Redundant key management
First Claim
1. A computer-implemented method, comprising:
for each set of data objects of at least a plurality of sets of data objects;
for each data object in the set of data objects;
storing the data object in a first data store; and
while the data object is stored in the first data store, providing an identifier for the data object that is usable to retrieve the data object after removal of the data object from the first data store;
generating a first cryptographic key for the set of data objects;
encrypting one or more data objects in the set using the first cryptographic key to generate one or more encrypted data objects;
causing the first cryptographic key to be encrypted using a second cryptographic key, thereby resulting in an encrypted first cryptographic key; and
redundantly storing the one or more encrypted data objects and the encrypted first cryptographic key, to achieve a first durability for the data object and a second durability for the encrypted first cryptographic key, using a plurality of data storage devices used by a second data storage system to persistently store the data objects, the second durability being greater than the first durability.
Abstract
A data storage service redundantly stores data and keys used to encrypt the data. Data objects are encrypted with first cryptographic keys. The first cryptographic keys are encrypted by second cryptographic keys. The first cryptographic keys and second cryptographic keys are redundantly stored in a data storage system to enable access of the data objects, such as to respond to requests to retrieve the data objects. The second cryptographic keys may be encrypted by third keys and redundantly stored in the event access to a second cryptographic key is lost.
20 Claims
8. A system, comprising:
one or more processors; and
memory storing instructions that, as a result of execution by the one or more processors, cause the system to;
obtain a first cryptographic key for a set of data objects, the set of data objects comprising a data object stored in a first data store, the data object having an identifier for the data object that is usable to retrieve the data object after removal of the data object from the first data store;
encrypt the data object using the first cryptographic key;
cause the first cryptographic key to be encrypted using a second cryptographic key, resulting in an encrypted first cryptographic key; and
redundantly store the data object and the encrypted first cryptographic key, to achieve a first durability for the data object and a second durability for the encrypted first cryptographic key, using a plurality of data storage devices used by a second data storage system to persistently store data objects, the second durability being at least the first durability.
15. One or more non-transitory computer-readable storage media having collectively stored thereon instructions that, when executed by one or more processors of a computer system, cause the computer system to:
before a data object is removed from a first data store for storage in a second data store, provide an identifier for the data object that is usable to obtain the data object after removal of the data object from the first data store;
obtain a first cryptographic key;
encrypt a data object using the first cryptographic key to generate an encrypted data object;
cause the first cryptographic key to be encrypted using a second cryptographic key; and
redundantly store the data object, encrypted first cryptographic key and encrypted second cryptographic key among a plurality of data storage devices of a second data store of a data storage system such that the data object is stored at a first durability and the first cryptographic key is stored a second durability that is greater than the first durability.
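The durability clause in the claims can be checked by enumeration. This is an added example, not part of the patent: it counts, over every possible set of failed devices, how many objects of one set can no longer be decrypted when the encrypted first key has as many replicas as the ciphertexts versus more. The five-device layout, the replica placement and all function names are assumptions made for illustration.

```python
from itertools import combinations


def layout(n_devices, n_objects, data_copies, key_copies):
    """Constructed placement for one object set sharing one first (data) key.

    Ciphertext i is replicated on data_copies consecutive devices starting at
    device i; the encrypted first key is replicated on the first key_copies devices.
    """
    objects = [frozenset((i + j) % n_devices for j in range(data_copies))
               for i in range(n_objects)]
    return objects, frozenset(range(key_copies))


def unreadable(objects, key, failed):
    """Return (objects that cannot be decrypted, ciphertexts stranded by key loss)."""
    ciphertext_lost = sum(1 for replicas in objects if replicas <= failed)
    if key <= failed:  # no replica of the encrypted first key survives
        return len(objects), len(objects) - ciphertext_lost
    return ciphertext_lost, 0


def loss_profile(n_devices, n_objects, data_copies, key_copies, n_failed):
    """Enumerate every failure set of size n_failed.

    Returns (mean unreadable objects, worst-case unreadable objects,
    total stranded ciphertexts across all failure sets).
    """
    objects, key = layout(n_devices, n_objects, data_copies, key_copies)
    results = [unreadable(objects, key, frozenset(f))
               for f in combinations(range(n_devices), n_failed)]
    lost = [r[0] for r in results]
    return sum(lost) / len(lost), max(lost), sum(r[1] for r in results)


if __name__ == "__main__":
    # 5 devices, 5 objects, 2 ciphertext replicas each, any 2 devices fail.
    for key_copies in (2, 3):
        print(key_copies, loss_profile(5, 5, 2, key_copies, 2))
```

With the key replicated like the data (2 copies), one failure pair makes all 5 objects unreadable even though 4 ciphertexts are intact; with 3 key copies the worst case is a single object and no ciphertext is stranded.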
Specification