Three layer key wrapping for securing encryption keys in a data storage system

US9735962B1 · US · B1

Patent metadata
Publication number: US-9735962-B1
Application number: US-201514870660-A
Country: US
Kind code: B1
Filing date: Sep 30, 2015
Priority date: Sep 30, 2015
Publication date: Aug 15, 2017
Grant date: Aug 15, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Securing encryption keys in a data storage system using three layer key wrapping that encrypts a data encryption key using a key encryption key, encrypts the key encryption key using a controller encryption key, and encrypts the controller encryption key using a public key of an asymmetric key pair. The private key is stored on a removable storage device. A separate encryption accelerator component decrypts the encryption keys in order to encrypt and/or decrypt host data from a memory of a storage processor. The removable storage drive must be inserted into a receptacle of the encryption accelerator for encryption and/or decryption to be performed, since the encryption accelerator accesses the private key from the removable storage device in order to decrypt the encrypted controller key. The encryption accelerator generates key handles for the storage processor to use when requesting encryption and/or decryption operations.

First claim

Opening claim text (preview).

What is claimed is:

1. A method of securing encryption keys in a data storage system, comprising: storing an encrypted data encryption key, an encrypted key encryption key, and an encrypted controller encryption key in a memory of an encryption accelerator, wherein the encryption accelerator is a hardware component having a receptacle for a removable data storage device and is separate from a storage processor in the data storage system; and encrypting a set of host data stored in a memory of the storage processor by: i) decrypting, by the encryption accelerator, the encrypted controller encryption key, using a controller private key stored on the removable data storage device and accessed by the encryption accelerator through the receptacle of the encryption accelerator, to obtain a plaintext controller encryption key, ii) decrypting, by the encryption accelerator, the encrypted key encryption key, using the plaintext controller encryption key, to obtain a plaintext key encryption key, iii) decrypting, by the encryption accelerator, the encrypted data encryption key, using the plaintext key encryption key, to obtain a plaintext data encryption key, iv) encrypting, by the encryption accelerator, the set of host data, using the plaintext data encryption key, to generate a set of encrypted host data, and v) deleting, by the encryption accelerator, the plaintext controller encryption key, plaintext key encryption key, and plaintext data encryption key, from the encryption accelerator.

2. The method of claim 1, wherein decrypting the encrypted controller encryption key by the encryption accelerator includes sending a controller encryption key handle identifying the plaintext controller encryption key from the encryption accelerator to the storage processor; wherein decrypting the encrypted key encryption key is in response to receipt of the controller encryption key handle by the encryption accelerator from the storage processor, and includes sending a key encryption key handle identifying the plaintext key encryption key from the encryption accelerator to the storage processor; wherein decrypting the encrypted data encryption key is in response to receipt of the key encryption key handle by the encryption accelerator from the storage processor, and includes sending a data encryption key handle identifying the plaintext data encryption key from the encryption accelerator to the storage processor; and wherein encrypting the set of host data is in response to receipt of the data encryption key handle by the encryption accelerator from the storage processor.

3. The method of claim 2, wherein the controller encryption key handle identifying the plaintext controller encryption key indicates a location at which the plaintext controller encryption key is stored within a memory of the encryption accelerator; wherein the key encryption key handle identifying the plaintext key encryption key indicates a location at which the plaintext data encryption key is stored within the memory of the encryption accelerator; and wherein the data encryption key handle identifying the plaintext data encryption key indicates a location at which the plaintext data encryption key is stored within the memory of the encryption accelerator.

4. The method of claim 3, wherein encrypting the set of host data stored in the memory of the storage processor further comprises writing the set of encrypted host data from the memory of the encryption accelerator to the memory of the storage processor, and further comprising: writing the set of encrypted host data from the memory of the storage processor to at least one storage device within the data storage system.

