Secure information storage
Abstract
Embodiments of the disclosure include systems and methods for secure storage and/or retrieval of customer secrets by, e.g., a cloud services provider. According to methods, secret data that is to be securely stored may be transmitted, along with an initialization vector, to an encryption service for encryption using a private key stored in a remote key vault. The encrypted data can be returned and stored, in its encrypted form, in a secure storage along with the initialization vector data. To retrieve the securely stored data, embodiments disclose retrieving the encrypted form of the data and transmitting it, along with its related initialization vector data, to the encryption service for decryption using the private key stored in the remote key vault. The decrypted data can then be made available to a requesting product service.
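The store and retrieve flow described in the abstract, as an added sketch that is not code from the patent: a storage service generates the initialization vector, an encryption service keeps only the wrapped customer key, and a key vault unwraps it per customer partition. All class and function names are hypothetical; the stdlib SHAKE-256/HMAC construction is a stand-in for a real cipher such as AES-GCM, the customer key is modeled as a symmetric key, and passing a customer identifier to the encryption service is an assumption.

```python
import hashlib, hmac, secrets

def _seal(key, iv, data):  # stand-in authenticated cipher, stdlib only (assumption)
    stream = hashlib.shake_256(b"enc" + key + iv).digest(len(data))
    body = bytes(a ^ b for a, b in zip(data, stream))
    return body + hmac.new(key, iv + body, hashlib.sha256).digest()

def _open(key, iv, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + body, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key, IV or ciphertext")
    return _seal(key, iv, body)[:-32]

class KeyVault:
    def __init__(self):
        self._partitions = {}  # one wrapping key per customer partition, never exported
    def wrap_new_key(self, customer):  # provisioning step (assumed, not on the page)
        kek = self._partitions.setdefault(customer, secrets.token_bytes(32))
        iv = secrets.token_bytes(16)
        return iv + _seal(kek, iv, secrets.token_bytes(32))
    def unwrap(self, customer, wrapped):
        return _open(self._partitions[customer], wrapped[:16], wrapped[16:])

class EncryptionService:
    def __init__(self, vault):
        self.vault, self.key_store = vault, {}  # first store: wrapped keys only
    def _customer_key(self, customer):
        if customer not in self.key_store:
            self.key_store[customer] = self.vault.wrap_new_key(customer)
        return self.vault.unwrap(customer, self.key_store[customer])
    def encrypt(self, customer, iv, data):
        return _seal(self._customer_key(customer), iv, data)
    def decrypt(self, customer, iv, blob):
        return _open(self._customer_key(customer), iv, blob)

class SecretStorage:
    def __init__(self, encryption_service):
        self.enc, self.records = encryption_service, {}  # second store: IV + ciphertext
    def store(self, customer, name, secret):
        iv = secrets.token_bytes(16)  # fresh IV for every stored secret
        self.records[(customer, name)] = (iv, self.enc.encrypt(customer, iv, secret))
    def retrieve(self, customer, name):
        iv, blob = self.records[(customer, name)]
        return self.enc.decrypt(customer, iv, blob)

def build_demo():
    storage = SecretStorage(EncryptionService(KeyVault()))
    storage.store("customer-a", "db-password", b"constructed-sample-secret")
    return storage
```

A copy of either store alone yields no plaintext: the second store has ciphertext and IV but no key, and the first store has only a key that the vault must unwrap inside the matching customer partition.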
18 Claims
1. A method of secure storage, comprising:
- receiving a request to securely store data associated with a customer, the request comprising data to be stored;
- generating an initialization vector to be used during encryption of the data to be stored;
- transmitting the data to be stored and the initialization vector to an encryption service for encryption, wherein the encryption service is configured to, based on receiving the data to be stored and the initialization vector, retrieve an encrypted private key from a first secure data store associated with the encryption service, and generate an encrypted version of the data to be stored using the initialization vector and a decrypted customer-specific key, and wherein a remote key vault is configured to generate the decrypted customer-specific key by decrypting the retrieved encrypted private key based on a customer-specific partition of the remote key vault;
- receiving information comprising the encrypted version of the data to be stored from the encryption service; and
- storing the encrypted version of the data to be stored and the initialization vector in a second secure data store that is independent of the first secure data store.

Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. A method of secure storage, comprising:
- receiving, from a product service, a request for securely stored data associated with a customer of the product service;
- based on receiving the request, retrieving, from a first secure data store, an encrypted version of the data and an associated initialization vector;
- transmitting the encrypted version of the data and the associated initialization vector to an encryption service for decryption, wherein the encryption service is configured to, based on receiving the encrypted version of the data and the associated initialization vector, retrieve an encrypted private key from a second secure data store that is associated with the encryption service and is independent of the first secure data store, and generate a decrypted version of the data by decrypting the encrypted version of the data using the initialization vector and a decrypted customer specific key, and wherein a remote key vault is configured to generate the decrypted customer-specific key by decrypting the retrieved encrypted private key based on a customer-specific partition of the remote key vault;
- receiving information comprising the decrypted version of the data from the encryption service; and
- providing, to the product service, the decrypted version of the data.

Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17

18. A system, comprising:
- one or more processors; and
- a memory storing computer-readable instructions that, when executed by the one or more processors, configure the one or more processors to:
  - receive, from a product service, a request for stored data, associated with a customer of the product service;
  - based on receiving the request, retrieve, from a first secure data store, an encrypted version of the data and an associated initialization vector;
  - transmit the encrypted version of the data and the associated initialization vector to an encryption service for decryption, wherein the encryption service is configured to, based on receiving the encrypted version of the data and the associated initialization vector, provide an encrypted private key, and generate a decrypted version of the data by decrypting the encrypted version of the data using the initialization vector and a decrypted customer-specific key, and wherein a remote key vault is configured to generate a decrypted customer-specific key by decrypting the encrypted private key based on a customer-specific partition of the remote key vault;
  - receive information comprising the decrypted version of the data from the encryption service; and
  - provide, to the product service, the decrypted version of the data, wherein the encryption service is further configured to store the encrypted private key in a second secure data store that is independent of the first secure data store.

Specification