Distributed storage network and method for storing and retrieving encryption keys
First Claim
1. A method for processing an encryption key within a portion of a distributed storage network (DSN), the method comprises:
- receiving an encryption key to store;
determining an encryption method;
encrypting the encryption key with the determined encryption method to produce an encrypted key;
determining a pillar width of a DSN user storage vault as a parameter of a dispersed storage error coding function;
encoding the encrypted key in accordance with the dispersed storage error coding function to produce a set of encoded encrypted key slices, wherein a number of encoded encrypted key slices in the set of encoded encrypted key slices is equal to the pillar width, wherein a decode threshold number of the encoded encrypted key slices of the set of encoded encrypted key slices is required to reconstruct the encrypted key; and
storing in a distributed manner across the DSN user storage vault the set of encoded encrypted key slices in DSN memory.
5 Assignments
0 Petitions
Accused Products
Abstract
A method begins by a distributed storage (DS) managing unit receiving an encryption key to store. The method continues by determining an encryption method and encrypting the encryption key with the determined encryption method to produce an encrypted key. The method continues by encoding and storing the encrypted key in accordance with a dispersed storage error coding function to produce a set of encoded encrypted key slices, wherein a decode threshold number of the encoded encrypted key slices of the set of encoded encrypted key slices are required to reconstruct the encrypted key. Retrieval of the stored encryption key includes retrieving and decoding at least a decode threshold number of the encoded encrypted key slices of a set of encoded encrypted key slices from storage units of the DSN. The method may include raising or lowering the decode threshold or modifying the retrieval order to increase/decrease security.
88 Citations
20 Claims
-
1. A method for processing an encryption key within a portion of a distributed storage network (DSN), the method comprises:
-
receiving an encryption key to store; determining an encryption method; encrypting the encryption key with the determined encryption method to produce an encrypted key; determining a pillar width of a DSN user storage vault as a parameter of a dispersed storage error coding function; encoding the encrypted key in accordance with the dispersed storage error coding function to produce a set of encoded encrypted key slices, wherein a number of encoded encrypted key slices in the set of encoded encrypted key slices is equal to the pillar width, wherein a decode threshold number of the encoded encrypted key slices of the set of encoded encrypted key slices is required to reconstruct the encrypted key; and storing in a distributed manner across the DSN user storage vault the set of encoded encrypted key slices in DSN memory. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. A method for processing encrypted data within a distributed storage network (DSN), the method comprises:
-
receiving a retrieve encryption key request from a requester; determining a width of a DSN user storage vault, the width including a number of storage pillars; determining a decode threshold number of storage pillars for successful retrieval; retrieving, in response to the retrieve encryption key request, at least the decode threshold number of encoded encrypted key slices of a set of encoded encrypted key slices from the storage pillars of the DSN; decoding the at least the decode threshold number of the encoded encrypted key slices to produce an encrypted encryption key; determining a decryption method; decrypting the encrypted encryption key with the determined decryption method to produce an encryption key; and sending the encryption key to the requester to decrypt one or more portions of the encrypted data. - View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
-
-
19. A distributed storage (DS) managing unit comprises:
-
a first module operable to; store an encryption key by; receiving an encryption key to store; determining an encryption method; encrypting the encryption key with the determined encryption method to produce an encrypted key; determining a pillar width of a distributed storage network (DSN) user storage vault as a parameter of a dispersed storage error coding function; encoding the encrypted key in accordance with the dispersed storage error coding function to produce a set of encoded encrypted key slices, wherein a number of encoded encrypted key slices in the set of encoded encrypted key slices is equal to the pillar width, wherein a decode threshold number of the encoded encrypted key slices of the set of encoded encrypted key slices is required to reconstruct the encrypted key; and storing the set of encoded encrypted key slices in DSN memory; and a second module operable to; retrieve an encryption key by; receiving a retrieve encryption key request from a requester; determining the pillar width; determining a decode threshold number of storage pillars for successful retrieval in accordance with the dispersed storage error coding function; retrieving, in response to the retrieve encryption key request, at least the decode threshold number of the encoded encrypted key slices of a set of encoded encrypted key slices from storage units of the DSN; decoding the at least the decode threshold number of the encoded encrypted key slices to produce an encrypted encryption key; determining a decryption method; decrypting the encrypted encryption key with the determined decryption method to produce the encryption key; and sending the encryption key to the requester to decrypt one or more portions of encrypted data. - View Dependent Claims (20)
-
Specification