System and method for securely storing cryptographic keys with encrypted data
First Claim
1. A method comprising:
- encrypting information for storage using a first cryptographic key;
- writing a respective portion of the encrypted information to each of N storage devices, wherein N is an integer greater than two;
- encrypting a portion of the first cryptographic key to generate an encrypted portion of the first cryptographic key;
- writing the encrypted portion of the first cryptographic key to a first one of the N storage devices; and
- writing a second cryptographic key to a second one of the N storage devices, wherein the second one is not the same as the first one, and wherein access to the second cryptographic key is required to decrypt the encrypted portion of the first cryptographic key.
Abstract
The payload of a set of storage devices is encrypted using a payload key that is stored within the set of storage devices itself. However, the payload key is obtainable only if a user has access to n of the storage devices. A first set of keys can be distributed among a set of n storage devices, such that each key is usable to encrypt and/or decrypt a key stored on a different one of the n storage devices. The first set of keys is usable to encrypt portions of the information needed to regenerate another key (e.g., the payload key or a key used to encrypt the payload key). A different portion of the information needed to regenerate the other key is stored on each of the n storage devices. Accordingly, the other key cannot be obtained unless the user has access to all n storage devices.
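The layout the abstract describes, as an added Python sketch that is not taken from the patent: each device holds a payload shard, one wrapping key, and one portion of the payload key wrapped under a key stored on a different device. The ring arrangement, the function names, and the SHAKE-256 XOR keystream (a stand-in for a real authenticated cipher) are assumptions.

```python
# Added illustration, not the patent's code. A SHAKE-256 XOR keystream stands in
# for a real authenticated cipher (e.g. AES-GCM); the ring layout is an assumption.
import hashlib
import secrets

KEY_LEN = 32  # bytes in the payload key and in each wrapping key

def xor_stream(key, data, label):
    """Toy cipher: XOR data with a keystream derived from key and label."""
    stream = hashlib.shake_256(key + label).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def provision(payload, n):
    """Build n device images: payload shard, wrapping key, wrapped key portion."""
    if not 2 < n <= KEY_LEN:
        raise ValueError("N must be greater than two and at most KEY_LEN")
    payload_key = secrets.token_bytes(KEY_LEN)
    ciphertext = xor_stream(payload_key, payload, b"payload")
    wrap_keys = [secrets.token_bytes(KEY_LEN) for _ in range(n)]
    devices = []
    for i in range(n):
        portion = payload_key[i * KEY_LEN // n:(i + 1) * KEY_LEN // n]
        # Portion i is wrapped under the key held by the next device in the ring,
        # so no device stores both a wrapped portion and the key that opens it.
        wrapped = xor_stream(wrap_keys[(i + 1) % n], portion, b"portion%d" % i)
        devices.append({"n": n, "index": i, "wrap_key": wrap_keys[i],
                        "wrapped_portion": wrapped, "shard": ciphertext[i::n]})
    return devices

def unwrap_portions(devices):
    """Return {index: portion} for each key portion these devices can unwrap."""
    have = {d["index"]: d for d in devices}
    n = devices[0]["n"]
    return {i: xor_stream(have[(i + 1) % n]["wrap_key"], d["wrapped_portion"],
                          b"portion%d" % i) for i, d in have.items() if (i + 1) % n in have}

def recover(devices):
    """Rebuild the payload key and decrypt; refuses unless all n devices are present."""
    have, n = {d["index"]: d for d in devices}, devices[0]["n"]
    portions = unwrap_portions(devices)
    if len(portions) != n:
        raise PermissionError("need all %d devices to rebuild the payload key" % n)
    payload_key = b"".join(portions[i] for i in range(n))
    ciphertext = bytearray(sum(len(d["shard"]) for d in have.values()))
    for i in range(n):
        ciphertext[i::n] = have[i]["shard"]  # undo the round-robin striping
    return xor_stream(payload_key, bytes(ciphertext), b"payload")
```

With one device withheld, `recover` fails, but `unwrap_portions` still returns the n-2 portions whose wrapping keys are present; that partial exposure is a property of this sketch's plain subdivision of the key.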
8 Claims
4. A system comprising:
- means for encrypting:
  - user information using a first cryptographic key, and
  - a portion of the first cryptographic key to generate an encrypted portion of the first cryptographic key; and
- means for writing:
  - a respective portion of the encrypted user information to each of N storage devices, wherein N is an integer greater than two,
  - the encrypted portion of the first cryptographic key to a first one of the N storage devices, and
  - a second cryptographic key to a second one of the N storage devices, wherein the second one is not the same as the first one, and wherein access to the second cryptographic key is required to decrypt the encrypted portion of the first cryptographic key.
5. A non-transitory computer readable storage medium comprising program instructions executable to:
- encrypt user information using a first cryptographic key;
- encrypt a portion of the first cryptographic key to generate an encrypted portion of the first cryptographic key;
- write a respective portion of the encrypted user information to each of N storage devices, wherein N is an integer greater than two;
- write the encrypted portion of the first cryptographic key to a first one of the N storage devices; and
- write a second cryptographic key to a second one of the N storage devices, wherein the second one is not the same as the first one, and wherein access to the second cryptographic key is required to decrypt the encrypted portion of the first cryptographic key.
6. A system comprising:
- a key distribution module configured to:
  - generate a first cryptographic key and a second cryptographic key;
  - subdivide the second cryptographic key into N portions, wherein N is an integer greater than two;
  - initiate encryption of each of the portions of the second cryptographic key, wherein a portion of the second cryptographic key is encrypted to generate an encrypted portion of the second cryptographic key; and
  - store the encrypted portion of the second cryptographic key to a first one of N storage devices, wherein each of the storage devices stores encrypted user data, the second cryptographic key is usable for recovery of the encrypted user data, and the first cryptographic key is stored on a different one of the N plurality of storage devices than the first one of the N storage devices, and access to the first cryptographic key is required to decrypt the encrypted portion of the second cryptographic key.
Specification