Cryptographic erasure of selected encrypted data
First Claim
Patent Images
1. A method for cryptographic erasure of selected encrypted data by a processor device in a computing environment, the method comprising:
- encrypting data files with a plurality of derived keys, wherein;
each derived key comprises both a shred key for deleting the data files and a served key for encrypting the data files, andthe plurality of derived keys are adapted to be individually shredded in a subsequent erasure operation;
placing the plurality of derived keys in a key store data set (KSDS);
encrypting the KSDS with a different key than any of the plurality of derived keys;
providing a label for each of the shred key and the served key in the KSDS;
shredding the label, the shred key, and the served key, wherein failure to shred the shred key and the served key does not prohibit the shredding; and
rewriting the KSDS without the deleted label, the shred key, and the served key.
1 Assignment
0 Petitions
Accused Products
Abstract
Exemplary method, system, and computer program product embodiments for cryptographic erasure of selected encrypted data are provided. In one embodiment, by way of example only, data files are configured with a derived key. The derived keys adapted to be individually shredded in a subsequent erasure operation. The derived key allows for cryptographic erasure of the selected encrypted data in the data files without necessitating at least one of removal and rewrite of retained data. Additional system and computer program product embodiments are disclosed and provide related advantages.
-
Citations
12 Claims
-
1. A method for cryptographic erasure of selected encrypted data by a processor device in a computing environment, the method comprising:
-
encrypting data files with a plurality of derived keys, wherein; each derived key comprises both a shred key for deleting the data files and a served key for encrypting the data files, and the plurality of derived keys are adapted to be individually shredded in a subsequent erasure operation; placing the plurality of derived keys in a key store data set (KSDS); encrypting the KSDS with a different key than any of the plurality of derived keys; providing a label for each of the shred key and the served key in the KSDS; shredding the label, the shred key, and the served key, wherein failure to shred the shred key and the served key does not prohibit the shredding; and rewriting the KSDS without the deleted label, the shred key, and the served key. - View Dependent Claims (2, 3, 4)
-
-
5. A system for cryptographic erasure of selected encrypted data in a computing environment, comprising:
-
at least one tape drive; and at least one processor device connected to the at least one tape drive operable in the computing environment, wherein the at least one processor device is adapted for; encrypting data files with a plurality of derived keys, wherein; each derived key comprises both a shred key for deleting the data files and a served key for encrypting the data files, and the plurality of derived keys are adapted to be individually shredded in a subsequent erasure operation, placing the plurality of derived keys in a key store data set (KSDS), encrypting the KSDS with a different key than any of the plurality of derived keys, providing a label for each of the shred key and the served key in the KSDS, shredding the label, the shred key, and the served key, wherein failure to shred the shred key and the served key does not prohibit the shredding, and rewriting the KSDS without the deleted label, the shred key, and the served key. - View Dependent Claims (6, 7, 8)
-
-
9. A computer program product for cryptographic erasure of selected encrypted data in a computing environment by a processor device, the computer program product comprising a non-transitory computer-readable storage medium having computer-readable program code portions stored therein, the computer-readable program code portions comprising:
-
computer code for encrypting data files with a plurality of derived keys, wherein; each derived key comprises both a shred key for deleting the data files and a served key for encrypting the data files, and the plurality of derived keys are adapted to be individually shredded in a subsequent erasure operation; computer code for placing the plurality of derived keys in a key store data set (KSDS); computer code for encrypting the KSDS with a different key than any of the plurality of derived keys; computer code providing a label for each of the shred key and the served key in the KSDS; computer code shredding the label the shred key and the served key, wherein failure to shred the shred key and the served key does not prohibit the shredding; and computer code rewriting the KSDS without the deleted label, the shred key and the served key. - View Dependent Claims (10, 11, 12)
-
Specification