier associated with the host system or a storage object to be accessed (In ¶ 71, Driever discloses “In a further aspect of the automating the obtaining, the slave node (storage) obtains the UUID from the master node (Host) and using the UUID, requests the wrapping key directly from the key server. ” and in ¶ 91, Driever further discloses “If the key server determines that the storage device is authorized to receive the shared key, the key server responds with the wrapping key”); and receive, from the host system, encrypted data encrypted using the data encryption key (In ¶ 68, Driever discloses “The host uses the key to encrypt messages sent to the storage device using an encryption technique (e.g., ABS_KEYWRAP), and the storage device successfully decrypts the messages to authenticate the storage device (e.g., Fibre Channel node) as a trusted entity using the same encryption technique.”).
	However, Driever does not explicitly disclose the encryption of the data encryption key.
	Lee discloses:
encrypt the data encryption key retrieved from the key manager system using a first key, to produce an encrypted data encryption key; send the encrypted data encryption key to the host system (In ¶ 25, Lee discloses “Using public key 75, storage engine encrypts secure session key 60 and transmits the encrypted public key to host system 5.”)
	One in ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Driever’s approach by utilizing Lee’s approach of encrypting the data encryption key as the motivation would be that protecting the data encryption key/session key using a public/private key cryptography algorithm adds an additional layer of trust between the storage and host nodes (See Lee ¶ 19).
	Regarding Claim 14, the combination of Driever and Lee disclose the limitations of claim 13.
	However, Driever does not explicitly disclose the encryption of the data encryption key.
	Lee discloses:
wherein the encrypted data encryption key is sent to a network interface controller or a storage driver of the host system (In ¶ 34, Lee discloses “Host system 5 will have a file system driver (not illustrated) as is known in the art that converts file requests to the low-level block requests that are passed to storage engine 20.”), and wherein the encrypted data received from the host system is encrypted by the network interface controller or the storage driver using the data encryption key (In ¶ 27, Lee discloses “For host system 5 to write secure content to disc 25, host system 5 encrypts the content and passes the encrypted content and the associated security key(s) to storage engine 20.”).
	One in ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Driever’s approach by utilizing Lee’s approach of encrypting the data encryption key as the motivation would be that protecting the data encryption key/session key using a public/private key cryptography algorithm adds an additional layer of trust between the storage and host nodes (See Lee ¶ 19).
	Regarding Claim 15, Driever discloses:
A method of a storage system comprising a hardware processor, comprising (In ¶ 32, Driever discloses “As part of authentication, the external key manager provides for distribution of a shared key, referred to herein as a wrapping key, to each node (e.g., host, storage device) for use in communication with one another.”): receiving, at the storage system, a request for a data encryption key from the host system (In ¶ 60, Driever discloses “The key UUID is made known to both the host and the storage device, STEP 302. In one example, it is obtained without direct communication between the node pair; however, in another example, there is communication between the node pair in which the UUID is communicated from, e.g., the host to the storage device.”); in response to the request, sending, from the storage system over a network to a key manager system, a key identifier for the data encryption key (In ¶ 71, Driever discloses “In a further aspect of the automating the obtaining, the slave node (storage) obtains the UUID from the master node (Host) and using the UUID, requests the wrapping key directly from the key server.”): receiving, at the storage system over the network from the key manager system, the data encryption key obtained by the key manager system by accessing a key repository that correlates key identifiers to corresponding data encryption keys, wherein the key identifier sent from the storage system to the key manager system correlates to the data encryption key in the key repository (In ¶ 91, Driever discloses “If the key server determines that the storage device is authorized to receive the shared key, the key server responds with the wrapping key, ” and in ¶ 97, Driever further discloses “This identifier could have been pre-registered into the database of the EKM or it can be dynamically registered and authorized through successful establishment of the TLS session along with additional optional white-list security administrator action upon establishment of the TLS session”);  and receiving, at the storage system from the host system, encrypted data encrypted using the data encryption key derived by the host system based on decrypting the encrypted data encryption key (In ¶ 68, Driever discloses “The host uses the key to encrypt messages sent to the storage device using an encryption technique (e.g., ABS_KEYWRAP), and the storage device successfully decrypts the messages to authenticate the storage device (e.g., Fibre Channel node) as a trusted entity using the same encryption technique.”)
