US 12,461,664 B2
Protected data restoration using confidential computing
Sivanarayana Gaddam, Santa Clara, CA (US); Gyan Prakash, Foster City, CA (US); and Suchit Kaura, San Ramon, CA (US)
Assigned to Cohesity, Inc., Santa Clara, CA (US)
Filed by Cohesity, Inc., San Jose, CA (US)
Filed on Mar. 27, 2024, as Appl. No. 18/618,938.
Prior Publication US 2025/0306776 A1, Oct. 2, 2025
Int. Cl. G06F 3/06 (2006.01)
CPC G06F 3/0622 (2013.01) [G06F 3/065 (2013.01); G06F 3/067 (2013.01)]
20 Claims
 
1. A method comprising:
receiving, by a data platform implemented by a computing system, a request to restore an encrypted chunk of data, the encrypted chunk stored with first encrypted key data and second encrypted key data in a storage system by a storage cluster of the data platform, wherein the encrypted chunk is encrypted with a data encryption key generated based on first key data and second key data, the first key data distinct from the second key data;
receiving, by an enclave implemented in a trusted execution environment of the data platform, the first encrypted key data and the second encrypted key data from the storage cluster;
decrypting, by the enclave, the first encrypted key data to obtain the first key data and the second encrypted key data to obtain the second key data;
securely sending, by the enclave, the first key data and the second key data to the storage cluster;
generating, by the storage cluster and based on the first key data and the second key data, a derived data encryption key corresponding to the data encryption key; and
decrypting, by the storage cluster, the encrypted chunk with the derived data encryption key to generate a decrypted chunk.
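
The restore flow of claim 1, sketched as an added Python example that is not taken from the patent or from Cohesity's implementation. The HMAC-based stand-in cipher, the `derive_dek` KDF, the `Enclave` class with its wrapping key, and the `backup` step that produces the stored record are all assumptions; the claim does not specify them.

```python
import hashlib, hmac, secrets

def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in authenticated cipher (HMAC keystream, encrypt-then-MAC); use AES-GCM in practice."""
    nonce, ek, mk = secrets.token_bytes(16), _mac(key, b"enc"), _mac(key, b"mac")
    ks = b"".join(_mac(ek, nonce + i.to_bytes(8, "big")) for i in range(len(plaintext) // 32 + 1))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return nonce + ct + _mac(mk, nonce + ct)

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    ek, mk = _mac(key, b"enc"), _mac(key, b"mac")
    if not hmac.compare_digest(tag, _mac(mk, nonce + ct)):
        raise ValueError("authentication failed")
    ks = b"".join(_mac(ek, nonce + i.to_bytes(8, "big")) for i in range(len(ct) // 32 + 1))
    return bytes(c ^ k for c, k in zip(ct, ks))

def derive_dek(key_data_1: bytes, key_data_2: bytes) -> bytes:
    # Assumed KDF: the claim only says the DEK is "generated based on" both inputs.
    return _mac(key_data_1, b"chunk-dek" + key_data_2)

class Enclave:
    """Models the enclave in the TEE: the wrapping key stays inside this object."""
    def __init__(self):
        self._kek = secrets.token_bytes(32)
    def wrap(self, key_data: bytes) -> bytes:
        return seal(self._kek, key_data)
    def unwrap_pair(self, enc_1: bytes, enc_2: bytes):
        # The result would go back to the cluster over a secure channel (not modeled here).
        return unseal(self._kek, enc_1), unseal(self._kek, enc_2)

def backup(enclave: Enclave, chunk: bytes) -> dict:
    k1, k2 = secrets.token_bytes(32), secrets.token_bytes(32)
    # Only the ciphertext and the two wrapped key-data blobs are stored, never the DEK.
    return {"chunk": seal(derive_dek(k1, k2), chunk),
            "enc_k1": enclave.wrap(k1), "enc_k2": enclave.wrap(k2)}

def restore(enclave: Enclave, record: dict) -> bytes:
    # Storage-cluster side: hand the wrapped key data to the enclave, re-derive the DEK, decrypt.
    k1, k2 = enclave.unwrap_pair(record["enc_k1"], record["enc_k2"])
    return unseal(derive_dek(k1, k2), record["chunk"])
```

Because the DEK is re-derived rather than stored, a record whose two wrapped blobs are swapped, or one presented to a different enclave, fails authentication instead of yielding plaintext.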