Browse Prior Art Database

Risk Mitigation of Encryption Key Loss Using Trusted Party Keyshares

IP.com Disclosure Number: IPCOM000243817D
Publication Date: 2015-Oct-19
Document File: 2 page(s) / 139K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is a method and system to use a keyshare license to help mitigate the risk of losing encrypted data if an access key is lost.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 51% of the total text.

Page 01 of 2

Risk Mitigation of Encryption Key Loss Using Trusted Party Keyshares

On encrypted enterprise storage devices, a physical access key, stored on a universal serial bus (USB) drive or some other external storage medium, may be used to unlock the system and must be presented to the system during system startup prior to coming online. This key may contain the actual encryption key or a higher-level key used to decrypt the encrypted encryption key stored on the system. If a user loses this access key and does not have a backup, then the data on the system is no longer accessible and cannot be decrypted.

A method is needed to provide a client protection against the loss of a single storage key.

The novel solution is a method and system to use a keyshare license to help mitigate the risk of losing an access key. A

client who purchases the storage system may purchase a keyshare license. When enabled, the system performs a key split operation on the user's access key. The user keeps one or more keyshares, which are stored for safe keeping

(separate from normal access key), and then hands off a single keyshare to the entity guaranteeing that keyshare, thus ensuring against data loss. This entity can be the storage device manufacturer or another third party that holds a portion of the risk due to key loss.

The keyshare works in such a way that the third party manufacturer cannot unlock the device, thus maintaining the client's encryption security standard. After losing the access key, the client can only recover data using the associated keyshare and the other keyshare guaranteed by the third party.

To implement the keyshare solution in a preferred embod...