ENCRYPTION KEY FRAGMENT DISTRIBUTION
First Claim
1. A computer-implemented method for distributing encryption key fragments across data stores located within a first geographic region and data stores located within a second geographic region that is different than and physically separated from the first geographic region, the method comprising:
- fragmenting an encryption key into a number, n, of encryption key fragments such that a number, k<n, of the encryption key fragments is sufficient for reconstructing the encryption key;
- distributing at least k of the encryption key fragments across data stores realized at N different availability zones within the first geographic region such that less than k of the encryption key fragments are distributed to each of the N availability zones within the first geographic region; and
- distributing at least k of the encryption key fragments across data stores realized at M different availability zones within the second geographic region such that less than k of the encryption key fragments are distributed to each of the M availability zones within the second geographic region.
Abstract
An encryption key may be fragmented into n encryption key fragments such that k<n fragments are sufficient for reconstructing the encryption key. The encryption key fragments may be distributed across data stores located within first and second geographic regions. For example, at least k of the encryption key fragments may be distributed across data stores realized at N different availability zones within the first geographic region such that less than k of the encryption key fragments are distributed to each of the N availability zones within the first geographic region. Similarly, at least k of the encryption key fragments may be distributed across data stores realized at M different availability zones within the second geographic region such that less than k of the encryption key fragments are distributed to each of the M availability zones within the second geographic region.
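The scheme in the abstract, sketched as an added example that is not code from the patent: it assumes Shamir secret sharing over a prime field as the k-of-n fragmentation (the claims name no particular scheme), and the zone names and round-robin placement are hypothetical. `place` rejects any layout where a region holds fewer than k fragments or a single availability zone holds k or more.

```python
import secrets

P = 2**521 - 1  # Mersenne prime; field large enough for a 256-bit key

def split(secret, k, n):
    """Shamir split (assumed scheme): n points on a random degree k-1 polynomial."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def combine(shares):
    """Lagrange interpolation at x=0 over GF(P); needs k distinct shares."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def place(fragments, k, zones):
    """Spread one region's fragments round-robin over its availability zones.
    Enforces the claimed constraints: >= k in the region, < k in every zone."""
    if len(zones) < 2 or len(fragments) < k:
        raise ValueError("need >= 2 zones and >= k fragments per region")
    plan = {z: [] for z in zones}
    for i, frag in enumerate(fragments):
        plan[zones[i % len(zones)]].append(frag)
    if any(len(held) >= k for held in plan.values()):
        raise ValueError("a zone would hold k or more fragments")
    return plan

def demo():
    k, n = 3, 8
    key = secrets.randbits(256)  # constructed sample key
    frags = split(key, k, n)
    # Hypothetical zone names: N=2 zones in region 1, M=3 zones in region 2.
    r1 = place(frags[:4], k, ["r1-az-a", "r1-az-b"])
    r2 = place(frags[4:], k, ["r2-az-a", "r2-az-b", "r2-az-c"])
    return key, r1, r2
```

With this layout either region can rebuild the key from its own zones, while the contents of any one zone stay below the threshold.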
15 Claims
1. A computer-implemented method for distributing encryption key fragments across data stores located within a first geographic region and data stores located within a second geographic region that is different than and physically separated from the first geographic region, the method comprising:
- fragmenting an encryption key into a number, n, of encryption key fragments such that a number, k<n, of the encryption key fragments is sufficient for reconstructing the encryption key;
- distributing at least k of the encryption key fragments across data stores realized at N different availability zones within the first geographic region such that less than k of the encryption key fragments are distributed to each of the N availability zones within the first geographic region; and
- distributing at least k of the encryption key fragments across data stores realized at M different availability zones within the second geographic region such that less than k of the encryption key fragments are distributed to each of the M availability zones within the second geographic region.

(Dependent claims: 2, 3, 4, 5, 6, 7)

8. An encryption key fragment storage system comprising:
- computer hardware systems implementing N≧2 different data stores at N corresponding different availability zones located within a first geographic region;
- computer hardware systems implementing M≧2 different data stores at M corresponding different availability zones located within a second geographic region that is different from and physically separated from the first geographic region;
- an encryption key fragment distributor to:
  - access a number, n, of fragments of an encryption key, where a number, k<n, of the encryption key fragments is sufficient for reconstructing the encryption key;
  - distribute at least k of the encryption key fragments across the N data stores at the N availability zones within the first geographic region such that less than k of the encryption key fragments are distributed to each of the N availability zones within the first geographic region; and
  - distribute at least k of the encryption key fragments across the M data stores at the M availability zones within the second geographic region such that less than k of the encryption key fragments are distributed to each of the M availability zones within the second geographic region.

(Dependent claims: 9, 10, 11)

12. A non-transitory computer-readable storage medium storing instructions that, when executed by a computing system, cause the computing system to:
- access a number, n, of fragments of an encryption key where a number, k<n, of the encryption key fragments is sufficient for reconstructing the encryption key;
- distribute a first set of at least k of the encryption key fragments across N≧2 different data stores realized at N corresponding different availability zones within a first geographic region such that no more than k−1 unique encryption key fragments are distributed to each of the availability zones within the first geographic region; and
- distribute a second set of at least k of the encryption key fragments across M≧2 different data stores realized at M corresponding different availability zones within a second geographic region that is different than and physically separated from the first geographic region such that no more than k−1 unique encryption key fragments are distributed to each of the availability zones within the second geographic region.

(Dependent claims: 13, 14, 15)

Specification