Managing encrypted data and encryption keys

US 8,837,734 B2
Filed: 09/14/2012
Issued: 09/16/2014
Est. Priority Date: 09/14/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

encrypting a first portion of a drive in a computing device in a data center, using a first encryption key;

encrypting the first encryption key using a second encryption key to obtain an encrypted encryption key;

responsive to obtaining the encrypted encryption key, deleting the first encryption key;

responsive to deleting the first encryption key, storing the second encryption key in a first location within the data center;

storing the encrypted encryption key in a second location within the data center, wherein access to the second location from outside the data center is selectively prevented by an access server and wherein the second location is separate from the first location; and

providing, by a processing device, an access component located on a second portion of the drive, the access component providing access to the encrypted encryption key, wherein the second portion of the drive is unencrypted, and wherein the access component, via the access server, selectively prevents access to the encrypted encryption key from outside the data center when the drive is outside the data center and communicatively coupled to the data center;

wherein the access component further provides access to the second encryption key when the second encryption key is not stored on the computing device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data module encrypts a first portion of a drive in a data center using a first encryption key. The data module encrypts the first encryption key using a second encryption key to obtain an encrypted encryption key. The data module stores the second encryption key in a first location and stores the encrypted encryption key in a second location that is separate from the first location and that is inaccessible from outside the data center.

11 Citations

View as Search Results

17 Claims

1. A method comprising:
- encrypting a first portion of a drive in a computing device in a data center, using a first encryption key;
  
  encrypting the first encryption key using a second encryption key to obtain an encrypted encryption key;
  
  responsive to obtaining the encrypted encryption key, deleting the first encryption key;
  
  responsive to deleting the first encryption key, storing the second encryption key in a first location within the data center;
  
  storing the encrypted encryption key in a second location within the data center, wherein access to the second location from outside the data center is selectively prevented by an access server and wherein the second location is separate from the first location; and
  
  providing, by a processing device, an access component located on a second portion of the drive, the access component providing access to the encrypted encryption key, wherein the second portion of the drive is unencrypted, and wherein the access component, via the access server, selectively prevents access to the encrypted encryption key from outside the data center when the drive is outside the data center and communicatively coupled to the data center;
  
  wherein the access component further provides access to the second encryption key when the second encryption key is not stored on the computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - receiving a request to access the drive from a client device;
      
      obtaining the second encryption key from the first location;
      
      obtaining the encrypted encryption key from the second location;
      
      decrypting the encrypted encryption key to obtain the first encryption key;
      
      determining whether the request comprises a read request or a write request;
      
      when the request comprises the read request;
      
      decrypting the first portion of the drive using the first encryption key;
      
      accessing, in the first portion of the drive, a first data requested by the client device; and
      
      providing the first data to the client device; and
      
      when the request comprises the write request;
      
      encrypting a second data provided by the client device; and
      
      writing the encrypted second data to the drive.
  - 3. The method of claim 2, further comprising:
    - requesting an access credential;
      
      authenticating the access credential prior to obtaining the second encryption key from the first location.
  - 4. The method of claim 1, wherein the second location comprises one or more of:
    - a server within the data center;
      
      ora removable storage device coupled to the server within the data center.
  - 5. The method of claim 1, wherein the first location is within the second portion of the drive.
  - 6. The method of claim 1, wherein the first location comprises a secure memory within the computing device.
  - 7. The method of claim 1, wherein the second encryption key comprises a public-private key pair.
  - 8. The method of claim 1, wherein the access component comprises at least one of:
    - a file that includes instructions for accessing the second location;
      
      an application;
      
      ora script.

