Management of cryptographic keys for securing stored data
Abstract
Systems and methods secure data in storage. A management system generates a sequence of keys and an identifier of each key in the sequence. A current key in the sequence and the identifier of the current key are transferred from the management system to a storage system. The storage system encrypts the data into encrypted data using the current key. The storage system stores the identifier and the encrypted data. The identifier and the encrypted data are retrieved from the storage system. The key in the sequence identified by the identifier is transferred from the management system to the storage system. The storage system decrypts the encrypted data using the decryption key.
22 Claims
1. A system for securing stored data, comprising:

at least one storage system adapted to receive storage and retrieval requests, each storage system further adapted to, in response to each storage request received at the storage system, obtain a current cryptographic key and an identifier of the current cryptographic key within a sequence of cryptographic keys for the storage system, encrypt data from the storage request into encrypted data using the current cryptographic key, and store the encrypted data and the identifier in a storage media, and each storage system further adapted to, in response to each retrieval request received at the storage system, retrieve encrypted data and an identifier from the storage media, obtain a cryptographic key corresponding to the identifier within the sequence for the storage system, and decrypt the encrypted data using the cryptographic key; and

a management system coupled to the at least one storage system and adapted to generate the sequence of cryptographic keys for each storage system, the management system further adapted for each storage system to provide the current cryptographic key and the identifier of the current cryptographic key within the sequence for the storage system, and provide the cryptographic key corresponding to an identifier within the sequence for the storage system.

Dependent claims: 2, 3, 4, 5.
6. A method for securing first data in storage, comprising:

generating a sequence of combinations at a management system, wherein each combination includes an encryption key, a decryption key, and an identifier that identifies the combination;
transferring the identifier and the encryption key of a current one of the combinations from the management system to a storage system;
encrypting the first data into second data at the storage system using the encryption key;
storing the identifier and the second data in the storage system;
retrieving the identifier and the second data from the storage system;
transferring the decryption key of a combination identified in the sequence by the identifier from the management system to the storage system; and
decrypting the second data into third data at the storage system using the decryption key, wherein the third data matches the first data.

Dependent claims: 7 through 21.
22. An article of manufacture, comprising:

a processor-readable program storage medium configured with instructions for securing stored data, wherein execution of the instructions by a plurality of processors causes the processors to perform operations including:

client operations including receiving a storage request with data, and in response to the storage request, issuing an encryption request including an address of one of a plurality of storage systems, receiving an encryption reply including a current cryptographic key and an identifier of the current cryptographic key within a sequence for the storage system, encrypting the data into encrypted data using the current cryptographic key, storing the encrypted data and the identifier in the storage system, the client operations further including receiving a retrieval request, and in response to the retrieval request, retrieving encrypted data and an identifier from the storage system, issuing a decryption request including the identifier and the address of the storage system, receiving a decryption reply including the cryptographic key corresponding to the identifier within the sequence for the storage system, and decrypting the encrypted data using the cryptographic key; and

management operations including generating the sequence of cryptographic keys for each of the plurality of storage systems, the management operations further including, in response to each encryption request from each storage system, issuing an encryption reply including the current cryptographic key and the identifier of the current cryptographic key within the sequence associated with the address from the encryption request, and, in response to each decryption request from each storage system, issuing the decryption reply including the cryptographic key corresponding to the identifier from the decryption request within the sequence associated with the address from the decryption request.
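The storage and retrieval flow described in the abstract and in claims 1, 6 and 22 (a management system holds an ordered key sequence per storage system, each record is stored together with the identifier of the key that encrypted it, and retrieval looks the key up by that identifier), as an added Python example that is not part of the patent or its assignee's code. KeyManagementSystem, StorageSystem, the address "san-01" and the record layout are assumptions. The cipher is a symmetric HMAC-SHA256 keystream with an encrypt-then-MAC tag built from the standard library so the example runs offline; a real storage system would use AES-GCM or ChaCha20-Poly1305 from a vetted library, and claim 6's combinations allow the encryption and decryption keys to differ, which this symmetric example does not. It goes beyond the claims on two points a practitioner would want checked: the key identifier sits in the clear next to the ciphertext, so it is bound into the authentication tag (a record relabelled with another key's identifier is rejected instead of decrypting to garbage), and destroying one key in the sequence makes only the records written under it unrecoverable while later records still read.

```python
# Added example, not the patent's code: class names, the address "san-01" and the record
# layout are assumptions; an HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in
# for AES-GCM so the example runs on the standard library alone.
import hashlib, hmac, secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class StoredRecord:
    key_id: int        # identifier: position of the key within the storage system's sequence
    nonce: bytes
    ciphertext: bytes
    tag: bytes         # authenticates key_id, nonce and ciphertext together

class KeyManagementSystem:
    """The claims' management system: one ordered key sequence per storage system address."""
    def __init__(self) -> None:
        self._sequences: Dict[str, List[Optional[bytes]]] = {}

    def rotate(self, address: str) -> int:
        """Append a fresh key, which becomes the current key; return its identifier."""
        seq = self._sequences.setdefault(address, [])
        seq.append(secrets.token_bytes(32))
        return len(seq) - 1

    def current_key(self, address: str) -> Tuple[int, bytes]:
        """Encryption reply: the current key and its identifier in the sequence."""
        seq = self._sequences[address]
        return len(seq) - 1, seq[-1]

    def key_for(self, address: str, key_id: int) -> bytes:
        """Decryption reply: the key at position key_id, if it still exists."""
        seq = self._sequences[address]
        if not 0 <= key_id < len(seq) or seq[key_id] is None:
            raise KeyError(f"no usable key {key_id} in sequence for {address}")
        return seq[key_id]

    def destroy(self, address: str, key_id: int) -> None:
        """Crypto-shred: everything written under key_id becomes unrecoverable."""
        self._sequences[address][key_id] = None

def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from the one sequence key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def encrypt_record(key: bytes, key_id: int, plaintext: bytes) -> StoredRecord:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # The identifier is stored in the clear, so bind it into the tag: relabelling a record
    # with another key's identifier must fail authentication rather than decrypt to garbage.
    header = key_id.to_bytes(4, "big") + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return StoredRecord(key_id, nonce, ciphertext, tag)

def decrypt_record(key: bytes, rec: StoredRecord) -> bytes:
    enc_key, mac_key = _subkeys(key)
    header = rec.key_id.to_bytes(4, "big") + rec.nonce
    expected = hmac.new(mac_key, header + rec.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rec.tag):
        raise ValueError("authentication failed: record, key or key identifier mismatch")
    return bytes(c ^ k for c, k in zip(rec.ciphertext, _keystream(enc_key, rec.nonce, len(rec.ciphertext))))

class StorageSystem:
    """The claims' storage system: encrypt under the current key, decrypt by stored identifier."""
    def __init__(self, address: str, kms: KeyManagementSystem) -> None:
        self.address, self.kms = address, kms
        self.media: Dict[str, StoredRecord] = {}   # stands in for the storage media
        kms.rotate(address)                          # provision the first key in the sequence

    def store(self, name: str, data: bytes) -> int:
        key_id, key = self.kms.current_key(self.address)
        self.media[name] = encrypt_record(key, key_id, data)
        return key_id

    def retrieve(self, name: str) -> bytes:
        rec = self.media[name]
        return decrypt_record(self.kms.key_for(self.address, rec.key_id), rec)

def demo() -> dict:
    kms = KeyManagementSystem()
    san = StorageSystem("san-01", kms)
    out = {"a_key_id": san.store("a", b"record written before rotation")}
    kms.rotate("san-01")
    out["b_key_id"] = san.store("b", b"record written after rotation")
    out["a_plain"], out["b_plain"] = san.retrieve("a"), san.retrieve("b")
    rec = san.media["a"]                 # constructed tamper: relabel record a with key id 1
    forged = StoredRecord(1, rec.nonce, rec.ciphertext, rec.tag)
    try:
        decrypt_record(kms.key_for("san-01", 1), forged)
        out["relabel_rejected"] = False
    except ValueError:
        out["relabel_rejected"] = True
    kms.destroy("san-01", 0)             # shred key 0: a is unrecoverable, b still reads
    try:
        san.retrieve("a")
        out["a_shredded"] = False
    except KeyError:
        out["a_shredded"] = True
    out["b_still_readable"] = san.retrieve("b") == b"record written after rotation"
    return out
```

demo() stores one record, rotates the sequence, stores another, reads both back, then shows the relabelled record being rejected and the first record becoming unrecoverable once key 0 is destroyed. The claims say nothing about how the key travels between management system and storage system or how the management system protects the sequence at rest; in any deployment of this design that channel and the management system's key store are the trust boundary, since whoever can read the sequence can decrypt every record.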
Specification