Carp: A cost-aware relaxed protocol for encrypted data stores
Journal of Information Security and Applications ( IF 3.8 ) Pub Date : 2020-05-16 , DOI: 10.1016/j.jisa.2020.102501
Longbin Chen , Li-Chiou Chen , Nader Nassar

Distributed data stores are critical to the success of applications in the cloud. Massive volumes of user data are stored and processed with the support of underlying distributed data stores. With large amounts of data stored remotely in the cloud, security becomes a major concern. Authentication and access control are provided by cloud storage providers. But even with proper authentication and access control policies, storage systems are still vulnerable to attackers who have direct access to storage devices such as disks. Encryption makes it computationally difficult to retrieve the original data even when the attackers have access to the disks. However, there are many challenges in designing an encrypted distributed data store that is highly secure and cost-aware.

In this paper, we show that security flexibility and cost efficiency can be achieved at the same time. We present Carp, a cost-aware relaxed protocol for encrypted data stores. Carp is a heuristic solution instead of an optimal one. The key idea is to reduce additional encryption operations for frequently accessed data. It is achieved by allowing data objects to stay unencrypted for a short time period after the data are accessed. Reducing encryption operations eventually means reducing the computational cost and power consumption in the data store. Unlike conventional encrypted file systems which store data encryption keys on disks, we present a hybrid design of key generation and caching. Data encryption keys are generated for individual objects or a group of them using cryptographic hashing. We develop a prototype data store and conduct experiments. The experimental results show that Carp can reduce up to 20% of encryption operations with high-level security.
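An added example, not code from the paper or its authors: a small model of the relaxed re-encryption window and the hash-based key generation described in the abstract, reporting both the encryption operations saved and the plaintext exposure time that pays for them. The window semantics, the HMAC-SHA256 construction, the names `derive_key` and `replay`, and the access trace are assumptions made for illustration; the paper's actual protocol is not given on this page.

```python
import hashlib
import hmac


def derive_key(master, object_id, group=None):
    """Regenerate a data-encryption key by keyed hashing instead of reading it from disk.

    Assumption: HMAC-SHA256 over a label; objects in the same group share one key.
    """
    label = f"group:{group}" if group else f"object:{object_id}"
    return hmac.new(master, label.encode(), hashlib.sha256).digest()


def replay(trace, window):
    """Replay (time, object_id) accesses and return (encrypt_ops, plaintext_time).

    Assumed model: an access decrypts the object; it stays in plaintext until
    `window` time units pass without another access, then it is re-encrypted.
    window=0 is the strict baseline: re-encrypt right after every access.
    """
    last_access = {}   # object_id -> time of its most recent access
    encrypt_ops = 0
    plaintext_time = 0
    for t, oid in sorted(trace):
        prev = last_access.get(oid)
        if prev is not None:
            gap = t - prev
            plaintext_time += min(gap, window)   # exposed until re-encrypted or re-accessed
            if gap > window:
                encrypt_ops += 1                 # window expired before this access
        last_access[oid] = t
    # After its final access each object sits in plaintext for one full window,
    # then is encrypted one last time.
    encrypt_ops += len(last_access)
    plaintext_time += window * len(last_access)
    return encrypt_ops, plaintext_time


# Constructed access trace: object "a" is hot, object "b" is cold.
TRACE = [(0, "a"), (1, "a"), (2, "a"), (3, "b"),
         (10, "a"), (11, "b"), (12, "a"), (30, "b")]

if __name__ == "__main__":
    master = b"constructed-master-secret"          # constructed sample value
    print(derive_key(master, "a").hex()[:16], "(per-object key prefix)")
    for w in (0, 5):
        ops, exposed = replay(TRACE, w)
        print(f"window={w}: encrypt_ops={ops}, plaintext_time={exposed}")
```

The savings come only from the hot object; for the cold one the window adds exposure without removing any encryption operation, which is the trade-off to weigh when sizing the window.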




Updated: 2020-05-16