Highly available encryption framework for multiple different computing environments
First Claim
1. A system for data object encryption, the system comprising:
an encryption framework available across a plurality of runtime environments;
one or more hardware processors; and
a non-transitory memory storing computer-executable instructions, that in response to execution by the one or more hardware processors, causes the system to:
receive a data object in one of the plurality of runtime environments, wherein the data object is capable of being encrypted using a content encryption key;
determine an encryption module implemented in the encryption framework that is compatible with the one of the plurality of runtime environments, wherein the encryption module comprises a key service provider that provides a master key and a key wrapping algorithm for the content encryption key in the runtime environment, and wherein the encryption module is a first one of a plurality of encryption modules;
encrypt the data object using the content encryption key;
encrypt the content encryption key using the master key and key wrapping algorithm;
write the encrypted data object to networked database storage;
determine encryption metadata for the data object based on the content encryption key and the master key, wherein the encryption metadata comprises a key identifier for the master key, the content encryption key encrypted by the master key, and modification data for a last time of modification of the master key;
determine that a second one of the plurality of encryption modules is registered with the encryption framework after encrypting the data object and the content encryption key;
scan the encryption metadata for the data object;
determine that the encryption metadata is required to be updated based on the second one of the plurality of encryption modules being registered with the encryption framework after encrypting the data object and the content encryption key; and
update the encryption metadata based on the second one of the plurality of encryption modules being registered after encrypting the data object and the content encryption key.
Abstract
A system is provided for data object encryption. The system includes an encryption framework available across a plurality of runtime environments. The system is configured to receive a data object in one of the plurality of runtime environments, wherein the data object is capable of being encrypted using a content encryption key, and to determine an encryption module implemented in the encryption framework that is compatible with the one of the plurality of runtime environments, wherein the encryption module comprises a key service provider that provides a master key and a key wrapping algorithm for the content encryption key in the runtime environment. The system is further configured to encrypt the data object using the content encryption key, encrypt the content encryption key using the master key and key wrapping algorithm, and write the encrypted data object to networked database storage.
18 Claims
1. A system for data object encryption (independent claim; full text under First Claim above). Dependent claims: 2, 3, 4, 5, 6

7. A method for data object encryption, the method comprising:
receiving a data object in one of a plurality of runtime environments associated with an encryption framework, wherein the data object is capable of being encrypted using a content encryption key, and wherein the encryption framework is available across the plurality of runtime environments;
determining an encryption module implemented in the encryption framework, wherein the encryption module comprises a key service provider that provides a master key and a key wrapping algorithm for the content encryption key in the runtime environment, and wherein the encryption module is a first one of a plurality of encryption modules;
encrypting the data object using the content encryption key;
encrypting the content encryption key using the master key and key wrapping algorithm;
writing the encrypted data object to networked database storage;
determining encryption metadata for the data object based on the content encryption key and the master key, wherein the encryption metadata comprises a key identifier for the master key, the content encryption key encrypted by the master key, and modification data for a last time of modification of the master key;
determining that a second one of the plurality of encryption modules is registered with the encryption framework after encrypting the data object and the content encryption key;
scanning the encryption metadata for the data object;
determining that the encryption metadata is required to be updated based on the second one of the plurality of encryption modules being registered with the encryption framework after encrypting the data object and the content encryption key; and
updating the encryption metadata based on the second one of the plurality of encryption modules being registered after encrypting the data object and the content encryption key.
Dependent claims: 8, 9, 10, 11, 12

13. A non-transitory machine readable medium having stored thereon instructions for performing a method comprising machine executable code which when executed by at least one machine, causes the machine to:
receive a data object in one of a plurality of runtime environments associated with an encryption framework, wherein the data object is capable of being encrypted using a content encryption key, and wherein the encryption framework is available across the plurality of runtime environments;
determine an encryption module implemented in the encryption framework that is compatible with the one of the plurality of runtime environments, wherein the encryption module comprises a key service provider that provides a master key and a key wrapping algorithm for the content encryption key in the runtime environment, and wherein the encryption module is a first one of a plurality of encryption modules;
encrypt the data object using the content encryption key;
encrypt the content encryption key using the master key and key wrapping algorithm;
write the encrypted data object to networked database storage;
determine encryption metadata for the data object based on the content encryption key and the master key, wherein the encryption metadata comprises a key identifier for the master key, the content encryption key encrypted by the master key, and modification data for a last time of modification of the master key;
determine that a second one of the plurality of encryption modules is registered with the encryption framework after encrypting the data object and the content encryption key;
scan the encryption metadata for the data object;
determine that the encryption metadata is required to be updated based on the second one of the plurality of encryption modules being registered with the encryption framework after encrypting the data object and the content encryption key; and
update the encryption metadata based on the second one of the plurality of encryption modules being registered after encrypting the data object and the content encryption key.
Dependent claims: 14, 15, 16, 17, 18