Volatile encryption keys

US 10,164,955 B1
Filed: 05/25/2016
Issued: 12/25/2018
Est. Priority Date: 05/25/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at data processing hardware of a distributed system, a client request from a customer device for access to a requested encrypted resource of the distributed system, the client request including a customer-supplied encryption key associated with wrapped persistent encryption keys for encrypted resources of the distributed system, the wrapped persistent encryption keys stored on one or more non-volatile memory hosts of the distributed system;

storing, by the data processing hardware, the customer-supplied encryption key of the received client request on one or more volatile memory hosts of the distributed system;

unwrapping, by the data processing hardware, a wrapped persistent encryption key corresponding to the requested encrypted resource using the customer-supplied encryption key, the unwrapped persistent encryption key configured to decrypt the requested encrypted resource;

decrypting, by the data processing hardware, the requested encrypted resource using the corresponding unwrapped persistent encryption key;

sending the decrypted resource from the data processing hardware to the customer device; and

after ceasing access of the decrypted resource, destroying, by the data processing hardware, the customer-supplied encryption key from the one or more volatile memory hosts of the distributed system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of operating a distributed storage system includes receiving, at data processing hardware of the distributed storage system, a customer-supplied encryption key from a customer device (i.e., a client). The customer-supplied encryption key is associated with wrapped persistent encryption keys for encrypted resources of the distributed storage system. The wrapped persistent encryption keys are stored on one or more non-volatile memory hosts of the distributed storage system. The method also includes unwrapping, by the data processing hardware, a wrapped persistent encryption key that corresponds to a requested encrypted resource using the customer-supplied encryption key. The unwrapped persistent encryption key is configured to decrypt the requested encrypted resource. The method further includes decrypting, by the data processing hardware, the requested encrypted resource using the corresponding unwrapped persistent encryption key. After ceasing access of the decrypted resource, the method includes destroying, by the data processing hardware, the customer-supplied encryption key.

24 Citations

View as Search Results

26 Claims

1. A method comprising:
- receiving, at data processing hardware of a distributed system, a client request from a customer device for access to a requested encrypted resource of the distributed system, the client request including a customer-supplied encryption key associated with wrapped persistent encryption keys for encrypted resources of the distributed system, the wrapped persistent encryption keys stored on one or more non-volatile memory hosts of the distributed system;
  
  storing, by the data processing hardware, the customer-supplied encryption key of the received client request on one or more volatile memory hosts of the distributed system;
  
  unwrapping, by the data processing hardware, a wrapped persistent encryption key corresponding to the requested encrypted resource using the customer-supplied encryption key, the unwrapped persistent encryption key configured to decrypt the requested encrypted resource;
  
  decrypting, by the data processing hardware, the requested encrypted resource using the corresponding unwrapped persistent encryption key;
  
  sending the decrypted resource from the data processing hardware to the customer device; and
  
  after ceasing access of the decrypted resource, destroying, by the data processing hardware, the customer-supplied encryption key from the one or more volatile memory hosts of the distributed system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising identifying, by the data processing hardware, the wrapped persistent encryption key using a key map mapping the wrapped persistent encryption keys for the encrypted resources of the distributed system to customer-supplied encryption keys.
  - 3. The method of claim 1, further comprising obtaining metadata associated with the requested encrypted resource using a resource identifier, the metadata including the wrapped persistent encryption key for the requested encrypted resource.
  - 4. The method of claim 1, wherein the requested encrypted resource comprises a secure container of a secure container system.
  - 5. The method of claim 1, further comprising deleting the unwrapped persistent encryption key after receiving an event notification indicating a termination of access to the decrypted resource.
  - 6. The method of claim 2, wherein the key map comprises tuples, each tuple comprising:
    - a key identifier identifying a customer-supplied encryption key; and
      
      a resource identifier identifying an encrypted resource and the wrapped persistent encryption key for the encrypted resource.
  - 7. The method of claim 2, wherein the key map is stored on the one or more non-volatile memory hosts of the distributed system.
  - 8. The method of claim 3, further comprising:
    - determining, by the data processing hardware, whether the customer-supplied encryption key of the client request is the customer-supplied encryption key identified by a key identifier obtained from the metadata associated with the requested encrypted resource; and
      
      when the customer-supplied encryption key of the client request is the customer-supplied encryption key identified by the key identifier, unwrapping, by the data processing hardware, the wrapped persistent encryption key for the requested encrypted resource using the customer-supplied encryption key of the client request.
  - 9. The method of claim 8, wherein determining whether the customer-supplied encryption key of the client request is the customer-supplied encryption key identified by the key identifier comprises determining whether a hash of the customer-supplied encryption key of the client request equals the key identifier.

