System, method, and computer-readable medium for cryptographic key rotation in a database system
First Claim
1. A method of encryption key management in a database system deployed in a computer system, comprising:
storing a plurality of encryption keys each respectively in association with a generation identifier;
encrypting respective data of rows of a column of a database table using a respective one of the plurality of encryption keys; and
for each encrypted row of the column of the database table, storing, in the database table, cipher text resulting from encryption of the respective data and a respective generation identifier, wherein each respective generation identifier is configured to indicate the respective encryption key used to encrypt the data.
Abstract
A system, method, and computer-readable medium that facilitate key rotation without disrupting database access are provided. Generation identifiers that specify a particular encryption key are stored in association with the cipher text of encrypted columns in database tables. When data is to be read from an encrypted column, the cipher text is read along with its associated generation identifier, and the encryption key corresponding to that generation identifier is retrieved to decrypt the cipher text. When data is to be written to the encrypted column, the most recent encryption key is retrieved from the key repository to encrypt the data, and the cipher text is written to the encrypted column together with the generation identifier of the key used to encrypt it. Advantageously, key rotation may be performed without requiring that the table or database be taken offline or otherwise made unavailable during rotation.
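The read and write paths the abstract describes, as an added example that is not the patent's own code: an in-memory key ring keyed by generation identifier stands in for the key repository, an encrypted-column row carries cipher text plus its generation identifier, writes use the latest generation, reads use whichever generation the row names, and a rekeyRow step (not spelled out in the abstract) moves old rows forward so that a retired generation's key can eventually be deleted. AES-256-GCM as the cipher, the names keyRing, encRow, writeCell, readCell, rekeyRow, and the binding of row id and generation into the GCM associated data are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// keyRing stands in for the key repository (generation identifier -> AES-256 key); in-memory here, a KMS/HSM in practice.
type keyRing struct {
	keys   map[uint32][]byte
	latest uint32 // generation used for new writes
}
func newKeyRing() *keyRing { return &keyRing{keys: map[uint32][]byte{}} }

// rotate: a fresh key under the next generation becomes the write key; earlier generations stay readable.
func (r *keyRing) rotate() (uint32, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return 0, err
	}
	r.latest++
	r.keys[r.latest] = key
	return r.latest, nil
}

// retire deletes a generation's key: safe only once no row still carries it, and never for the write key.
func (r *keyRing) retire(gen uint32) error {
	if gen == r.latest {
		return fmt.Errorf("generation %d is the current write key", gen)
	}
	delete(r.keys, gen)
	return nil
}
func (r *keyRing) aead(gen uint32) (cipher.AEAD, error) {
	key, ok := r.keys[gen]
	if !ok {
		return nil, fmt.Errorf("no key for generation %d", gen)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encRow is one row of the encrypted column: cipher text plus the generation identifier of its key.
type encRow struct {
	ID         int
	Ciphertext []byte // nonce || AES-GCM ciphertext || tag
	Gen        uint32
}

// rowAAD binds row id and generation into the GCM tag (assumed here, not in the claims): cipher text
// copied into another row, or relabelled with a different generation, fails to open.
func rowAAD(id int, gen uint32) []byte { return []byte(fmt.Sprintf("row=%d;gen=%d", id, gen)) }

// writeCell encrypts with the most recent key and records its generation.
func writeCell(r *keyRing, id int, plaintext []byte) (encRow, error) {
	gen := r.latest
	aead, err := r.aead(gen)
	if err != nil {
		return encRow{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return encRow{}, err
	}
	ct := aead.Seal(nonce, nonce, plaintext, rowAAD(id, gen))
	return encRow{ID: id, Ciphertext: ct, Gen: gen}, nil
}

// readCell decrypts with whichever key the row's generation identifier names.
func readCell(r *keyRing, row encRow) ([]byte, error) {
	aead, err := r.aead(row.Gen)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(row.Ciphertext) < ns {
		return nil, fmt.Errorf("row %d: cipher text too short", row.ID)
	}
	return aead.Open(nil, row.Ciphertext[:ns], row.Ciphertext[ns:], rowAAD(row.ID, row.Gen))
}

// rekeyRow re-encrypts a row under the latest generation; run lazily on read or as a sweep, it is what lets an old generation be retired.
func rekeyRow(r *keyRing, row encRow) (encRow, error) {
	pt, err := readCell(r, row)
	if err != nil {
		return encRow{}, err
	}
	return writeCell(r, row.ID, pt)
}

func main() {
	ring := newKeyRing()
	ring.rotate()
	row, _ := writeCell(ring, 1, []byte("alice@example.com")) // constructed sample value
	ring.rotate()                                             // rotation: new writes use generation 2
	pt, err := readCell(ring, row)                            // row written under generation 1 still reads
	fmt.Printf("gen %d -> %q err=%v\n", row.Gen, pt, err)
	row, _ = rekeyRow(ring, row)
	fmt.Println("rekeyed to gen", row.Gen, "; retire gen 1:", ring.retire(1))
}
```

Two points a practitioner should take from this. The generation identifier sits in the clear beside the cipher text, so it tells an observer which rows predate a rotation and nothing more; everything rests on the key repository, which must keep every generation still referenced by some row under the same access control as the current key and refuse reads of retired ones. And a rotation only raises the write key; until every row has been rekeyed (lazily on read, or by a background sweep) the old key is still live, and deleting it early turns those rows into unreadable cipher text.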
34 Citations
20 Claims
1. A method of encryption key management in a database system deployed in a computer system, comprising:
storing a plurality of encryption keys each respectively in association with a generation identifier;
encrypting respective data of rows of a column of a database table using a respective one of the plurality of encryption keys; and
for each encrypted row of the column of the database table, storing, in the database table, cipher text resulting from encryption of the respective data and a respective generation identifier, wherein each respective generation identifier is configured to indicate the respective encryption key used to encrypt the data.
(Dependent claims 2 to 8.)

9. A computer-readable medium encoded with computer-executable instructions, the computer-executable instructions executable with a processor, the computer-readable medium comprising:
instructions to store a plurality of encryption keys each respectively in association with a generation identifier;
instructions to encrypt respective data of rows of a column of the database table with a respective one of the plurality of encryption keys; and
instructions to store, in the database table, for each encrypted row of the column of the database table, cipher text resulting from encryption of the respective data and a respective generation identifier, wherein each respective generation identifier is configured to indicate the respective encryption key used to encrypt the data.
(Dependent claims 10 to 16.)

17. A computer system having a database system deployed therein configured for encryption key management, comprising:
at least one storage medium on which the database system is stored; and
at least one processing module that is configured to:
store a plurality of encryption keys each respectively in association with a generation identifier;
encrypt respective data of rows of a column of a database table, wherein each row is encrypted with a respective one of the plurality of encryption keys; and
for each encrypted row of the column of the database table, store, in the database table, cipher text resulting from encryption of the respective data and a respective generation identifier, wherein each respective generation identifier is configured to indicate the respective encryption key used to encrypt the data.
(Dependent claims 18 to 20.)
Specification