Encryption key rotation based on dataset size or time between key rotation intervals
US-2023224154-A1 · Jul 13, 2023 · US
US12578879B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12578879-B2 |
| Application number | US-202418596952-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 6, 2024 |
| Priority date | Mar 6, 2024 |
| Publication date | Mar 17, 2026 |
| Grant date | Mar 17, 2026 |
Official abstract text for this publication.
Techniques are provided for encryption technique rotation driven by input/output (I/O) operations. One method comprises obtaining an I/O request to write designated data to a storage device, wherein at least some of the data already stored by the storage device before that request is protected using a first encryption technique associated with a first time period; protecting the designated data using a second encryption technique associated with a second time period that is subsequent to the first time period; and writing the protected designated data to a sector of the storage device. The sector may be marked as comprising re-encrypted data. For an I/O request to read data, a determination is made as to whether the requested read data is stored in a sector marked as comprising re-encrypted data, and the requested read data is decrypted using a decryption key selected based on the result of that determination.
Opening claim text (preview).
What is claimed is:
1. A method, comprising: obtaining at least one input/output (I/O) request from a user to write designated data to at least one storage device, wherein at least a portion of existing data stored by the at least one storage device prior to the obtaining the at least one I/O request to write the designated data is protected using a first encryption technique associated with a first time period, wherein the first time period occurred prior to the obtaining; protecting the designated data using a second encryption technique associated with a second time period, wherein the second time period is subsequent to the first time period and the second encryption technique is different than the first encryption technique, wherein the second time period comprises at least a first portion and a distinct second portion, wherein the first portion employs one or more user write operations to encrypt data using the second encryption technique and wherein the second portion employs one or more user write operations and one or more user read operations to encrypt data using the second encryption technique; and writing the protected designated data to at least one sector of the at least one storage device; wherein the method is performed by at least one processing device comprising a processor coupled to a memory.
2. The method of claim 1, further comprising marking the at least one sector as comprising re-encrypted data.
3. The method of claim 1, further comprising: obtaining at least one I/O request to read data; determining if the requested read data is stored in at least one sector comprising re-encrypted data; and decrypting the requested read data using a decryption key obtained based at least in part on a result of the determining.
4. The method of claim 1, comprising, in response to an occurrence of one or more designated events: obtaining at least one I/O request to read data; determining if the requested read data is stored in at least one sector comprising re-encrypted data; and in response to determining that the requested read data is not stored in at least one sector comprising re-encrypted data: decrypting the requested read data using a first decryption key associated with the first encryption technique to generate decrypted data; encrypting the decrypted data using a second encryption key associated with the second encryption technique to generate encrypted data; and writing the encrypted data to at least one sector of the at least one storage device.
5. The method of claim 4, wherein the steps performed in response to the occurrence of the one or more designated events are performed for at least one portion of a designated key duration.
6. The method of claim 1, wherein the method is performed in response to an occurrence of at least one of: a first encryption key, associated with the first encryption technique, being compromised; the first encryption key satisfying one or more designated expiration criteria; and an amount of data encrypted using the first encryption key satisfying one or more designated encryption limit criteria.
7. The method of claim 1, further comprising providing an acknowledgement to at least one user in response to a completion of the at least one I/O request to write the designated data.
8. The method of claim 1, comprising, in response to an occurrence of one or more designated events: determining if at least one sector of the at least one storage device comprises re-encrypted data; and in response to determining that the at least one sector of the at least one storage device does not comprise re-encrypted data: decrypting data stored in the at least one sector of the at least one storage device using a first decryption key associated with the first encryption technique to generate decrypted data; encrypting the decrypted data using a second encryption key associated with the second encryption technique to generate encrypted data; and writing the encrypted data to the at least one sector of the at least one storage device.
9. The method of claim 8, wherein the one or more designated events comprise determining that the at least one storage device satisfies one or more designated idle criteria.
10. The method of claim 1, wherein the first encryption technique associated with the first time period employs one or more of a first encryption key and a first encryption algorithm and wherein the second encryption technique associated with the second time period employs one or more of a second encryption key and a second encryption algorithm.
11. The method of claim 1, further comprising: monitoring a re-encryption ratio of the at least one storage device; and in response to identifying a deviation of a measured re-encryption ratio from an expected re-encryption ratio, performing one or more of: (a) obtaining at least one I/O request to read data; determining if the requested read data is stored in at least one sector comprising re-encrypted data; and in response to determining that the requested read data is not stored in at least one sector comprising re-encrypted data: decrypting the requested read data using a first decryption key associated with the first encryption technique to generate decrypted data; encrypting the decrypted data using a second encryption key associated with the second encryption technique to generate encrypted data; and writing the encrypted data to at least one sector of the at least one storage device; and (b) determining if at least one sector of the at least one storage device comprises re-encrypted data; and in response to determining that the at least one sector of the at least one storage device does not comprise re-encrypted data: decrypting the data stored in the at least one sector of the at least one storage device using a first decryption key associated with the first encryption technique to generate decrypted data; encrypting the decrypted data using a second encryption key associated with the second encryption technique to generate encrypted data; and writing the encrypted data to the at least one sector of the at least one storage device.
12. An apparatus comprising: at least one processing device comprising a processor coupled to a memory; the at least one processing device being configured to implement the following steps: obtaining at least one input/output (I/O) request from a user to write designated data to at least one storage device, wherein at least a portion of existing data stored by the at least one storage device prior to the obtaining the at least one I/O request to write the designated data is protected using a first encryption technique associated with a first time period, wherein the first time period occurred prior to the obtaining; protecting the designated data using a second encryption technique associated with a second time period, wherein the second time period is subsequent to the first time period and the second encryption technique is different than the first encryption technique, wherein the second time period comprises at least a first portion and a distinct second portion, wherein the first portion employs one or more user write operations to encrypt data using the second encryption technique and wherein the second portion employs one or more user write operations and one or more user read operations to encrypt data using the second encryption technique; and writing the protected designated data to at least one sector of the at least one storage device.
13. The apparatus of claim 12, further comprising: obtaining at least one I/O request to read data; determining if t
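Read together, the abstract and claims 1 to 11 describe a lazy rotation scheme: every new write lands under the current key, a per-sector marker records which key period encrypted the sector, reads select the decryption key from that marker, stale sectors are re-encrypted on read (the "second portion" of the key period) or by an idle-time sweep, rotation is triggered by compromise, key age or the volume of data encrypted, and a re-encryption ratio tracks progress. The simulation below is an added example, not code from the patent or its assignee; the class and method names, the 16-byte sectors, the injected clock and the HMAC-based sector cipher standing in for AES-XTS are all assumptions made for the demo.

```python
"""Added example (not the patent's code): I/O-driven key rotation over a sector store."""
import hashlib, hmac, os, time
from dataclasses import dataclass, field

SECTOR = 16  # constructed: tiny sectors keep the demo readable

def _xts_like(key: bytes, epoch: int, s: int, data: bytes) -> bytes:
    """PRF-keystream XOR: a stand-in for AES-XTS, and like XTS deterministic per sector per key."""
    ks = b"".join(hmac.new(key, f"{epoch}:{s}:{i}".encode(), hashlib.sha256).digest()
                  for i in range(-(-len(data) // 32)))
    return bytes(x ^ y for x, y in zip(data, ks))

@dataclass
class RotatingStore:
    max_bytes_per_key: int            # claim 6: encryption-limit trigger
    max_key_age: float                # claim 6: expiration trigger, seconds
    clock: object = time.monotonic    # injectable so the demo is deterministic
    reencrypt_on_read: bool = False   # claim 1: the key period's second portion
    epoch: int = -1                   # current key period; rotate() below makes it 0
    keys: dict = field(default_factory=dict)          # epoch -> key; old ones decrypt only
    sector_epoch: dict = field(default_factory=dict)  # claim 2: sector -> key period marker
    cipher: dict = field(default_factory=dict)        # sector -> ciphertext
    bytes_under_key: int = 0
    key_born: float = 0.0
    last_rotation: str = ""

    def __post_init__(self) -> None:
        self.rotate("initial key")

    def rotate(self, reason: str) -> int:
        """Open a new key period; call it directly on compromise (claim 6)."""
        self.epoch, self.last_rotation = self.epoch + 1, reason
        self.keys[self.epoch] = os.urandom(32)
        self.bytes_under_key, self.key_born = 0, self.clock()
        return self.epoch

    def _encrypt_current(self, s: int, pt: bytes) -> None:
        self.cipher[s] = _xts_like(self.keys[self.epoch], self.epoch, s, pt)
        self.sector_epoch[s] = self.epoch
        self.bytes_under_key += len(pt)   # re-encryption spends key budget too

    def _decrypt(self, s: int) -> bytes:  # KeyError for a sector that was never written
        ep = self.sector_epoch[s]
        return _xts_like(self.keys[ep], ep, s, self.cipher[s])

    def write(self, s: int, pt: bytes) -> None:
        """User write: check the rotation triggers, then encrypt under the current key (claim 1)."""
        if self.clock() - self.key_born >= self.max_key_age:
            self.rotate("key expired")
        elif self.bytes_under_key + len(pt) > self.max_bytes_per_key:
            self.rotate("encryption limit")
        self._encrypt_current(s, pt)

    def read(self, s: int) -> bytes:
        """The marker picks the key (claim 3); in the second portion a stale sector is re-encrypted (claim 4)."""
        pt = self._decrypt(s)
        if self.reencrypt_on_read and self.sector_epoch[s] != self.epoch:
            self._encrypt_current(s, pt)
        return pt

    def idle_sweep(self, budget: int) -> int:
        """Idle-time background pass (claims 8, 9): re-encrypt up to `budget` stale sectors."""
        stale = sorted(s for s, e in self.sector_epoch.items() if e != self.epoch)
        for s in stale[:budget]:
            self._encrypt_current(s, self._decrypt(s))
        return min(budget, len(stale))

    def reencryption_ratio(self) -> float:
        """Claim 11: share of written sectors already under the current key."""
        done = sum(e == self.epoch for e in self.sector_epoch.values())
        return done / len(self.sector_epoch) if self.sector_epoch else 1.0

    def retire_old_keys(self) -> list:
        """Destroy keys no marker references any more; returns the retired periods."""
        live = set(self.sector_epoch.values()) | {self.epoch}
        gone = sorted(set(self.keys) - live)
        self.keys = {e: k for e, k in self.keys.items() if e in live}
        return gone

def demo() -> dict:
    """Drive one store through the size trigger, the age trigger and a forced rotation."""
    t = [0.0]                                  # constructed clock, in seconds
    st = RotatingStore(max_bytes_per_key=3 * SECTOR, max_key_age=60.0, clock=lambda: t[0])
    blocks = [bytes([i]) * SECTOR for i in range(4)]
    for i, b in enumerate(blocks):
        st.write(i, b)                         # the 4th write would pass 48 bytes -> period 1
    out = {"reason0": st.last_rotation, "markers": [st.sector_epoch[i] for i in range(4)],
           "ratio0": st.reencryption_ratio()}
    out["swept"], out["ratio1"] = st.idle_sweep(budget=2), st.reencryption_ratio()
    st.reencrypt_on_read = True                # second portion: reads re-encrypt stale sectors
    out["rt1"] = st.read(2) == blocks[2]       # this read fixes the last stale sector
    out["ratio2"], out["retired0"] = st.reencryption_ratio(), st.retire_old_keys()
    t[0] = 100.0
    st.write(4, blocks[0])                     # key is 100 s old -> period 2 by expiry
    out["reason1"], out["epoch1"] = st.last_rotation, st.epoch
    st.rotate("key compromised")               # forced rotation -> period 3, every sector stale
    out["ratio3"], out["rt2"] = st.reencryption_ratio(), all(st.read(i) == b for i, b in enumerate(blocks + [blocks[0]]))
    out["retired1"] = st.retire_old_keys()     # those reads re-encrypted everything under key 3
    return out
```

Two points the simulation makes visible. First, the old key cannot be destroyed at rotation time: it stays available, decrypt-only, until the re-encryption ratio reaches 1.0, and `retire_old_keys` is the step that finally removes it; a ratio that stops rising is exactly the deviation claim 11 watches for. Second, the stand-in cipher is a stream construction, so unlike a real XTS device a rewrite of the same sector under the same key period would leak the XOR of the two plaintexts; it is used here only to keep the key-selection logic short, and the same store would work unchanged over a proper sector cipher.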
CPC classification titles:
Revocation or update of secret information, e.g. encryption key update or rekeying
Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms (network architectures or network communication protocols for using time-dependent keys in a packet data network H04L63/068)
Improving I/O performance
Vertical data movement, i.e. input-output transfer; data movement between one or more hosts and one or more storage devices
Non-volatile semiconductor memory device, e.g. flash memory, one time programmable memory [OTP]