MANAGING ENCRYPTED DATA AND ENCRYPTION KEYS

US 20140079221A1
Filed: 09/14/2012
Published: 03/20/2014
Est. Priority Date: 09/14/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

encrypting a first portion of a drive in a data center, using a first encryption key;

encrypting the first encryption key using a second encryption key to obtain an encrypted encryption key;

storing the second encryption key in a first location;

storing the encrypted encryption key in a second location, wherein the second location is inaccessible from outside the data center and wherein the second location is separate from the first location; and

providing, by a processing device, an access component to provide access to the encrypted encryption key, in a second portion of the drive, wherein the second portion of the drive is unencrypted and wherein the access component is unable to provide access to the encrypted encryption key from outside the data center.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data module encrypts a first portion of a drive in a data center using a first encryption key. The data module encrypts the first encryption key using a second encryption key to obtain an encrypted encryption key. The data module stores the second encryption key in a first location and stores the encrypted encryption key in a second location that is separate from the first location and that is inaccessible from outside the data center.

51 Citations

20 Claims

1. A method comprising:
- encrypting a first portion of a drive in a data center, using a first encryption key;
  
  encrypting the first encryption key using a second encryption key to obtain an encrypted encryption key;
  
  storing the second encryption key in a first location;
  
  storing the encrypted encryption key in a second location, wherein the second location is inaccessible from outside the data center and wherein the second location is separate from the first location; and
  
  providing, by a processing device, an access component to provide access to the encrypted encryption key, in a second portion of the drive, wherein the second portion of the drive is unencrypted and wherein the access component is unable to provide access to the encrypted encryption key from outside the data center.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - receiving a request to access the drive from a client device;
      
      obtaining the second encryption key from the first location;
      
      obtaining the encrypted encryption key from the second location;
      
      decrypting the encrypted encryption key to obtain the first encryption key;
      
      determining whether the request comprises a read request or a write request;
      
      when the request comprises the read request;
      
      decrypting the first portion of the drive using the first encryption key;
      
      accessing, in the first portion of the drive, a first data requested by the client device; and
      
      providing the first data to the client device; and
      
      when the request comprises the write request;
      
      encrypting a second data provided by the client device; and
      
      writing the encrypted second data to the drive.
  - 3. The method of claim 2, further comprising:
    - requesting an access credential;
      
      authenticating the access credential prior to obtaining the second encryption key from the first location.
  - 4. The method of claim 1, wherein the second location comprises one or more of:
    - a server within the data center;
      
      ora removable storage device coupled to the server within the data center.
  - 5. The method of claim 1, wherein the first location is within the second portion of the drive.
  - 6. The method of claim 1, wherein the first location comprises a secure memory within a computing device and wherein the drive is located in the computing device.
  - 7. The method of claim 1, further comprising:
    - deleting the first encryption key after obtaining the encrypted encryption key.
  - 8. The method of claim 1, wherein the second encryption key comprises a public-private key pair.
  - 9. The method of claim 1, wherein the access component comprises one or more of:
    - a file that includes instructions for accessing the second location;
      
      an application;
      
      ora script.

10. An apparatus comprising:
- a memory to store one or more keys;
  
  a processing device coupled to the memory and to;
  
  encrypt a first portion of a drive in a data center, using a first encryption key;
  
  encrypt the first encryption key using a second encryption key to obtain an encrypted encryption key;
  
  store the second encryption key in a first location;
  
  store the encrypted encryption key at a second location, wherein the second location is separate from the first location; and
  
  provide an access component to provide access to the encrypted encryption key, in a second portion of the drive, wherein the second portion of the drive is unencrypted and wherein the access component is unable to provide access to the encrypted encryption key from outside the data center.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The apparatus of claim 10, wherein the processing device is further to:
    - receive a request to access the drive from a client device;
      
      obtain the second encryption key from the first location;
      
      obtain the encrypted encryption key from the second location;
      
      decrypt the encrypted encryption key to obtain the first encryption key;
      
      determine whether the request comprises a read request or a write request;
      
      when the request comprises the read request;
      
      decrypt the first portion of the drive using the first encryption key;
      
      access, in the first portion of the drive, a first data requested by the client device; and
      
      provide the first data to the client device; and
      
      when the request comprises the write request;
      
      encrypt a second data provided by the client device; and
      
      write the encrypted second data to the drive.
  - 12. The apparatus of claim 11, wherein the processing device is further to:
    - request an access credential;
      
      authenticate the access credential prior to obtaining the second encryption key from the first location.
  - 13. The apparatus of claim 10, wherein the second location comprises one or more of:
    - a server within the data center;
      
      ora removable storage device coupled to the server within the data center.
  - 14. The apparatus of claim 10, wherein the first location is within the second portion of the drive.
  - 15. The apparatus of claim 10, wherein the first location comprises a secure memory within a computing device and wherein the drive is located in the computing device.
  - 16. The apparatus of claim 10, wherein the processing device is further to:
    - delete the first encryption key after obtaining the encrypted encryption key.
  - 17. The apparatus of claim 10, wherein the access component comprises one or more of:
    - a file that includes instructions for accessing the second location;
      
      an application;
      
      ora script.

18. A non-transitory computer readable storage medium having instructions that, when executed by a processing device, cause the processing device to perform a method comprising:
- encrypting a first portion of a drive in a data center, using a first encryption key;
  
  encrypting the first encryption key using a second encryption key to obtain an encrypted encryption key;
  
  storing the encrypted encryption key in a first location;
  
  storing the second encryption key at a second location, wherein the second location is inaccessible from outside the data center and wherein the second location is separate from the first location; and
  
  providing, by the processing device, an access component to provide access to the encrypted encryption key, in a second portion of the drive, wherein the second portion of the drive is unencrypted and wherein the access component is unable to provide access to the encrypted encryption key from outside the data center.
- View Dependent Claims (19, 20)
- - 19. The non-transitory computer readable storage medium of claim 18, wherein the method further comprises:
    - receiving a request to access the drive from a client device;
      
      obtaining the encrypted encryption key from the first location;
      
      obtaining the second encryption key from the second location;
      
      decrypting the encrypted encryption key to obtain the first encryption key;
      
      determining whether the request comprises a read request or a write request;
      
      when the request comprises the read request;
      
      decrypting the first portion of the drive using the first encryption key;
      
      accessing, in the first portion of the drive, a first data requested by the client device; and
      
      providing the first data to the client device; and
      
      when the request comprises the write request;
      
      encrypting a second data provided by the client device; and
      
      writing the encrypted second data to the drive.
  - 20. The non-transitory computer readable storage medium of claim 18, wherein the method further comprises:
    - deleting the first encryption key after obtaining the encrypted encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
McCallum, Nathaniel, Lee, Ade, Young, Adam, Trmac, Miloslav

Granted Patent

US 8,837,734 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/277
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 2463/062   applying encryption of the ...

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 67/1097   for distributed storage of ...

H04L 9/0822   using key encryption key

H04L 9/0894   Escrow, recovery or storing...

MANAGING ENCRYPTED DATA AND ENCRYPTION KEYS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

51 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MANAGING ENCRYPTED DATA AND ENCRYPTION KEYS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links