Title: Long term encrypted storage and key management
Abstract: An encryption key that is not accessible outside a data storage device can be used to encrypt data stored in that device. The received data may have been encrypted under an external key, such as a key associated with a customer of a data storage service. Upon receiving the data encrypted under the external key, the data can be decrypted using a copy of the external key and then re-encrypted, inside the data storage device, using the internal key. If the external key is to be rotated, the stored data does not need to be modified: the data can be decrypted using the internal key and then re-encrypted using the new external key in response to an authorized request for the data after the change to the new external key. Such an approach provides near-instant key rotation without having to re-encrypt data under the new key unless it is requested.
Publication number: US9455963(B1)  Publication date: 2016.09.27
Application number: US201414575676  Filing date: 2014.12.18
Applicant: Amazon Technologies, Inc.  Inventors: Roth Gregory Branchek; Brandwine Eric Jason
Classification: H04L9/32; H04L29/06; G06F1/26; G08B29/00  Main classification: H04L9/32
Agent firm: Hogan Lovells US LP  Agent: Hogan Lovells US LP
Independent claim: 1. A computer-implemented method, comprising: receiving data in a write request, the data encrypted under a first external key; decrypting the data to a storage device using a copy of the first external key stored by the storage device; re-encrypting, in the storage device, the data using an internal key generated within, and inaccessible outside, the storage device; storing the data, encrypted under the internal key, in the storage device; receiving a read request to access the data encrypted under the internal key; decrypting, in the storage device, the data using the internal key; determining a current external key resulting from a rotation event; replacing the copy of the first external key, stored in the storage device, with the current external key; re-encrypting the data stored in the storage device using the current external key; and transmitting the data, re-encrypted under the current external key, from the storage device to a destination specified by the read request.
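The abstract and claim 1 above describe one procedure: data arrives under a customer-held external key, is re-encrypted inside the device under an internal key that never leaves it, and on a read after a rotation event the device swaps its copy of the external key and re-encrypts the served copy, while the data at rest is untouched. The following Python model of that flow is an added illustration written for this page; it is not code from the patent or from Amazon. Every name in it (`StorageDevice`, `encrypt`, `decrypt`, `run_rotation_demo`, the `current_key_source` callable that stands in for a key-management lookup) is constructed for the example, as is the sample payload. To keep the example runnable on the standard library alone, the cipher is an encrypt-then-MAC stream construction built from HMAC-SHA256; it is a stand-in for the authenticated cipher (e.g. AES-GCM) a real device would use, and the key-management logic is the point, not the cipher.

```python
import hashlib
import hmac
import os
import secrets

# Encrypt-then-MAC stream cipher built from HMAC-SHA256 (stand-in for AES-GCM).
NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate one master key into an encryption key and a MAC key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def _can_decrypt(key: bytes, blob: bytes) -> bool:
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


class StorageDevice:
    """Hypothetical model of the claimed device: an internal key generated inside
    and never exported, a copy of the customer's external key, and data at rest
    encrypted only under the internal key."""

    def __init__(self, external_key: bytes, current_key_source):
        self._internal_key = secrets.token_bytes(32)   # generated within, inaccessible outside
        self._external_key = external_key              # device's copy of the customer key
        self._current_key_source = current_key_source  # models a key-manager lookup (assumption)
        self._store = {}

    def write(self, object_id: str, blob_under_external: bytes) -> None:
        # Claim steps: decrypt with the stored copy of the external key,
        # re-encrypt under the internal key, store.
        plaintext = decrypt(self._external_key, blob_under_external)
        self._store[object_id] = encrypt(self._internal_key, plaintext)

    def stored_blob(self, object_id: str) -> bytes:
        return self._store[object_id]

    def read(self, object_id: str) -> bytes:
        # Claim steps: decrypt with the internal key, determine the current external
        # key, replace the stored copy if a rotation happened, re-encrypt for transmit.
        plaintext = decrypt(self._internal_key, self._store[object_id])
        current = self._current_key_source()
        if current != self._external_key:
            self._external_key = current  # lazy rotation: data at rest is not rewritten
        return encrypt(self._external_key, plaintext)


def run_rotation_demo() -> dict:
    key1, key2 = secrets.token_bytes(32), secrets.token_bytes(32)
    current = {"key": key1}                       # what the key manager currently holds
    device = StorageDevice(key1, lambda: current["key"])

    payload = b"customer record: constructed sample data"
    device.write("obj-1", encrypt(key1, payload))   # customer writes under key1
    at_rest_before = device.stored_blob("obj-1")

    current["key"] = key2                         # rotation event at the key manager
    served = device.read("obj-1")                 # first read after rotation
    at_rest_after = device.stored_blob("obj-1")

    device.write("obj-2", encrypt(key2, b"second object"))  # device copy is now key2
    return {
        "served_plaintext": decrypt(key2, served),
        "at_rest_unchanged_by_rotation": at_rest_before == at_rest_after,
        "old_key_can_read_served": _can_decrypt(key1, served),
        "at_rest_readable_with_external_key": _can_decrypt(key2, at_rest_after),
        "write_after_rotation_ok": decrypt(key2, device.read("obj-2")) == b"second object",
    }
```

Running `run_rotation_demo()` shows the property the abstract claims: the blob at rest is byte-identical before and after rotation, the served copy decrypts only under the new external key, and nothing at rest decrypts under any external key at all, which is why the stored data never needs a bulk re-encryption pass when the customer key changes.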
Address: Reno NV US