Load balancing backup jobs in a virtualized storage system having a plurality of physical nodes
US-9372854-B2 · Jun 21, 2016 · US
Redundant key management
US10936729B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10936729-B2 |
| Application number | US-201815889053-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 5, 2018 |
| Priority date | Aug 8, 2012 |
| Publication date | Mar 2, 2021 |
| Grant date | Mar 2, 2021 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
A data storage service redundantly stores data and keys used to encrypt the data. Data objects are encrypted with first cryptographic keys. The first cryptographic keys are encrypted by second cryptographic keys. The first cryptographic keys and second cryptographic keys are redundantly stored in a data storage system to enable access of the data objects, such as to respond to requests to retrieve the data objects. The second cryptographic keys may be encrypted by third keys and redundantly stored in the event access to a second cryptographic key is lost.
First claim
Opening claim text (preview).
What is claimed is: 1. A computer-implemented method, comprising: encrypting a data object using a first cryptographic key; causing the first cryptographic key to be encrypted using a second cryptographic key, resulting in an encrypted first cryptographic key; storing each of the encrypted data object, the encrypted first cryptographic key, and the second cryptographic key redundantly in a plurality of data storage devices; and storing, redundantly in the plurality of data storage devices, a third cryptographic key usable to encrypt the second cryptographic key, wherein the third cryptographic key is stored based on a rotation schedule of the third cryptographic key. 2. The computer-implemented method of claim 1 , wherein the first cryptographic key is uniquely generated for the data object. 3. The computer-implemented method of claim 1 , wherein the first cryptographic key is generated for other data objects, wherein a total amount of other data objects using the first cryptographic key is below a threshold number. 4. The computer-implemented method of claim 1 , wherein the third cryptographic key is rotated with other cryptographic keys based on the rotation schedule. 5. The computer-implemented method of claim 1 , further comprising: redundantly storing the third cryptographic key in a file using the plurality of data storage devices. 6. The computer-implemented method of claim 1 , wherein the second cryptographic key is stored in metadata associated with the data object. 7. The computer-implemented method of claim 1 , wherein the plurality of data storage devices redundantly store each of the encrypted data object, the encrypted first cryptographic key, and the second cryptographic key based at least in part on a set of conditions. 8. A system, comprising: memory to store instructions that, as a result of being executed by one or more processors, cause the system to at least: encrypt a data object using a first cryptographic key; cause the first cryptographic key to be encrypted using a second cryptographic key, resulting in an encrypted first cryptographic key; store each of the encrypted data object, the encrypted first cryptographic key, and the second cryptographic key redundantly in a plurality of data storage devices; and redundantly store a third cryptographic key in a file using the plurality of data storage devices, the third cryptographic key is generated to encrypt the second cryptographic key, wherein the file includes information to rotate using the third cryptographic key with other cryptographic keys based on a schedule. 9. The system of claim 8 , wherein the first cryptographic key is used solely for the data object. 10. The system of claim 8 , wherein the first cryptographic key is used for multiple data objects. 11. The system of claim 8 , wherein the file includes a timestamp for the third cryptographic key. 12. The system of claim 8 , wherein the file is used to locate the third cryptographic key in response to the second cryptographic key being lost. 13. A non-transitory computer-readable storage medium comprising executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least: encrypt a data object using a first cryptographic key; cause the first cryptographic key to be encrypted using a second cryptographic key, resulting in an encrypted first cryptographic key; store each of the encrypted data object, the encrypted first cryptographic key, and the second cryptographic key redundantly in a plurality of data storage devices; and redundantly store a third cryptographic key usable to encrypt the second cryptographic key using the plurality of data storage devices, wherein the third cryptographic key is stored in a file that comprises key rotation information. 14. The non-transitory computer-readable storage medium of claim 13 , wherein metadata is associated with the data object. 15. The non-transitory computer-readable storage medium of claim 14 , wherein the metadata associated with the data object includes cryptographic metadata and footer metadata. 16. The non-transitory computer-readable storage medium of claim 15 , wherein the cryptographic metadata includes at least: an encryption algorithm used to encrypt the data object; an identifier for the first cryptographic key; and an identifier for the second cryptographic key. 17. The non-transitory computer-readable storage medium of claim 15 , wherein the cryptographic metadata includes information identifying one or more algorithms used to generate a vector digest, the vector digest is stored in the footer metadata. 18. The non-transitory computer-readable storage medium of claim 13 , wherein the plurality of data storage devices redundantly store each of the encrypted data object, the encrypted first cryptographic key, and the second cryptographic key based at least in part on a service-level agreement associated with the data storage devices. 19. The computer-implemented method of claim 1 , wherein storing each of the encrypted data object, the encrypted first cryptographic key, and the second cryptographic key redundantly in a plurality of data storage devices comprises at least one of: storing a copy of the first cryptographic key in multiple storage devices; or storing different shards of the first cryptographic key in different data storage devices, wherein the different shards are generated based at least in part on the first cryptographic key and a redundancy encoding scheme. 20. The system of claim 8 , wherein storing the encrypted data object, the encrypted first cryptographic key, and the second cryptographic key redundantly in the plurality of data storage devices comprises at least one of: storing a copy of the first cryptographic key in multiple storage devices; or storing different shards of the first cryptographic key in different data storage devices, wherein the different shards are generated based at least in part on the first cryptographic key and a redundancy encoding scheme.
Assignees
Inventors
Classifications
- G06F21/6209Primary
to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself · CPC title
using a plurality of keys or algorithms · CPC title
Parity data used in redundant arrays of independent storages, e.g. in RAID systems · CPC title
for networked environments · CPC title
Backup restoration techniques · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US10936729B2 cover?
- A data storage service redundantly stores data and keys used to encrypt the data. Data objects are encrypted with first cryptographic keys. The first cryptographic keys are encrypted by second cryptographic keys. The first cryptographic keys and second cryptographic keys are redundantly stored in a data storage system to enable access of the data objects, such as to respond to requests to retri…
- Who is the assignee on this patent?
- Amazon Tech Inc
- What technology area does this patent fall under?
- Primary CPC classification G06F21/6209. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Tue Mar 02 2021 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).