Key rotation techniques
Abstract
A plurality of devices, having common access to a first key under which a set of data objects used by the plurality of devices are encrypted, is caused to replace the first key with a second key by at least causing a device of the plurality of devices to reencrypt, under the second key, a subset of the set of data objects that are not selected for electronic shredding, and to allow access to a data object of the subset regardless of whether the data object is encrypted using the first key or the second key. At a time after the data object becomes accessible by using the second key, each of the plurality of devices is verified to have common access to the second key, and the plurality of devices is caused to lose access to the first key.
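The abstract describes shredding by omission: objects that should disappear are simply never reencrypted, the old key is held in a decrypt-only state while the rest of the data moves to the new key, and the old key is destroyed only after every device is confirmed to hold the new one. The simulation below is an added example written for this page, not code from the patent or its assignee. It assumes the "first cryptographic operation" is decryption and the "second" is encryption (the reading the abstract's goal implies), uses an HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag as a stand-in for whatever cipher the devices actually use (illustrative only, not a production AEAD), and the device names, object names, round-robin work assignment and the `offline` failure case are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from enum import Enum


class KeyState(Enum):
    ACTIVE = "encrypt+decrypt"     # both cryptographic operations allowed
    DECRYPT_ONLY = "decrypt-only"  # rotation window: the first key reads old data but writes nothing new


class Key:  # one device's copy of a shared key: same secret on every device, state tracked per copy
    def __init__(self, key_id, secret):
        self.key_id, self.secret, self.state = key_id, secret, KeyState.ACTIVE

    def subkey(self, label):  # separate encryption and MAC keys derived from the one secret
        return hmac.new(self.secret, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, n):  # HMAC-SHA256 in counter mode: an illustrative cipher, not a production AEAD
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def encrypt(key, plaintext):
    if key.state is not KeyState.ACTIVE:  # the "second cryptographic operation" is refused outside ACTIVE
        raise PermissionError(f"{key.key_id} is {key.state.value}; encryption refused")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key.subkey(b"enc"), nonce, len(plaintext))))
    return nonce + ct + hmac.new(key.subkey(b"mac"), nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):  # the "first cryptographic operation": allowed in both ACTIVE and DECRYPT_ONLY
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key.subkey(b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key.subkey(b"enc"), nonce, len(ct))))


class Device:
    def __init__(self, name):
        self.name, self.keys = name, {}

    def read(self, store, obj):  # store is the shared dict obj -> (key_id, ciphertext)
        key_id, blob = store[obj]
        if key_id not in self.keys:
            raise PermissionError(f"{self.name} holds no copy of {key_id}")
        return decrypt(self.keys[key_id], blob)

    def write(self, store, obj, plaintext, key_id):
        store[obj] = (key_id, encrypt(self.keys[key_id], plaintext))

    def drop_key(self, key_id):  # "lose access": forget the key and zero this copy of the secret
        self.keys.pop(key_id).secret = bytes(32)


class KeyManager:
    def __init__(self, devices, store):
        self.devices, self.store, self.offline = devices, store, set()

    def distribute(self, key_id, secret):  # devices named in self.offline (a constructed failure) miss the delivery
        for d in (d for d in self.devices if d.name not in self.offline):
            d.keys[key_id] = Key(key_id, secret)

    def rotate(self, old_id, new_id, shred):
        retained = [o for o, (kid, _) in self.store.items() if kid == old_id and o not in shred]
        self.distribute(new_id, secrets.token_bytes(32))          # 1. transmit the second key
        for d in self.devices:                                    # 2. first key decrypts but no longer encrypts
            d.keys[old_id].state = KeyState.DECRYPT_ONLY
        workers = [d for d in self.devices if new_id in d.keys]
        for i, obj in enumerate(retained):                        # 3. reencrypt only the retained subset
            dev = workers[i % len(workers)]
            dev.write(self.store, obj, dev.read(self.store, obj), new_id)
        missing = [d.name for d in self.devices if new_id not in d.keys]
        if missing:                                               # 4. verify delivery before destroying anything
            raise RuntimeError(f"keeping {old_id}: {missing} never received {new_id}")
        for d in self.devices:                                    # 5. shredded subset is now unrecoverable
            d.drop_key(old_id)
        return retained


def setup():  # constructed fleet (not from the patent): three devices sharing k1, three objects under k1
    store, devices = {}, [Device("node-a"), Device("node-b"), Device("node-c")]
    km = KeyManager(devices, store)
    km.distribute("k1", secrets.token_bytes(32))
    devices[0].write(store, "ledger", b"balances 2024", "k1")
    devices[1].write(store, "invoice", b"net 30", "k1")
    devices[2].write(store, "pii-export", b"name,ssn", "k1")     # the object selected for shredding
    return km


def raises(exc, fn, *args):  # True when fn(*args) raises exc; used to check the refused operations
    try:
        fn(*args)
    except exc:
        return True
    return False
```

Running `setup().rotate("k1", "k2", shred={"pii-export"})` leaves `ledger` and `invoice` readable under k2 on every device and `pii-export` unreadable everywhere, without any device having touched the shredded ciphertext. The two checks a practitioner should care about are in steps 2 and 4: while the first key is decrypt-only no device can write fresh data (or re-save a shredded object) under it, and if any device never received the second key the rotation aborts with the first key intact, so an offline device is not cut off from data it still needs and nothing is shredded prematurely.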
Claims (20 claims; 203 citations)
1. A computer-implemented method, comprising:
for a set of data objects encrypted with a first key that is accessible to a plurality of devices, terminating access to a first subset of the set of data objects by:
transmitting a second key to the plurality of devices, the second key usable for reencrypting a second subset of the set of data objects; and
causing, until the plurality of devices complete reencryption of the second subset of the set of data objects, the first key to be usable to perform a first cryptographic operation on individual data objects of the set of data objects and to be unusable to perform a second cryptographic operation on the individual data objects; and
at a time after the second subset becomes accessible by using the second key:
verifying that each of the plurality of devices has access to the second key; and
causing the plurality of devices to lose access to the first key.
(Dependent claims 2 to 7.)
8. A system, comprising memory to store instructions that, as a result of execution by one or more processors, cause the system to, for a set of data objects encrypted with a first key that is accessible to a plurality of devices:
initiate reencryption of a second subset of the set of data objects by providing a second key to the plurality of devices;
during reencryption of the second subset, allow the plurality of devices to perform a first cryptographic operation and not to perform a second cryptographic operation on a first subset of the set of data objects using the first key; and
at a time after an individual data object of the second subset becomes accessible by using the second key, cause the plurality of devices to lose access to the first key.
(Dependent claims 9 to 14.)
15. A non-transitory computer-readable storage medium that stores executable instructions which, when executed by one or more processors of a computer system, cause the computer system to, for a set of data objects encrypted with a first key that is accessible to a plurality of devices, at least:
provide a second key to allow the plurality of devices to reencrypt, using the second key, a second subset of the set of data objects different from a first subset;
until the reencryption of the second subset is completed, allow the plurality of devices to perform a first cryptographic operation and not to perform a second cryptographic operation on the first subset of the set of data objects using the first key; and
at a time after the second subset becomes accessible by using the second key, cause the plurality of devices to lose access to the first key.
(Dependent claims 16 to 20.)
Specification