5. The method of claim 4, wherein the encryption accelerator and the storage processor are communicably coupled by a serial bus over which communications between the encryption accelerator and the storage processor are conveyed; and wherein writing the set of encrypted host data from the memory of the encryption accelerator to the memory of the storage processor comprises sending the set of encrypted host data over the serial bus from the encryption accelerator to the storage processor.

6. The method of claim 5, further comprising: generating, in a key management system that is separate from the data storage system and communicable with the data storage system over a computer network, the plaintext controller encryption key, the plaintext key encryption key, and the plaintext data encryption key; encrypting, in the key management system, using the plaintext key encryption key, the plaintext data encryption key to generate the encrypted data encryption key; encrypting, in the key management system using the plaintext controller encryption key, the plaintext key encryption key to generate the encrypted key encryption key; generating, in the key management system, a key pair comprising the controller private key and a controller public key, wherein the controller public key is an encryption key, and wherein any plaintext encrypted by the controller public key can only be decrypted using the controller private key; encrypting, in the key management system using the controller public key, the plaintext controller encryption key to generate the encrypted controller encryption key; storing the controller private key into the removable data storage device through a removable data storage device receptacle of the key management system; and transmitting, from the key management system over the computer network, through a secure communication channel to the data storage system, the encrypted controller encryption key, encrypted key encryption key, and encrypted data encryption key.

7. The method of claim 6, further comprising: decrypting the set of encrypted host data stored in the memory of the storage processor by: i) decrypting, by the encryption accelerator, the encrypted controller encryption key, using the controller private key stored on the removable data storage device and accessed by the encryption accelerator through the receptacle of the encryption accelerator, to obtain the plaintext controller encryption key, ii) decrypting, by the encryption accelerator, the encrypted key encryption key, using the plaintext controller encryption key, to obtain the plaintext key encryption key, iii) decrypting, by the encryption accelerator, the encrypted data encryption key, using the plaintext key encryption key, to obtain the plaintext data encryption key, iv) decrypting, by the encryption accelerator, the set of encrypted host data, using the plaintext data encryption key, to obtain a set of plaintext host data, and v) deleting the plaintext controller encryption key, plaintext key encryption key, and plaintext data encryption key from the encryption accelerator.

8. A system for securing encryption keys in a data storage system, comprising: a storage processor, within the data storage system, wherein the storage processor includes processing circuitry and a memory coupled to the processing circuitry; a hardware encryption accelerator, within the data storage system, wherein the hardware encryption accelerator is separate from and communicably coupled to the storage processor, wherein the hardware encryption accelerator includes integrated circuit logic, a receptacle for a removable data storage device, and a memory coupled to the integrated circuit logic, wherein the memory in the hardware encryption accelerator stores an encrypted data encryption key, an encrypted key encryption key, and an encrypted controller encryption key, and wherein the integrated circuit logic in the encryption accelerator is configured and arranged to encrypt a set of host data stored in the memory of the storage processor by: i) decrypti

Assignees

Emc Corp, Emc Ip Holding Co Llc

Inventors

Classifications

  • using key encryption key (CPC title)

  • H04L9/0897 (primary): involving additional devices, e.g. trusted platform module [TPM], smartcard or USB

  • using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM] (CPC title)

  • H04L9/0825 (primary): using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates

Patent family

Related publications grouped by family.


Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9735962B1 cover?
Securing encryption keys in a data storage system using three layer key wrapping that encrypts a data encryption key using a key encryption key, encrypts the key encryption key using a controller encryption key, and encrypts the controller encryption key using a public key of an asymmetric key pair. The private key is stored on a removable storage device. A separate encryption accelerator compo…
Who is the assignee on this patent?
Emc Corp, Emc Ip Holding Co Llc
What technology area does this patent fall under?
Primary CPC classification H04L9/0897. Mapped technology areas include Electricity.
When was this patent published?
Publication date Aug 15, 2017 (kind code B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 6 related publications on this page (citations in our corpus or others sharing the same primary CPC).