CRYPTOGRAPHIC ERASURE OF SELECTED ENCRYPTED DATA

US 20130305057A1
Filed: 05/14/2012
Published: 11/14/2013
Est. Priority Date: 05/14/2012
Status: Active Grant

First Claim

Patent Images

1. A method for cryptographic erasure of selected encrypted data by a processor device in a computing environment, the method comprising:

configuring data files with a plurality of derived keys, the plurality of derived keys adapted to be individually shredded in a subsequent erasure operation, wherein the plurality of derived keys allow for cryptographic erasure of the selected encrypted data in the data files without necessitating at least one of removal and rewrite of retained data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Exemplary method, system, and computer program product embodiments for cryptographic erasure of selected encrypted data are provided. In one embodiment, by way of example only, data files are configured with a derived key. The derived keys adapted to be individually shredded in a subsequent erasure operation. The derived key allows for cryptographic erasure of the selected encrypted data in the data files without necessitating at least one of removal and rewrite of retained data. Additional system and computer program product embodiments are disclosed and provide related advantages.

115 Citations

View as Search Results

24 Claims

1. A method for cryptographic erasure of selected encrypted data by a processor device in a computing environment, the method comprising:
- configuring data files with a plurality of derived keys, the plurality of derived keys adapted to be individually shredded in a subsequent erasure operation, wherein the plurality of derived keys allow for cryptographic erasure of the selected encrypted data in the data files without necessitating at least one of removal and rewrite of retained data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further including, dividing each of the plurality of derived keys into at least two key parts, wherein redundant data of the at least two parts are deleted together.
  - 3. The method of claim 1, further including placing the plurality of derived keys in a key store data set (KSDS), wherein a label is provided for each of the at least two key parts.
  - 4. The method of claim 3, further including shredding the label and the at least two key parts of the selected encrypted data, wherein failure to shred each of the at least two key parts does not prohibit the shredding.
  - 5. The method of claim 4, further including rewriting the KSDS without the deleted label and the at least two deleted key parts.
  - 6. The method of claim 5, further including preventing an external reading of the plurality of divided keys by overwriting the plurality of divided keys in the KSDS, wherein forensic recovery means are prohibited from accessing the erased selected encrypted data.
  - 7. The method of claim 3, further including, in conjunction with the placing the plurality of derived keys in the KSDS, using a pointer to associate the selected encrypted data with the KSDS.
  - 8. The method of claim 1, further including performing the cryptographically erasing of the selected encrypted data in the data files via a plurality of applications, wherein the performing occurs in a plurality of data tape technology and sequentially written storage devices.

9. A system for cryptographic erasure of selected encrypted data in a computing environment, comprising:
- at least one tape drive, andat least one processor device connected to the at least one tape drive operable in the computing environment, wherein the at least one processor device is adapted for;
  
  configuring data files with a plurality of derived keys, the plurality of derived keys adapted to be individually shredded in a subsequent erasure operation, wherein the plurality of derived keys allow for cryptographic erasure of the selected encrypted data in the data files without necessitating at least one of removal and rewrite of retained data.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, further including, dividing each of the plurality of derived keys into at least two key parts, wherein redundant data of the at least two parts are deleted together.
  - 11. The system of claim 9, wherein the processor device is further adapted for placing the plurality of derived keys in a key store data set (KSDS), wherein a label is provided for each of the at least two key parts.
  - 12. The system of claim 11, wherein the processor device is further adapted for shredding the label and the at least two key parts of the selected encrypted data, wherein failure to shred each of the at least two key parts does not prohibit the shredding.
  - 13. The system of claim 12, wherein the processor device is further adapted for rewriting the KSDS without the deleted label and the at least two deleted key parts.
  - 14. The system of claim 13, wherein the processor device is further adapted for preventing an external reading of the plurality of divided keys by overwriting the plurality of divided keys in the KSDS, wherein forensic recovery means are prohibited from accessing the erased selected encrypted data.
  - 15. The system of claim 11, wherein the processor device is further adapted for, in conjunction with the placing the plurality of derived keys in a key store data set (KSDS), using a pointer to associate the selected encrypted data with the KSDS.
  - 16. The system of claim 9, wherein the processor device is further adapted for performing the cryptographically erasing of the selected encrypted data in the data files via a plurality of applications, wherein the performing occurs in a plurality of data tape technology and sequentially written storage devices.

17. A computer program product for cryptographic erasure of selected encrypted data in a computing environment by a processor device, the computer program product comprising a non-transitory computer-readable storage medium having computer-readable program code portions stored therein, the computer-readable program code portions comprising:
- a first executable portion for configuring data files with a plurality of derived keys, the plurality of derived keys adapted to be individually shredded in a subsequent erasure operation, wherein the plurality of derived keys allow for cryptographic erasure of the selected encrypted data in the data files without necessitating at least one of removal and rewrite of retained data.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The computer program product of claim 17, further including a second executable portion for dividing each of the plurality of derived keys into at least two key parts, wherein redundant data of the at least two parts are deleted together.
  - 19. The computer program product of claim 17, further including a second executable portion for, placing the plurality of derived keys in a key store data set (KSDS), wherein a label is provided for each of the at least two key parts.
  - 20. The computer program product of claim 19, further including a third executable portion for shredding the label and the at least two key parts of the selected encrypted data, wherein failure to shred each of the at least two key parts does not prohibit the shredding.
  - 21. The computer program product of claim 20, further including a fourth executable portion for rewriting the key files without the deleted label and the at least two deleted key parts.
  - 22. The computer program product of claim 21, further including a fifth executable portion for preventing an external reading of the plurality of divided keys by overwriting the plurality of divided keys in a key store data set (KSDS), wherein forensic recovery means are prohibited from accessing the erased selected encrypted data.
  - 23. The computer program product of claim 19, further including a third executable portion for, in conjunction with the placing the plurality of derived keys in a key store data set (KSDS), using a pointer to associate the selected encrypted data with the KSDS.
  - 24. The computer program product of claim 17, further including a second executable portion for performing the cryptographically erasing of the selected encrypted data in the data files via a plurality of applications, wherein the performing occurs in a plurality of data tape technology and sequentially written storage devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
GRECO, Paul Merrill, JAQUETTE, Glen Alan

Granted Patent

US 8,918,651 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/189
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06F 21/80   in storage media based on m...

G06F 2221/2107   File encryption

G06F 2221/2143   Clearing memory, e.g. to pr...

G06F 3/0652   Erasing, e.g. deleting, dat...

CRYPTOGRAPHIC ERASURE OF SELECTED ENCRYPTED DATA

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

115 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

CRYPTOGRAPHIC ERASURE OF SELECTED ENCRYPTED DATA

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

115 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links