Master key generation and distribution for storage area network devices
Abstract
Mechanisms are provided for generating a master key used to secure key objects associated with data blocks in a data center. A cryptographic node creation request is received. It is determined that a master key can not be obtained from another cryptographic node in the data center. A master key is generated. The master key is included in a key hierarchy used to encrypt a data center key object, the data center key object corresponding to a data block maintained in a storage area network (SAN), where the data center key object includes a unique identifier, an encrypted key, and a wrapper unique identifier. The master key is split into N shares, with M shares required to recreate the master key, wherein M is less than N. The N shares are distributed to different entities.
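The M-of-N split and the key hierarchy the abstract describes, as an added example that is not the patent's code: a 256-bit master key is split with Shamir secret sharing over a prime field, recreated from any M shares, and used to wrap a per-block data key into a key object carrying the three claimed fields (unique identifier, encrypted key, wrapper unique identifier). The field prime, the function names and the HMAC-derived keystream standing in for a real authenticated key wrap are assumptions.

```python
import hmac
import hashlib
import secrets

P = 2**521 - 1  # Mersenne prime (assumed field); larger than any 256-bit key


def split_master_key(master_key, n, m):
    """Split the key into N shares; any M of them recreate it (1 <= M < N)."""
    if not 1 <= m < n:
        raise ValueError("need 1 <= M < N")
    secret = int.from_bytes(master_key, "big")
    # Random polynomial of degree M-1 whose constant term is the key.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]

    def evaluate(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

    return [(x, evaluate(x)) for x in range(1, n + 1)]


def recreate_master_key(shares, key_len=32):
    """Lagrange interpolation at x = 0 over any M distinct shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * -xj % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret.to_bytes(key_len, "big")


def _keystream(master_key, uid, wrapper_uid):
    # Stand-in wrap (assumption): HMAC-SHA256 keystream bound to both identifiers.
    # A deployment would use an authenticated key wrap such as AES-KW instead.
    return hmac.new(master_key, uid + wrapper_uid, hashlib.sha256).digest()


def wrap_data_key(master_key, data_key, uid, wrapper_uid):
    """Build a data center key object holding the three claimed fields."""
    stream = _keystream(master_key, uid, wrapper_uid)
    return {"uid": uid,                  # identifies the data block's key
            "wrapper_uid": wrapper_uid,  # identifies the wrapping (master) key
            "encrypted_key": bytes(a ^ b for a, b in zip(data_key, stream))}


def unwrap_data_key(master_key, key_object):
    """Recover the data key once the master key is recreated from M shares."""
    stream = _keystream(master_key, key_object["uid"], key_object["wrapper_uid"])
    return bytes(a ^ b for a, b in zip(key_object["encrypted_key"], stream))
```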
28 Claims
1. A method, comprising:
- receiving a cryptographic node creation request;
- determining that a master key cannot be obtained from another cryptographic node in a data center, in response to receiving the cryptographic node creation request;
- generating the master key by using a processor, wherein the master key is included in a key hierarchy used to encrypt a data center key object, the data center key object corresponding to a data block maintained in a storage area network (SAN), wherein the data center key object includes a unique identifier, an encrypted key, and a wrapper unique identifier, wherein the data center key object is used to decrypt the encrypted key;
- splitting the master key into N shares, with M shares required to recreate the key, wherein M is less than N; and
- distributing the N shares to different entities.

Dependent claims: 2-15.

16. A system, comprising:
- an interface operable to receive a cryptographic node creation request; and
- a processor operable to determine whether a master key can be obtained from another cryptographic node in a data center in response to receiving the cryptographic node creation request, and generate the master key upon determining that a master key cannot be obtained from another cryptographic node in a data center, wherein the master key is included in a key hierarchy used to encrypt a data center key object, the data center key object corresponding to a data block maintained in a storage area network (SAN), wherein the data center key object includes a unique identifier, an encrypted key, and a wrapper unique identifier, wherein the data center key object is used to decrypt the encrypted key;
- wherein the processor is further operable to split the master key into N shares, with M shares required to recreate the key, wherein M is less than N.

Dependent claims: 17-26.

27. An apparatus, comprising:
- means for receiving a cryptographic node creation request;
- means for determining that a master key cannot be obtained from another cryptographic node in a data center, in response to receiving the cryptographic node creation request;
- means for generating the master key, wherein the master key is included in a key hierarchy used to encrypt a data center key object, the data center key object corresponding to a data block maintained in a storage area network (SAN), wherein the data center key object includes a unique identifier, an encrypted key, and a wrapper unique identifier, wherein the data center key object belongs to a cluster of network devices, the cluster of network devices including one or more cryptographic nodes, wherein the data center key object is used to decrypt the encrypted key;
- means for splitting the master key into N shares, with M shares required to recreate the key, wherein M is less than N; and
- means for distributing the N shares to different entities.

Dependent claims: 28.
Specification