However, Driever does not explicitly disclose the encryption of the data encryption key.
	Lee discloses:
	receiving, at the storage system, a first key from a host system (In ¶ 25, Lee discloses “To access secure content on disc 25, host system 5 provides not only digital signature 10 but also its public key 75.”) encrypting, at the storage system, the data encryption key using the first key, to produce an encrypted data encryption key; sending the encrypted data encryption key from the storage system to the host system (In ¶ 25, Lee discloses “Using public key 75, storage engine encrypts secure session key 60 and transmits the encrypted public key to host system 5.”)
One in ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Driever’s approach by utilizing Lee’s approach of encrypting the data encryption key as the motivation would be that protecting the data encryption key/session key using a public/private key cryptography algorithm adds an additional layer of trust between the storage and host nodes (See Lee ¶ 19).
	Regarding Claim 16, the combination of Driever and Lee disclose the limitations of claim 15.
	However, Driever does not explicitly disclose the encryption of the data encryption key.
	Lee discloses:
wherein the first key is a public key (In ¶ 25, Lee discloses “To access secure content on disc 25, host system 5 provides not only digital signature 10 but also its public key 75.”).
	One in ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Driever’s approach by utilizing Lee’s approach of encrypting the data encryption key as the motivation would be that protecting the data encryption key/session key using a public/private key cryptography algorithm adds an additional layer of trust between the storage and host nodes (See Lee ¶ 19).
	Regarding Claim 17, the combination of Driever and Lee disclose the limitations of claim 16.
	However, Driever does not explicitly disclose the encryption of the data encryption key.
	Lee discloses:
	wherein the encrypted data is encrypted using the data encryption key derived by the host system based on decrypting the encrypted data encryption key with a private key (In ¶ 7, Lee discloses “recovering the secure session key from the encrypted secure session key using the corresponding private key”).
One in ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Driever’s approach by utilizing Lee’s approach of encrypting the data encryption key as the motivation would be that protecting the data encryption key/session key using a public/private key cryptography algorithm adds an additional layer of trust between the storage and host nodes (See Lee ¶ 19).
Regarding Claim 18, the combination of Driever and Lee disclose:
The method of claim 15, further comprising: receiving, from the host system, information associated with the data encryption key as part of an access of data by the host system (In ¶ 32, Driever discloses “The wrapping key is used to transmit additional information, such as key information, between the trusted endpoints of the nodes. This additional key information includes, for instance, transmit (a.k.a., send) and receive keys used in the encryption/decryption of data.”); and decrypting, by the storage system, encrypted data associated with a data service of the storage system in response to receiving the information associated with the data encryption key (In ¶ 64, Driever discloses “The storage device receives the AUTH_ELS and decrypts the payload utilizing the obtained wrapping key and the deployed AES_KEYWRAP technique”).
	Regarding Claim 19, Driever discloses:
A non-transitory machine-readable storage medium comprising instructions that upon execution cause a storage system to (In ¶ 147, Driever discloses “The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.”): receive a request for a data encryption key from the host system (In ¶ 60, Driever discloses “The key UUID is made known to both the host and the storage device, STEP 302. In one example, it is obtained without direct communication between the node pair; however, in another example, there is communication between the node pair in which the UUID is communicated from, e.g., the host to the storage device.”); ; in response to the request, send, from the storage system over a network to a key manager system, a key identifier for the data encryption key (In ¶ 71, Driever discloses “In a further aspect of the automating the obtaining, the slave node (storage) obtains the UUID from the master node (Host) and using the UUID, requests the wrapping key directly from the key server.”)(In ¶ 91, Driever discloses “If the key server determines that the storage device is authorized to receive the shared key, the key server responds with the wrapping key, ” and in ¶ 97, Driever further discloses “This identifier could have been pre-registered into the database of the EKM or it can be dynamically registered and authorized through successful establishment of the TLS session along with additional optional white-list security administrator action upon establishment of the TLS session”);  receive, from the host system, encrypted data encrypted using the data encryption key derived by the host system based on decrypting the encrypted data encryption key using a private key of the host system (In ¶ 68, Driever discloses “The host uses the key to encrypt messages sent to the storage device using an encryption technique (e.g., ABS_KEYWRAP), and the storage device successfully decrypts the messages to authenticate the storage device (e.g., Fibre Channel node) as a trusted entity using the same encryption technique.”); and store the encrypted data in a storage medium of the storage system (In ¶ 73, Driever discloses “For instance, a host reads from and writes data to a storage device through a communication channel, such as a Fibre Channel, Infiniband, or a TCP/IP network.”).
