DATA PROTECTION IN A STORAGE SYSTEM USING EXTERNAL SECRETS
Abstract
A system, method, and computer-readable storage medium for protecting a set of storage devices using a secret sharing scheme in combination with an external secret. An initial master secret is generated and then transformed into a final master secret using an external secret. A plurality of shares are generated from the initial master secret and distributed to the storage devices. The data of each storage device is encrypted with a device-specific key, and this key is encrypted using the final master secret. In order to read the data on a given storage device, the initial master secret is reconstructed from a threshold number of shares and the external secret is retrieved. Next, the initial master secret is transformed into the final master secret using the external secret, and then the final master secret is used to decrypt the encrypted key of a given storage device.
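The flow described in the abstract, as an added Python example that is not taken from the patent: a threshold number of shares alone does not unwrap a device key without the external secret. Assumptions: Shamir sharing over the field of order 2^521 - 1, HMAC-SHA256 as the transform, an XOR pad standing in for a real key-wrap cipher such as AES-KW, and the constructed device name `drive-0`.

```python
import hashlib, hmac, secrets

P = 2**521 - 1  # Mersenne prime; the field comfortably holds a 256-bit secret

def split(secret: int, k: int, n: int):
    """Shamir split: any k of the n shares recover `secret`."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def combine(shares):
    """Lagrange interpolation of the share polynomial at x = 0."""
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

def to_final(initial: int, external: bytes) -> bytes:
    # Assumed transform: HMAC-SHA256 keyed by the external secret.
    return hmac.new(external, initial.to_bytes(66, "big"), hashlib.sha256).digest()

def wrap(final: bytes, device_id: bytes, key: bytes) -> bytes:
    # Stand-in for a real key wrap (e.g. AES-KW): XOR with a per-device pad.
    pad = hmac.new(final, b"wrap" + device_id, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, pad))

unwrap = wrap  # XOR with the same pad is its own inverse

def demo():
    # All values below are constructed for the example.
    initial = secrets.randbits(256)        # initial master secret
    external = secrets.token_bytes(32)     # stored separately from the system
    shares = split(initial, k=3, n=5)      # one share per storage device
    dev_key = secrets.token_bytes(32)      # device-specific data key
    blob = wrap(to_final(initial, external), b"drive-0", dev_key)
    # Normal read path: threshold shares plus the external secret.
    ok = unwrap(to_final(combine(shares[:3]), external), b"drive-0", blob) == dev_key
    # Threshold shares but a guessed external secret: the key stays wrapped.
    guessed = unwrap(to_final(combine(shares[1:4]), bytes(32)), b"drive-0", blob) == dev_key
    # Fewer shares than the threshold do not yield the initial master secret.
    short = combine(shares[:2]) == initial
    return ok, guessed, short
```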
20 Claims
1. A computing system comprising a plurality of storage devices, wherein the computing system is configured to:
- generate a plurality of shares from an initial master secret;
- store one or more shares on one or more storage devices of the plurality of storage devices;
- transform the initial master secret into a final master secret using one or more external secrets, wherein the one or more external secrets are stored separately from the computing system; and
- utilize the final master secret to encrypt at least a portion of data stored on each storage device of the plurality of storage devices.

Dependent claims: 2, 3, 4, 5, 6, 7

8. A method comprising:
- generating a plurality of shares from an initial master secret;
- storing one or more shares on one or more storage devices of a plurality of storage devices of a computing system;
- transforming the initial master secret into a final master secret using one or more external secrets, wherein the one or more external secrets are stored separately from the computing system; and
- utilizing the final master secret to encrypt at least a portion of data stored on each storage device of the plurality of storage devices.

Dependent claims: 9, 10, 11, 12, 13, 14

15. A non-transitory computer readable storage medium comprising program instructions, wherein the program instructions are executable to:
- generate a plurality of shares from an initial master secret;
- store one or more shares on one or more storage devices of a plurality of storage devices of a computing system;
- transform the initial master secret into a final master secret using one or more external secrets, wherein the one or more external secrets are stored separately from the computing system; and
- utilize the final master secret to encrypt at least a portion of data stored on each storage device of the plurality of storage devices.

Dependent claims: 16, 17, 18, 19, 20
Specification