Attribute-based encryption (ABE) has been widely used in cloud computing where a data provider outsources his/herencrypted data to a cloud service provider, and can share the data with users possessing specific credentials (or attributes). However,the standard ABE system does not support secure deduplication, which is crucial for eliminating duplicate copies of identical data inorder to save storage space and network bandwidth. In this paper, we present an attribute-based storage system with securededuplication in a hybrid cloud setting, where a private cloud is responsible for duplicate detection and a public cloud manages thestorage. Compared with the prior data deduplication systems, our system has two advantages. Firstly, it can be used to confidentiallyshare data with users by specifying access policies rather than sharing decryption keys. Secondly, it achieves the standard notion ofsemantic security for data confidentiality while existing systems only achieve it by defining a weaker security notion. In addition, we putforth a methodology to modify a ciphertext over one access policy into ciphertexts of the same plaintext but under other access policieswithout revealing the underlying plaintext.