-
Publication No.: US11374748B2
Publication Date: 2022-06-28
Application No.: US16849401
Filing Date: 2020-04-15
Applicant: salesforce.com, inc.
Inventor: Vadiraj Govardhan Hosur, Andrew Tucker, Terry Chong, Raghavendran Hanumantharau, Dhanashree Kashid, Scott Daniel Wisniewski, Prithviraj Vasanth, Pranesh Radhakrishnan
Abstract: Disclosed techniques relate to caching tenant encryption keys for a multi-tenant database. In some embodiments, a computing system encrypts data for a database in a multi-tenant database system using encryption keys assigned to respective tenants that are using the database. The computing system may store the encryption keys in a cache and, in response to a key rotation request for a first tenant, invalidate an entry in the cache for the first encryption key of the first tenant. The computing system may block writes for the first tenant until a new key is cached (e.g., based on retrieval from a key management system). In various embodiments, disclosed techniques may reduce encryption latency.
-
Publication No.: US20210377020A1
Publication Date: 2021-12-02
Application No.: US16889285
Filing Date: 2020-06-01
Applicant: salesforce.com, inc.
Inventor: Dhanashree Kashid, Raghavendran Hanumantharau, Terry Chong, Andrew Stewart Tucker, Vadiraj Govardhan Hosur
Abstract: Disclosed techniques relate to storing a key cache within a secure enclave. In some embodiments, a computing system receives, from an application, a request to access a database, where the request is associated with a particular account. The computing system then accesses, using an identifier associated with the particular account, a key cache stored in a secure enclave of a memory of the computing system to determine at least one private key associated with the request, where the key cache stores private keys of a key management system (KMS) for a plurality of accounts. The computing system performs a cryptographic operation for accessing the database within the secure enclave using the at least one private key. In various embodiments, disclosed techniques may improve the security of cryptographic private keys cached for a plurality of tenants.
-
Publication No.: US11483150B2
Publication Date: 2022-10-25
Application No.: US16889285
Filing Date: 2020-06-01
Applicant: salesforce.com, inc.
Inventor: Dhanashree Kashid, Raghavendran Hanumantharau, Terry Chong, Andrew Stewart Tucker, Vadiraj Govardhan Hosur
Abstract: Disclosed techniques relate to storing a key cache within a secure enclave. In some embodiments, a computing system receives, from an application, a request to access a database, where the request is associated with a particular account. The computing system then accesses, using an identifier associated with the particular account, a key cache stored in a secure enclave of a memory of the computing system to determine at least one private key associated with the request, where the key cache stores private keys of a key management system (KMS) for a plurality of accounts. The computing system performs a cryptographic operation for accessing the database within the secure enclave using the at least one private key. In various embodiments, disclosed techniques may improve the security of cryptographic private keys cached for a plurality of tenants.
-
Publication No.: US20210328789A1
Publication Date: 2021-10-21
Application No.: US16849401
Filing Date: 2020-04-15
Applicant: salesforce.com, inc.
Inventor: Vadiraj Govardhan Hosur, Andrew Tucker, Terry Chong, Raghavendran Hanumantharau, Dhanashree Kashid, Scott Daniel Wisniewski, Prithviraj Vasanth, Pranesh Radhakrishnan
Abstract: Disclosed techniques relate to caching tenant encryption keys for a multi-tenant database. In some embodiments, a computing system encrypts data for a database in a multi-tenant database system using encryption keys assigned to respective tenants that are using the database. The computing system may store the encryption keys in a cache and, in response to a key rotation request for a first tenant, invalidate an entry in the cache for the first encryption key of the first tenant. The computing system may block writes for the first tenant until a new key is cached (e.g., based on retrieval from a key management system). In various embodiments, disclosed techniques may reduce encryption latency.
-