Management of cryptographic keys for securing stored data
First Claim
Patent Images
1. A system for securing stored data, comprising:
- a storage system to;
receive storage and retrieval requests;
in response to the storage request received at the storage system, issue, to a management system, an encryption request including an address of the storage system;
in response to the encryption request, receive, from the management system, an encryption reply including a current cryptographic key and an identifier of the current cryptographic key within a sequence of cryptographic keys for the storage system;
encrypt data of the storage request into encrypted data using the current cryptographic key;
store the encrypted data and the identifier in a storage media;
in response to the retrieval request received at the storage system, retrieve encrypted data and a particular identifier from the storage media;
in response to the retrieval request received at the storage system, issue, to the management system, a decryption request including the particular identifier retrieved from the storage media and the address of the storage system;
receive, from the management system in response to the decryption request, a decryption reply including a cryptographic key corresponding to the particular identifier within the sequence for the storage system; and
decrypt the retrieved encrypted data using the cryptographic key in the decryption reply.
2 Assignments
0 Petitions
Accused Products
Abstract
A management system generates a sequence of keys and an identifier of each key in the sequence. A current key in the sequence and the identifier of the current key are transferred from the management system to a storage system. The storage system encrypts the data into encrypted data using the current key. The storage system stores the identifier and the encrypted data. The identifier and the encrypted data are retrieved from the storage system. The key in the sequence identified by the identifier is transferred from the management system to the storage system. The storage system decrypts the encrypted data using the decryption key.
47 Citations
12 Claims
-
1. A system for securing stored data, comprising:
a storage system to; receive storage and retrieval requests; in response to the storage request received at the storage system, issue, to a management system, an encryption request including an address of the storage system; in response to the encryption request, receive, from the management system, an encryption reply including a current cryptographic key and an identifier of the current cryptographic key within a sequence of cryptographic keys for the storage system; encrypt data of the storage request into encrypted data using the current cryptographic key; store the encrypted data and the identifier in a storage media; in response to the retrieval request received at the storage system, retrieve encrypted data and a particular identifier from the storage media; in response to the retrieval request received at the storage system, issue, to the management system, a decryption request including the particular identifier retrieved from the storage media and the address of the storage system; receive, from the management system in response to the decryption request, a decryption reply including a cryptographic key corresponding to the particular identifier within the sequence for the storage system; and decrypt the retrieved encrypted data using the cryptographic key in the decryption reply. - View Dependent Claims (2, 3, 4)
-
5. A method for securing first data, comprising:
-
receiving a storage request at a storage system to store the first data; in response to the storage request, issuing, by the storage system to a management system, an encryption request that includes a unique address of the storage system; receiving, at the storage system from the management system, a particular identifier and a particular encryption key in response to the encryption request, where the particular identifier and the particular encryption key are from a respective one of a sequence of combinations provided by the management system, and where each of the combinations includes a corresponding encryption key, a decryption key, and identifier of the corresponding combination; encrypting the first data into second data at the storage system using the particular encryption key; storing the particular identifier and the second data in the storage system; receiving a retrieval request at the storage system to retrieve the first data; in response to the retrieval request, retrieving the particular identifier and the second data, and issuing, by the storage system to the management system, a decryption request that includes the particular identifier and the unique address of the storage system; receiving, by the storage system from the management system in response to the decryption request, a decryption key of the combination identified in the sequence by the particular identifier; and decrypting the second data into third data at the storage system using the received decryption key, wherein the third data matches the first data. - View Dependent Claims (6, 7, 8, 9, 10, 11)
-
-
12. An article of manufacture, comprising:
a non-transitory computer-readable storage medium configured with instructions for securing first data, wherein execution of the instructions by a storage system causes the storage system to; receive a storage request to store the first data; in response to the storage request, issue, to a management system, an encryption request that includes a unique address of the storage system; receive, from the management system, a particular identifier and a particular encryption key in response to the encryption request, where the particular identifier and the particular encryption key are from a respective one of a sequence of combinations provided by the management system, and where each of the combinations includes a corresponding encryption key, a decryption key, and identifier of the corresponding combination; encrypt the first data into second data at the storage system using the particular encryption key; store the particular identifier and the second data in the storage system; receive a retrieval request at the storage system to retrieve the first data; in response to the retrieval request, retrieve the particular identifier and the second data, and issue, to the management system, a decryption request that includes the particular identifier and the unique address of the storage system; receive, from the management system in response to the decryption request, a decryption key of the combination identified in the sequence by the particular identifier; and decrypt the second data into third data at the storage system using the received decryption key, wherein the third data matches the first data.
Specification