EP-4736372-A1 - CLUSTER-WIDE ROOT SECRET KEY FOR DISTRIBUTED NODE CLUSTERS
Abstract
Systems and methods are provided for implementing a cluster-wide root secret ("CWRS") key for distributed node clusters. In a multi-node cluster, a leader node has a leader node security system that generates the CWRS key, which is a common secret key for all workloads (e.g., containers or VMs) in the multi-node cluster. The leader node security system encrypts the generated CWRS key using a public key and/or a bootstrap key received from a non-leader node that requests the CWRS key. In examples, the leader node security system signs the encrypted CWRS key using its private key for subsequent verification, by the requesting non-leader node, that the CWRS key was generated by the leader node security system. The CWRS thus encrypted can be securely sent to the requesting non-leader node for subsequent encryption or decryption of secret data by the security system of the non-leader node.
Inventors
- DEWAN, PRASHANT
- PINTILIE, Andreea Mihaela
- CAWSTON, Mark Andrew
- ALEKSIEV, Kaloyan Aleksandro
Assignees
- Microsoft Technology Licensing, LLC
Dates
- Publication Date
- 20260506
- Application Date
- 20240619
Claims (20)
- 1. A system (100), comprising: a multi-node cluster (130) comprising a leader node (105) and a plurality of non-leader nodes (110), the leader node (100) comprising: a leader node security system (115) configured to perform operations comprising: receiving (404), from a first node among the plurality of non-leader nodes, a first bootstrap key and a first public key; producing (406) a first encrypted secret key by encrypting a cluster-wide root secret ("CWRS") key using the first public key; producing (410) a signed first encrypted secret key by signing the first encrypted secret key with a leader node private key associated with the leader node security system; producing (412) a first encrypted CWRS key by encrypting the signed first encrypted secret key using the first bootstrap key; and sending (414) the first encrypted CWRS key to the first node.
- 2. The system (100) of claim 1, wherein the operations further comprise: generating (402), using the leader node security system, the CWRS key, the CWRS key being a common key that is used by nodes in the multi-node cluster to encrypt or decrypt data, the CWRS key being accessible only by the leader node security system and security systems of each non-leader node.
- 3. The system (100) of claim 2, wherein the CWRS key is updated in a manner that is one of in response to a condition being satisfied, in response to a user-initiated trigger, periodic, or random.
- 4. The system (100) of claim 1, wherein sending (414) the first encrypted CWRS key to the first node comprises sending the first encrypted CWRS key via a distributed secrets layer ("DSL") that communicatively couples to each node in the multi-node cluster.
- 5. The system (100) of claim 1, wherein the operations further comprise: prior to signing the first encrypted secret key, appending (408) a leader node public key to the first encrypted secret key.
- 6. The system (100) of claim 1, wherein the operations further comprise: receiving (418), from the first node, a first certificate; and verifying (420) that the first public key is associated with a first security system associated with the first node based on the first certificate.
- 7. The system (100) of claim 6, wherein the first node comprises: the first security system that is configured to perform first node operations comprising: producing a signed second encrypted secret key by decrypting the first encrypted CWRS key using the first bootstrap key; verifying that a signature of the signed second encrypted secret key corresponds to the leader node private key that is received from the leader node; and based on verifying the signature of the signed second encrypted secret key, producing the CWRS key by decrypting the signed second encrypted secret key using the first public key.
- 8. The system (100) of claim 7, wherein the first node operations further comprise: receiving (442), from a workload, a request to encrypt or decrypt data, wherein the workload comprises one of a container or a virtual machine ("VM") running on a node among the multi-node cluster or a server or a data store communicatively coupled to the node.
- 9. The system (100) of claim 8, wherein the node among the multi-node cluster is the first node.
- 10. The system (100) of claim 1, wherein the operations further comprise: receiving, from a second node among the plurality of non-leader nodes, a second bootstrap key and a second public key; producing a third encrypted secret key by encrypting the CWRS key using the second public key; producing a signed third encrypted secret key by signing the third encrypted secret key with the leader node private key associated with the security system; producing a second encrypted CWRS key by encrypting the signed third encrypted secret key using the second bootstrap key, the second encrypted CWRS key being the same as the first encrypted CWRS key; and sending the second encrypted CWRS key to the second node.
- 11. The system (100) of claim 10, wherein sending (414) the first encrypted CWRS key to the first node or sending the second encrypted CWRS key to the second node comprises sending the first encrypted CWRS key or the second encrypted CWRS key via a distributed secrets layer ("DSL") that communicatively couples to each node in the multi-node cluster.
- 12. The system (100) of claim 1, wherein the operations further comprise: storing (416), in at least one of a distributed data store or a cloud storage system, data encrypted by the first encrypted CWRS key.
- 13. A computer-implemented method (400), comprising: receiving (432), by a first security system of a first node among a plurality of non-leader nodes in a multi-node cluster and from a workload among a plurality of workloads, a request to encrypt first data, the multi-node cluster further comprising a leader node; encrypting (434), by the first security system, the first data using a cluster-wide root secret ("CWRS") key, wherein the CWRS key is received from the leader node in the form of an encrypted CWRS key that is subsequently verified and decrypted by the first security system; and performing at least one of: sending (436), by the first security system, the encrypted first data to the workload; sending (438), by the first security system, the encrypted first data to one or more other nodes in the multi-node cluster; or storing (440) the encrypted first data.
- 14. The computer-implemented method (400) of claim 13, wherein receiving (432) the request from the workload, sending (436) the encrypted first data, and storing (440) the encrypted first data are performed via a distributed secrets layer ("DSL") that communicatively couples to each node in the multi-node cluster and to each workload among the plurality of workloads.
- 15. The computer-implemented method (400) of claim 13, wherein the workload comprises one of a container or a virtual machine ("VM") running on a node among the multi-node cluster or a server or a data store communicatively coupled to the node.
- 16. The computer-implemented method (400) of claim 13, wherein verifying and decrypting (424) the encrypted CWRS key comprises: producing (426) a signed encrypted secret key by decrypting the encrypted CWRS key using a first bootstrap key that is associated with the first node, the first bootstrap key being used by a security system of the leader node to encrypt the signed encrypted secret key at the leader node; verifying (428) that a signature of the signed encrypted secret key corresponds to a leader node private key that is received from the leader node; and based on a determination that the signature is verified to correspond to the leader node private key, producing (430) the CWRS key by decrypting the signed encrypted secret key using the first public key; wherein the CWRS key is a common key that is used by the nodes in the multi-node cluster to encrypt or decrypt data, the CWRS key being accessible only by the leader node security system and security systems of each non-leader node.
- 17. A computer-implemented method (400), comprising: receiving (442), by a first security system of a first node among a plurality of non-leader nodes in a multi-node cluster and from a workload among a plurality of workloads, a request to decrypt first encrypted data, the multi-node cluster further comprising a leader node; decrypting (444), by the first security system, the first encrypted data using a cluster-wide root secret ("CWRS") key, wherein the CWRS key is received from the leader node in the form of an encrypted CWRS key that is subsequently verified and decrypted by the first security system; and performing at least one of: sending (446), by the first security system, the decrypted first data to the workload; sending (448), by the first security system, the decrypted first data to one or more other nodes in the multi-node cluster; or storing (450) the decrypted first data.
- 18. The computer-implemented method (400) of claim 17, wherein receiving (442) the request from the workload, sending (446) the decrypted first data, and storing (450) the decrypted first data are performed via a distributed secrets layer ("DSL") that communicatively couples to each node in the multi-node cluster and to each workload among the plurality of workloads.
- 19. The computer-implemented method (400) of claim 17, wherein the workload comprises one of a container or a virtual machine ("VM") running on a node among the multi-node cluster or a server or a data store communicatively coupled to the node.
- 20. The computer-implemented method (400) of claim 17, wherein verifying and decrypting (424) the encrypted CWRS key comprises: producing (426) a signed encrypted secret key by decrypting the encrypted CWRS key using a first bootstrap key that is associated with the first node, the first bootstrap key being used by a security system of the leader node to encrypt the signed encrypted secret key at the leader node; verifying (428) that a signature of the signed encrypted secret key corresponds to a leader node private key that is received from the leader node; and based on a determination that the signature is verified to correspond to the leader node private key, producing (430) the CWRS key by decrypting the signed encrypted secret key using the first public key; wherein the CWRS key is a common key that is used by the nodes in the multi-node cluster to encrypt or decrypt data, the CWRS key being accessible only by the leader node security system and security systems of each non-leader node.
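The key-wrapping exchange the claims describe (steps 406-414 on the leader, 426-430 on the non-leader), as an added Go example that is not part of the patent and not the assignee's implementation. It assumes concrete primitives the patent leaves open: X25519 for the node's key pair (the node decrypts the inner layer with its private half), Ed25519 for the leader signature, AES-256-GCM for both the bootstrap-key layer and the inner layer, a 32-byte bootstrap key provisioned out of band, and a leader public key pinned on the node before it requests the CWRS; the optional appended leader public key of claim 5 is omitted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// must panics on setup errors (cipher construction, key generation); untrusted inputs return errors instead.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// NewNodeKey: the X25519 key pair a non-leader node generates; it sends the public half to the leader (404).
func NewNodeKey() *ecdh.PrivateKey { return must(ecdh.X25519().GenerateKey(rand.Reader)) }
// seal/open: AES-256-GCM under a 32-byte key; wire format is nonce||ciphertext.
func seal(key, pt []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, msg []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(msg) < g.NonceSize() { return nil, errors.New("message too short") }
	return g.Open(nil, msg[:g.NonceSize()], msg[g.NonceSize():], nil)
}
// LeaderWrap (claim 1, 406-414): encrypt the CWRS to the node's X25519 key via ephemeral ECDH (shared secret
// hashed to an AES key), sign with the leader's Ed25519 key, then seal the signed blob under the bootstrap key.
func LeaderWrap(cwrs []byte, nodePub *ecdh.PublicKey, bootstrap []byte, leaderPriv ed25519.PrivateKey) ([]byte, error) {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	shared, err := eph.ECDH(nodePub)
	if err != nil { return nil, err }
	k := sha256.Sum256(shared)
	enc := append(eph.PublicKey().Bytes(), seal(k[:], cwrs)...) // (406) ephPub || seal_dh(CWRS)
	signed := append(ed25519.Sign(leaderPriv, enc), enc...)      // (410) sig || enc
	return seal(bootstrap, signed), nil                           // (412)
}
// NodeUnwrap (426-430): leaderPub is pinned by the caller, never taken from the blob itself.
func NodeUnwrap(wrapped, bootstrap []byte, nodePriv *ecdh.PrivateKey, leaderPub ed25519.PublicKey) ([]byte, error) {
	signed, err := open(bootstrap, wrapped) // (426) wrong bootstrap key or any tampering fails here
	if err != nil { return nil, err }
	if len(signed) < ed25519.SignatureSize+32 { return nil, errors.New("blob too short") }
	sig, enc := signed[:ed25519.SignatureSize], signed[ed25519.SignatureSize:]
	if !ed25519.Verify(leaderPub, enc, sig) { return nil, errors.New("leader signature invalid") } // (428)
	shared, err := nodePriv.ECDH(must(ecdh.X25519().NewPublicKey(enc[:32]))) // length checked above
	if err != nil { return nil, err }
	k := sha256.Sum256(shared)
	return open(k[:], enc[32:]) // (430) only the holder of the node's private key reaches the CWRS
}
```

Because the signature is checked before the inner layer is opened, a blob that was not produced under the pinned leader key is rejected before the node's private key is ever used.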
Description
CLUSTER-WIDE ROOT SECRET KEY FOR DISTRIBUTED NODE CLUSTERS
BACKGROUND
[0001] In distributed clusters of nodes, nodes in the cluster of nodes utilize secret keys to encrypt and decrypt data including secret data. Such secret keys, however, are by nature node-specific and are not shared or synchronized across nodes, making scaling untenable and replacement of non-working nodes unworkable. It is with respect to this general technical environment that aspects of the present disclosure are directed. In addition, although relatively specific problems have been discussed, it should be understood that the examples should not be limited to solving the specific problems identified in the background.
SUMMARY
[0002] This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description section. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended as an aid in determining the scope of the claimed subject matter.
[0003] The currently disclosed technology, among other things, provides for a cluster-wide root secret ("CWRS") key for distributed node clusters. In a multi-node cluster, a leader node has a leader node security system that generates the CWRS key, which is a common secret key for all workloads (e.g., containers, virtual machines ("VMs"), servers, or databases or data stores) in the multi-node cluster. The leader node security system encrypts the generated CWRS key using a public key and/or a bootstrap key that are received from a non-leader node that is requesting the CWRS key. In examples, the leader node security system signs the encrypted CWRS key using its private key for subsequent verification, by the requesting non-leader node, that the CWRS key was generated by the leader node security system. The CWRS thus encrypted can be securely sent to the requesting non-leader node for subsequent encryption or decryption of secret data by the security system of the non-leader node, the secret data being transferred, migrated, or stored within the multi-node cluster.
[0004] The details of one or more aspects are set forth in the accompanying drawings and description below. Other features and advantages will be apparent from a reading of the following detailed description and a review of the associated drawings. It is to be understood that the following detailed description is explanatory only and is not restrictive of the invention as claimed.
BRIEF DESCRIPTION OF THE DRAWINGS
[0005] A further understanding of the nature and advantages of particular embodiments may be realized by reference to the remaining portions of the specification and the drawings, which are incorporated in and constitute a part of this disclosure.
[0006] Fig. 1 depicts an example system for implementing a cluster-wide root secret ("CWRS") key for distributed node clusters.
[0007] Fig. 2 depicts a block diagram illustrating an example data flow using a distributed secrets layer ("DSL") for implementing a CWRS key for distributed node clusters.
[0008] Fig. 3A depicts an example sequence flow for generating, encrypting, and sending a CWRS to a non-leader node in a multi-node cluster while implementing the CWRS key for distributed node clusters.
[0009] Figs. 3B and 3C depict example sequence flows for a non-leader node in a multi-node cluster encrypting and decrypting secret data using a CWRS key while implementing the CWRS key for distributed node clusters.
[0010] Figs. 4A-4C depict example methods for implementing a CWRS key for distributed node clusters.
[0011] Fig. 5 depicts a block diagram illustrating example physical components of a computing device with which aspects of the technology may be practiced.
DETAILED DESCRIPTION OF CERTAIN EMBODIMENTS
[0012] In distributed clusters of nodes, like Kubernetes® clusters, the nodes in the multi-node clusters can be constituted from distinct virtual machines ("VMs") running disparate operating systems or physically separate servers running disparate VMs. Many of the workloads (commonly containers or VMs) running on nodes in a multi-node cluster require a root secret key from the multi-node cluster to encrypt their own secrets to produce ciphertext. Once encrypted, the ciphertext is either stored in some distributed data store or a cloud storage such that the ciphertext is accessible to the workload from any node in the multi-node cluster. For example, in a Hypertext Transfer Protocol ("HTTP") server-database workload combination, the HTTP server needs a root secret key (secured in hardware) to encrypt secret data (e.g., a login and a password) of the data store and to securely save the encrypted secret data. To support resilience and recovery, these workloads are not bound to a single node, and can be stopped and started on any node in the multi-node cluster by an orchestrator (e.g., a Kubernetes® application programming interface ("API") server). As a