US 11,728,974 B2
Tenant-based database encryption
Prasad Peddada, Alameda, CA (US); and Taher Elgamal, Atherton, CA (US)
Assigned to Salesforce, Inc., San Francisco, CA (US)
Filed by salesforce.com, inc., San Francisco, CA (US)
Filed on Jan. 29, 2021, as Appl. No. 17/162,766.
Prior Publication US 2022/0247554 A1, Aug. 4, 2022
Int. Cl. H04L 9/08 (2006.01); H04L 9/30 (2006.01)
CPC H04L 9/0825 (2013.01) [H04L 9/083 (2013.01); H04L 9/085 (2013.01); H04L 9/0841 (2013.01); H04L 9/0894 (2013.01); H04L 9/3066 (2013.01)]
20 Claims
 
1. A computer-implemented method for securing client data natively on a database using key agreement, the database being stored on a database server, the method comprising:
receiving, by a security module running on the database server, a request over a network channel from a client application to store data from a client device, the client application being associated with a tenant identifier;
generating, by the security module in response to receiving the request to store data, a private key-public key pair;
transmitting, over the network channel by the security module, a request to derive a symmetric key from a key server, the request for the symmetric key comprising the public key, the public key being stored in a data store otherwise inaccessible by the key server and being associated by the security module with the tenant identifier;
receiving, in response to the request to derive the symmetric key, by the security module, an identifier for the private key managed by the key server, wherein the identifier includes a key identifier and a key version identifier;
receiving, by the security module, the symmetric key from the key server via the network channel, the symmetric key being generated by the key server based on the public key and a private key managed by the key server, the private key managed by the key server being accessible by the key server and not accessible by the database server, the symmetric key being derived using a key derivation function;
encrypting, by the security module, the data received from the client device using the symmetric key; and
storing, in the database server, metadata associated with the data encrypted using the symmetric key, the metadata comprising: i) the public key associated with the tenant identifier, and ii) the identifier for the private key managed by the key server.