Encrypting data in a storage system using a plurality of encryption keys
Abstract
A system, method, and computer-readable storage medium for protecting a set of storage devices using a secret sharing scheme. The data of each storage device is encrypted with a key, and the key is encrypted based on a shared secret and a device-specific value. Each storage device stores a share and its encrypted key, and if a number of storage devices above a threshold are available, then the shared secret can be reconstructed from the shares and used to decrypt the encrypted keys. If fewer than the threshold number of storage devices are accessible, the secret cannot be reconstructed and the data on the storage devices will be unreadable.
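The flow in the abstract and claim 1, as an added sketch that is not code from the patent: a master secret is transformed with an external secret, split into shares, and used to wrap a distinct key per device. Assumptions: Shamir's scheme stands in for the unspecified secret sharing scheme, HMAC-SHA256 for the transform, and a toy XOR pad for the key encryption; all function and device names are hypothetical.

```python
import hashlib, hmac, secrets

P = 2**521 - 1  # prime field modulus, larger than any 256-bit secret

def transform(initial, external_secrets):
    # Assumed transform: fold each external secret in with HMAC-SHA256.
    final = initial
    for ext in external_secrets:
        final = hmac.new(ext, final, hashlib.sha256).digest()
    return final

def split(secret, k, n):
    # Shamir: random degree k-1 polynomial with f(0) = secret; share i is (i, f(i)).
    coeffs = [int.from_bytes(secret, "big")] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def combine(shares):
    # Lagrange interpolation at x = 0; yields garbage if fewer than k shares are given.
    s = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        s = (s + yi * num * pow(den, -1, P)) % P
    return s.to_bytes(66, "big")[-32:]

def wrap(master, device_id, key):
    # Toy XOR wrap keyed by master secret + device-specific value (self-inverse).
    # A real system would use an authenticated key wrap such as AES-KW or AES-GCM.
    pad = hmac.new(master, b"wrap|" + device_id, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, pad))

def provision(external_secrets, n=5, k=3):
    final = transform(secrets.token_bytes(32), external_secrets)
    devices, keys = [], {}
    for i, share in enumerate(split(final, k, n)):
        dev_id = b"dev-%d" % i
        keys[dev_id] = secrets.token_bytes(32)  # distinct key per device
        devices.append({"id": dev_id, "share": share,
                        "wrapped": wrap(final, dev_id, keys[dev_id])})
    return devices, keys  # keys returned only so the demo can check the result

def unlock(available):
    # Rebuild the master secret from the devices present, then unwrap their keys.
    master = combine([d["share"] for d in available])
    return {d["id"]: wrap(master, d["id"], d["wrapped"]) for d in available}
```

Because the toy wrap is unauthenticated, an unlock below the threshold returns wrong keys rather than an error; an authenticated wrap would make that failure explicit.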
20 Claims
1. A method comprising:
- transforming an initial master secret into a final master secret using one or more external secrets, wherein the one or more external secrets are stored separately from a computing system;
- for each storage device of a plurality of storage devices of the computing system, encrypting data on the storage device with a device key, wherein the device key that encrypts the data on one storage device is different than another device key that encrypts data on another storage device; and
- using the final master secret to both encrypt all of the device keys used to encrypt data on the plurality of storage devices, and to generate a plurality of shares from the final master secret.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A computing system comprising a plurality of storage devices, wherein the computing system is configured to:
- transform an initial master secret into a final master secret using one or more external secrets, wherein the one or more external secrets are stored separately from the computing system;
- for each storage device of the plurality of storage devices, encrypt data on the storage device with a device key, wherein the device key that encrypts the data on one storage device is different than another device key that encrypts data on another storage device; and
- use the final master secret to both encrypt all of the device keys used to encrypt data on the plurality of storage devices, and to generate a plurality of shares from the final master secret.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A non-transitory computer readable storage medium comprising program instructions, wherein the program instructions are executable to:
- transform an initial master secret into a final master secret using one or more external secrets, wherein the one or more external secrets are stored separately from a computing system;
- for each storage device of a plurality of storage devices of the computing system, encrypt data on the storage device with a device key, wherein the device key that encrypts the data on one storage device is different than another device key that encrypts data on another storage device; and
- use the final master secret to both encrypt all of the device keys used to encrypt data on the plurality of storage devices, and to generate a plurality of shares from the final master secret.
Dependent claims: 16, 17, 18, 19, 20
Specification