Automatic provisioning of key material rotation information to services
US-2021152336-A1 · May 20, 2021 · US
US11277262B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11277262-B2 |
| Application number | US-202016918298-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 1, 2020 |
| Priority date | Jul 1, 2020 |
| Publication date | Mar 15, 2022 |
| Grant date | Mar 15, 2022 |
Official abstract text for this publication.
Generating unique data encryption keys for a data set, by allocating a data set associated with a security policy, where the security policy specifies a key encryption key (KEK) label, retrieving the KEK label from the security policy, storing the KEK label as metadata of the data set, opening the data set for a first time write, generating a data encryption key (DEK), retrieving a KEK from a key store according to the KEK label, encrypting the DEK using the KEK, storing the encrypted DEK as metadata of the data set, and encrypting the data set using the DEK.
Opening claim text (preview).
What is claimed is:

1. A computer implemented method for generating unique keys for a data set, the method comprising: allocating, by one or more computer processors, resources for a data set associated with a security policy, wherein the security policy specifies a key encryption key (KEK) label; retrieving, by the one or more computer processors, the KEK label from the security policy; storing, by the one or more computer processors, the KEK label as metadata of the data set; opening, by the one or more computer processors, the data set for a first time write; generating, by the one or more computer processors, a data encryption key (DEK); retrieving, by the one or more computer processors, a KEK from a key store according to the KEK label; encrypting, by the one or more computer processors, the DEK using the KEK; storing, by the one or more computer processors, the encrypted DEK as metadata of the data set; encrypting, by the one or more computer processors, the data set using the DEK; and writing the encrypted data set to the allocated resources.

2. The computer implemented method according to claim 1, further comprising: opening, by the one or more computer processors, the encrypted data set; retrieving, by the one or more computer processors, the KEK from the key store according to the KEK label of the encrypted data set; retrieving, by the one or more computer processors, the encrypted DEK from metadata of the encrypted data set; decrypting, by the one or more computer processors, the encrypted DEK using the KEK; decrypting, by the one or more computer processors, the encrypted data set using the DEK; and providing, by the one or more computer processors, a user access to the data set data.

3. The computer implemented method according to claim 1, further comprising: allocating, by the one or more computer processors, a target data set associated with the security policy; retrieving, by the one or more computer processors, the KEK label from the security policy; storing, by the one or more computer processors, the KEK label as metadata of the target data set; opening, by the one or more computer processors, the target data set for a first time write; generating, by the one or more computer processors, a target data set DEK; retrieving, by the one or more computer processors, the KEK from the key store according to the KEK label; encrypting, by the one or more computer processors, the target data set DEK using the KEK; storing, by the one or more computer processors, the encrypted DEK as metadata of the target data set; and encrypting, by the one or more computer processors, a source data set as the target data set using the target data set DEK.

4. The computer implemented method according to claim 3, further comprising deleting the source data.

5. The computer implemented method according to claim 1, further comprising validating a user's access to the allocated data set.

6. The computer implemented method according to claim 1, further comprising validating a user's access to the KEK label.

7. The computer implemented method according to claim 1, further comprising: opening, by the one or more computer processors, an encrypted source data set; retrieving, by the one or more computer processors, the KEK associated with the KEK label from the key store according to the KEK label; retrieving, by the one or more computer processors, the encrypted DEK from data set metadata; decrypting, by the one or more computer processors, the encrypted DEK using the KEK; decrypting, by the one or more computer processors, the encrypted source data set using the DEK; allocating, by the one or more computer processors, a target data set associated with the security policy; retrieving, by the one or more computer processors, the KEK label from the security policy; storing, by the one or more computer processors, the KEK label as metadata of the target data set; opening, by the one or more computer processors, the target data set for a first time write; generating, by the one or more computer processors, a target data set DEK; retrieving, by the one or more computer processors, a KEK from the key store according to the KEK label; encrypting, by the one or more computer processors, the target data set DEK using the KEK; storing, by the one or more computer processors, the encrypted DEK as target data set metadata; and encrypting, by the one or more computer processors, the source data set data as the target data set using the target data set DEK.

8. A computer program product for generating unique keys for a data set, the computer program product comprising one or more computer readable storage devices and program instructions collectively stored on the one or more computer readable storage devices, the stored program instructions comprising: program instructions to allocate resources for a data set associated with a security policy, wherein the security policy specifies a key encryption key (KEK) label; program instructions to retrieve the KEK label from the security policy; program instructions to store the KEK label as metadata of the data set; program instructions to open the data set for a first time write; program instructions to generate a data encryption key (DEK); program instructions to retrieve a KEK from a key store according to the KEK label; program instructions to encrypt the DEK using the KEK; program instructions to store the encrypted DEK as metadata of the data set; program instructions to encrypt the data set using the DEK; and program instructions to write the encrypted data set to the allocated resources.

9. The computer program product according to claim 8, the stored program instructions further comprising: program instructions to open an encrypted data set; program instructions to retrieve the KEK from the key store according to the KEK label of the encrypted data set; program instructions to retrieve the encrypted DEK from metadata of the encrypted data set; program instructions to decrypt the encrypted DEK using the KEK; program instructions to decrypt the encrypted data set using the DEK; and program instructions to provide the user access to the data set data.

10. The computer program product according to claim 8, the stored program instructions further comprising: program instructions to allocate a target data set associated with the security policy; program instructions to retrieve the KEK label from the security policy; program instructions to store the KEK label as metadata of the target data set; program instructions to open the target data set for a first time write; program instructions to generate a target data set DEK; program instructions to retrieve the KEK from the key store according to the KEK label; program instructions to encrypt the target data set DEK using the KEK; program instructions to store the encrypted DEK as metadata of the target data set; and program instructions to encrypt a source data set as the target data set using the target data set DEK.

11. The computer program product according to claim 10, the stored program instructions further comprising program instructions to delete the source data.

12. The computer program product according to claim 8, the stored program instructions further comprising program instructions to validate a user's access to the allocated data set.

13. The computer program product according to claim 8, the stored program instructions further comprising program instructions to validate a user's access to the KEK label.

14. The computer program product according to
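The allocate / first-write / open / copy-to-target flow of the abstract and of claims 1, 2, 3 and 7, as an added stand-alone Python example (not code from the patent or from any assignee's product). The `KEY_STORE` dictionary, the `KEK.PAYROLL.2024` label, the data set dictionaries and the `seal`/`open_` authenticated-encryption stand-in (HMAC-SHA256 counter-mode keystream, encrypt-then-MAC, standard library only) are all constructed for illustration; a real deployment would wrap the DEK and encrypt the data set with AES-GCM or a KMS/HSM wrap call.

```python
import hashlib, hmac, os, secrets
# Stdlib-only AEAD stand-in (constructed for this example): HMAC-SHA256 keystream in
# counter mode with an encrypt-then-MAC tag. Production systems wrap the DEK and
# encrypt the data set with AES-GCM or a KMS/HSM wrap call instead.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _subkeys(key: bytes) -> tuple:
    return tuple(hmac.new(key, tag, hashlib.sha256).digest() for tag in (b"enc", b"mac"))

def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    body = nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_(key: bytes, sealed: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    body, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong KEK/DEK or tampered data")
    nonce, ct = body[:16], body[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
# Constructed key store: KEK label -> KEK. Only the label is ever written into
# data set metadata; the KEK itself stays in the store.
KEY_STORE = {"KEK.PAYROLL.2024": secrets.token_bytes(32)}

def allocate(security_policy: dict) -> dict:
    """Claim 1: allocation copies the policy's KEK label into the data set's metadata."""
    return {"kek_label": security_policy["kek_label"], "wrapped_dek": None, "ciphertext": None}

def first_write(data_set: dict, data: bytes) -> dict:
    """Claim 1: first write generates a DEK, wraps it under the labelled KEK, encrypts the data."""
    kek = KEY_STORE[data_set["kek_label"]]  # KeyError: label not present in the key store
    dek = secrets.token_bytes(32)           # unique per data set, never stored in clear
    data_set["wrapped_dek"] = seal(kek, dek)
    data_set["ciphertext"] = seal(dek, data)
    return data_set

def read(data_set: dict) -> bytes:
    """Claim 2: unwrap the DEK with the KEK found by label, then decrypt the data set."""
    kek = KEY_STORE[data_set["kek_label"]]
    return open_(open_(kek, data_set["wrapped_dek"]), data_set["ciphertext"])

def copy_to_target(source: dict, security_policy: dict) -> dict:
    """Claims 3 and 7: decrypt the source, then write it to a new target with its own DEK."""
    return first_write(allocate(security_policy), read(source))
```

Because metadata carries only the KEK label and the wrapped DEK, a copy of the data set without access to the labelled KEK yields an authentication failure rather than plaintext, and every target data set gets a DEK distinct from its source.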
CPC classification titles:
- Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
- Generation of secret information including derivation or calculation of cryptographic keys or passwords
- using key encryption key
- Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms (network architectures or network communication protocols for using time-dependent keys in a packet data network H04L63/068)
- using a plurality of keys or algorithms