| CPC H04L 63/0435 (2013.01) [H04L 9/0822 (2013.01); H04L 9/0841 (2013.01); H04L 9/0861 (2013.01)] | 18 Claims |
|
1. A data entry computing system on a first network node, the data entry computing system comprising a processing circuit configured to:
identify user-entered data as sensitive user data;
generate a content encryption key (CEK);
generate encrypted user data by encrypting the sensitive user data with the CEK;
tag the encrypted user data and the CEK with a tag readable by a database server on a network node different than the data entry computing system, the tag comprising information indicative of the encrypted user data;
transmit the encrypted user data to the database server, wherein the database server excludes a private key of a key manager on a network node different than the data entry computing system;
generate an encrypted CEK by encrypting the CEK with a public key of the key manager;
tag the encrypted CEK with the tag readable by the database server; and
transmit the encrypted CEK to the database server with the encrypted user data, wherein the key manager excludes the encrypted user data, wherein the database server is configured to transmit the encrypted CEK to the key manager in response to receiving a request for the sensitive user data from a data exit computing system comprising a public/private key pair on a different network node than the data entry computing system, identify the requested user data, based on a predefined time period, or in response to receiving instructions from the data entry computing system to send the sensitive user data to the data exit computing system, and wherein the key manager is configured to decrypt the CEK using the private key of the key manager and encrypt the CEK using a public key of the data exit computing system.
|