Method and apparatus for using an external security device to secure data in a database
Abstract
One embodiment of the present invention provides a system that facilitates using an external security device to secure data in a database without having to modify database applications. The system operates by receiving a request at the database to perform an encryption/decryption operation, wherein the encryption/decryption operation is performed with the assistance of the external security module in a manner that is transparent to database applications. In response to the request, the system passes a wrapped (encrypted) column key (a key used to encrypt data within the database) to an external security module, wherein the wrapped column key is a column key encrypted with a master key that exists only within the external security module. The system then unwraps (decrypts) the wrapped column key in the external security module to retrieve the column key. Next, the system returns the column key to the database. The system then performs an encryption/decryption operation on data in the database using the column key. Finally, the system erases the column key from memory in the database.
30 Claims
1. A method for using an external security device to secure data in a database without having to modify database applications, the method comprising:
receiving a request at the database to perform an encryption/decryption operation, wherein the encryption/decryption operation is performed with the assistance of the external security module in a manner that is transparent to database applications;
in response to the request, passing a wrapped column key to the external security module, wherein the wrapped column key is a column key encrypted with a master key that exists only within the external security module;
decrypting the wrapped column key in the external security module to retrieve the column key;
returning the column key to the database;
performing an encryption/decryption operation on data in the database using the column key; and
erasing the column key from memory in the database.
Dependent claims: 2, 3, 4, 5, 6, 7, 8 (not reproduced here).
9. A method for using an external security device to secure data in a database without having to modify database applications, the method comprising:
receiving a request at the database to perform an encryption/decryption operation, wherein the encryption/decryption operation is performed with the assistance of the external security module in a manner that is transparent to database applications;
in response to the request, passing a wrapped column key and data to the external security module, wherein the wrapped column key is a column key encrypted with a master key that exists only within the external security module;
decrypting the wrapped column key within the external security module to retrieve the column key;
performing an encryption/decryption operation on the data within the external security module using the column key; and
returning the encrypted/decrypted data to the database.
Dependent claims: 10, 11, 12, 13, 14, 15 (not reproduced here).
16. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for using an external security device to secure data in a database without having to modify database applications, the method comprising:
receiving a request at the database to perform an encryption/decryption operation, wherein the encryption/decryption operation is performed with the assistance of the external security module in a manner that is transparent to database applications;
in response to the request, passing a wrapped column key to the external security module, wherein the wrapped column key is a column key encrypted with a master key that exists only within the external security module;
decrypting the wrapped column key in the external security module to retrieve the column key;
returning the column key to the database;
performing an encryption/decryption operation on data in the database using the column key; and
erasing the column key from memory in the database.
Dependent claims: 17, 18, 19, 20, 21, 22, 23 (not reproduced here).
24. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for using an external security device to secure data in a database without having to modify database applications, the method comprising:
receiving a request at the database to perform an encryption/decryption operation, wherein the encryption/decryption operation is performed with the assistance of the external security module in a manner that is transparent to database applications;
in response to the request, passing a wrapped column key and data to the external security module, wherein the wrapped column key is a column key encrypted with a master key that exists only within the external security module;
decrypting the wrapped column key within the external security module to retrieve the column key;
performing an encryption/decryption operation on the data within the external security module using the column key; and
returning the encrypted/decrypted data to the database.
Dependent claims: 25, 26, 27, 28, 29, 30 (not reproduced here).
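The two key-handling flows claimed above, simulated end to end: in the claim 1 flow the wrapped column key is unwrapped inside the external security module, the bare column key comes back to the database for the operation and is then erased from database memory; in the claim 9 flow the database sends the wrapped key together with the data into the module, the operation happens there, and only ciphertext or plaintext crosses the boundary. This is an added example, not code from the patent or from any product built on it. It assumes a toy HMAC-SHA256 counter-mode cipher with an authentication tag as a stand-in for whatever cipher a real deployment would use, and the class and method names (ExternalSecurityModule, Database, wrap_column_key, unwrap_column_key, insert_in_database, select_in_module and so on) are invented for the illustration.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys so the two uses never share key material.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256: a toy stand-in for a real block cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting, so a wrong key or a tampered blob is rejected."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class ExternalSecurityModule:
    """Stand-in for the external security module (invented name).

    The master key is generated here and there is deliberately no method that
    returns it: only wrapped keys, ciphertexts and plaintexts cross the boundary.
    """

    def __init__(self) -> None:
        self._master_key = secrets.token_bytes(32)

    def wrap_column_key(self, column_key: bytes) -> bytes:
        return toy_encrypt(self._master_key, column_key)

    # Claim 1 path: the module hands the bare column key back to the database.
    def unwrap_column_key(self, wrapped_column_key: bytes) -> bytes:
        return toy_decrypt(self._master_key, wrapped_column_key)

    # Claim 9 path: data comes in, the operation runs here, the column key never leaves.
    def encrypt_data(self, wrapped_column_key: bytes, data: bytes) -> bytes:
        return toy_encrypt(self.unwrap_column_key(wrapped_column_key), data)

    def decrypt_data(self, wrapped_column_key: bytes, blob: bytes) -> bytes:
        return toy_decrypt(self.unwrap_column_key(wrapped_column_key), blob)


class Database:
    """Stand-in for the database server; it persists only the wrapped column key."""

    def __init__(self, esm: ExternalSecurityModule) -> None:
        self.esm = esm
        # The plaintext column key exists here only long enough to be wrapped.
        self.wrapped_column_key = esm.wrap_column_key(secrets.token_bytes(32))
        self.rows = {}
        self.last_key_buffer = bytearray()  # kept only so the erase step can be inspected

    def _use_column_key(self, operation):
        """Claim 1 steps: unwrap in the module, use the key here, then erase it."""
        column_key = bytearray(self.esm.unwrap_column_key(self.wrapped_column_key))
        self.last_key_buffer = column_key
        try:
            return operation(bytes(column_key))
        finally:
            # Overwrite the buffer we control. Caveat: bytes() above made an immutable
            # copy that Python cannot zeroize; a native implementation would keep the
            # key in a single buffer it owns and wipe that.
            for i in range(len(column_key)):
                column_key[i] = 0

    def insert_in_database(self, row_id: str, plaintext: bytes) -> None:
        self.rows[row_id] = self._use_column_key(lambda k: toy_encrypt(k, plaintext))

    def select_in_database(self, row_id: str) -> bytes:
        return self._use_column_key(lambda k: toy_decrypt(k, self.rows[row_id]))

    def select_in_module(self, row_id: str) -> bytes:
        """Claim 9 steps: wrapped key and ciphertext go to the module, plaintext comes back."""
        return self.esm.decrypt_data(self.wrapped_column_key, self.rows[row_id])


if __name__ == "__main__":
    esm = ExternalSecurityModule()
    db = Database(esm)
    db.insert_in_database("ssn", b"123-45-6789")  # constructed sample row
    print(db.select_in_database("ssn"), db.select_in_module("ssn"), bytes(db.last_key_buffer))
```

The two paths trade off differently: the claim 1 path keeps bulk cryptography inside the database process and relies on the erase step to bound how long the column key is exposed, while the claim 9 path never exposes the column key to the database at all but pays a round trip to the module for every row. The authenticated wrap also means a wrapped key presented to a different module (a different master key) is rejected rather than silently unwrapping to garbage.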