Title: Secure cloud storage and encryption management system
Abstract: An embodiment of the invention allows a user to back up/store data to a cloud-based storage system and synchronize that data on the user's devices coupled to the storage system. The devices have secure out-of-band cryptoprocessors that conceal a private key. The private key corresponds to a public key that is used to encrypt a session key and information, both of which are passed to and through cloud-based storage, all while remaining encrypted. The encrypted material is communicated from the cloud to another of the user's devices, where the encrypted material is decrypted within a secure out-of-band cryptoprocessor (using the private key that corresponds to the aforementioned public key) located within the device. The embodiment allows for secure provisioning of the private key to the devices. The private key is only decrypted within the cryptoprocessor, so the private key is not “in the open”. Other embodiments are described herein.
Publication number: US9246678(B2)    Publication date: 2016.01.26
Application number: US201313803633    Filing date: 2013.03.14
Applicant: Intel Corporation    Inventors: Nayshtut Alex; Jimison Edward V.; Ben-Shalom Omer; Raziel Michael
Classification: H04L29/06; H04L9/08; G06F21/62; H04L29/08    Main classification: H04L29/06
Agency: Trop, Pruner & Hu, P.C.    Agent: Trop, Pruner & Hu, P.C.
Independent claim: 1. A system of computing nodes comprising: a first computing node comprising a first secure cryptoprocessor having out-of-band non-volatile first memory that stores a hardware-based first private key that is non-visible to a first operating system (OS) for the first computing node; a second computing node comprising a second secure cryptoprocessor having out-of-band non-volatile second memory that stores a hardware-based second private key that is non-visible to a second OS for the second computing node and that corresponds to a second public key; and at least one non-transitory storage medium having instructions stored thereon to cause: the first computing node to: receive the second public key; determine a first session key and encrypt first information with the first session key; encrypt the first session key with the second public key; bind the encrypted first session key to the encrypted first information; and communicate the bound encrypted first session key and encrypted first information to cloud based storage; and the second computing node to receive and decrypt the bound encrypted first session key with the second private key, while the second private key is still located within the second cryptoprocessor, and the encrypted first information with the decrypted first session key; wherein the at least one medium further comprises instructions to cause: the first secure cryptoprocessor to encrypt the first private key and communicate the encrypted first private key to the first computing node; the first computing node to communicate the encrypted first private key to a third computing node; and the second computing node to receive the encrypted first private key from the third computing node.
Address: Santa Clara, CA, US
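The abstract and claim 1 describe an envelope-encryption flow: the first node picks a session key, encrypts the information with it, encrypts (wraps) the session key with the second node's public key, binds the two, and uploads the bundle; the second node unwraps the session key inside its cryptoprocessor and then decrypts the information. The following Go program is an added illustration of that flow and is not Intel's code or the patent's implementation. It assumes RSA-OAEP for wrapping and AES-256-GCM for the information, and models the "bind" step by passing the wrapped key as GCM additional authenticated data, so a wrapped key and a ciphertext that were not sealed together fail authentication. The Cryptoprocessor type is a software stand-in for the out-of-band hardware: its private key sits in an unexported field and only an unwrap operation is exposed. The claim's provisioning of the first private key via a third node is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// oaepLabel is an assumed constant; both sides must use the same OAEP label.
var oaepLabel = []byte("cloud-sync-session-key")

// Cryptoprocessor models the secure out-of-band cryptoprocessor: the private
// key is unexported, so the "OS side" can only request an unwrap, never read it.
type Cryptoprocessor struct {
	priv *rsa.PrivateKey
}

// NewCryptoprocessor generates the device key pair inside the model device.
func NewCryptoprocessor() (*Cryptoprocessor, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Cryptoprocessor{priv: priv}, nil
}

// PublicKey is the only key material that leaves the cryptoprocessor.
func (c *Cryptoprocessor) PublicKey() *rsa.PublicKey { return &c.priv.PublicKey }

// UnwrapSessionKey decrypts the wrapped session key without exposing the private key.
func (c *Cryptoprocessor) UnwrapSessionKey(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, c.priv, wrapped, oaepLabel)
}

// Bundle is the object placed in cloud storage; every field stays encrypted
// or is public (the nonce), so the cloud never sees plaintext or the session key.
type Bundle struct {
	WrappedKey []byte `json:"wrapped_key"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
}

// Seal is the first node's side of the flow (session key, encrypt, wrap, bind).
func Seal(recipient *rsa.PublicKey, info []byte) ([]byte, error) {
	sessionKey := make([]byte, 32) // AES-256 session key, assumed size
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Binding: the wrapped key is authenticated as AAD alongside the ciphertext.
	ct := gcm.Seal(nil, nonce, info, wrapped)
	return json.Marshal(Bundle{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct})
}

// Open is the second node's side: unwrap inside the cryptoprocessor, then decrypt.
func Open(cp *Cryptoprocessor, blob []byte) ([]byte, error) {
	var b Bundle
	if err := json.Unmarshal(blob, &b); err != nil {
		return nil, err
	}
	sessionKey, err := cp.UnwrapSessionKey(b.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("session key unwrap failed: %w", err)
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, b.WrappedKey)
}

func main() {
	deviceB, _ := NewCryptoprocessor()
	blob, _ := Seal(deviceB.PublicKey(), []byte("constructed sample: notes.txt contents"))
	plain, err := Open(deviceB, blob)
	fmt.Printf("cloud blob %d bytes; recovered %q (err=%v)\n", len(blob), plain, err)
}
```

A second device that was never given the wrapped key for its own public key cannot open the bundle, and a bundle whose wrapped key is replaced fails GCM authentication rather than decrypting to garbage, which is the property the claim's "bind" step is after.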