Automating key rotation in a distributed system
First Claim
1. A computer-implemented method for key management, comprising:
- generating a key for a plurality of computing resources;
- determining a subset of computing resources from the plurality of computing resources to each receive the key, the subset of computing resources using an other key as a preferred key in performance of encryption operations;
- electronically transmitting the key to the subset of computing resources as a non-preferred key;
- receiving one or more messages from the subset of computing resources confirming receipt of the key, the one or more messages signed with the key; and
- at a time after receiving the one or more messages, electronically transmitting to the subset of computing resources a request that the key be marked as preferred allowing the set of computing resources to replace the other key with the key marked as preferred.
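
The sequence in this claim (transmit as non-preferred, collect acknowledgements signed with the new key, then request promotion) can be exercised as follows. This is an added example, not code from the patent; it assumes a symmetric key with HMAC-SHA256 standing in for the signature, and `Resource`, `ack_tag`, `rotate` and the two `deliver` functions are hypothetical names.

```python
# Added example. Assumption: symmetric key, HMAC-SHA256 as the "signature".
import hashlib
import hmac
import secrets


def ack_tag(name, key_id, key):
    """Acknowledgement tag, keyed with the key being rotated in."""
    return hmac.new(key, f"ack:{name}:{key_id}".encode(), hashlib.sha256).digest()


class Resource:
    """Hypothetical computing resource: several keys, exactly one preferred."""

    def __init__(self, name, key_id, key):
        self.name, self.keys, self.preferred = name, {key_id: key}, key_id

    def receive(self, key_id, key):
        # Store as non-preferred; confirm receipt by signing with the new key.
        self.keys[key_id] = key
        return ack_tag(self.name, key_id, key)

    def mark_preferred(self, key_id):
        if key_id not in self.keys:
            raise KeyError(key_id)
        self.preferred = key_id


def deliver(resource, key_id, key):
    """Constructed channel model: faithful delivery."""
    return resource.receive(key_id, key)


def deliver_corrupting_b(resource, key_id, key):
    """Constructed channel model: resource 'b' gets the key with one bit flipped."""
    if resource.name == "b":
        key = bytes([key[0] ^ 1]) + key[1:]
    return resource.receive(key_id, key)


def rotate(subset, key_id, transmit=deliver):
    """Promote key_id only if every acknowledgement verifies under the new key."""
    key = secrets.token_bytes(32)
    acks = {r.name: transmit(r, key_id, key) for r in subset}
    for r in subset:
        if not hmac.compare_digest(acks[r.name], ack_tag(r.name, key_id, key)):
            return False  # receipt unproven: the other key stays preferred
    for r in subset:
        r.mark_preferred(key_id)
    return True
```

With `deliver_corrupting_b`, `rotate` returns `False` and every resource keeps its previous preferred key, so no resource starts encrypting under a key that a peer cannot use.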
Abstract
A material set, such as an asymmetric keypair, is processed using an associated workflow to prepare the material set for activation and/or use. In one embodiment, a material set is generated and information about the material set is communicated to a workflow manager. Based at least on the information, the workflow manager generates a workflow that when accomplished will allow the material set to be activated and/or used. In another embodiment, a service provider provides a key manager, workflow manager and destination for the key, such as a load balancer that terminates SSL connections. A key can be generated by the key manager, sent through the workflow manager for processing (potentially communicated to third parties such as a certificate authority, if needed) and installed at a destination.
24 Claims
1. A computer-implemented method for key management, comprising:
- generating a key for a plurality of computing resources;
- determining a subset of computing resources from the plurality of computing resources to each receive the key, the subset of computing resources using an other key as a preferred key in performance of encryption operations;
- electronically transmitting the key to the subset of computing resources as a non-preferred key;
- receiving one or more messages from the subset of computing resources confirming receipt of the key, the one or more messages signed with the key; and
- at a time after receiving the one or more messages, electronically transmitting to the subset of computing resources a request that the key be marked as preferred allowing the set of computing resources to replace the other key with the key marked as preferred.
Dependent claims: 4, 5, 6, 7
2. A key management system comprising:
- one or more processors and memory including executable instructions that, when executed by the one or more processors, cause the one or more processors to implement at least;
  - a key manager that generates and associates a key with a plurality of computing resources and determines that the key is to be distributed to a subset of computing resources from the plurality of computing resources, the subset of computing resources using a second key as a preferred key in performance of encryption operations; and
  - a key distribution manager that generates a workflow in response to a notification to distribute the key from the key manager, distributes the key to the subset of computing resources as a non-preferred key, receives one or more acknowledgements of receipt of the key from the subset of computing resources, the one or more acknowledgments signed with the key, and requests the subset of computing resources to mark the key as preferred allowing the subset of computing resources to replace the second key with the key marked as preferred.
3. One or more non-transitory computer-readable storage media having collectively stored thereon executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
- process a workflow based at least in part on a policy for key rotation, the workflow comprising;
  - generating a key for a plurality of computing resources;
  - determining a subset of computing resources from the plurality of computing resources to each receive the key, the subset of computing resources using another key as a preferred key in performance of encryption operations;
  - communicating the key to the subset of computing resources as a non-preferred key;
  - receiving an acknowledgement of receipt of the key from the subset of computing resources, the acknowledgement signed with the key; and
  - communicating to the subset of computing resources that the key be marked as preferred allowing the subset of computing resources to replace uses of the non-preferred key with uses of the key marked as preferred.
8. A computer-implemented method for key management, comprising:
- generating a key for a plurality of computing resources;
- determining a subset of computing resources from the plurality of computing resources to each receive the key, the subset of computing resources using an other key as a preferred key in performance of encryption operations;
- electronically transmitting the key to the subset of computing resources as a non-preferred key;
- receiving one or more messages from the subset of computing resources confirming receipt of the key, the one or more messages signed with the key; and
- at a time after receiving the one or more messages, electronically transmitting to the subset of computing resources a request that the key be marked as preferred allowing the set of computing resources to replace the other key with the key marked as preferred.
Dependent claims: 9, 10, 11, 12, 13
14. A key management system comprising:
- one or more processors and memory including executable instructions that, when executed by the one or more processors, cause the one or more processors to implement at least;
  - a key manager that generates and associates a key with a plurality of computing resources and determines that the key is to be distributed to a subset of computing resources from the plurality of computing resources, the subset of computing resources using a second key as a preferred key in performance of encryption operations; and
  - a key distribution manager that generates a workflow in response to a notification to distribute the key from the key manager, distributes the key to the subset of computing resources as a non-preferred key, receives one or more acknowledgements of receipt of the key from the subset of computing resources, the one or more acknowledgments signed with the key, and requests the subset of computing resources to mark the key as preferred allowing the subset of computing resources to replace the second key with the key marked as preferred.
Dependent claims: 15, 16, 17, 18
19. One or more non-transitory computer-readable storage media having collectively stored thereon executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
- process a workflow based at least in part on a policy for key rotation, the workflow comprising;
  - generating a key for a plurality of computing resources;
  - determining a subset of computing resources from the plurality of computing resources to each receive the key, the subset of computing resources using another key as a preferred key in performance of encryption operations;
  - communicating the key to the subset of computing resources as a non-preferred key;
  - receiving an acknowledgement of receipt of the key from the subset of computing resources, the acknowledgement signed with the key; and
  - communicating to the subset of computing resources that the key be marked as preferred allowing the subset of computing resources to replace uses of the non-preferred key with uses of the key marked as preferred.
Dependent claims: 20, 21, 22, 23, 24
Specification