Revocable shredding of security credentials
First Claim
1. A computer implemented method for managing a cryptographic key, comprising:
- storing, in a data store managed by a key management service, a cryptographic key for use in encrypting data for a customer of a service provider associated with the cryptographic key, the key management service being operated in a service provider environment of the service provider;
- receiving a suspend request to suspend storage of the cryptographic key by the key management service;
- generating a restore key to be associated with the customer;
- encrypting the cryptographic key with the restore key;
- encrypting at least a portion of metadata associated with the cryptographic key under the restore key to generate encrypted metadata, the at least a portion of metadata being associated with the restore key;
- updating the at least a portion of metadata with audit information and retaining a copy of the encrypted metadata at the key management service;
- sending, to the customer, the cryptographic key as encrypted under the restore key;
- destroying any copy of the cryptographic key stored by the key management service;
- receiving a restore request to cause the key management service to store a copy of the cryptographic key, the restore request including a copy of the cryptographic key as encrypted under the restore key;
- comparing at least a copy of metadata received with the restore request with the copy of the encrypted metadata at the key management service;
- authorizing the restore request based at least in part on the comparing; and
- decrypting the copy of the cryptographic key as encrypted under the restore key using the restore key and storing the copy of the cryptographic key and a copy of the encrypted metadata in the key management service on behalf of the customer.
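The suspend/restore flow of claim 1, written out as an added example that is not code from the patent: the service wraps the key and its metadata under a restore key it alone retains, hands the customer the ciphertexts, destroys its own copy, and on restore authorizes only if the returned metadata matches the retained copy. The HMAC-based seal/unseal is a constructed stand-in for a real AEAD such as AES-GCM, and the KeyManagementService class, its method names and the metadata fields are assumptions.

```python
import hashlib, hmac, json, os, secrets, time

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a stand-in for a real AEAD (use AES-GCM in practice).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Encrypt-then-MAC; output layout is nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped object failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class KeyManagementService:          # hypothetical service, not the patent's implementation
    def __init__(self):
        self.keys = {}        # key_id -> plaintext key material (the service's local copy)
        self.suspended = {}   # key_id -> (restore key, retained encrypted metadata)

    def create_key(self, key_id, customer):
        self.keys[key_id] = {"material": secrets.token_bytes(32), "customer": customer}

    def suspend(self, key_id):
        entry = self.keys.pop(key_id)          # destroy the service's copy of the key
        restore_key = secrets.token_bytes(32)  # retained only by the service, never sent out
        metadata = {"key_id": key_id, "customer": entry["customer"],
                    "audit": {"event": "suspend", "at": int(time.time())}}
        enc_meta = seal(restore_key, json.dumps(metadata, sort_keys=True).encode())
        self.suspended[key_id] = (restore_key, enc_meta)
        # The customer receives both ciphertexts; neither is usable without the restore key.
        return {"wrapped_key": seal(restore_key, entry["material"]), "metadata": enc_meta}

    def restore(self, key_id, bundle):
        restore_key, retained_meta = self.suspended[key_id]
        # Authorization: the metadata presented must match the retained copy exactly.
        if not hmac.compare_digest(bundle["metadata"], retained_meta):
            return False
        material = unseal(restore_key, bundle["wrapped_key"])   # raises if tampered
        metadata = json.loads(unseal(restore_key, retained_meta))
        self.keys[key_id] = {"material": material, "customer": metadata["customer"]}
        del self.suspended[key_id]
        return True
```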
Abstract
Customers accessing resources and/or data in a multi-tenant environment can obtain assurance that a provider of that environment will honor only requests associated with the customer. A multi-tenant cryptographic service can be used to manage cryptographic key material and/or other security resources in the multi-tenant environment. The cryptographic service can provide a mechanism in which the service can receive requests to use the cryptographic key material to access encrypted customer data, export key material out of the cryptographic service, destroy key material managed by the cryptographic service, among others. Such an approach can enable a customer to manage key material without exposing the key material outside a secure environment.
22 Claims
3. A computer implemented method, comprising:
- storing, on behalf of a customer, a local copy of a secret usable to perform operations in a service provider environment;
- receiving a request at a key management service in a service provider environment to suspend storage of the local copy of the secret;
- generating a restore key;
- encrypting the local copy of the secret with the restore key to generate the secret encrypted under the restore key;
- encrypting at least a portion of metadata associated with the secret under the restore key to generate encrypted metadata, the at least a portion of metadata being associated with the restore key;
- updating the at least a portion of metadata with audit information and retaining a copy of the encrypted metadata at the key management service;
- providing the customer the secret encrypted under the restore key;
- retaining the restore key and destroying the local copy of the secret;
- in response to a request to store a copy of the secret, the restore request including a copy of the secret encrypted under the restore key, comparing a copy of metadata received with the restore request with the copy of the encrypted metadata;
- authorizing the restore request based at least in part on the comparing; and
- decrypting the copy of the secret as encrypted under the restore key using the restore key.
Dependent claims: 4 to 13.
14. A computing system, comprising:
- at least one processor; and
- memory including instructions that, when executed by the at least one processor, cause the computing system to:
- store, on behalf of a customer, a local copy of a secret usable by a key management service;
- receive a request at the key management service to suspend storage of the local copy of the secret;
- encrypt the local copy of the secret with information usable to obtain the local copy of the secret;
- encrypt at least a portion of metadata associated with the secret under the information to generate encrypted metadata, the at least a portion of metadata being associated with the information;
- update the at least a portion of metadata with audit information and retain a copy of the encrypted metadata at the key management service;
- provide the customer with one of the encrypted secret or the information usable to reconstruct the local copy of the secret;
- destroy at least one copy of the local copy of the secret;
- in response to a request to store a copy of the secret, the restore request including a copy of the secret encrypted under the information, compare a copy of metadata received with the restore request with the copy of the encrypted metadata;
- authorize the restore request based at least in part on the comparing; and
- decrypt the copy of the secret key as encrypted under the secret using the restore key.
Dependent claims: 15 to 18.
19. A non-transitory computer readable storage medium storing one or more sequences of instructions executable by one or more processors to perform a set of operations comprising:
- storing, on behalf of a customer, a local copy of a secret;
- receiving a request at a key management service to suspend storage of the local copy of the secret;
- encrypting the local copy of the secret with a restore key;
- encrypting at least a portion of metadata associated with the secret under the restore key to generate encrypted metadata, the at least a portion of metadata being associated with the restore key;
- updating the at least a portion of metadata with audit information and retaining a copy of the encrypted metadata at the key management service;
- providing the customer with the restore key;
- destroying at least one copy of the local copy of the secret;
- in response to a request to store a copy of the secret, the restore request including a copy of the secret encrypted under the restore key, comparing a copy of metadata received with the restore request with the copy of the encrypted metadata;
- authorizing the restore request based at least in part on the comparing; and
- decrypting the copy of the secret key as encrypted under the secret using the restore key.
Dependent claims: 20 to 22.