US 12,010,219 B2
Key management providing high availability without key replication
Lionel L Zhang, Bellevue, WA (US)
Assigned to Salesforce, Inc., San Francisco, CA (US)
Filed by Salesforce, Inc., San Francisco, CA (US)
Filed on Oct. 25, 2021, as Appl. No. 17/510,225.
Prior Publication US 2023/0130457 A1, Apr. 27, 2023
Int. Cl. H04L 9/08 (2006.01); H04L 9/12 (2006.01); H04L 9/32 (2006.01)
CPC H04L 9/083 (2013.01) [H04L 9/0825 (2013.01); H04L 9/0841 (2013.01); H04L 9/0861 (2013.01); H04L 9/0894 (2013.01); H04L 9/3247 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A computer implemented method for obtaining an encrypted data encryption key from an instance of a key management system (KMS), the method comprising:
receiving, at a first instance of a KMS, a request for a data encryption key (DEK) from a user, the first instance of the KMS configured with a first symmetric key, a first public-private key pair that is associated with the first instance of the KMS, and a second public key that is obtained from a different second instance of a KMS system to be used in a key agreement scheme between the first and second instances of the KMS;
generating, at the first instance of the KMS, the DEK;
generating, at the first instance of the KMS, a blob, wherein the blob comprises:
a first instance of the generated DEK that is subsequently encrypted by the first symmetric key, and
a second instance of the generated DEK that is subsequently encrypted by a negotiated key that is generated based on the key agreement scheme; and
sending the blob to the user, wherein the first instance of the KMS is configured to decrypt the first instance of the generated DEK and the second instance of the KMS is configured to decrypt the second instance of the DEK.