Volatile encryption keys
Abstract
A method of operating a distributed storage system includes receiving, at data processing hardware of the distributed storage system, a customer-supplied encryption key from a customer device (i.e., a client). The customer-supplied encryption key is associated with wrapped persistent encryption keys for encrypted resources of the distributed storage system. The wrapped persistent encryption keys are stored on one or more non-volatile memory hosts of the distributed storage system. The method also includes unwrapping, by the data processing hardware, a wrapped persistent encryption key that corresponds to a requested encrypted resource using the customer-supplied encryption key. The unwrapped persistent encryption key is configured to decrypt the requested encrypted resource. The method further includes decrypting, by the data processing hardware, the requested encrypted resource using the corresponding unwrapped persistent encryption key. After ceasing access of the decrypted resource, the method includes destroying, by the data processing hardware, the customer-supplied encryption key.
26 Claims
1. A method comprising:
receiving, at data processing hardware of a distributed system, a client request from a customer device for access to a requested encrypted resource of the distributed system, the client request including a customer-supplied encryption key associated with wrapped persistent encryption keys for encrypted resources of the distributed system, the wrapped persistent encryption keys stored on one or more non-volatile memory hosts of the distributed system;
storing, by the data processing hardware, the customer-supplied encryption key of the received client request on one or more volatile memory hosts of the distributed system;
unwrapping, by the data processing hardware, a wrapped persistent encryption key corresponding to the requested encrypted resource using the customer-supplied encryption key, the unwrapped persistent encryption key configured to decrypt the requested encrypted resource;
decrypting, by the data processing hardware, the requested encrypted resource using the corresponding unwrapped persistent encryption key;
sending the decrypted resource from the data processing hardware to the customer device; and
after ceasing access of the decrypted resource, destroying, by the data processing hardware, the customer-supplied encryption key from the one or more volatile memory hosts of the distributed system.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A method comprising:
receiving, at data processing hardware, a client request from a customer device for access to an encrypted resource of a distributed system, the client request including a customer-supplied encryption key;
storing, by the data processing hardware, the customer-supplied encryption key of the received client request only on one or more volatile memory hosts of the distributed system;
obtaining, by the data processing hardware, a key identifier that identifies the customer-supplied encryption key associated with the encrypted resource;
determining, by the data processing hardware, whether the customer-supplied encryption key of the client request is the customer-supplied encryption key identified by the key identifier by determining whether a hash of the customer-supplied encryption key of the client request equals the key identifier;
when the customer-supplied encryption key of the client request is the customer-supplied encryption key identified by the key identifier, unwrapping, by the data processing hardware, a wrapped persistent encryption key associated with the requested encrypted resource using the customer-supplied encryption key, the unwrapped persistent encryption key configured to decrypt the requested encrypted resource;
decrypting, by the data processing hardware, the requested encrypted resource using the unwrapped persistent encryption key; and
sending the decrypted resource from the data processing hardware to the customer device.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18
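The request flow of claims 1 and 10, sketched as an added Python example that is not taken from the patent: the key identifier is checked as a hash of the customer-supplied key, the persistent key is unwrapped, the resource is decrypted, and the customer-supplied key is zeroed in memory afterwards. Assumptions: SHA-256 as the hash, a dict standing in for the non-volatile hosts, hypothetical function names, and a standard-library HMAC-based stand-in cipher where a real system would use a vetted AEAD or key-wrap mode.

```python
import hashlib, hmac, os

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, data):
    # Stand-in authenticated cipher (assumption): HMAC-SHA256 keystream plus HMAC tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(_subkey(key, b"enc"), nonce, len(data))))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed: wrong key or modified data")
    return bytes(a ^ b for a, b in zip(ct, _stream(_subkey(key, b"enc"), nonce, len(ct))))

def key_id(csek):
    # Claim 10: the key identifier equals a hash of the customer-supplied key.
    return hashlib.sha256(csek).digest()  # SHA-256 is an assumption

def store_resource(db, name, data, csek):
    # Only the key identifier, wrapped key and ciphertext are persisted, never the CSEK.
    dek = os.urandom(32)  # persistent encryption key for this resource
    db[name] = {"key_id": key_id(csek),
                "wrapped_key": seal(csek, dek),
                "blob": seal(dek, data)}

def read_resource(db, name, csek):
    # csek must be a bytearray so the buffer can be overwritten in place.
    rec = db[name]
    try:
        if not hmac.compare_digest(key_id(csek), rec["key_id"]):
            raise PermissionError("supplied key does not match the key identifier")
        dek = unseal(csek, rec["wrapped_key"])   # unwrap the persistent key
        return unseal(dek, rec["blob"])          # decrypt the resource
    finally:
        # Destroy the CSEK once access ends. Best effort in Python: the runtime
        # may hold internal copies that this overwrite does not reach.
        csek[:] = bytes(len(csek))
```

The `finally` clause zeroes the key on both the success and the mismatch path, so a rejected request does not leave the supplied key in memory either.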
19. A method comprising:
receiving, at data processing hardware, a key map mapping persistent encryption keys for encrypted resources of a distributed system, the persistent encryption keys stored wrapped in a wrapper on one or more non-volatile memory hosts of the distributed system;
storing, by the data processing hardware, the key map on the one or more non-volatile memory hosts of the distributed system;
receiving, at the data processing hardware, a client request from a customer device for access to a requested encrypted resource of the distributed system, the client request including a customer-supplied encryption key, the customer-supplied encryption key associated with the wrapped persistent encryption keys for the encrypted resources;
storing, by the data processing hardware, the customer-supplied encryption key of the received client request only on one or more volatile memory hosts of the distributed system;
receiving, at the data processing hardware, a volatile cryptographic token from the customer device;
combining, by the data processing hardware, the volatile cryptographic token and the customer-supplied encryption key using a key derivation function to derive a persistent encryption key;
unwrapping, by the data processing hardware, a wrapped persistent encryption key corresponding to the requested encrypted resource using the derived persistent encryption key, the unwrapped persistent encryption key configured to decrypt the requested encrypted resource;
decrypting, by the data processing hardware, the requested encrypted resource using the corresponding unwrapped persistent encryption key; and
sending the decrypted resource from the data processing hardware to the customer device.
Dependent claims: 20, 21, 22, 23, 24, 25, 26
Specification