Remote key encryption key management in a collaborative cloud based environment
Abstract
Content item 402 indicated by content request 401 is encrypted using a CEK (content encryption key) 404. The CEK is encrypted using a local KEK (key encryption key), e.g. at server 100 (fig. 1). A reason code is determined which enumerates the reason for the request. A remote key encryption request 406 is initiated, typically to a remote key service engine 420 at a client 102 (fig. 1), which includes the once-encrypted KEK and the reason code. Preferably, a twice-encrypted key, encrypted with a remote KEK, is returned in response and stored locally 415 with the local and remote KEKs and encrypted data item 403. Subsequent access (see fig. 4B) to the item identifies a reason code which enumerates the reason for that request. The twice-encrypted key is accessed from the data store and a remote key decryption request initiated which includes the twice-encrypted key, reason code and remote KEK. Preferably, the once-encrypted key, decrypted using the remote KEK, is returned in response and decrypted locally using the local KEK. The CEK can then be used to decrypt the item. A remote key request is accepted or rejected based on a set of preconfigured rules and the reason.
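The store and access flow described in the abstract, as an added example that is not code from the patent or its applicant: a CEK wrapped by the local KEK, wrapped again by a remote key service that accepts or rejects each request by reason code. Assumptions: the reason-code names, the allow-list, and all function and class names are hypothetical; the service holds a single remote KEK rather than receiving a KEK reference in the request; and an HMAC-SHA256 encrypt-then-MAC construction stands in for a real key-wrap algorithm (such as AES-KW or AES-GCM) so the code runs on the Python standard library alone.

```python
import hashlib, hmac, secrets

ALLOWED_REASONS = {"UPLOAD", "DOWNLOAD", "PREVIEW"}  # hypothetical rule set

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode: stand-in keystream, not a production cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def wrap(kek, data):
    # Encrypt-then-MAC stand-in for a real key wrap such as AES-KW or AES-GCM.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(kek, b"enc" + nonce, len(data))))
    return nonce + ct + hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()

def unwrap(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(kek, b"enc" + nonce, len(ct))))

class RemoteKeyService:
    """Holds the remote KEK; accepts or rejects each request by reason code."""
    def __init__(self):
        self._kek = secrets.token_bytes(32)   # never leaves the remote side

    def _gate(self, op, reason):
        if reason not in ALLOWED_REASONS:
            raise PermissionError(f"{op} rejected: reason {reason!r}")

    def encrypt(self, once_encrypted, reason):
        self._gate("encrypt", reason)
        return wrap(self._kek, once_encrypted)

    def decrypt(self, twice_encrypted, reason):
        self._gate("decrypt", reason)
        return unwrap(self._kek, twice_encrypted)

def store(item, local_kek, remote, reason):
    cek = secrets.token_bytes(32)                  # fresh CEK per content item
    once = wrap(local_kek, cek)                    # local KEK wraps the CEK
    return {"item": wrap(cek, item), "key": remote.encrypt(once, reason)}

def fetch(record, local_kek, remote, reason):
    once = remote.decrypt(record["key"], reason)   # remote layer is removed first
    return unwrap(unwrap(local_kek, once), record["item"])
```

Because the stored key is wrapped under both KEKs, the party holding only the local KEK cannot recover the CEK once the remote service starts rejecting requests.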