However, Driever does not explicitly disclose the encryption of the data encryption key.
	Lee discloses:
	receive a public key from a host system (In ¶ 25, Lee discloses “To access secure content on disc 25, host system 5 provides not only digital signature 10 but also its public key 75.”); encrypt the data encryption key using the public key, to produce an encrypted data encryption key; send the encrypted data encryption key to the host system (In ¶ 25, Lee discloses “Using public key 75, storage engine encrypts secure session key 60 and transmits the encrypted public key to host system 5.”)
One in ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Driever’s approach by utilizing Lee’s approach of encrypting the data encryption key as the motivation would be that protecting the data encryption key/session key using a public/private key cryptography algorithm adds an additional layer of trust between the storage and host nodes (See Lee ¶ 19).
Regarding Claim 20, the combination of Driever and Lee disclose:
The non-transitory machine-readable storage medium of claim 19, wherein the instructions upon execution cause the storage system to: manage access of the data encryption key responsive to the request for the data encryption key based on whether the host system is authorized (In ¶ 84, Driever discloses “Referring to FIG. 5A, in one example, one node (e.g., host 102) and another node (e.g., storage device 104) participate in an authentication protocol to provide trust with one another. Initially, signed certificates, signed by a Certificate Authority (e.g., Certificate Authority 110), are installed in each endpoint node (e.g., host and storage device), as well as in in the external key manager server”).
Regarding Claim 21, the combination of Driever and Lee disclose:
The storage system of claim 13, wherein the identifier included in the request sent to the key manager system is associated with the host system (In ¶ 59, Driever discloses “In accordance with an aspect of the present invention, a wrapping key is created in the EKM and assigned a universal unique identifier (UUID), STEP 301. The UUID is, for instance, a KMIP (or other protocol) attribute assigned to an encryption key (e.g., the wrapping key) during creation. The key is created for use by the node pair by any selected technique, which may be programmatic or administrative. In the examples described below, the node pair includes a host, which may be referred to as a server, and a storage device, such as a control unit.”).
Regarding Claim 22, the combination of Driever and Lee disclose:
The storage system of claim 13, wherein the identifier included in the request sent to the key manager system is associated with the storage object to be accessed by the host system  (In ¶ 59, Driever discloses “In accordance with an aspect of the present invention, a wrapping key is created in the EKM and assigned a universal unique identifier (UUID), STEP 301. The UUID is, for instance, a KMIP (or other protocol) attribute assigned to an encryption key (e.g., the wrapping key) during creation. The key is created for use by the node pair by any selected technique, which may be programmatic or administrative. In the examples described below, the node pair includes a host, which may be referred to as a server, and a storage device, such as a control unit.”).
Regarding Claim 23, the combination of Driever and Lee disclose:
The storage system of claim 13, wherein the request including the identifier is sent from the storage system over a network to the key manager system (In ¶ 71, Driever discloses “In a further aspect of the automating the obtaining, the slave node (storage) obtains the UUID from the master node (Host) and using the UUID, requests the wrapping key directly from the key server.”).
Regarding Claim 24, the combination of Driever and Lee disclose the limitations with respect to claim 13.
However, Driever does not explicitly disclose the encryption of the data encryption key.
	Lee discloses:
wherein the first key is from the host system and is a public key of the host system. (In ¶ 25, Lee discloses “To access secure content on disc 25, host system 5 provides not only digital signature 10 but also its public key 75.”).
	One in ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Driever’s approach by utilizing Lee’s approach of encrypting the data encryption key as the motivation would be that protecting the data encryption key/session key using a public/private key cryptography algorithm adds an additional layer of trust between the storage and host nodes (See Lee ¶ 19).
Regarding Claim 25, the combination of Driever and Lee disclose the limitations with respect to claim 24.
