Multi-tiered encryption system for efficiently regulating use of encryption keys
Abstract
A multi-tiered encryption system efficiently regulates the use of encryption keys to encrypt and decrypt data. The system can include one or more encryption tiers. Each encryption tier can include a computing node programmed to service encryption and/or decryption requests and a key store to store encryption keys. At a root encryption tier, an unencrypted root encryption key can be stored in the key store. Each subsequent encryption tier includes encryption keys that are encrypted by encryption keys stored at a lower encryption tier. The encryption tiers collectively implement an encryption policy in which keys are automatically created and rotated such that a requesting device can request encryption services from the multi-tiered encryption system and receive the encryption services independent of key creation or key rotation and without access to the unencrypted root encryption key.
25 Claims
1. A computer-implemented method of encrypting data, the method comprising:
receiving, from a requesting device, a first request to encrypt data, wherein the first request comprises the data;
determining whether a first key can be used to encrypt the data;
requesting, in response to determining that the first key can be used to encrypt the data, an encrypted version of the first key from a first data store associated with a first node, wherein the first node is associated with a first tier of keys;
receiving the encrypted version of the first key and a parent key identifier from the data store, wherein the parent key identifier identifies a parent key stored in a second data store associated with a second node configured to decrypt the encrypted version of the first key, and wherein the second node is associated with a second tier of keys;
transmitting, to the second node, a second request to decrypt the encrypted version of the first key, wherein the second request comprises the encrypted version of the first key and the parent key identifier;
receiving, from the second node, a decrypted version of the first key, wherein the second node generates the decrypted version of the first key using the parent key after the parent key is retrieved from the second data store;
encrypting the data using the decrypted version of the first key;
generating a key identifier associated with the first key; and
transmitting, to the requesting device, the encrypted data and the key identifier.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system comprising:
a first computer data repository that stores an encrypted version of a first key and a parent key identifier associated with the first key, the first computer data repository comprising a non-transitory storage device; and
a first computing system comprising one or more first computing devices, the first computing system in communication with the first computer data repository and programmed to implement:
a network interface configured to receive, from a requesting device, a first request to encrypt data, wherein the first request comprises the data;
a data retriever configured to retrieve the encrypted version of the first key and the parent key identifier from the first computer data repository, wherein the parent key identifier identifies a parent key stored in a second computer data repository that is configured to decrypt the encrypted version of the first key, wherein the network interface is further configured to transmit, to a second computing system comprising one or more second computing devices, a second request to decrypt the encrypted version of the first key, wherein the second request comprises the encrypted version of the first key and the parent key identifier, wherein the network interface is further configured to receive, from the second computing system, a decrypted version of the first key, and wherein the second computing system generates the decrypted version of the first key using the parent key;
an encrypter configured to encrypt the data using the decrypted version of the first key; and
a literal key identification generator configured to generate a key identifier associated with the first key, wherein the network interface is further configured to transmit, to the requesting device, the encrypted data and the key identifier.
Dependent claims: 9, 10, 11, 12, 13, 14, 15.
16. A computer storage system comprising a non-transitory storage device, said computer storage system having stored thereon executable program instructions that direct a computer system to at least:
receive, from a requesting device, a first request to encrypt data, wherein the first request comprises the data;
retrieve an encrypted version of a first key and a parent key identifier from a computer data repository, wherein the parent key identifier identifies a parent key stored in the computer data repository that is configured to decrypt the encrypted version of the first key;
transmit, to a second computer system, a second request to decrypt the encrypted version of the first key, wherein the second request comprises the encrypted version of the first key and the parent key identifier;
receive, from the second computer system, a decrypted version of the first key, wherein the second computing system generates the decrypted version of the first key using the parent key;
encrypt the data using the decrypted version of the first key;
generate a key identifier associated with the first key; and
transmit, to the requesting device, the encrypted data and the key identifier.
Dependent claims: 17, 18, 19, 20, 21.
22. A computer-implemented method of decrypting data, the method comprising:
receiving, by a first computing system from a requesting device, a first request to decrypt encrypted data, wherein the first request comprises the encrypted data and a key identifier;
determining that the key identifier is associated with a first key;
retrieving, from a data store, an encrypted version of the first key and a parent key identifier that is associated with the first key;
transmitting, to a second computing system, a second request to decrypt the encrypted version of the first key, wherein the second request comprises the encrypted version of the first key and the parent key identifier;
receiving, from the second computing system, a decrypted version of the first key, wherein the second computing system generates the decrypted version of the first key using the parent key;
decrypting the encrypted data using the decrypted version of the first key; and
transmitting, to the requesting device, the decrypted data.
Dependent claims: 23, 24, 25.
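The flow described in the abstract and in claims 1 and 22 (retrieve the wrapped key and its parent key identifier, hand both to the lower-tier node to decrypt, encrypt or decrypt the data, return ciphertext plus key identifier) worked through as an added Python example. This is not the patent's code or any product's implementation: the tier and key names, the use-count rotation policy, and the HMAC-SHA256 encrypt-then-MAC cipher standing in for a real AEAD are assumptions made for illustration. The example generalizes the two tiers of the claims to an arbitrary chain of tiers by recursion, so the root key is only ever read inside the root node.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Stand-in authenticated cipher (encrypt-then-MAC with separate subkeys) so the
# block runs on the standard library alone. Use a real AEAD such as AES-GCM in practice.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

@dataclass
class KeyRecord:
    key_id: str
    material: bytes            # plaintext only at the root tier; wrapped everywhere else
    parent_key_id: str | None  # lower-tier key that wraps this one (None at the root)
    uses: int = 0

class TierNode:
    """One encryption tier: a computing node plus its key store (names are assumed)."""

    def __init__(self, name: str, parent: TierNode | None = None, max_uses: int = 2):
        self.name, self.parent, self.max_uses = name, parent, max_uses
        self.store: dict[str, KeyRecord] = {}
        self.current_key_id = self._create_key()

    def _create_key(self) -> str:
        """Create a key for this tier; non-root keys are wrapped by the parent tier's current key."""
        key_id = f"{self.name}/{secrets.token_hex(4)}"
        plain = secrets.token_bytes(32)
        if self.parent is None:
            self.store[key_id] = KeyRecord(key_id, plain, None)  # root key stays unencrypted
        else:
            parent_id = self.parent.current_key_id
            self.store[key_id] = KeyRecord(key_id, self.parent.wrap_key(parent_id, plain), parent_id)
        return key_id

    def _usable_key(self) -> str:
        """Assumed rotation policy: rotate after max_uses encryptions; old keys stay decryptable."""
        if self.store[self.current_key_id].uses >= self.max_uses:
            self.current_key_id = self._create_key()
        return self.current_key_id

    def _plain_key(self, key_id: str) -> bytes:
        """Retrieve the wrapped key and parent id, then ask the lower tier to decrypt it."""
        rec = self.store[key_id]  # KeyError for an unknown key identifier
        if self.parent is None:
            return rec.material
        return self.parent.unwrap_key(rec.parent_key_id, rec.material)

    # Requests served for the tier above; the parent key never leaves this node.
    def wrap_key(self, parent_key_id: str, child_key: bytes) -> bytes:
        return seal(self._plain_key(parent_key_id), child_key, parent_key_id.encode())

    def unwrap_key(self, parent_key_id: str, wrapped_child_key: bytes) -> bytes:
        return unseal(self._plain_key(parent_key_id), wrapped_child_key, parent_key_id.encode())

    # Requests served for the requesting device (claims 1 and 22).
    def encrypt(self, data: bytes) -> tuple[bytes, str]:
        key_id = self._usable_key()
        self.store[key_id].uses += 1
        return seal(self._plain_key(key_id), data, key_id.encode()), key_id

    def decrypt(self, ciphertext: bytes, key_id: str) -> bytes:
        return unseal(self._plain_key(key_id), ciphertext, key_id.encode())

def demo() -> dict:
    """Three tiers; the requester only ever sees ciphertext and key identifiers."""
    root = TierNode("root")                                   # tier 0: unencrypted root key
    tenant = TierNode("tenant-a", parent=root)                # tier 1: wrapped by the root key
    data_tier = TierNode("data", parent=tenant, max_uses=2)   # tier 2: data keys wrapped by tier 1
    c1, k1 = data_tier.encrypt(b"record one")                 # constructed sample requests
    c2, k2 = data_tier.encrypt(b"record two")
    c3, k3 = data_tier.encrypt(b"record three")               # third use triggers rotation
    try:
        data_tier.decrypt(c1, k3)                             # wrong key id must fail closed
        rejected = False
    except ValueError:
        rejected = True
    return {
        "rotated": k1 == k2 and k3 != k1,
        "roundtrip": data_tier.decrypt(c1, k1) == b"record one"
                     and data_tier.decrypt(c3, k3) == b"record three",
        "mismatch_rejected": rejected,
        "non_root_keys_wrapped": all(len(r.material) == 16 + 32 + 32
                                     for n in (tenant, data_tier) for r in n.store.values()),
    }

if __name__ == "__main__":
    print(demo())
```

Two points the claims leave implicit are made explicit here: the key identifier is bound into the ciphertext as associated data, so a request that pairs ciphertext with the wrong identifier is rejected by the tag check rather than yielding garbage; and rotation only creates a new wrapped key record, so ciphertext produced under an earlier key identifier remains decryptable without the requester knowing that rotation happened.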
Specification