公开(公告)号：US11057359B2

公开(公告)日：2021-07-06

申请号：US16102191

申请日：2018-08-13

Applicant: salesforce.com, inc.

Inventor： Scott Wisniewski ,  David Murray ,  Xiongjian Fu ,  Harish Krishnamurthy

IPC: H04L29/06 ,  H04L9/08

Abstract: A set of hardware security modules (HSMs) in a database system may implement a key management system with a database storing encryption keys or other secrets. The set of HSMs may identify a first key encryption key (KEK) and a second KEK stored in the set of HSMs. The set of HSMs may retrieve, from the database, a set of encryption keys encrypted by the first KEK and decrypt each encryption key of the set of encryption keys using the first KEK. The set of HSMs may re-encrypt each encryption key of the set of encryption keys with the second KEK and transmit, to the database, the set of encrypted encryption keys encrypted by the second KEK for storage. Then, the set of HSMs may delete the first KEK from the set of HSMs.

公开(公告)号：US11228615B2

公开(公告)日：2022-01-18

申请号：US16051147

申请日：2018-07-31

Applicant: salesforce.com, inc.

Inventor： Scott Wisniewski ,  David Lucey ,  David Murray ,  Xiongjian Fu

IPC: H04L29/06 ,  H04L29/08

Abstract: Methods, systems, and devices for transparent data encryption are described. A transparent proxy may enforce a specific encryption policy for a data transmission from a source host to a target host, where the transparent proxy determines if the data transmission is encrypted according to a specific encryption policy prior to forwarding the data transmission to the target host. As such, if the data transmission is not encrypted according to the specific encryption policy, the transparent proxy may encrypt the data transmission and then forward it to the target host. Alternatively, if the transparent proxy determines that the data transmission is encrypted according to the specific encryption policy, then the transparent proxy may refrain from further encrypting the data transmission and forward the data transmission to the target host without the additional encryption.

公开(公告)号：US20200053065A1

公开(公告)日：2020-02-13

申请号：US16102191

申请日：2018-08-13

Applicant: salesforce.com, inc.

Inventor： Scott Wisniewski ,  David Murray ,  Xiongjian Fu ,  Harish Krishnamurthy

IPC: H04L29/06 ,  H04L9/08

Abstract: A set of hardware security modules (HSMs) in a database system may implement a key management system with a database storing encryption keys or other secrets. The set of HSMs may identify a first key encryption key (KEK) and a second KEK stored in the set of HSMs. The set of HSMs may retrieve, from the database, a set of encryption keys encrypted by the first KEK and decrypt each encryption key of the set of encryption keys using the first KEK. The set of HSMs may re-encrypt each encryption key of the set of encryption keys with the second KEK and transmit, to the database, the set of encrypted encryption keys encrypted by the second KEK for storage. Then, the set of HSMs may delete the first KEK from the set of HSMs.

公开(公告)号：US10956600B2

公开(公告)日：2021-03-23

申请号：US16176514

申请日：2018-10-31

Applicant: salesforce.com, inc.

Inventor： Lei Ye ,  David Baiyor Murray ,  Vineet Deokaran Chaudhary ,  Xiongjian Fu

IPC: G06F21/62 ,  H04L9/08 ,  H04L9/14

Abstract: A system is provided for data object encryption. The system includes an encryption framework available across a plurality of runtime environments. The system is configured to receive a data object in one of the plurality of runtime environments, wherein the data object is capable of being encrypted using a content encryption key and determine an encryption module implemented in the encryption framework that is compatible with the one of the plurality of runtime environment, wherein the encryption module comprises a key service provider that provides a master key and a key wrapping algorithm for the content encryption key in the runtime environment. The system is further configured to encrypt the data object using the content encryption key, encrypt the content encryption key using the master key and key wrapping algorithm, and write the encrypted data object to networked database storage.

公开(公告)号：US20200045080A1

公开(公告)日：2020-02-06

申请号：US16051147

申请日：2018-07-31

Applicant: salesforce.com, inc.

Inventor： Scott Wisniewski ,  David Lucey ,  David Murray ,  Xiongjian Fu

IPC: H04L29/06 ,  H04L29/08

Abstract: Methods, systems, and devices for transparent data encryption are described. A transparent proxy may enforce a specific encryption policy for a data transmission from a source host to a target host, where the transparent proxy determines if the data transmission is encrypted according to a specific encryption policy prior to forwarding the data transmission to the target host. As such, if the data transmission is not encrypted according to the specific encryption policy, the transparent proxy may encrypt the data transmission and then forward it to the target host. Alternatively, if the transparent proxy determines that the data transmission is encrypted according to the specific encryption policy, then the transparent proxy may refrain from further encrypting the data transmission and forward the data transmission to the target host without the additional encryption.