Encryption management for data storage
First Claim
1. A system, comprising:
- a data management component configured to be installed on a client device associated with a customer, the data management component configured to receive an indication of customer data for storage in a remote data service of a resource provider, the data management component configured to obtain access to an object key for encrypting the customer data;
- a key management system configured to maintain a master key for wrapping the object key, the master key unexportable outside the key management system;
- a data store provided as part of the remote data service, the customer having an account with the resource provider for storing the customer data to the data store;
- a data ingestion station configured to receive the customer data and identifying information for the object key, the data ingestion station further configured to cause the customer data, encrypted under the object key, and the identifying information to be stored to the data store and associated with a customer identifier;
- an interface for receiving a request, associated with the customer identifier, for a portion of the customer data; and
- a data interface component, provided as part of the data storage service by the resource provider, configured to obtain access to the object key using the identifying information and the object key wrapped with the master key, the data interface component further configured to decrypt the portion of the customer data using the object key and transmit the portion of the decrypted customer data to an address specified by the request.
Abstract
Large volumes of data can be securely imported to, and exported from, a data storage service or other such location without the customer having to manage keys or encryption. A data management component executing on a client device identifies the data to be stored and obtains the appropriate key for encrypting it. Once encrypted, the data is transmitted to the data storage service. When the data arrives at the data storage service, an ingestion station reads the encrypted data and causes it to be stored to the data storage service. The data remains encrypted from the client device through its storage in the data storage service. When a request for the data is received, access to the key is obtained and the data is decrypted and returned in response to the request.
20 Claims
7. A computer-implemented method, comprising:
- obtaining, by a data management component, access to a first key for encrypting customer data;
- receiving the customer data that is encrypted under the first key and identifying information for the first key for storage to a data storage service operated by a service provider;
- maintaining, in a key management system, a second key for wrapping the first key, the second key unexportable outside the key management system;
- causing the customer data, encrypted under the key, and the identifying information for the first key to be stored to a data store of the data storage service, the customer data associated with an account and a customer identifier of the service provider;
- receiving, on behalf of the customer identifier, a request for a portion of the data;
- obtaining access to the first key using at least the second key and the identifying information;
- decrypting, at the data storage service, the portion of the data using the first key; and
- providing, from the data storage service and in response to the request, the portion of the decrypted data.
14. A non-transitory computer-readable storage medium storing instructions that, when executed by at least one processor of a computer system, cause the computer system to:
- obtain, by a data management component, access to a first key for encrypting customer data;
- receive, to a data storage service provided by a resource provider, the customer data that is encrypted under the first key and identifying information for the first key;
- maintain, in a key management system, a second key for wrapping the first key, the second key unexportable outside the key management system;
- cause the customer data, encrypted under the key, and the identifying information to be stored to a data store of the data storage service, the customer data associated with a customer identifier of an account with the resource provider;
- receive, on behalf of the customer identifier, a request for at least a portion of the data;
- obtain access to the key using at least the second key and the identifying information;
- decrypt the portion of the data using the first key; and
- provide, from the data storage service and in response to the request, the portion of the decrypted data.
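The envelope-encryption flow that the abstract and independent claims 1, 7 and 14 describe, as an added example that is not the patent's or any product's code: a hypothetical in-process KMS holds the master key and never returns it, the client-side component encrypts under a fresh object key, the wrapped object key is stored with the ciphertext as its identifying information, and the service-side component unwraps it via the KMS and decrypts only for a request carrying the matching customer identifier. AES-256-GCM, every type and function name, and binding the customer identifier as associated data are assumptions of this example, not details the page gives.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KMS is a hypothetical key management system; no method returns master, so it stays unexportable.
type KMS struct{ master []byte }

// Envelope is the record the ingestion station stores under the customer identifier.
type Envelope struct {
	CustomerID             string
	WrappedKey, Ciphertext []byte // the wrapped object key doubles as its identifying information
}
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// AES-256-GCM helpers: seal prepends the 12-byte nonce; open strips it and checks the tag.
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
func seal(key, pt, aad []byte) []byte { n := randBytes(12); return gcm(key).Seal(n, n, pt, aad) }
func open(key, ct, aad []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, ct[:12], ct[12:], aad)
}

// Wrap/Unwrap protect the object key under the master key. The customer identifier is
// bound as associated data, so a wrapped key cannot be replayed for another customer.
func (k *KMS) Wrap(cust string, objKey []byte) []byte { return seal(k.master, objKey, []byte(cust)) }
func (k *KMS) Unwrap(cust string, w []byte) ([]byte, error) { return open(k.master, w, []byte(cust)) }

// ClientEncrypt models the data management component: a fresh object key encrypts the
// data on the client device, so only ciphertext and the wrapped key leave the device.
func ClientEncrypt(kms *KMS, cust string, data []byte) Envelope {
	objKey := randBytes(32)
	return Envelope{cust, kms.Wrap(cust, objKey), seal(objKey, data, []byte(cust))}
}

// ServiceDecrypt models the data interface component: it checks the request's customer
// identifier against the stored one, unwraps the object key via the KMS and decrypts.
func ServiceDecrypt(kms *KMS, reqCust string, env Envelope) ([]byte, error) {
	if env.CustomerID != reqCust {
		return nil, errors.New("request not associated with stored customer identifier")
	}
	objKey, err := kms.Unwrap(env.CustomerID, env.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(objKey, env.Ciphertext, []byte(env.CustomerID))
}
```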