Distributed storage network and method for storing and retrieving encryption keys

US 9,088,407 B2
Filed: 05/30/2014
Issued: 07/21/2015
Est. Priority Date: 10/30/2009
Status: Active Grant

First Claim

Patent Images

1. A method for processing an encryption key within a portion of a distributed storage network (DSN), the method comprises:

receiving an encryption key to store;

determining an encryption method;

encrypting the encryption key with the determined encryption method to produce an encrypted key;

error encoding the encrypted key;

slicing the error encoded encrypted key to produce a set of error encoded data slices; and

distributing the set of error encoded data slices across DSN memory.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a distributed storage (DS) managing unit receiving an encryption key to store. The method continues by determining an encryption method and encrypting the encryption key with the determined encryption method to produce an encrypted key. The method continues by encoding and slicing the encrypted key to produce a set of data slices; and storing the set of data slices in DSN memory. A method to retrieve the stored encryption key begins with receiving a retrieve encryption key request from a requester and continues with retrieving an encrypted key and then determining a decryption method. The method continues by decrypting the encrypted key with the determined decryption method to produce the encryption key and sending the encryption key to the requestor to decrypt one or more portions of the encrypted data.

Citations

18 Claims

1. A method for processing an encryption key within a portion of a distributed storage network (DSN), the method comprises:
- receiving an encryption key to store;
  
  determining an encryption method;
  
  encrypting the encryption key with the determined encryption method to produce an encrypted key;
  
  error encoding the encrypted key;
  
  slicing the error encoded encrypted key to produce a set of error encoded data slices; and
  
  distributing the set of error encoded data slices across DSN memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the determining an encryption method further comprises:
    - selecting a public key method or a password method.
  - 3. The method of claim 2, wherein the public key method includes:
    - retrieving a public key, from a user storage vault, to use as a key for encrypting the encryption key.
  - 4. The method of claim 2, wherein the password method includes:
    - retrieving a password from a user storage vault and hashing the password to produce a hashed password, wherein the password or the hashed password is used as a key for encrypting the encryption key.
  - 5. The method of claim 1, wherein the encryption method includes at least an encryption algorithm.
  - 6. The method of claim 5, wherein identifying the encryption algorithm is based on one or more of:
    - user device connectivity type;
      
      a user vault setting;
      
      a command;
      
      an operational parameter;
      
      availability of a public encryption key; and
      
      availability of a password.
  - 7. The method of claim 1 further comprising:
    - controlling access to the encryption key based on one or more of;
      
      a user ID;
      
      a system element ID; and
      
      a permissions list lookup.
  - 8. The method of claim 7 further comprises:
    - the permissions list including one or more permissions to retrieve and store one or more of;
      
      private encryption keys;
      
      public encryption keys;
      
      secret encryption keys; and
      
      all encryption keys.

9. A method for processing encrypted data within a distributed storage network (DSN), the method comprises:
- receiving a retrieve encryption key request from a requester;
  
  retrieving an encrypted key by;
  
  receiving a plurality of error encoded data slices stored in DSN memory, the error encoded data slices retaining the encrypted key;
  
  de-slicing the error encoded data slices;
  
  decoding the de-sliced error encoded data slices;
  
  determining a decryption method; and
  
  decrypting the decoded data slices with the determined decryption method to produce the encryption key; and
  
  sending the encryption key to the requester to decrypt the encrypted data.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein the decryption method comprises a public key method or a password method.
  - 11. The method of claim 10, wherein the public key method includes:
    - retrieving a public key, from a user storage vault, to use as a key for encrypting the encryption key.
  - 12. The method of claim 10, wherein the password method further comprises one or more of:
    - retrieving a password from a user storage vault and hashing the password to produce a hashed password, wherein the password or the hashed password is used as a key for encrypting the encryption key.
  - 13. The method of claim 9, wherein the decryption method includes at least a decryption algorithm.
  - 14. The method of claim 13, wherein identifying the decryption algorithm is based on one or more of:
    - user device connectivity type;
      
      a user vault setting;
      
      a command;
      
      an operational parameter;
      
      availability of a public encryption key; and
      
      availability of a password.
  - 15. The method of claim 9 further comprises:
    - controlling retrieving encryption key based on one or more of;
      
      a user ID;
      
      a system element ID; and
      
      a permissions list lookup.
  - 16. The method of claim 15 further comprises:
    - the permissions list including one or more permissions to retrieve and store one or more of;
      
      private encryption keys;
      
      public encryption keys;
      
      secret encryption keys; and
      
      all encryption keys.

17. A distributed storage (DS) managing unit comprises:
- a processing module operable to;
  
  store an encryption key by;
  
  receiving an encryption key to store;
  
  determining an encryption method;
  
  encrypting the encryption key with the determined encryption method to produce an encrypted key;
  
  error encoding the encrypted key;
  
  slicing the error encoded encrypted key to produce a set of data slices; and
  
  storing the set of data slices in DSN memory; and
  
  retrieve an encryption key by;
  
  receiving a retrieve encryption key request from a requester;
  
  retrieving a plurality of data slices;
  
  de-slicing the plurality of data slices; and
  
  decoding the de-sliced plurality of data slices;
  
  determining a decryption method;
  
  decrypting the decoded data slices with the determined decryption method to produce the encryption key; and
  
  sending the encryption key to the requester to decrypt the encrypted data.
- View Dependent Claims (18)
- - 18. The distributed storage (DS) managing unit of claim 17 further comprises the processing module further configured to:
    - when storing the encryption key, retrieving a public key either from a user storage vault or the encryption key to store; and
      
      when retrieving the encryption key, retrieving a private key for a user or unit, wherein the private key is retrieved either from a user storage vault or the encryption key request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Cleversafe Incorporated (International Business Machines Corporation)
Inventors
Resch, Jason K.
Primary Examiner(s)
Lipman, Jacob

Application Number

US14/292,772
Publication Number

US 20140270180A1
Time in Patent Office

417 Days
Field of Search

380/282
US Class Current

1/1
CPC Class Codes

G06F 11/1004   to protect a block of data ...

G06F 12/1408   by using cryptography for d...

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

G06F 2221/2151   Time stamp

H04L 2209/34   Encoding or coding, e.g. Hu...

H04L 67/1097   for distributed storage of ...

H04L 69/04   Protocols for data compress...

H04L 9/0819   Key transport or distributi...

H04L 9/0863   involving passwords or one-...

H04L 9/0894   Escrow, recovery or storing...

Distributed storage network and method for storing and retrieving encryption keys

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed storage network and method for storing and retrieving encryption keys

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links