System and method for securely replicating a configuration database of a security appliance
Abstract
A system and method securely replicates a configuration database of a security appliance. Keys stored on an original configuration database of an original security appliance are organized as a novel key hierarchy. A replica or clone of the original security appliance may be constructed in accordance with a cloning technique of the invention. Construction of the cloned security appliance illustratively involves sharing of data between the appliances, as well as substantially replicating the key hierarchy on a cloned configuration database of the cloned appliance.
17 Claims
1. A method for securely replicating a configuration database of a security appliance, the method comprising:
- loading a copy of data of an original configuration database from an original security appliance onto a cloned configuration database of a cloned security appliance, wherein the configuration database comprises encryption keys used to perform at least one of encrypting the data and decrypting the data stored on cryptainers;
- generating a first non-recoverable recovery policy key of a key hierarchy for storage on the cloned configuration database; and
- applying recovery keys, from a quorum of recovery cards of the cloned security appliance, to one or more recoverable recovery policy keys of the cloned configuration database to restore all keys from a corresponding recoverable portion of the key hierarchy on the cloned security appliance to thereby substantially replicate all key material of the original configuration database on the cloned configuration database of the cloned security appliance.
4. A system configured to securely replicate a configuration database of a security appliance, the system comprising:
- a first configuration database including a copy of data stored on a second configuration database, wherein the configuration database comprises encryption keys used to perform at least one of encrypting the data and decrypting the data stored on cryptainers;
- a first security appliance coupled to the first configuration database, the first security appliance configured to generate a first non-recoverable recovery policy key of a key hierarchy for storage on the first configuration database; and
- one or more recovery cards of the first security appliance, the one or more recovery cards configured to apply one or more recovery keys, from a quorum of the one or more recovery cards, to one or more recoverable recovery policy keys of the first configuration database to restore all keys from a corresponding recoverable portion of the key hierarchy on the first security appliance, thereby replicating key material of the second configuration database on the first configuration database.
8. A key hierarchy configured to organize keys stored on a configuration database of a security appliance, the key hierarchy comprising:
- a master key generated by a storage encryption processor (SEP) of the security appliance;
- a plurality of recovery policy keys generated by the SEP and wrapped with the master key;
- one or more domain keys generated by the SEP, each domain key wrapped with one of the recovery policy keys;
- one or more cryptainer keys generated by the SEP, each cryptainer key wrapped with one of the domain keys; and
- one or more recovery keys, from a quorum of one or more recovery cards, utilized to enable restoration of at least one recovery policy key and those domain keys and those cryptainer keys below the at least one recovery policy key in the key hierarchy.
14. An apparatus configured to securely replicate a configuration database of a security appliance, the apparatus comprising:
- means for loading a copy of data of an original configuration database from an original security appliance onto a cloned configuration database of a cloned security appliance, wherein the configuration database comprises encryption keys used to perform at least one of encrypting the data and decrypting the data stored on cryptainers;
- means for generating a first non-recoverable recovery policy key of a key hierarchy for storage on the cloned configuration database; and
- means for applying recovery keys, from a quorum of recovery cards of the cloned security appliance, to one or more recoverable recovery policy keys of the cloned configuration database to restore all keys from a corresponding recoverable portion of the key hierarchy on the cloned security appliance to thereby replicate key material of the original configuration database on the cloned configuration database of the cloned security appliance.
16. A computer readable storage medium containing program instructions executed by a processor, comprising:
- program instructions that load a copy of data on an original configuration database from an original security appliance onto a cloned configuration database of a cloned security appliance, wherein the configuration database comprises encryption keys used to perform at least one of encrypting the data and decrypting the data stored on cryptainers;
- program instructions that generate a first non-recoverable recovery policy key of a key hierarchy for storage on the cloned configuration database; and
- program instructions that apply appropriate recovery keys, from a quorum of recovery cards of the cloned security appliance, to one or more recoverable recovery policy keys of the cloned configuration database to restore all keys from a corresponding recoverable portion of the key hierarchy on the cloned security appliance to thereby replicate key material of the original configuration database on the cloned configuration database of the cloned security appliance.
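The key hierarchy of claim 8 and the cloning steps of claim 1 can be modelled in a few lines; this is an added illustration, not code from the patent or from any product. It assumes a toy HMAC-based wrap in place of a real key-wrap algorithm, Shamir secret sharing as the quorum mechanism for the recovery cards, a recoverable recovery policy key that is additionally stored wrapped under the recovery key, and a cloned appliance whose SEP holds its own master key. The database field names are hypothetical.

```python
import hashlib, hmac, secrets

P = 2**521 - 1  # prime field for the Shamir shares

def H(k, m):
    return hmac.new(k, m, hashlib.sha256).digest()

def wrap(kek, key):  # toy stand-in for a real key wrap such as AES-KW
    n = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(key, H(kek, b"enc" + n)))
    return n + ct + H(kek, b"mac" + n + ct)

def unwrap(kek, blob):
    n, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, H(kek, b"mac" + n + ct)):
        raise ValueError("wrong wrapping key")
    return bytes(a ^ b for a, b in zip(ct, H(kek, b"enc" + n)))

def make_cards(m, n):  # m-of-n Shamir shares, one per recovery card
    coef = [secrets.randbelow(P) for _ in range(m)]
    cards = [(x, sum(c * pow(x, i, P) for i, c in enumerate(coef)) % P) for x in range(1, n + 1)]
    return hashlib.sha256(coef[0].to_bytes(66, "big")).digest(), cards

def recovery_key(cards):  # Lagrange interpolation at x = 0
    s = 0
    for xj, yj in cards:
        lj = 1
        for xm, _ in cards:
            if xm != xj:
                lj = lj * xm * pow((xm - xj) % P, -1, P) % P
        s = (s + yj * lj) % P
    return hashlib.sha256(s.to_bytes(66, "big")).digest()

def build_original(rk):  # master key -> recovery policy keys -> domain key -> cryptainer key
    mk, rpk_rec, rpk_local, dk, ck = (secrets.token_bytes(32) for _ in range(5))
    db = {"rpk_rec.mk": wrap(mk, rpk_rec), "rpk_rec.rk": wrap(rk, rpk_rec),
          "rpk_local.mk": wrap(mk, rpk_local),
          "dk": wrap(rpk_rec, dk), "ck": wrap(dk, ck)}
    return mk, db, ck

def clone(db, cards):
    mk2, new = secrets.token_bytes(32), dict(db)  # assumed: clone has its own master key
    rpk_rec = unwrap(recovery_key(cards), new["rpk_rec.rk"])  # fails without a quorum
    new["rpk_rec.mk"] = wrap(mk2, rpk_rec)
    new["rpk_local.mk"] = wrap(mk2, secrets.token_bytes(32))  # fresh non-recoverable key
    return mk2, new

def cryptainer_key(mk, db):
    rpk = unwrap(mk, db["rpk_rec.mk"])
    return unwrap(unwrap(rpk, db["dk"]), db["ck"])
```

In this model the copied database alone is useless to the clone: entries wrapped under the original master key stay opaque until a quorum of cards re-establishes the recoverable recovery policy key, and the non-recoverable key is never carried over.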
Specification