Automated data re-encryption process in multi-tiered encryption system
First Claim
1. A computer-implemented method of re-encrypting data, the method comprising:
by execution of program instructions by one or more computing devices;
receiving, from a requesting device separate from the one or more computing devices, a first request to encrypt data;
encrypting the data using a first key that is not accessed by the requesting device;
generating a key identifier associated with the first key;
transmitting, to the requesting device, the encrypted data and the key identifier;
receiving, from the requesting device, a second request to re-encrypt the encrypted data, wherein the second request comprises the encrypted data and the key identifier;
determining that the key identifier is associated with the first key and that the first key is exhausted;
generating a second key at least partly in response to determining that the first key is exhausted;
decrypting the encrypted data using the first key to generate a decrypted version of the encrypted data;
encrypting, using the second key, the decrypted version of the encrypted data to generate a re-encrypted version of the encrypted data;
associating the key identifier with the second key; and
transmitting, to the requesting device, the re-encrypted version of the data.
Abstract
A re-encryption service module in a multi-tiered encryption system that manages key rotation policies continuously or periodically re-encrypts data. Each encryption tier in the system can include a node programmed to service encryption, decryption, and/or re-encryption requests and a key store to store encryption keys. A computing node that interfaces with a requesting device may include the re-encryption service module. The re-encryption module may receive encrypted data and a key identifier identifying the key used to encrypt the data. The re-encryption module may decrypt the encrypted data using the identified key, retrieve a new key if the identified key is exhausted, and use the new key to encrypt the decrypted data. The key identifier may be updated to identify the new key and the re-encrypted data and the updated key identifier may be transmitted to the requesting device.
25 Claims
7. A system comprising:
a computer data repository maintained in a non-transitory storage device, the computer data repository configured to at least store keys; and
a computing system comprising one or more computing devices, the computing system in communication with the computer data repository and configured to at least:
receive, from a requesting device separate from the computing system, a first request to encrypt data;
transmit, to the requesting device, an encrypted version of the data and a key identifier associated with a first key that is not accessed by the requesting device, wherein the key identifier is used to encrypt the data;
receive, from the requesting device, a second request to re-encrypt the encrypted data, wherein the second request specifies the encrypted data and the key identifier;
determine that the key identifier is associated with the first key and that the first key is exhausted;
generate a second key at least partly in response to determining that the first key is exhausted;
decrypt the encrypted data using the first key to generate a decrypted version of the encrypted data;
encrypt, using the second key, the decrypted version of the encrypted data to generate a re-encrypted version of the encrypted data; and
associate the key identifier with the second key; and
transmit, to the requesting device, the re-encrypted version of the data.
Dependent claims: 8, 9, 10, 11, 12, 13, 14, 15

16. A computer storage system comprising a non-transitory storage device, said computer storage system having stored thereon executable program instructions that direct a computer system to at least:
receive, from a requesting device separate from the computer system, a first request to encrypt data;
encrypt the data using a first key that is not accessed by the requesting device;
generate a key identifier associated with the first key;
transmit, to the requesting device, the encrypted data and the key identifier;
receive, from the requesting device, a second request to re-encrypt data, wherein the second request specifies the encrypted data and the key identifier;
determine that the first key is exhausted;
generate a second key at least partly in response to determining that the first key is exhausted;
decrypt the encrypted data using the first key to generate a decrypted version of the encrypted data;
encrypt, using the second key, the decrypted version of the encrypted data to generate a re-encrypted version of the encrypted data;
associate the key identifier with the second key; and
transmit, to the requesting device, the re-encrypted version of the data.
Dependent claims: 17, 18, 19, 20, 21, 22, 23, 24, 25