System and method for securely storing cryptographic keys with encrypted data
Abstract
The payload of a set of storage devices is encrypted using a payload key that is stored within the set of storage devices itself. However, the payload key is obtainable only if a user has access to n of the storage devices. A first set of keys can be distributed among a set of n storage devices, such that each key is usable to encrypt and/or decrypt a key stored on a different one of the n storage devices. The first set of keys is usable to encrypt portions of the information needed to regenerate another key (e.g., the payload key or a key used to encrypt the payload key). A different portion of the information needed to regenerate the other key is stored on each of the n storage devices. Accordingly, the other key cannot be obtained unless the user has access to all n storage devices.
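The arrangement in the abstract can be sketched as follows. This is an added example, not code from the patent: the ring layout (each share wrapped under the key kept on the neighbouring device), the XOR split of the payload key, the stdlib encrypt-then-MAC construction standing in for a real AEAD, and all function names are assumptions made for illustration.

```python
import hashlib, hmac, os

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _stream(key, nonce, n):
    return hashlib.shake_256(b"enc" + key + nonce).digest(n)

def seal(key, plaintext):
    """Encrypt-then-MAC from stdlib primitives (stand-in for a real AEAD)."""
    nonce = os.urandom(16)
    ct = _xor(plaintext, _stream(key, nonce, len(plaintext)))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong device key or tampered blob")
    return _xor(ct, _stream(key, nonce, len(ct)))

def provision(payloads):
    """Build one record per device; the payload key itself is never stored."""
    n = len(payloads)
    payload_key = os.urandom(32)
    shares = [os.urandom(32) for _ in range(n - 1)]
    last = payload_key
    for s in shares:
        last = _xor(last, s)
    shares.append(last)  # XOR of all n shares equals payload_key
    device_keys = [os.urandom(32) for _ in range(n)]
    return [{
        "device_key": device_keys[i],  # readable by anyone holding device i
        # Share i is wrapped under the key kept on the previous device (ring).
        "wrapped_share": seal(device_keys[i - 1], shares[i]),
        "payload": seal(payload_key, payloads[i]),
    } for i in range(n)]

def recover(devices):
    """Rebuild the payload key from the full set and decrypt every payload."""
    payload_key = bytes(32)
    for i, dev in enumerate(devices):
        neighbour_key = devices[i - 1]["device_key"]
        payload_key = _xor(payload_key, unseal(neighbour_key, dev["wrapped_share"]))
    return [unseal(payload_key, dev["payload"]) for dev in devices]

# Constructed sample data: three devices, one payload each.
SAMPLE = [b"volume-0 data", b"volume-1 data", b"volume-2 data"]
```

With any one device removed, some remaining share is wrapped under a key that is no longer available, so `recover` raises `ValueError` instead of returning data.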
23 Claims
1. A method comprising:
- reading a first cryptographic key from a first storage device;
- using the first cryptographic key to decrypt a first set of information stored on a second storage device, wherein
  - the second storage device is separate from the first storage device,
  - the first set of information stored on the second storage device comprises
    - at least a portion of a second cryptographic key, and
    - information usable to decrypt an additional portion of the second cryptographic key, and
  - the second cryptographic key is usable to decrypt user information stored on the first storage device.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. A system comprising:
- means for reading a first cryptographic key from a first storage device; and
- means for using the first cryptographic key to decrypt a first set of information stored on a second storage device, wherein
  - the first set of information comprises
    - at least a portion of a second cryptographic key, and
    - information usable to decrypt an additional portion of the second cryptographic key,
  - the second cryptographic key is usable to decrypt user information stored on the first storage device, and
  - the second storage device is separate from the first storage device.
Dependent claims: 13

14. A non-transitory computer-readable storage medium comprising program instructions executable to:
- read a first cryptographic key from a first storage device; and
- use the first cryptographic key to decrypt a set of information stored on a second storage device, wherein
  - the second storage device is separate from the first storage device,
  - the first set of information stored on the second storage device comprises:
    - at least a portion of a second cryptographic key, and
    - information usable to decrypt an additional portion of the second cryptographic key, and
  - the second cryptographic key is usable to decrypt user information stored on the first storage device.
Dependent claims: 15

16. A system comprising:
- a key distribution module configured to:
  - generate a first cryptographic key and a second cryptographic key;
  - subdivide the second cryptographic key into a plurality of portions;
  - initiate encryption of each of the portions of the second cryptographic key, wherein at least one portion of the second cryptographic key is encrypted using the first cryptographic key; and
  - store each encrypted portion of the second cryptographic key to a respective one of a plurality of storage devices, wherein
    - each of the storage devices stores encrypted user data,
    - the second cryptographic key is usable for recovery of the encrypted user data,
    - each of the storage devices stores a different encrypted portion of the second cryptographic key,
    - the key distribution module is configured to:
      - generate a plurality of first cryptographic keys, wherein the plurality of first cryptographic keys comprises the first cryptographic key,
      - initiate encryption of each portion of the second cryptographic key using a respective one of the first cryptographic keys, wherein each of the first cryptographic keys is used to encrypt a different portion of the second cryptographic key, and
      - store each of the first cryptographic keys on a different one of the plurality of storage devices than the respective portion of the second cryptographic key.
Dependent claims: 17

18. A system comprising:
- a processor configured to:
  - read a first cryptographic key from a first storage device; and
- a distributed decryption module configured to:
  - use the first cryptographic key to decrypt a set of information stored on a second storage device, wherein
    - the second storage device is separate from the first storage device, and
    - the set of information is usable to obtain a second cryptographic key, and
    - the second cryptographic key is usable to obtain user information stored on the first storage device.
Dependent claims: 19

20. A method comprising:
- reading a first device key from a first storage device;
- reading a first set of information stored on a second storage device, wherein
  - the second storage device is separate from the first storage device, and
  - the first set of information stored on the second storage device is stored in encrypted form on the second storage device;
- using the first device key to decrypt the first set of information stored on the second storage device, wherein the first set of information stored on the second storage device comprises:
  - a first portion of a payload key, and
  - a second device key,
- reading a first set of information stored on a third storage device, wherein
  - the third storage device is separate from the first and second storage devices, and
  - the first set of information stored on the third storage device is stored in encrypted form on the third storage device;
- using the second device key to decrypt the first set of information stored on the third storage device, wherein the first set of information stored on the third storage device comprises a second portion of the payload key, and
- reading a payload data stored on the first storage device, wherein the payload data stored on the first storage device is stored in encrypted form on the first storage device; and
- using the payload key to decrypt the payload data stored on the first storage device.
Dependent claims: 21, 22, 23

Specification