Systems and methods for hierarchical key management in encrypted distributed databases

US 10,673,623 B2
Filed: 05/25/2017
Issued: 06/02/2020
Est. Priority Date: 09/25/2015
Status: Active Grant

First Claim

Patent Images

1. A distributed database system comprising:

at least a first database node of a plurality of database nodes hosting data of the distributed database system;

at least one internal database key;

at least one database with data to be encrypted and decrypted using the at least one internal database key comprising at least a portion of the data of the distributed database system;

a memory configured to store at least one master key;

a key management server interface configured to communicate with a key management server; and

a database component, executed by at least one hardware-based processor, configured to;

receive, into the memory, the master key from the key management server via the key management server interface;

encrypt and decrypt the at least one internal database key using the at least one master key; and

manage the at least one internal and master key for the plurality of database nodes; and

wherein the database component is further configured to;

manage key rotation functions for the at least one database;

demote a current primary node to be a secondary node of a respective replica set; and

elect one of at least a first secondary node and a second secondary node to be a next primary node of the respective replica set, wherein election includes validating execution of the key rotation functions, and wherein the next primary node is configured to accept and replicate write operations to secondary nodes in the replica set.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one aspect, methods and systems are provided for modifying an encryption scheme in a database system. The methods and systems can include at least one internal database key; at least one database configured to be encrypted and decrypted using the at least one internal database key; a memory configured to store a master key; a key management server interface configured to communicate with a key management server; and a database application configured to receive, into the memory, the master key from the key management server via the key management server interface, and encrypt and decrypt the at least one internal database key using the master key.

295 Citations

20 Claims

1. A distributed database system comprising:
- at least a first database node of a plurality of database nodes hosting data of the distributed database system;
  
  at least one internal database key;
  
  at least one database with data to be encrypted and decrypted using the at least one internal database key comprising at least a portion of the data of the distributed database system;
  
  a memory configured to store at least one master key;
  
  a key management server interface configured to communicate with a key management server; and
  
  a database component, executed by at least one hardware-based processor, configured to;
  
  receive, into the memory, the master key from the key management server via the key management server interface;
  
  encrypt and decrypt the at least one internal database key using the at least one master key; and
  
  manage the at least one internal and master key for the plurality of database nodes; and
  
  wherein the database component is further configured to;
  
  manage key rotation functions for the at least one database;
  
  demote a current primary node to be a secondary node of a respective replica set; and
  
  elect one of at least a first secondary node and a second secondary node to be a next primary node of the respective replica set, wherein election includes validating execution of the key rotation functions, and wherein the next primary node is configured to accept and replicate write operations to secondary nodes in the replica set.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The database system of claim 1, further comprising a storage engine configured to write encrypted data to the at least one database, the encrypted data generated with reference to the at least one internal database key.
  - 3. The database system of claim 1, wherein the database component is further configured to manage key rotation functions for the at least one database.
  - 4. The database system of claim 3, wherein the key rotation functions are performed within respective replica sets comprising a first primary node and at least a first and second secondary node, while the respective replica set of the database is available for read and write operations.
  - 5. The database system of claim 4, wherein the database component is further configured to perform a key rotation function on a node in a replica set by performing the key rotation function on the first secondary node of a respective replica set.
  - 6. The database system of claim 5, wherein the database component is further configured to validate the key rotation function prior to continuation of rotation operation on other nodes within the respective replica set of the distributed database.
  - 7. The database system of claim 5, wherein the database component is further configured to perform a key rotation function on a node in a replica set by performing the key rotation function on a second secondary node.
  - 8. The database system of claim 5, wherein the distribute database further comprises at least one storage API configured to:
    - manage retrieval and storage of the at least the portion of the database data using the at least one internal key.
  - 9. The database system of claim 8, wherein the database component is further configured to:
    - validate execution of the rotation function on at least the first and second secondary nodes prior to demotion of the current primary and election of the next primary.
  - 10. The database system of claim 8, wherein the database component is configured to disable read and write access to the demoted primary node and execute the key rotation function on the demoted primary node.
  - 11. The database system of claim 10, wherein the database component executes client requests for write and read operations on the respective replica set, replicating write operations executed on the next primary node to respective secondary nodes.

12. A computer implemented method for managing a distributed database, the method comprising:
- at least a first database node of a plurality of database nodes hosting data of the distributed database system;
  
  at least one internal database key;
  
  encrypting and decrypting, by at least one hardware-based processor, at least a portion of the data of the distributed database stored on at least a plurality of database nodes system using at least one internal database key;
  
  communicating, by the at least one hardware-based processor, with a key management server, wherein communicating includes receiving, by the at least one hardware-based processor, the master key from the key management server via a key management server interface;
  
  encrypting and decrypting, by the at least one hardware-based processor, the at least one internal database key using the at least one master key; and
  
  managing, by the at least one hardware-based processor, the at least one internal and master key for the plurality of database nodes; and
  
  managing, by the at least one hardware-based processor, key rotation functions for the at least one database;
  
  demoting, by the at least one hardware-based processor, a current primary node to be a secondary node of a respective replica set; and
  
  electing, by the at least one hardware-based processor, one of at least a first secondary node and a second secondary node to be a next primary node of the respective replica set, wherein electing includes validating execution of the key rotation functions, and wherein the next primary node is configured to accept and replicate write operations to secondary nodes in the replica set.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The method of claim 12, further comprising writing encrypted data to the at least one database, the encrypted data generated with reference to the at least one internal database key.
  - 14. The method of claim 12, further comprising managing key rotation functions for the at least one database.
  - 15. The method of claim 14, further comprising performing the key rotation functions within respective replica sets comprising a first primary node and at least a first and second secondary node, while the respective replica set of the database is available for read and write operations.
  - 16. The method of claim 15, wherein performing the key rotation function includes performing the key rotation function on the first secondary node of a respective replica set.
  - 17. The method of claim 16, further comprising validating the key rotation function prior to continuation of rotation operation on other nodes within the respective replica set of the distributed database.
  - 18. The method of claim 16, wherein performing the key rotation function includes performing the key rotation function on a second secondary node.
  - 19. The method of claim 16, further comprising managing retrieval and storing of the at least the portion of the database data with the at least one internal key via at least one storage API.
  - 20. The method of claim 19, further comprising validating execution of the rotation function on at least the first and second secondary nodes prior to demotion of the current primary and election of the next primary.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
MongoDB, Inc.
Original Assignee
MongoDB, Inc.
Inventors
Horowitz, Eliot, Nilsson, Per Andreas
Primary Examiner(s)
Lemma, Samson B

Application Number

US15/605,512
Publication Number

US 20170264432A1
Time in Patent Office

1,104 Days
Field of Search

380277, 713193
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

H04L 9/0822   using key encryption key

Systems and methods for hierarchical key management in encrypted distributed databases

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

295 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for hierarchical key management in encrypted distributed databases

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

295 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links