Highly available encryption framework for multiple different computing environments

US 10,956,600 B2
Filed: 10/31/2018
Issued: 03/23/2021
Est. Priority Date: 10/31/2018
Status: Active Grant

First Claim

Patent Images

1. A system for data object encryption, the system comprising:

an encryption framework available across a plurality of runtime environments;

one or more hardware processors; and

a non-transitory memory storing computer-executable instructions, that in response to execution by the one or more hardware processors, causes the system to;

receive a data object in one of the plurality of runtime environments, wherein the data object is capable of being encrypted using a content encryption key;

determine an encryption module implemented in the encryption framework that is compatible with the one of the plurality of runtime environments, wherein the encryption module comprises a key service provider that provides a master key and a key wrapping algorithm for the content encryption key in the runtime environment, and wherein the encryption module is a first one of a plurality of encryption modules;

encrypt the data object using the content encryption key;

encrypt the content encryption key using the master key and key wrapping algorithm;

write the encrypted data object to networked database storage;

determine encryption metadata for the data object based on the content encryption key and the master key, wherein the encryption metadata comprises a key identifier for the master key, the content encryption key encrypted by the master key, and modification data for a last time of modification of the master key;

determine that a second one of the plurality of encryption modules is registered with the encryption framework after encrypting the data object and the content encryption key;

scan the encryption metadata for the data object;

determine that the encryption metadata is required to be updated based on the second one of the plurality of encryption modules being registered with the encryption framework after encrypting the data object and the content encryption key; and

update the encryption metadata based on the second one of the plurality of encryption modules being registered after encrypting the data object and the content encryption key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is provided for data object encryption. The system includes an encryption framework available across a plurality of runtime environments. The system is configured to receive a data object in one of the plurality of runtime environments, wherein the data object is capable of being encrypted using a content encryption key and determine an encryption module implemented in the encryption framework that is compatible with the one of the plurality of runtime environment, wherein the encryption module comprises a key service provider that provides a master key and a key wrapping algorithm for the content encryption key in the runtime environment. The system is further configured to encrypt the data object using the content encryption key, encrypt the content encryption key using the master key and key wrapping algorithm, and write the encrypted data object to networked database storage.

46 Citations

View as Search Results

18 Claims

1. A system for data object encryption, the system comprising:
- an encryption framework available across a plurality of runtime environments;
  
  one or more hardware processors; and
  
  a non-transitory memory storing computer-executable instructions, that in response to execution by the one or more hardware processors, causes the system to;
  
  receive a data object in one of the plurality of runtime environments, wherein the data object is capable of being encrypted using a content encryption key;
  
  determine an encryption module implemented in the encryption framework that is compatible with the one of the plurality of runtime environments, wherein the encryption module comprises a key service provider that provides a master key and a key wrapping algorithm for the content encryption key in the runtime environment, and wherein the encryption module is a first one of a plurality of encryption modules;
  
  encrypt the data object using the content encryption key;
  
  encrypt the content encryption key using the master key and key wrapping algorithm;
  
  write the encrypted data object to networked database storage;
  
  determine encryption metadata for the data object based on the content encryption key and the master key, wherein the encryption metadata comprises a key identifier for the master key, the content encryption key encrypted by the master key, and modification data for a last time of modification of the master key;
  
  determine that a second one of the plurality of encryption modules is registered with the encryption framework after encrypting the data object and the content encryption key;
  
  scan the encryption metadata for the data object;
  
  determine that the encryption metadata is required to be updated based on the second one of the plurality of encryption modules being registered with the encryption framework after encrypting the data object and the content encryption key; and
  
  update the encryption metadata based on the second one of the plurality of encryption modules being registered after encrypting the data object and the content encryption key.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the content encryption key is encrypted using each of the plurality of encryption modules, and wherein the content encryption key is recoverable through decryption by the each of the plurality of encryption modules.
  - 3. The system of claim 2, wherein prior to determining the encryption module, the computer-executable instructions further cause the system to:
    - determine the content encryption key for the data object; and
      
      retrieve a plurality of master keys including the master key from a plurality of key service providers including the key service provider using the plurality of encryption modules.
  - 4. The system of claim 1, wherein the computer-executable instructions further cause the system to:
    - determine that one of the content encryption key or the master key requires renewal;
      
      renew the one of the content encryption key or the master key; and
      
      update the encryption metadata based on the renewing.
  - 5. The system of claim 1, wherein the computer-executable instructions further cause the system to:
    - transmit a read request for the encrypted data object from the networked database storage;
      
      receive the encrypted data object;
      
      determine the master key and an unwrapping algorithm from the key service provider using the encryption metadata;
      
      decrypt the content encryption key using the master key and the unwrapping algorithm; and
      
      decrypt the encrypted data object using the content encryption key.
  - 6. The system of claim 1, wherein prior to the system determining the encryption module, the computer-executable instructions further cause the system to:
    - integrate the key service provider with the encryption framework;
      
      provide a first interface to return the master key currently available with the key service provider based on integrating the key service provider;
      
      provide a second interface to retrieve the master key for decryption of the encrypted data object based on integrating the key service provider; and
      
      activate the encryption module with the encryption framework based on the first interface and the second interface.