However, Driever does not explicitly disclose the encryption of the data encryption key.
	Lee discloses:
wherein the encrypted data is encrypted using the data encryption key determined by the host system from the encrypted data encryption key by decrypting the encrypted data encryption key using a private key of the host system (In ¶ 7, Lee discloses “recovering the secure session key from the encrypted secure session key using the corresponding private key”).
One in ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Driever’s approach by utilizing Lee’s approach of encrypting the data encryption key as the motivation would be that protecting the data encryption key/session key using a public/private key cryptography algorithm adds an additional layer of trust between the storage and host nodes (See Lee ¶ 19).
Regarding Claim 26, the combination of Driever and Lee disclose:
The storage system of claim 13, wherein the data encryption key retrieved by the storage system from the key manager system is obtained by the key manager system by accessing a key repository that correlates key identifiers to corresponding data encryption keys, wherein the identifier included in the request from the storage system to the key manager system is a key identifier that correlates to the data encryption key in the key repository (In ¶ 87, Driever discloses “This identifier could have been pre-registered into the database of the EKM or it can be dynamically registered and authorized through successful establishment of the TLS session along with additional optional white-list security administrator action upon establishment of the TLS session.”).
Regarding Claim 27, the combination of Driever and Lee disclose:
The storage system of claim 13, wherein the controller is to: receive, from the host system, information associated with the data encryption key as part of an access of data by the host system (In ¶ 32, Driever discloses “The wrapping key is used to transmit additional information, such as key information, between the trusted endpoints of the nodes. This additional key information includes, for instance, transmit (a.k.a., send) and receive keys used in the encryption/decryption of data.”); and decrypt encrypted data associated with a data service of the storage system in response to receiving the information associated with the data encryption key (In ¶ 64, Driever discloses “The storage device receives the AUTH_ELS and decrypts the payload utilizing the obtained wrapping key and the deployed AES_KEYWRAP technique”).
Regarding Claim 28, the combination of Driever and Lee disclose:
The storage system of claim 27, wherein the information associated with the data encryption key comprises an identifier of the data encryption key (In ¶ 107, Driever discloses “In one embodiment, the slave node receives an identifier of the shared wrapping key that is used to decrypt a message containing send/receive keys.”).
Regarding Claim 29, the combination of Driever and Lee disclose:
The storage system of claim 28, wherein the controller does not decrypt the encrypted data associated with the data service if the host system does not provide the information associated with the data encryption key as part of the access of data by the host system (In ¶ 91, Driever discloses “If, however, the storage device is not in the same pool or is not identified as the peer, it will not be successful in retrieving the key from the key server and no further communication between the endpoint nodes will be performed until, for instance, a relevant security policy changes.”).
Regarding Claim 30, the combination of Driever and Lee disclose:
The storage system of claim 27, wherein the information associated with the data encryption key comprises the identifier associated with the host system (In ¶ 71, Driever discloses “In a further aspect of the automating the obtaining, the slave node (storage) obtains the UUID from the master node (Host) and using the UUID, requests the wrapping key directly from the key server.”).
Regarding Claim 31, the combination of Driever and Lee disclose:
The storage system of claim 13, wherein the controller is to manage access of the data encryption key responsive to the request for the data encryption key based on whether the host system is authorized (In ¶ 84, Driever discloses “Referring to FIG. 5A, in one example, one node (e.g., host 102) and another node (e.g., storage device 104) participate in an authentication protocol to provide trust with one another. Initially, signed certificates, signed by a Certificate Authority (e.g., Certificate Authority 110), are installed in each endpoint node (e.g., host and storage device), as well as in in the external key manager server,”).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Harwood et al. (US 9830278) discloses a method for the use of data encryption keys to manage encrypted data in a storage area network. 
Leshinsky et al. (US 10372926) discloses a method for encryption key distribution between a client and distributed data store.
Yoshida et al. (US 20220069983) discloses a method for a storage apparatus to send a request to a key management server using an identifier for an encryption key. 
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHADI H KOBROSLI whose telephone number is (571)272-1952. The examiner can normally be reached M-F 9am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SHADI H KOBROSLI/Examiner, Art Unit 2492                                                                                                                                                                                                        
/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492