Title of Invention Use of Indirect Data Keys for Encrypted Tape Cartridges
Abstract A method, system and program are provided for enabling selective access to multiple users' encrypted data in a single storage cartridge. A unique, derived key is generated for each user's data by performing cryptographic operations on a combination of a common base key and metadata related to the data to be encrypted (e.g. its total block count). The base data key is wrapped with one or more encryption keys to form one or more encryption encapsulated data keys (EEDKs). The base key and the derived key are wrapped to create a session encrypted data key (SEDK), which, along with the EEDKs, are conveyed to the tape drive, where the SEDK is decrypted. The EEDKs are then stored in one or more places on the storage cartridge. The base key and the derived key are used to encrypt a predetermined user's data, with the derived key stored on the cartridge with the encrypted data. The encrypted data may be subsequently decrypted by retrieving the EEDK and decrypting it with a decryption key to extract the base data key. The extracted base data key can then be used with other information to calculate the derived key. Once calculated, the derived key is used to decrypt its associated encrypted data.
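Publication Number US2008273697(A1) Publication Date 2008.11.06
Application Number US20070742837 Filing Date 2007.05.01
Applicant Inventor GRECO PAUL M.;HALEVI SHAI;JAQUETTE GLEN A.
Classification H04L9/14;H04L9/10 Main Classification H04L9/14
Agency Agent
Principal Claim
Address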