Data storage key rotation
First Claim
1. A computer-implemented method, comprising:
storing encrypted data on a data storage system, the data storage system accessible to a client computer system via a network, and the encrypted data encrypted with a first cryptographic key;
generating a second cryptographic key to replace the first cryptographic key;
providing the second cryptographic key to the data storage system;
obtaining executable code that is compatible with an execution environment on the data storage system, wherein the execution environment is sandboxed to prevent the executable code from interfering with other components of the data storage system;
uploading the executable code to the execution environment; and
initiating execution of the executable code within the execution environment, the execution of the executable code causing the data storage system to:
read the encrypted data from the data storage system into the execution environment;
decrypt the encrypted data, according to a cryptographic algorithm determined by the client computer system, using the first cryptographic key to produce plaintext data;
encrypt the plaintext data, according to a cryptographic algorithm determined by the client computer system, with a second cryptographic key to produce re-encrypted data; and
store the re-encrypted data to the data storage system.
1 Assignment
0 Petitions
Abstract
The present document describes a data storage system that includes a sandboxed execution environment. The execution environment is made available to clients of the data storage system. Clients are able to upload executable instructions to the execution environment, which can be used to manipulate data stored on the data storage system. In various examples, clients use the execution environment to perform key rotation operations on encrypted data stored on the data storage system. Clients transfer executable instructions and cryptographic keys to the execution environment, where the encrypted data stored on the data storage system can be read into the execution environment, decrypted with an old key, re-encrypted with a new key, and returned to the data storage system.
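The rotation routine that the abstract and the independent claims describe, written out as an added example in Go. This is not code from the patent or from any assignee's product. The claims leave the cryptographic algorithm to the client and fix no record format, so the example assumes AES-256-GCM and a constructed layout of key ID, nonce, ciphertext and tag; the functions Seal, Open and Rotate, the key IDs, and the demo keys in main are the example's own choices.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Record layout assumed for this example (the patent fixes none):
//   [4-byte key ID][12-byte nonce][AES-256-GCM ciphertext || 16-byte tag]
// The key ID is authenticated as associated data, so a record cannot be
// relabelled as belonging to a different key without failing the tag check.
const keyIDLen, hdrLen = 4, 4 + 12 // key ID, then the 12-byte GCM nonce

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key and stamps the record with keyID.
// A fresh random nonce is drawn per record: nonce reuse under GCM is fatal.
func Seal(key []byte, keyID uint32, plaintext []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	rec := make([]byte, hdrLen, hdrLen+len(plaintext)+g.Overhead())
	binary.BigEndian.PutUint32(rec[:keyIDLen], keyID)
	if _, err := rand.Read(rec[keyIDLen:hdrLen]); err != nil {
		return nil, err
	}
	nonce := append([]byte(nil), rec[keyIDLen:hdrLen]...) // copied so Seal's output
	aad := append([]byte(nil), rec[:keyIDLen]...)         // never aliases its inputs
	return g.Seal(rec, nonce, plaintext, aad), nil
}

// Open verifies the tag and decrypts rec, returning the key ID it was sealed under.
func Open(key, rec []byte) (uint32, []byte, error) {
	if len(rec) < hdrLen {
		return 0, nil, fmt.Errorf("record too short (%d bytes)", len(rec))
	}
	g, err := newGCM(key)
	if err != nil {
		return 0, nil, err
	}
	pt, err := g.Open(nil, rec[keyIDLen:hdrLen], rec[hdrLen:], rec[:keyIDLen])
	if err != nil {
		return 0, nil, fmt.Errorf("authentication failed: %w", err)
	}
	return binary.BigEndian.Uint32(rec[:keyIDLen]), pt, nil
}

// Rotate is the routine the client would upload to the storage-side sandbox:
// decrypt under the old key, re-encrypt under the new key, return the record to
// be stored. It fails closed: a tag failure (wrong key or modified data) or an
// unexpected key ID yields an error and the stored record is left untouched.
func Rotate(rec, oldKey []byte, oldID uint32, newKey []byte, newID uint32) ([]byte, error) {
	if len(rec) >= keyIDLen && binary.BigEndian.Uint32(rec[:keyIDLen]) == newID {
		// Re-run after an interruption: the cleartext header is only a hint,
		// so confirm under the new key before passing the record through.
		if _, pt, err := Open(newKey, rec); err == nil {
			zero(pt)
			return rec, nil
		}
	}
	id, pt, err := Open(oldKey, rec)
	if err != nil {
		return nil, fmt.Errorf("refusing to rotate: %w", err)
	}
	defer zero(pt) // plaintext exists only transiently inside the sandbox
	if id != oldID {
		return nil, fmt.Errorf("refusing to rotate: record is under key %d, expected %d", id, oldID)
	}
	return Seal(newKey, newID, pt)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	// Constructed demo keys; in the patent's flow the client generates the new
	// key and transfers both keys to the execution environment.
	k1, k2 := bytes.Repeat([]byte{1}, 32), bytes.Repeat([]byte{2}, 32)
	rec, _ := Seal(k1, 1, []byte("customer record"))
	rotated, err := Rotate(rec, k1, 1, k2, 2)
	_, _, oldErr := Open(k1, rotated)
	fmt.Printf("rotate error: %v; old key after rotation: %v\n", err, oldErr)
}
```

Two points the claims state only implicitly are made explicit here. First, because both keys and the plaintext are present inside the execution environment, the confidentiality of the operation rests entirely on the sandbox boundary the claims describe; the routine therefore keeps plaintext only for the duration of one record and never returns it. Second, the decrypt step must be an authenticated one that aborts on failure: re-encrypting data whose tag did not verify would launder a corrupted or wrong-key record into a validly tagged one under the new key.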
27 Citations
20 Claims
1. A computer-implemented method (claim 1 is reproduced in full above under First Claim). Dependent claims: 2, 3, 4.
5. A system, comprising a computing device that implements a data storage service to:
obtain, from a client computer system, encoded data that is encoded in accordance with a first encoding;
store, on a data storage device connected to the computing device, the encoded data;
obtain, from the client computer system, a second encoding and executable instructions that are compatible with an execution environment on the computing device, wherein the execution environment is sandboxed to prevent interference with other execution environments; and
decrypt the encoded data and re-encrypt the encoded data so that the encoded data is in accordance with the second encoding by at least in part executing the executable instructions, the executable instructions determining an algorithm for cryptographic operations, within the execution environment.
Dependent claims: 6, 7, 8, 9, 10, 11, 12.
13. A non-transitory computer-readable storage medium comprising executable instructions that, as a result of being executed by one or more processors of a storage controller, cause the storage controller to at least:
obtain, from a client computer system, encrypted data that is encrypted with a first cryptographic key;
store the encrypted data on a data storage device associated with the storage controller;
obtain, from a client computer system, the first cryptographic key and a second cryptographic key;
obtain, from the client computer system, information describing operations that are able to be performed within an execution environment on the storage controller, wherein the execution environment is sandboxed to prevent interference with other components of the storage controller; and
perform, within the execution environment, a sequence of operations, the sequence of operations causing the storage controller to:
decrypt the encrypted data, according to a cryptographic algorithm determined by the client computer system, using the first cryptographic key to produce plaintext data; and
encrypt the plaintext data, according to a cryptographic algorithm determined by the client computer system, using the second cryptographic key.
Dependent claims: 14, 15, 16, 17, 18, 19, 20.
Specification