Encryption key fragment distribution
First Claim

1. A method for distributing encryption key fragments across data stores located within a first geographic region and data stores located within a second geographic region that is different than and physically separated from the first geographic region, the method comprising:
- fragmenting, by a computer, an encryption key into a number, n, of encryption key fragments such that a number, k < n, of the encryption key fragments is sufficient for reconstructing the encryption key;
- distributing, by the computer, a first subset of at least k of the encryption key fragments across data stores realized at N different availability zones within the first geographic region such that less than k of the encryption key fragments are distributed to each of the N availability zones within the first geographic region;
- distributing, by the computer, a second subset of at least k of the encryption key fragments across data stores realized at M different availability zones within the second geographic region such that less than k of the encryption key fragments are distributed to each of the M availability zones within the second geographic region, wherein the encryption key fragments in the first subset have no overlap with the encryption key fragments in the second subset; and
- in response to determining that the computer is unable to obtain at least k of the encryption key fragments from the first geographic region, requesting encryption key fragments from the second geographic region for reconstructing the encryption key.
Abstract
An encryption key may be fragmented into n encryption key fragments such that k < n fragments are sufficient for reconstructing the encryption key. The encryption key fragments may be distributed across data stores located within first and second geographic regions. For example, at least k of the encryption key fragments may be distributed across data stores realized at N different availability zones within the first geographic region such that less than k of the encryption key fragments are distributed to each of the N availability zones within the first geographic region. Similarly, at least k of the encryption key fragments may be distributed across data stores realized at M different availability zones within the second geographic region such that less than k of the encryption key fragments are distributed to each of the M availability zones within the second geographic region.
15 Claims
1. (Independent claim; reproduced in full above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7.
8. An encryption key fragment storage system comprising:
- computer hardware systems implementing N ≥ 2 different data stores at N corresponding different availability zones located within a first geographic region;
- computer hardware systems implementing M ≥ 2 different data stores at M corresponding different availability zones located within a second geographic region that is different from and physically separated from the first geographic region;
- an encryption key fragment distributor to:
  - access a number, n, of fragments of an encryption key, where a number, k < n, of the encryption key fragments is sufficient for reconstructing the encryption key;
  - distribute a first subset of at least k of the encryption key fragments across the N data stores at the N availability zones within the first geographic region such that less than k of the encryption key fragments are distributed to each of the N availability zones within the first geographic region; and
  - distribute a second subset of at least k of the encryption key fragments across the M data stores at the M availability zones within the second geographic region such that less than k of the encryption key fragments are distributed to each of the M availability zones within the second geographic region, wherein the encryption key fragments in the first subset have no overlap with the encryption key fragments in the second subset; and
- an encryption key fragment retriever to:
  - in response to determining that the encryption key fragment retriever is unable to obtain at least k of the encryption key fragments from the first geographic region, request encryption key fragments from the second geographic region for reconstructing the encryption key.

Dependent claims: 9, 10, 11.
12. A non-transitory computer-readable storage medium storing instructions that, when executed by a computing system, cause the computing system to:
- access a number, n, of fragments of an encryption key where a number, k < n, of the encryption key fragments is sufficient for reconstructing the encryption key;
- distribute a first set of at least k of the encryption key fragments across N ≥ 2 different data stores realized at N corresponding different availability zones within a first geographic region such that no more than k − 1 unique encryption key fragments are distributed to each of the availability zones within the first geographic region;
- distribute a second set of at least k of the encryption key fragments across M ≥ 2 different data stores realized at M corresponding different availability zones within a second geographic region that is different than and physically separated from the first geographic region such that no more than k − 1 unique encryption key fragments are distributed to each of the availability zones within the second geographic region, wherein the encryption key fragments in the first set have no overlap with the encryption key fragments in the second set; and
- in response to determining that the computing system is unable to obtain at least k of the encryption key fragments from the first geographic region, request encryption key fragments from the second geographic region for reconstructing the encryption key.

Dependent claims: 13, 14, 15.
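The claims above describe a k-of-n threshold split of a key, two disjoint fragment subsets placed in two regions with fewer than k fragments in any one availability zone, and a retrieval path that falls back to the second region when the first cannot supply k fragments. The following Python is an added illustration of that scheme, not code from the patent or its assignee. It uses Shamir secret sharing over the prime field 2^521 − 1 (an assumption of the example; the patent does not specify a fragmentation algorithm), and the region and zone names, the round-robin placement, and the `unavailable` set that models unreachable zones are likewise the example's own constructions.

```python
import secrets
from typing import Dict, List, Set, Tuple

# Field for Shamir sharing. 2^521 - 1 is a Mersenne prime larger than any 256-bit
# key, so a raw symmetric key is one field element. Assumption of this example.
PRIME = (1 << 521) - 1

Fragment = Tuple[int, int]                       # (x, f(x)) point on the secret polynomial
Layout = Dict[str, Dict[str, List[Fragment]]]    # region -> availability zone -> fragments


def fragment_key(key: bytes, n: int, k: int) -> List[Fragment]:
    """Split `key` into n Shamir fragments: any k reconstruct it, any k-1 reveal nothing."""
    if not 1 < k < n:
        raise ValueError("need 1 < k < n")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key does not fit in the field")
    # f(0) = secret; the other k-1 coefficients are uniform, giving a degree k-1 polynomial
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    fragments = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):               # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        fragments.append((x, y))
    return fragments


def reconstruct_key(fragments: List[Fragment], key_len: int) -> bytes:
    """Lagrange-interpolate f(0) from at least k distinct fragments."""
    xs = [x for x, _ in fragments]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate fragment indices")
    secret = 0
    for i, (xi, yi) in enumerate(fragments):
        num, den = 1, 1
        for j, (xj, _) in enumerate(fragments):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # den^(p-2) is the modular inverse of den (Fermat), valid because PRIME is prime
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret.to_bytes(key_len, "big")


def distribute(fragments: List[Fragment], zones_r1: List[str],
               zones_r2: List[str], k: int) -> Layout:
    """Place a first subset (>= k fragments) round-robin over region-1 zones and a
    disjoint second subset (>= k) over region-2 zones, never k or more in one zone."""
    n = len(fragments)
    if n < 2 * k:
        raise ValueError("two disjoint subsets of size >= k need n >= 2k")
    first, second = fragments[: n // 2], fragments[n // 2:]   # disjoint by construction
    layout: Layout = {"region1": {z: [] for z in zones_r1},
                      "region2": {z: [] for z in zones_r2}}
    for i, frag in enumerate(first):
        layout["region1"][zones_r1[i % len(zones_r1)]].append(frag)
    for i, frag in enumerate(second):
        layout["region2"][zones_r2[i % len(zones_r2)]].append(frag)
    # Claim condition: fewer than k fragments per availability zone, so one compromised
    # zone learns nothing about the key and one lost zone is not fatal on its own.
    for region in layout.values():
        for zone, frags in region.items():
            if len(frags) >= k:
                raise ValueError(f"{zone} would hold {len(frags)} >= k fragments; add zones")
    return layout


def retrieve_key(layout: Layout, k: int, key_len: int,
                 unavailable: Set[Tuple[str, str]]) -> bytes:
    """Gather fragments from region 1; if fewer than k are obtainable, request region 2.
    `unavailable` holds (region, zone) pairs modelled as unreachable (constructed input)."""
    def collect(region: str) -> List[Fragment]:
        return [f for zone, frags in layout[region].items()
                if (region, zone) not in unavailable for f in frags]

    got = collect("region1")
    if len(got) < k:                             # the claims' fallback condition
        got += collect("region2")
    if len(got) < k:
        raise RuntimeError("both regions degraded below threshold; key unrecoverable")
    return reconstruct_key(got[:k], key_len)


if __name__ == "__main__":
    # Constructed sample: a 32-byte key, n = 6, k = 3, three zones per region.
    key = bytes(range(32))
    frags = fragment_key(key, n=6, k=3)
    layout = distribute(frags, ["r1-a", "r1-b", "r1-c"], ["r2-a", "r2-b", "r2-c"], k=3)
    assert retrieve_key(layout, 3, 32, set()) == key
    assert retrieve_key(layout, 3, 32, {("region1", "r1-a")}) == key   # falls back to region 2
    print("reconstructed from region 1, and via region-2 fallback after losing r1-a")
```

With n = 6 and k = 3 each zone holds a single fragment, so region 1 alone can reconstruct only while all three of its zones answer; losing any one zone triggers the request to region 2, and the two or fewer fragments an attacker could take from a single zone are information-theoretically useless. In a real deployment each zone entry would be a separate key-value store with its own access control rather than a dictionary, and `unavailable` would come from timeouts or errors on those stores.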
Specification