| 摘要 |
A stored object may be encrypted with an "object" cryptographic key. The object cryptographic key may be stored in metadata for the object and the metadata for the object may be encrypted using an "internal" cryptographic key associated with a particular encryption domain. The internal cryptographic key may be stored in a filesystem memory block associated with the particular encryption domain. A "domain" cryptographic key may be generated and stored associated with the particular encryption domain. The domain cryptographic key may be used to encrypt the filesystem memory block. Conveniently, below the domain cryptographic key, the filesystem has a unique, totally unknown, internal cryptographic key for actual data encryption. |
