SECURE KEY MANAGEMENT PROTOCOL FOR DISTRIBUTED NETWORK ENCRYPTION
First Claim
1. A method of providing encryption services in a system comprising a plurality of computing machines, the method comprising:
from a server that provides encryption rules for encrypting messages on a host on which a plurality of compute nodes (CNs) execute, receiving a key voucher at the host;
sending the key voucher to a key manager that is different than the server, in order to retrieve an encryption key, said key voucher authenticating the host as an authorized key requestor;
receiving a key from the key manager; and
encrypting a message sent by a compute node on the host using the received key.
Abstract
For an encryption management module of a host that executes one or more data compute nodes (DCNs), some embodiments of the invention provide a method of providing key management and encryption services. The method first receives, at the encryption management module, an encryption key ticket to be used to retrieve from a key manager the encryption key identified by the ticket. Once the encryption key has been retrieved, the method uses it to encrypt a message sent by a data compute node executing on the host, where an encryption rule requires that message to be encrypted. In some embodiments the encryption key ticket is generated for a specific encryption management module, to implement the principle of least privilege; the ticket acts as a security token when retrieving encryption keys from the key manager. Ticket distribution and encryption rule distribution are independent of each other in some embodiments.
29 Claims
1. A method of providing encryption services in a system comprising a plurality of computing machines, the method comprising:
from a server that provides encryption rules for encrypting messages on a host on which a plurality of compute nodes (CNs) execute, receiving a key voucher at the host;
sending the key voucher to a key manager that is different than the server, in order to retrieve an encryption key, said key voucher authenticating the host as an authorized key requestor;
receiving a key from the key manager; and
encrypting a message sent by a compute node on the host using the received key.
Dependent claims: 2-13.

14. A method of providing encryption keys in a system comprising a plurality of computing machines, the method comprising:
receiving a key voucher at a key manager, said key voucher authenticating the host as an authorized key requestor;
verifying that the key voucher is valid; and
returning an encryption key identified by the key voucher to the host from which the key voucher was received for the host to use in encrypting messages sent from a compute node (CN) executing on the host.
Dependent claims: 15-21.

22. A method of configuring a system to provide encryption services in a system comprising a plurality of computing machines, the method comprising:
receiving an encryption key policy from a manager computer;
generating, for an encryption management module executing on a host computer, a key voucher based on the received encryption key policy; and
sending the generated key voucher to the encryption management module to be used to retrieve, from a key manager, an encryption key identified by the key voucher.
Dependent claims: 23-29.
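The three-party exchange that the abstract and independent claims 1, 14 and 22 describe, as an added example written for this page (it is not code from the patent or its assignee): a rule server turns a key policy into a voucher for one host, the host's encryption management module redeems the voucher at a separate key manager, and the host then encrypts a compute node's message with the returned key. The patent specifies neither a ticket format nor a cipher, so the HMAC-SHA256 ticket layout, the requester-identity check, AES-256-GCM, and every name and sample value below are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Ticket is the key voucher: it names a key and the one host entitled to it, carries an
// expiry, and is authenticated by an HMAC under a secret shared by the issuing server
// and the key manager (assumed format). The key material itself never rides in it.
type Ticket struct {
	HostID string
	KeyID  string
	Expiry int64 // Unix seconds
	MAC    []byte
}

// ticketMAC length-prefixes each field so a (host, key) pair cannot be re-split.
func ticketMAC(secret []byte, hostID, keyID string, expiry int64) []byte {
	m := hmac.New(sha256.New, secret)
	fmt.Fprintf(m, "%d:%s|%d:%s|%d", len(hostID), hostID, len(keyID), keyID, expiry)
	return m.Sum(nil)
}

// IssueTicket (claim 22) runs on the rule server: it turns the manager's key policy
// (which host may fetch which key, and for how long) into a voucher for that host.
func IssueTicket(secret []byte, hostID, keyID string, ttl time.Duration, now time.Time) Ticket {
	exp := now.Add(ttl).Unix()
	return Ticket{hostID, keyID, exp, ticketMAC(secret, hostID, keyID, exp)}
}

// KeyManager holds the keys and the ticket secret; it never sees the encryption rules.
type KeyManager struct {
	secret []byte
	keys   map[string][]byte
}

// Redeem (claim 14) verifies the voucher and releases only the key it names to the
// host it names. requester is the peer identity the transport established (for
// example a TLS client certificate), so a leaked ticket cannot be redeemed elsewhere.
func (km *KeyManager) Redeem(t Ticket, requester string, now time.Time) ([]byte, error) {
	switch {
	case !hmac.Equal(t.MAC, ticketMAC(km.secret, t.HostID, t.KeyID, t.Expiry)):
		return nil, errors.New("ticket: bad MAC")
	case now.Unix() >= t.Expiry:
		return nil, errors.New("ticket: expired")
	case t.HostID != requester:
		return nil, errors.New("ticket: issued to a different host")
	}
	if key, ok := km.keys[t.KeyID]; ok {
		return append([]byte(nil), key...), nil
	}
	return nil, errors.New("ticket: unknown key id")
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the host-side step of claim 1: AES-256-GCM over a compute node's message,
// with the sending host bound in as associated data. Output is nonce || ciphertext || tag.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt is what a receiving host runs after redeeming its own voucher for the same key.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("decrypt: bad key or truncated ciphertext")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

func main() {
	// Constructed demo values; a real deployment provisions these out of band.
	secret, now := []byte("ticket-secret-shared-by-server-and-key-manager"), time.Unix(1700000000, 0)
	km := &KeyManager{secret, map[string][]byte{"key-tenant-a": make([]byte, 32)}} // all-zero key, demo only
	tk := IssueTicket(secret, "host-7", "key-tenant-a", time.Hour, now)
	key, err := km.Redeem(tk, "host-7", now)
	ct, _ := Encrypt(key, []byte("packet from DCN vm-12"), []byte("host-7"))
	fmt.Printf("host-7 redeem err=%v, ciphertext %d bytes\n", err, len(ct))
	_, err = km.Redeem(tk, "host-9", now) // the same voucher presented by another host
	fmt.Println("host-9 redeem:", err)
}
```

Two points of the design carry the least-privilege claim: the ticket secret is shared only between the server and the key manager, never with hosts, so a host can present vouchers but not mint them; and the key manager releases exactly the key the voucher names, without ever learning the encryption rules. The requester check assumes the transport authenticates the host; without that, the voucher is a bearer token, and a deployment would want single-use tracking or short TTLs to bound replay.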
Specification