Encryption management for data storage

US 9,639,705 B1
Filed: 06/17/2015
Issued: 05/02/2017
Est. Priority Date: 06/17/2015
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a data management component configured to be installed on a client device associated with a customer, the data management component configured to receive an indication of customer data for storage in a remote data service of a resource provider, the data management component configured to obtain access to an object key for encrypting the customer data;

a key management system configured to maintain a master key for wrapping the object key, the master key unexportable outside the key management system;

a data store provided as part of the remote data service, the customer having an account with the resource provider for storing the customer data to the data store;

a data ingestion station configured to receive the customer data and identifying information for the object key, the data ingestion station further configured to cause the customer data, encrypted under the object key, and the identifying information to be stored to the data store and associated with a customer identifier;

an interface for receiving a request, associated with the customer identifier, for a portion of the customer data; and

a data interface component, provided as part of the data storage service by the resource provider, configured to obtain access to the object key using the identifying information and the object key wrapped with the master key, the data interface component further configured to decrypt the portion of the customer data using the object key and transmit the portion of the decrypted customer data to an address specified by the request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Large volumes of data to be securely imported to, and exported from, a data storage service or other such location in a secure manner without a customer having to manage keys or encryption. A data management component can execute on a client device that can identify data to be stored and obtain the appropriate key for encrypting the data. Once the data is encrypted, the data can be transmitted to the data storage service. When the data is received to the data storage service, an ingestion station reads the encrypted data and causes the encrypted data to be stored to the data storage service. The data remains encrypted from the client device through being stored to the data storage service. When a request for the data is received, access to the key can be obtained and the data decrypted and returned in response to the request.

11 Citations

20 Claims

1. A system, comprising:
- a data management component configured to be installed on a client device associated with a customer, the data management component configured to receive an indication of customer data for storage in a remote data service of a resource provider, the data management component configured to obtain access to an object key for encrypting the customer data;
  
  a key management system configured to maintain a master key for wrapping the object key, the master key unexportable outside the key management system;
  
  a data store provided as part of the remote data service, the customer having an account with the resource provider for storing the customer data to the data store;
  
  a data ingestion station configured to receive the customer data and identifying information for the object key, the data ingestion station further configured to cause the customer data, encrypted under the object key, and the identifying information to be stored to the data store and associated with a customer identifier;
  
  an interface for receiving a request, associated with the customer identifier, for a portion of the customer data; and
  
  a data interface component, provided as part of the data storage service by the resource provider, configured to obtain access to the object key using the identifying information and the object key wrapped with the master key, the data interface component further configured to decrypt the portion of the customer data using the object key and transmit the portion of the decrypted customer data to an address specified by the request.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the data ingestion station is in a different geographic location than the data store.
  - 3. The system of claim 1, wherein the data ingestion station includes a high speed connection to the remote data service and is operated by an entity other than the customer.
  - 4. The system of claim 1, further comprising:
    - the key management system for managing access to the object key on behalf of the customer, the key management system configured to provide access to the object key to at least one of the customer or the data interface component in response to an authorized request.
  - 5. The system of claim 4, wherein the key management system is further configured to provide the object key wrapped with the master key for storage with the customer data.
  - 6. The system of claim 4, wherein the data ingestion station further comprises data storage for temporarily storing the customer data until the customer data is to be transmitted to the data store.

7. A computer-implemented method, comprising:
- obtaining, by a data management component, access to a first key for encrypting customer data;
  
  receiving the customer data that is encrypted under the first key and identifying information for the first key for storage to a data storage service operated by a service provider;
  
  maintaining, in a key management system, a second key for wrapping the first key, the second key unexportable outside the key management system;
  
  causing the customer data, encrypted under the key, and the identifying information for the first key to be stored to a data store of the data storage service, the customer data associated with an account and a customer identifier of the service provider;
  
  receiving, on behalf of the customer identifier, a request for a portion of the data;
  
  obtaining access to the first key using at least the second key and the identifying information;
  
  decrypting, at the data storage service, the portion of the data using the first key; and
  
  providing, from the data storage service and in response to the request, the portion of the decrypted data.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The computer-implemented method of claim 7, further comprising:
    - storing the first key to the data store, wherein obtaining access to the first key includes sending the first key, wrapped in the second key, to the key management system; and
      
      receiving, to the data storage service, access to the first key.
  - 9. The computer-implemented method of claim 8, whereinthe key management system performs an authorization before providing access to the first key.
  - 10. The computer-implemented method of claim 7, further comprising:
    - receiving metadata with the customer data, the metadata data including information for identifying the first key, wherein obtaining access to the first key includes sending at least a portion of the metadata to a key management system.
  - 11. The computer-implemented method of claim 7, wherein the customer data is received from a data ingestion station having received the customer data, encrypted under the first key, from a customer associated with the customer identifier, the data ingestion station including a high speed connection for sending the customer data to the data store and is operated by an entity other than the customer.
  - 12. The computer-implemented method of claim 7, wherein the customer data is received through an application programming interface (API).
  - 13. The computer-implemented method of claim 7, further comprising:
    - performing an authorization for the request before decrypting the portion of the customer data and providing the portion of the customer data, decrypted using the first key, in response to the request.

14. A non-transitory computer-readable storage medium storing instructions that, when executed by at least one processor of a computer system, cause the computer system to:
- obtain, by a data management component, access to a first key for encrypting customer data;
  
  receive, to a data storage service provided by a resource provider, the customer data that is encrypted under the first key and identifying information for the first key;
  
  maintain, in a key management system, a second key for wrapping the first key, the second key unexportable outside the key management system;
  
  cause the customer data, encrypted under the key, and the identifying information to be stored to a data store of the data storage service, the customer data associated with a customer identifier of an account with the resource provider;
  
  receive, on behalf of the customer identifier, a request for at least a portion of the data;
  
  obtain access to the key using at least the second key and the identifying information;
  
  decrypt the portion of the data using the first key; and
  
  provide, from the data storage service and in response to the request, the portion of the decrypted data.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein the instructions when executed further cause the computer system to:
    - store the first key to the data store, wherein obtaining access to the first key includes sending the first key, wrapped in the second key, to the key management system; and
      
      receiving access to the first key.
  - 16. The non-transitory computer-readable storage medium of claim 14, wherein the key management system performs an authorization before providing access to the first key.
  - 17. The non-transitory computer-readable storage medium of claim 14, wherein the instructions when executed further cause the computer system to:
    - receive metadata with the customer data, the metadata data including information for identifying the first key, wherein obtaining access to the first key includes sending at least a portion of the metadata to the key management system.
  - 18. The non-transitory computer-readable storage medium of claim 14, wherein the instructions when executed further cause the computer system to:
    - receive the customer data from a data ingestion station that previously received the customer data, encrypted under the first key, from a customer associated with the customer identifier.
  - 19. The non-transitory computer-readable storage medium of claim 14, wherein the instructions when executed further cause the computer system to:
    - utilize a high speed connection with a data ingestion station for sending the customer data to the data store and is operated by an entity other than a customer associated with the customer identifier.
  - 20. The non-transitory computer-readable storage medium of claim 14, wherein the instructions when executed further cause the computer system to:
    - perform an authorization for the request before decrypting the portion of the customer data and providing the portion of the customer data, decrypted using the first key, in response to the request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Baer, Graeme D., Brandwine, Eric Jason
Primary Examiner(s)
Mehrmanesh, Amir
Assistant Examiner(s)
Shayanfar, Ali

Application Number

US14/742,247
Time in Patent Office

685 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

H04L 9/0894   Escrow, recovery or storing...

Encryption management for data storage

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

11 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Encryption management for data storage

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links