| CPC H04L 9/0825 (2013.01) [H04L 9/0822 (2013.01); H04L 9/14 (2013.01); H04L 67/561 (2022.05)] | 19 Claims |
|
1. A system, comprising:
one or more processors configured to:
receive a request to access data stored within a tenant database associated with a tenant, wherein the data is encrypted based at least in part on a tenant service encryption key (TSEK) corresponding to the tenant database;
determine a wrapper key used in connection with encrypting the TSEK based at least in part on a TSEK metadata stored in association with the TSEK, comprising determining a tenant key encryption key (TKEK) based at least in part on a mapping of TKEKs to keys used to encrypt the TSEKs, wherein:
an encrypted version of the TKEK is stored in the tenant database;
the tenant is associated with an entity;
the wrapper key is associated with the entity;
the wrapper key is determined based at least in part on a TKEK metadata stored in association with the TKEK;
the TSEK metadata is stored in the tenant database; and
an encrypted version of the wrapper key is stored in a key management service (KMS) that is in communication with the tenant database;
determine a top-level key used in connection with encrypting the wrapper key based at least in part on wrapper key metadata stored in association with the encrypted version of the wrapper key;
obtain the data stored within the tenant database, comprising decrypting at least part of the data based at least in part on (i) the TSEK, (ii) the wrapper key, and (iii) the top-level key; and
provide the data in response to the request; and
a memory coupled to the one or more processors and configured to provide the one or more processors with instructions.
|