9. An apparatus comprising:
- a memory to store one or more keys;
  
  a processing device, coupled to the memory, to;
  
  encrypt a first portion of a drive in a computing device in a data center, using a first encryption key;
  
  encrypt the first encryption key using a second encryption key to obtain an encrypted encryption key;
  
  responsive to obtaining the encrypted encryption key, deleting the first encryption key;
  
  responsive to deleting the first encryption key, store the second encryption key in a first location within the data center;
  
  store the encrypted encryption key at a second location within the data center, wherein access to the second location from outside the data center is selectively prevented by an access server and wherein the second location is separate from the first location; and
  
  provide, by a processing device, an access component located on a second portion of the drive, the access component providing access to the encrypted encryption key, wherein the second portion of the drive is unencrypted, and wherein the access component, via the access server, selectively prevents access to the encrypted encryption key from outside the data center when the drive is outside the data center and communicatively coupled to the data center;
  
  wherein the access component further provides access to the second encryption key when the second encryption key is not stored on the computing device.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The apparatus of claim 9, wherein the processing device is further configured to:
    - receive a request to access the drive from a client device;
      
      obtain the second encryption key from the first location;
      
      obtain the encrypted encryption key from the second location;
      
      decrypt the encrypted encryption key to obtain the first encryption key;
      
      determine whether the request comprises a read request or a write request;
      
      when the request comprises the read request;
      
      decrypt the first portion of the drive using the first encryption key;
      
      access, in the first portion of the drive, a first data requested by the client device; and
      
      provide the first data to the client device; and
      
      when the request comprises the write request;
      
      encrypt a second data provided by the client device; and
      
      write the encrypted second data to the drive.
  - 11. The apparatus of claim 10, wherein the processing device is further configured to:
    - request an access credential;
      
      authenticate the access credential prior to obtaining the second encryption key from the first location.
  - 12. The apparatus of claim 9, wherein the second location comprises at least one of:
    - a server within the data center;
      
      ora removable storage device coupled to the server within the data center.
  - 13. The apparatus of claim 9, wherein the first location is within the second portion of the drive.
  - 14. The apparatus of claim 9, wherein the first location comprises a secure memory within the computing device.
  - 15. The apparatus of claim 9, wherein the access component comprises at least one of:
    - a file that includes instructions for accessing the second location;
      
      an application;
      
      ora script.

16. A non-transitory computer readable storage medium having instructions that, when executed by a processing device, cause the processing device to perform operations comprising:
- encrypting a first portion of a drive in a computing device in a data center, using a first encryption key;
  
  encrypting the first encryption key using a second encryption key to obtain an encrypted encryption key;
  
  responsive to obtaining the encrypted encryption key, deleting the first encryption key;
  
  responsive to deleting the first encryption key, storing the second encryption key in a first location within the data center;
  
  storing the encrypted encryption key in a second location within the data center, wherein access to the second location from outside the data center is selectively prevented by an access server and wherein the second location is separate from the first location; and
  
  providing, by a processing device, an access component located on a second portion of the drive, the access component providing access to the encrypted encryption key, wherein the second portion of the drive is unencrypted, and wherein the access component, via the access server, selectively prevents access to the encrypted encryption key from outside the data center when the drive is outside the data center and communicatively coupled to the data center;
  
  wherein the access component further provides access to the second encryption key when the second encryption key is not stored on the computing device.
- View Dependent Claims (17)
- - 17. The non-transitory computer readable storage medium of claim 16, wherein the operations further comprise:
    - receiving a request to access the drive from a client device;
      
      obtaining the encrypted encryption key from the first location;
      
      obtaining the second encryption key from the second location;
      
      decrypting the encrypted encryption key to obtain the first encryption key;
      
      determining whether the request comprises a read request or a write request;
      
      when the request comprises the read request;
      
      decrypting the first portion of the drive using the first encryption key;
      
      accessing, in the first portion of the drive, a first data requested by the client device; and
      
      providing the first data to the client device; and
      
      when the request comprises the write request;
      
      encrypting a second data provided by the client device; and
      
      writing the encrypted second data to the drive.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
McCallum, Nathaniel, Young, Adam, Trmac, Miloslav, Lee, Ade
Primary Examiner(s)
SHAW, BRIAN F

Application Number

US13/618,289
Publication Number

US 20140079221A1
Time in Patent Office

732 Days
Field of Search

380/277, 713/189, 713/193, 726/3, 726/7, 726/2, 711/156, 711/170
US Class Current

380/277
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 2463/062   applying encryption of the ...

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 67/1097   for distributed storage of ...

H04L 9/0822   using key encryption key

H04L 9/0894   Escrow, recovery or storing...

Managing encrypted data and encryption keys

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

11 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Managing encrypted data and encryption keys

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others