Multi-tiered encryption system for efficiently regulating use of encryption keys

摘要

A multi-tiered encryption system efficiently regulates the use of encryption keys to encrypt and decrypt data. The system can include one or more encryption tiers. Each encryption tier can include a computing node programmed to service encryption and/or decryption requests and a key store to store encryption keys. At a root encryption tier, an unencrypted root encryption key can be stored in the key store. Each subsequent encryption tier includes encryption keys that are encrypted by encryption keys stored at a lower encryption tier. The encryption tiers collectively implement an encryption policy in which keys are automatically created and rotated such that a requesting device can request encryption services from the multi-tiered encryption system and receive the encryption services independent of key creation or key rotation and without access to the unencrypted root encryption key.

主权项

1. A computer-implemented method of encrypting data, the method comprising:
receiving, from a requesting device, a first request to encrypt data, wherein the first request comprises the data; determining whether a first key can be used to encrypt the data; requesting, in response to determining that the first key can be used to encrypt the data, an encrypted version of the first key from a first data store associated with a first node, wherein the first node is associated with a first tier of keys; receiving the encrypted version of the first key and a parent key identifier from the data store, wherein the parent key identifier identifies a parent key stored in a second data store associated with a second node configured to decrypt the encrypted version of the first key, and wherein the second node is associated with a second tier of keys; transmitting, to the second node, a second request to decrypt the encrypted version of the first key, wherein the second request comprises the encrypted version of the first key and the parent key identifier; receiving, from the second node, a decrypted version of the first key, wherein the second node generates the decrypted version of the first key using the parent key after the parent key is retrieved from the second data store; encrypting the data using the decrypted version of the first key; generating a key identifier associated with the first key; and transmitting, to the requesting device, the encrypted data and the key identifier.