Virtual cryptographic module with load balancer and cryptographic module fleet
First Claim
Patent Images
1. A system, comprising:
- a fleet of hardware security modules comprising a plurality of physical hardware security modules; and
a virtual load balancer comprising a hardware security module interface that;
monitors utilization of the fleet of hardware security modules to generate utilization information about the fleet of hardware security modules;
determines, based at least in part on the utilization information, that at least one condition to scale the fleet of hardware security modules is satisfied;
selects, from a pool of hardware security modules outside of the fleet of hardware security modules, a first hardware security module;
provides, to a second hardware security module that is in the fleet of hardware security modules, a network address of the first hardware security module;
obtains an indication that a cryptographically protected communications session was established between the first hardware security module and the second hardware security module and as a result generates a determination that the first hardware security module has joined the fleet;
updates a fleet directory to include the network address of the first hardware security module, as a result of obtaining the indication;
receives, to the hardware security module interface, a request to perform a cryptographic operation; and
routes the request to the first hardware security module.
1 Assignment
0 Petitions
Accused Products
Abstract
A virtual cryptographic module is used to perform cryptographic operations. The virtual cryptographic module may include a fleet of cryptographic modules and a load balancer that determines when a cryptographic module should be added to or removed from the fleet. The fleet size may be adjusted based on detecting a set of conditions that includes the utilization level of the fleet. One or more cryptographic modules of the fleet may be used to fulfill requests to perform cryptographic operations. A cryptographic module may be a hardware security module (“HSM”).
23 Citations
20 Claims
-
1. A system, comprising:
-
a fleet of hardware security modules comprising a plurality of physical hardware security modules; and a virtual load balancer comprising a hardware security module interface that; monitors utilization of the fleet of hardware security modules to generate utilization information about the fleet of hardware security modules; determines, based at least in part on the utilization information, that at least one condition to scale the fleet of hardware security modules is satisfied; selects, from a pool of hardware security modules outside of the fleet of hardware security modules, a first hardware security module; provides, to a second hardware security module that is in the fleet of hardware security modules, a network address of the first hardware security module; obtains an indication that a cryptographically protected communications session was established between the first hardware security module and the second hardware security module and as a result generates a determination that the first hardware security module has joined the fleet; updates a fleet directory to include the network address of the first hardware security module, as a result of obtaining the indication; receives, to the hardware security module interface, a request to perform a cryptographic operation; and routes the request to the first hardware security module. - View Dependent Claims (2, 3, 4, 5)
-
-
6. A computer-implemented method, comprising:
-
determining that at least one condition for scaling up a fleet of cryptographic modules is satisfied, the fleet of cryptographic modules comprising at least one physical cryptographic module and backing a virtual cryptographic module comprising a cryptographic module interface; providing, to a first cryptographic module in the fleet of cryptographic modules, information that causes the first cryptographic module to communicate with a second cryptographic module outside of the fleet of cryptographic modules; verifying that the second cryptographic module has joined the fleet of cryptographic modules by at least obtaining an indication that configuration data of the fleet of cryptographic modules was successfully transmitted through a cryptographically protected session established between the first cryptographic module and the second cryptographic module; updating, as a result of obtaining the indication, a fleet directory to indicate that the second cryptographic module has been added to the fleet of cryptographic modules; and causing a request to perform a cryptographic operation received to the cryptographic module interface to be fulfilled using the second cryptographic module. - View Dependent Claims (7, 8, 9, 10, 11, 12, 13)
-
-
14. A non-transitory computer-readable storage medium comprising executable instructions that, as a result of execution by one or more processors of a computer system, cause the computer system to at least:
-
detect satisfaction of a condition for scaling a fleet of cryptographic modules, two or more cryptographic modules of the fleet of cryptographic modules sharing copies of shared cryptographic information and performing cryptographic operations based at least in part on the shared cryptographic information; cause a first cryptographic module in the fleet of cryptographic modules to provide a copy of the shared cryptographic information to a second cryptographic module that is outside of the fleet of cryptographic modules; obtain an indication that an add operation was completed successfully and the copy of the shared cryptographic information is encrypted; update, as a result of obtaining the indication, a fleet directory to indicate that the second cryptographic module has been added to the fleet of cryptographic modules; and cause a first request transmitted by a requestor to a cryptographic module interface associated with the fleet of cryptographic modules to be fulfilled using the second cryptographic module. - View Dependent Claims (15, 16, 17, 18, 19, 20)
-
Specification