Distribution of cryptographic host keys in a cloud computing environment
First Claim

1. A method comprising:
- receiving, using one or more data processing apparatuses, a plurality of different requests for an encryption key pair from a plurality of different virtual machines, wherein each virtual machine is a hardware virtualization;
- for each request, generating, using the one or more data processing apparatuses, a host key pair, the host key pair comprising an encryption key and a decryption key for encrypting and decrypting communications between a respective virtual machine that sent the request and a client device that is separate from the respective virtual machine;
- for each request, sending, using the one or more data processing apparatuses, the host key pair to a metadata server for the respective virtual machine that sent the request, wherein the metadata server is configured to exchange metadata with the respective virtual machine, and wherein each host key pair is sent to the respective virtual machine using a different metadata server for each host key pair; and
- providing, using the one or more data processing apparatuses, the encryption key of the host key pair to the client device upon a client request from the client device.
Abstract
Methods, systems, and apparatuses, including computer programs encoded on a computer storage medium, for distribution of cryptographic keys. In one aspect, a method includes receiving a plurality of requests, each request being received by a different respective virtual machine of a plurality of virtual machines; generating, by each of the virtual machines, a different host key pair, wherein each of the host key pairs comprises an encryption key and a decryption key that are associated with the virtual machine that generated it; providing, by each of the virtual machines, the encryption key generated by the virtual machine to a distinct metadata server that stores parameters of the virtual machine; and sending, from each of the metadata servers, the encryption key generated by the virtual machine that the metadata server is configured to communicate with to an application programming interface system.
30 Claims
Claim 1 is reproduced above under First Claim.

5. A method performed by one or more data processing apparatuses, the method comprising:
- receiving a plurality of requests for an encryption key pair, each request being received by a different respective virtual machine of a plurality of virtual machines, wherein the virtual machines are hardware virtualizations, and wherein the virtual machines execute on the one or more data processing apparatuses;
- generating, by each of the virtual machines, a host key pair for the virtual machine, wherein each of the host key pairs comprises an encryption key and a decryption key for encrypting and decrypting communications between the virtual machine that generated the host key pair and a client device that is separate from each of the virtual machines;
- providing, by each of the virtual machines, the encryption key generated by the virtual machine to a distinct metadata server that stores parameters of the virtual machine and that is configured to communicate with the virtual machine but not with other virtual machines of the plurality of virtual machines; and
- sending, from each of the metadata servers, the encryption key generated by the virtual machine that the metadata server is configured to communicate with to an application programming interface system.
11. A system comprising:
- one or more data processing apparatus; and
- a computer-readable medium coupled to the one or more data processing apparatus and having instructions stored thereon, which, when executed by the one or more data processing apparatus, cause the one or more data processing apparatus to perform operations comprising:
  - receiving, using one or more data processing apparatuses, a plurality of different requests for an encryption key pair from a plurality of different virtual machines, wherein each virtual machine is a hardware virtualization;
  - for each request, generating, using the one or more data processing apparatuses, a host key pair, the host key pair comprising an encryption key and a decryption key for encrypting and decrypting communications between a respective virtual machine that sent the request and a client device that is separate from the respective virtual machine;
  - for each request, sending, using the one or more data processing apparatuses, the host key pair to a metadata server for the respective virtual machine that sent the request, wherein the metadata server is configured to exchange metadata with the respective virtual machine, and wherein each host key pair is sent to the respective virtual machine using a different metadata server for each host key pair; and
  - providing, using the one or more data processing apparatuses, the encryption key of the host key pair to the client device upon a client request from the client device.
15. A system comprising:
- one or more data processing apparatus; and
- a computer-readable medium coupled to the one or more data processing apparatus and having instructions stored thereon, which, when executed by the one or more data processing apparatus, cause the one or more data processing apparatus to perform operations comprising:
  - receiving a plurality of requests for an encryption key pair, each request being received by a different respective virtual machine of a plurality of virtual machines, wherein the virtual machines are hardware virtualizations, and wherein the virtual machines execute on the one or more data processing apparatuses;
  - generating, by each of the virtual machines, a host key pair for the virtual machine, wherein each of the host key pairs comprises an encryption key and a decryption key for encrypting and decrypting communications between the virtual machine that generated the host key pair and a client device that is separate from each of the virtual machines;
  - providing, by each of the virtual machines, the encryption key generated by the virtual machine to a distinct metadata server that stores parameters of the virtual machine and that is configured to communicate with the virtual machine but not with other virtual machines of the plurality of virtual machines; and
  - sending, from each of the metadata servers, the encryption key generated by the virtual machine that the metadata server is configured to communicate with to an application programming interface system.
21. A non-transitory computer-readable medium having instructions stored thereon, which, when executed by one or more data processing apparatus, cause the one or more data processing apparatus to perform operations comprising:
- receiving, using the one or more data processing apparatuses, a plurality of different requests for an encryption key pair from a plurality of different virtual machines, wherein each virtual machine is a hardware virtualization;
- for each request, generating, using the one or more data processing apparatuses, a host key pair, the host key pair comprising an encryption key and a decryption key for encrypting and decrypting communications between a respective virtual machine that sent the request and a client device that is separate from the respective virtual machine;
- for each request, sending, using the one or more data processing apparatuses, the host key pair to a metadata server for the respective virtual machine that sent the request, wherein the metadata server is configured to exchange metadata with the respective virtual machine, and wherein each host key pair is sent to the respective virtual machine using a different metadata server for each host key pair; and
- providing, using the one or more data processing apparatuses, the encryption key of the host key pair to the client device upon a client request from the client device.
25. A non-transitory computer-readable medium having instructions stored thereon, which, when executed by a processor, cause the processor to perform operations comprising:
- receiving a plurality of requests for an encryption key pair, each request being received by a different respective virtual machine of a plurality of virtual machines, wherein the virtual machines are hardware virtualizations, and wherein the virtual machines execute on the one or more data processing apparatuses;
- generating, by each of the virtual machines, a host key pair for the virtual machine, wherein each of the host key pairs comprises an encryption key and a decryption key for encrypting and decrypting communications between the virtual machine that generated the host key pair and a client device that is separate from each of the virtual machines;
- providing, by each of the virtual machines, the encryption key generated by the virtual machine to a distinct metadata server that stores parameters of the virtual machine and that is configured to communicate with the virtual machine but not with other virtual machines of the plurality of virtual machines; and
- sending, from each of the metadata servers, the encryption key generated by the virtual machine that the metadata server is configured to communicate with to an application programming interface system.
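An added Python model of the flow claimed in claims 5, 15 and 25 (not code from the patent or its assignee): each VM generates its own host key pair, publishes only the encryption key to a metadata server dedicated to that VM, the metadata server forwards it to the API system, and a client fetches the expected key from the API and compares it with the key the VM presents, so a mismatched host key is detected rather than accepted on first use. The key pair is a constructed placeholder standing in for a real SSH host key, and the class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Placeholder key pair standing in for a real SSH host key (e.g. ssh-keygen output):
# the decryption key is a random secret that never leaves the VM; the encryption key
# is a public value derived from it. Only the distribution flow is modelled here.
def generate_host_key_pair():
    decryption_key = secrets.token_bytes(32)
    encryption_key = "pub-" + hashlib.sha256(decryption_key).hexdigest()
    return encryption_key, decryption_key

class ApiSystem:
    """Collects each VM's encryption key and hands it to clients on request."""
    def __init__(self):
        self.keys = {}
    def get_encryption_key(self, vm_id):
        return self.keys[vm_id]

class MetadataServer:
    """Stores one VM's parameters and communicates with that VM only (claim 5)."""
    def __init__(self, vm_id, api):
        self.vm_id, self.api, self.params = vm_id, api, {}

    def put(self, sender_id, name, value):
        if sender_id != self.vm_id:  # another VM cannot publish a key under this VM's identity
            raise PermissionError(f"{sender_id} may not write metadata of {self.vm_id}")
        self.params[name] = value
        if name == "host_encryption_key":
            self.api.keys[self.vm_id] = value  # metadata server forwards it to the API system

class VirtualMachine:
    def __init__(self, vm_id, api):
        self.vm_id, self.metadata, self.host_key = vm_id, MetadataServer(vm_id, api), None
    def handle_key_request(self):
        self.host_key = generate_host_key_pair()  # generated inside the VM itself
        self.metadata.put(self.vm_id, "host_encryption_key", self.host_key[0])

def client_verifies(api, vm_id, presented_key):
    """Client checks the handshake key against the API's copy instead of trusting on first use."""
    return hmac.compare_digest(api.get_encryption_key(vm_id), presented_key)

def provision(n):
    api, vms = ApiSystem(), []
    for i in range(n):
        vm = VirtualMachine(f"vm-{i}", api)
        vm.handle_key_request()
        vms.append(vm)
    return api, vms
```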