7. A method for data object encryption, the method comprising:
- receiving a data object in one of a plurality of runtime environments associated with an encryption framework, wherein the data object is capable of being encrypted using a content encryption key, and wherein the encryption framework is available across the plurality of runtime environments;
  
  determining an encryption module implemented in the encryption framework, wherein the encryption module comprises a key service provider that provides a master key and a key wrapping algorithm for the content encryption key in the runtime environment, and wherein the encryption module is a first one of a plurality of encryption modules;
  
  encrypting the data object using the content encryption key;
  
  encrypting the content encryption key using the master key and key wrapping algorithm;
  
  writing the encrypted data object to networked database storage;
  
  determining encryption metadata for the data object based on the content encryption key and the master key, wherein the encryption metadata comprises a key identifier for the master key, the content encryption key encrypted by the master key, and modification data for a last time of modification of the master key;
  
  determining that a second one of the plurality of encryption modules is registered with the encryption framework after encrypting the data object and the content encryption key;
  
  scanning the encryption metadata for the data object;
  
  determining that the encryption metadata is required to be updated based on the second one of the plurality of encryption modules being registered with the encryption framework after encrypting the data object and the content encryption key; and
  
  updating the encryption metadata based on the second one of the plurality of encryption modules being registered after encrypting the data object and the content encryption key.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein the content encryption key is encrypted using each of the plurality of encryption modules, and wherein the content encryption key is recoverable through decryption by the each of the plurality of encryption modules.
  - 9. The method of claim 8, wherein prior to the determining the encryption module, the method further comprises:
    - determining the content encryption key for the data object; and
      
      retrieving a plurality of master keys including the master key from a plurality of key service providers including the key service provider using the plurality of encryption modules.
  - 10. The method of claim 7, further comprising:
    - determining that one of the content encryption key or the master key requires renewal;
      
      renewing the one of the content encryption key or the master key; and
      
      updating the encryption metadata based on the renewing.
  - 11. The method of claim 7, further comprising:
    - transmitting a read request for the encrypted data object from the networked database storage;
      
      receiving the encrypted data object;
      
      determining the master key and an unwrapping algorithm from the key service provider using the encryption metadata;
      
      decrypting the content encryption key using the master key and the unwrapping algorithm; and
      
      decrypting the encrypted data object using the content encryption key.
  - 12. The method of claim 7, wherein prior to the determining the encryption module, the method further comprises:
    - integrating the key service provider with the encryption framework;
      
      providing a first interface to return the master key currently available with the key service provider based on integrating the key service provider;
      
      providing a second interface to retrieve the master key for decryption of the encrypted data object based on integrating the key service provider; and
      
      activating the encryption module with the encryption framework based on the first interface and the second interface.

13. A non-transitory machine readable medium having stored thereon instructions for performing a method comprising machine executable code which when executed by at least one machine, causes the machine to:
- receive a data object in one of a plurality of runtime environments associated with an encryption framework, wherein the data object is capable of being encrypted using a content encryption key, and wherein the encryption framework is available across the plurality of runtime environments;
  
  determine an encryption module implemented in the encryption framework that is compatible with the one of the plurality of runtime environments, wherein the encryption module comprises a key service provider that provides a master key and a key wrapping algorithm for the content encryption key in the runtime environment, and wherein the encryption module is a first one of a plurality of encryption modules;
  
  encrypt the data object using the content encryption key;
  
  encrypt the content encryption key using the master key and key wrapping algorithm;
  
  write the encrypted data object to networked database storage;
  
  determine encryption metadata for the data object based on the content encryption key and the master key, wherein the encryption metadata comprises a key identifier for the master key, the content encryption key encrypted by the master key, and modification data for a last time of modification of the master key;
  
  determine that a second one of the plurality of encryption modules is registered with the encryption framework after encrypting the data object and the content encryption key;
  
  scan the encryption metadata for the data object;
  
  determine that the encryption metadata is required to be updated based on the second one of the plurality of encryption modules being registered with the encryption framework after encrypting the data object and the content encryption key; and
  
  update the encryption metadata based on the second one of the plurality of encryption modules being registered after encrypting the data object and the content encryption key.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory machine readable medium of claim 13, wherein the content encryption key is encrypted using each of the plurality of encryption modules, and wherein the content encryption key is recoverable through decryption by the each of the plurality of encryption modules.
  - 15. The non-transitory machine readable medium of claim 14, storing instructions which when executed by at least one machine, further causes the machine to:
    - prior to the machine determining the encryption module, determine the content encryption key for the data object; and
      
      retrieve a plurality of master keys including the master key from a plurality of key service providers including the key service provider using the plurality of encryption modules.
  - 16. The non-transitory machine readable medium of claim 13, storing instructions which when executed by at least one machine, further causes the machine to:
    - determine that one of the content encryption key or the master key requires renewal;
      
      renew the one of the content encryption key or the master key; and
      
      update the encryption metadata based on the renewing.
  - 17. The non-transitory machine readable medium of claim 13, storing instructions which when executed by at least one machine, further causes the machine to:
    - transmit a read request for the encrypted data object to the networked database storage;
      
      receive the encrypted data object;
      
      determine the master key and an unwrapping algorithm from the key service provider using the encryption metadata;
      
      decrypt the content encryption key using the master key and the unwrapping algorithm; and
      
      decrypt the encrypted data object using the content encryption key.
  - 18. The non-transitory machine readable medium of claim 13, storing instructions which when executed by at least one machine, further causes the machine to:
    - prior to the machine determining the encryption module, integrate the key service provider with the encryption framework;
      
      provide a first interface to return the master key currently available with the key service provider based on integrating the key service provider;
      
      provide a second interface to retrieve the master key for decryption of the encrypted data object based on integrating the key service provider; and
      
      activate the encryption module with the encryption framework based on the first interface and the second interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Ye, Lei, Murray, David Baiyor, Chaudhary, Vineet Deokaran, Fu, Xiongjian
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Ahmed, Mahabub S

Application Number

US16/176,514
Publication Number

US 20200134223A1
Time in Patent Office

874 Days
Field of Search

713164
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6227   where protection concerns t...

H04L 9/0822   using key encryption key

H04L 9/083   involving central third par...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

Highly available encryption framework for multiple different computing environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

46 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Highly available encryption framework for multiple different computing environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links