-
Publication No.: US11057359B2
Publication date: 2021-07-06
Application No.: US16102191
Application date: 2018-08-13
Applicant: salesforce.com, inc.
Inventor: Scott Wisniewski, David Murray, Xiongjian Fu, Harish Krishnamurthy
Abstract: A set of hardware security modules (HSMs) in a database system may implement a key management system with a database storing encryption keys or other secrets. The set of HSMs may identify a first key encryption key (KEK) and a second KEK stored in the set of HSMs. The set of HSMs may retrieve, from the database, a set of encryption keys encrypted by the first KEK and decrypt each encryption key of the set of encryption keys using the first KEK. The set of HSMs may re-encrypt each encryption key of the set of encryption keys with the second KEK and transmit, to the database, the set of encrypted encryption keys encrypted by the second KEK for storage. Then, the set of HSMs may delete the first KEK from the set of HSMs.
-
Publication No.: US20200053065A1
Publication date: 2020-02-13
Application No.: US16102191
Application date: 2018-08-13
Applicant: salesforce.com, inc.
Inventor: Scott Wisniewski, David Murray, Xiongjian Fu, Harish Krishnamurthy
Abstract: A set of hardware security modules (HSMs) in a database system may implement a key management system with a database storing encryption keys or other secrets. The set of HSMs may identify a first key encryption key (KEK) and a second KEK stored in the set of HSMs. The set of HSMs may retrieve, from the database, a set of encryption keys encrypted by the first KEK and decrypt each encryption key of the set of encryption keys using the first KEK. The set of HSMs may re-encrypt each encryption key of the set of encryption keys with the second KEK and transmit, to the database, the set of encrypted encryption keys encrypted by the second KEK for storage. Then, the set of HSMs may delete the first KEK from the set of HSMs.
-