10. A method comprising:
- receiving, at data processing hardware, a client request from a customer device for access to an encrypted resource of a distributed system, the client request including a customer-supplied encryption key;
  
  storing, by the data processing hardware, the customer-supplied encryption key of the received client request only on one or more volatile memory hosts of the distributed system;
  
  obtaining, by the data processing hardware, a key identifier that identifies the customer-supplied encryption key associated with the encrypted resource;
  
  determining, by the data processing hardware, whether the customer-supplied encryption key of the client request is the customer-supplied encryption key identified by the key identifier by determining whether a hash of the customer-supplied encryption key of the client request equals the key identifier;
  
  when the customer-supplied encryption key of the client request is the customer-supplied encryption key identified by the key identifier, unwrapping, by the data processing hardware, a wrapped persistent encryption key associated with the requested encrypted resource using the customer-supplied encryption key, the unwrapped persistent encryption key configured to decrypt the requested encrypted resource;
  
  decrypting, by the data processing hardware, the requested encrypted resource using the unwrapped persistent encryption key; and
  
  sending the decrypted resource from the data processing hardware to the customer device.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, further comprising obtaining, by the data processing hardware, the key identifier that identifies the customer-supplied encryption key from metadata associated with the encrypted resource.
  - 12. The method of claim 10, further comprising identifying, by the data processing hardware, the wrapped persistent encryption key using a key map mapping wrapped persistent encryption keys for encrypted resources of the distributed system to customer-supplied encryption keys.
  - 13. The method of claim 10, further comprising deleting the unwrapped persistent encryption key and the customer-supplied encryption key after receiving an event notification indicating a termination of access to the decrypted resource.
  - 14. The method of claim 10, further comprising storing the unwrapped persistent encryption key only on the one or more volatile memory hosts of the distributed system.
  - 15. The method of claim 10, wherein the requested encrypted resource comprises a secure container of a secure container system.
  - 16. The method of claim 12, wherein the key map comprises tuples, each tuple comprising:
    - a key identifier identifying a customer-supplied encryption key; and
      
      a resource identifier identifying an encrypted resource and the wrapped persistent encryption key for the encrypted resource.
  - 17. The method of claim 12, wherein the key map is stored on one or more non-volatile memory hosts of the distributed system.
  - 18. The method of claim 16, further comprising obtaining, by the data processing hardware, the key identifier that identifies the customer-supplied encryption key from the key map.

19. A method comprising:
- receiving, at data processing hardware, a key map mapping persistent encryption keys for encrypted resources of a distributed system, the persistent encryption keys stored wrapped in a wrapper on one or more non-volatile memory hosts of the distributed system;
  
  storing, by the data processing hardware, the key map on the one or more non-volatile memory hosts of the distributed system;
  
  receiving, at the data processing hardware, a client request from a customer device for access to a requested encrypted resource of the distributed system, the client request including a customer-supplied encryption key, the customer-supplied encryption key associated with the wrapped persistent encryption keys for the encrypted resources;
  
  storing, by the data processing hardware, the customer-supplied encryption key of the received client request only on one or more volatile memory hosts of the distributed system;
  
  receiving, at the data processing hardware, a volatile cryptographic token from the customer device;
  
  combining, by the data processing hardware, the volatile cryptographic token and the customer-supplied encryption key using a key derivation function to derive a persistent encryption key;
  
  unwrapping, by the data processing hardware, a wrapped persistent encryption key corresponding to the requested encrypted resource using the derived persistent encryption key, the unwrapped persistent encryption key configured to decrypt the requested encrypted resource;
  
  decrypting, by the data processing hardware, the requested encrypted resource using the corresponding unwrapped persistent encryption key; and
  
  sending the decrypted resource from the data processing hardware to the customer device.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The method of claim 19, further comprising accessing, by the data processing hardware, at least one encrypted resource using at least one unwrapped persistent encryption key.
  - 21. The method of claim 19, further comprising deleting the volatile cryptographic token after unwrapping the wrapper.
  - 22. The method of claim 19, further comprising deleting the derived persistent encryption key after receiving an event notification indicating a termination of access to the decrypted resource.
  - 23. The method of claim 19, further comprising:
    - creating, by the data processing hardware, the persistent encryption keys for the encrypted resources of the distributed system;
      
      enumerating, by the data processing hardware, the persistent encryption keys; and
      
      wrapping, by the data processing hardware, the persistent encryption keys.
  - 24. The method of claim 19, wherein the encrypted resources comprise encrypted data stored on the one or more non-volatile memory hosts of the distributed system.
  - 25. The method of claim 20, further comprising storing the unwrapped persistent encryption keys only on the one or more volatile memory hosts of the distributed system.
  - 26. The method of claim 25, further comprising deleting the unwrapped persistent encryption keys from the one or more volatile memory hosts of the distributed system after receiving an event notification indicating a termination of access to the at least one encrypted resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google LLC (Alphabet Inc.)
Inventors
Halcrow, Michael, Dierks, Timothy
Primary Examiner(s)
Hoffman, Brandon S
Assistant Examiner(s)
Salehi, Helai

Application Number

US15/163,716
Time in Patent Office

944 Days
Field of Search
US Class Current
CPC Class Codes

G06F 3/0623   in relation to content

G06F 3/0661   Format or protocol conversi...

G06F 3/067   Distributed or networked st...

H04L 2463/061   applying further key deriva...

H04L 63/067   using one-time keys cryptog...

Volatile encryption keys

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Volatile encryption keys

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links