Systems and methods for hierarchical key management in encrypted distributed databases
Abstract
According to one aspect, methods and systems are provided for modifying an encryption scheme in a database system. The methods and systems can include at least one internal database key; at least one database configured to be encrypted and decrypted using the at least one internal database key; a memory configured to store a master key; a key management server interface configured to communicate with a key management server; and a database application configured to receive, into the memory, the master key from the key management server via the key management server interface, and encrypt and decrypt the at least one internal database key using the master key.
20 Claims
1. A distributed database system comprising:
at least a first database node of a plurality of database nodes hosting data of the distributed database system;
at least one internal database key;
at least one database with data to be encrypted and decrypted using the at least one internal database key comprising at least a portion of the data of the distributed database system;
a memory configured to store at least one master key;
a key management server interface configured to communicate with a key management server; and
a database component, executed by at least one hardware-based processor, configured to:
receive, into the memory, the master key from the key management server via the key management server interface;
encrypt and decrypt the at least one internal database key using the at least one master key; and
manage the at least one internal and master key for the plurality of database nodes; and
wherein the database component is further configured to:
manage key rotation functions for the at least one database;
demote a current primary node to be a secondary node of a respective replica set; and
elect one of at least a first secondary node and a second secondary node to be a next primary node of the respective replica set, wherein election includes validating execution of the key rotation functions, and wherein the next primary node is configured to accept and replicate write operations to secondary nodes in the replica set.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A computer implemented method for managing a distributed database, the method comprising:
at least a first database node of a plurality of database nodes hosting data of the distributed database system;
at least one internal database key;
encrypting and decrypting, by at least one hardware-based processor, at least a portion of the data of the distributed database stored on at least a plurality of database nodes system using at least one internal database key;
communicating, by the at least one hardware-based processor, with a key management server, wherein communicating includes receiving, by the at least one hardware-based processor, the master key from the key management server via a key management server interface;
encrypting and decrypting, by the at least one hardware-based processor, the at least one internal database key using the at least one master key; and
managing, by the at least one hardware-based processor, the at least one internal and master key for the plurality of database nodes; and
managing, by the at least one hardware-based processor, key rotation functions for the at least one database;
demoting, by the at least one hardware-based processor, a current primary node to be a secondary node of a respective replica set; and
electing, by the at least one hardware-based processor, one of at least a first secondary node and a second secondary node to be a next primary node of the respective replica set, wherein electing includes validating execution of the key rotation functions, and wherein the next primary node is configured to accept and replicate write operations to secondary nodes in the replica set.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20
Specification