EP-4740361-A1 - SYSTEM AND METHOD FOR PROVIDING EXTERNAL KEY MANAGEMENT FOR USE WITH A CLOUD COMPUTING INFRASTRUCTURE
Abstract
A key management service (KMS) in a cloud computing environment has an internal vault for cryptographic operations by an internal cryptographic key within the cloud environment and a proxy key vault communicatively coupled to an external key manager (EKM) that stores an external cryptographic key. The KMS uses a provider-agnostic application program interface (API) that permits the cloud service customer to use the same interface request and format for cryptographic operation requests regardless of whether the request is for an operation directed to an internal vault or to an external vault and regardless of the particular vendor of the external key management service operating on the external hardware device.
Inventors
- AWASTHI, APURV
- SHAH, MUKESH
- MOHAN, Mauruthi Geetha
- BOSCO, Frederick Anthonisamy
- SHIVRAM, Bharat
- MANJUNATH, Madhu
- KUMAR, DEEPAK
- MIGLANI, Raj
- MALL, Akshay
- BAJPAI, Mayank
- TONG, JUN
Assignees
- Oracle International Corporation
Dates
- Publication Date
- 20260513
- Application Date
- 20240705
Claims (16)
- 1. One or more non-transitory computer readable media comprising instructions that, when executed by one or more hardware processors, cause performance of operations comprising: receiving, at a key management service (KMS) operating in a cloud computing environment, a first vault creation request to create an internal key vault for accessing internal cryptographic keys; creating, by the KMS, the internal key vault, wherein creating the internal key vault comprises: associating, by the KMS, an internal hardware device in the cloud environment with the internal key vault, wherein the internal hardware device is configured to store the internal cryptographic keys; adding, by the KMS to a set of endpoint records, a first endpoint record associated with the internal key vault; receiving, at the KMS, a second vault creation request to create a proxy key vault for accessing external cryptographic keys; and creating, by the KMS, the proxy key vault, wherein creating the proxy key vault comprises: creating, by the KMS, an authenticated communication path between the proxy key vault and an external hardware device, wherein the external hardware device is configured to store the external cryptographic keys; adding, by the KMS to the set of endpoint records, a second endpoint record associated with the proxy key vault; wherein data stored in the cloud environment is encrypted/decrypted using a set of cryptographic keys comprising the internal cryptographic keys and the external cryptographic keys; wherein the set of endpoint records is a directory for a set of key vaults comprising the internal key vault and the proxy key vault.
- 2. The non-transitory media of Claim 1, wherein no component of the cloud computing environment stores the external cryptographic keys.
- 3. The non-transitory media of Claim 1, wherein the first vault creation request and the second vault creation request are initiated by a same cloud environment entity of the cloud environment.
- 4. The non-transitory media of Claim 1, wherein the set of endpoint records is a set of Domain Name System (DNS) records.
- 5. The non-transitory media of Claim 4, wherein the set of endpoint records is a set of private DNS records.
- 6. The non-transitory media of Claim 4, wherein the set of endpoint records is a set of public DNS records.
- 7. The non-transitory media of Claim 1, the operations further comprising: receiving, at the KMS from a cloud environment entity, a first request for a first cryptographic operation, the first request comprising a first identifier of the internal key vault associated with an internal cryptographic key to be used in the first cryptographic operation; performing the first cryptographic operation within the internal key vault; receiving, by the KMS from the internal key vault, a first set of results of the first cryptographic operation; receiving, at the KMS from the cloud environment entity, a second request for a second cryptographic operation, the second request comprising a second identifier of the proxy key vault associated with an external cryptographic key to be used in the second cryptographic operation; forwarding the second request from the proxy key vault to the external hardware device via the authenticated communication path; and receiving, by the proxy key vault from the external hardware device, a second set of results of the second cryptographic operation.
- 8. The non-transitory media of Claim 7, wherein the first request and the second request include a key type and a vault type.
- 9. The non-transitory media of Claim 7, wherein the first request is in a first format that is independent of a configuration of the internal hardware device, wherein the second request is in a second format that is independent of a configuration of the external hardware device, and wherein the first format and the second format are the same.
- 10. The non-transitory media of Claim 7, the operations further comprising: receiving, at a Domain Name System (DNS) resolver, the first request and the second request; identifying, by the DNS resolver, a first Internet Protocol (IP) address of the internal key vault based on the first identifier and a second IP address of the proxy key vault based on the second identifier; responsive to the first request, returning, by the DNS resolver, the first IP address of the internal key vault for accessing the internal cryptographic key; and responsive to the second request, returning, by the DNS resolver, the second IP address of the proxy key vault for accessing the external cryptographic key.
- 11. The non-transitory media of Claim 7, the operations further comprising: prior to receiving the second request: receiving, by the KMS, a first key reference for a first external cryptographic key of the external cryptographic keys; mapping, in the key proxy vault, the first key reference to the first external cryptographic key; and responsive to receiving the second request, wherein the second request includes the first key reference: using the mapping to identify the first external cryptographic key from the first key reference; and including an identification of the first external key with the forwarded second request to the external hardware device.
- 12. The non-transitory media of Claim 7, the operations further comprising: adding, from the proxy key vault, a communication credential to the forwarded second request to the external hardware device, wherein the communication credential is signed with a private key associated with the external hardware device.
- 13. The non-transitory media of Claim 1, wherein the authenticated communication path comprises a reverse-connection private endpoint (RCE) configured to communicatively couple the proxy key vault to the external hardware device.
- 14. The non-transitory media of Claim 1, the operations further comprising: transmitting, by the proxy key vault, a first heartbeat signal to the external hardware device to determine a status associated with at least one of the external hardware device or one or more of the external cryptographic keys; and responsive to receiving an indication that the external hardware device is unavailable and/or that one or more of the external cryptographic keys are unavailable or invalid, raising an alert corresponding to the indication.
- 15. A method comprising operations as recited in any of Claims 1-14.
- 16. A system comprising: at least one device including a hardware processor; the system being configured to perform operations comprising as recited in any of claims 1-14.
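As an added illustration that is not part of the patent or of Oracle's implementation, the following Python sketch models the routing the claims describe (claims 1, 4, 7, 9, 11, 12 and 14): one request format is dispatched through an endpoint directory either to an internal vault that holds key bytes or to a proxy vault that holds only key references and forwards, with a communication credential, to an external key manager that never releases its keys. HMAC-SHA256 is assumed as a stand-in both for the cryptographic operation and for the signed credential of claim 12; every key, secret and identifier is constructed for the example.

```python
import hashlib, hmac

def mac(key, msg):  # constructed placeholder "cryptographic operation" (HMAC-SHA256)
    return hmac.new(key, msg, hashlib.sha256).digest()

class InternalVault:  # key material lives inside the cloud environment (claim 1)
    def __init__(self, keys):
        self.keys = dict(keys)                      # key id -> key bytes
    def handle(self, req):
        return mac(self.keys[req["key"]], req["data"])

class ExternalKeyManager:  # constructed stand-in for the external hardware device
    def __init__(self, keys, cred_secret):
        self.keys, self.cred_secret, self.available = dict(keys), cred_secret, True
    def handle(self, ext_key_id, data, credential):
        if not self.available:
            raise ConnectionError("external key manager unreachable")
        # Credential check; HMAC stands in for the private-key signature of claim 12.
        if not hmac.compare_digest(mac(self.cred_secret, ext_key_id.encode()), credential):
            raise PermissionError("invalid communication credential")
        return mac(self.keys[ext_key_id], data)    # key bytes never leave the EKM

class ProxyVault:  # stores only key references; forwards over the authenticated path
    def __init__(self, ekm, cred_secret):
        self.ekm, self.cred_secret, self.refs = ekm, cred_secret, {}
    def register_reference(self, key_ref, ext_key_id):
        self.refs[key_ref] = ext_key_id             # claim 11 mapping; no key bytes here
    def handle(self, req):
        ext_key_id = self.refs[req["key"]]
        cred = mac(self.cred_secret, ext_key_id.encode())
        return self.ekm.handle(ext_key_id, req["data"], cred)
    def heartbeat(self):  # claim 14: probe the external device, alert if unavailable
        return None if self.ekm.available else "ALERT: external key manager unavailable"

class KMS:  # endpoint directory of vaults (claim 1), the role DNS records play in claim 4
    def __init__(self):
        self.endpoints = {}
    def create_vault(self, vault_id, vault):
        self.endpoints[vault_id] = vault
    def request(self, req):  # one request format for both vault types (claim 9)
        return self.endpoints[req["vault"]].handle(req)

def build_demo():
    # Constructed keys and secrets; real keys would be generated inside the HSM or EKM.
    kms, ekm = KMS(), ExternalKeyManager({"ekm-key-7": b"external-key-bytes"}, b"cred-secret")
    proxy = ProxyVault(ekm, b"cred-secret")
    proxy.register_reference("ref-a", "ekm-key-7")
    kms.create_vault("vault-int", InternalVault({"k1": b"internal-key-bytes"}))
    kms.create_vault("vault-ext", proxy)
    return kms, ekm, proxy
```

The caller builds the same request dictionary for both vaults and only the `vault` and `key` fields differ, which is the provider-agnostic interface the abstract describes.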
Description
SYSTEM AND METHOD FOR PROVIDING EXTERNAL KEY MANAGEMENT FOR USE WITH A CLOUD COMPUTING INFRASTRUCTURE
BENEFIT CLAIMS; RELATED APPLICATIONS; INCORPORATION BY REFERENCE
[0001] This application claims benefit of U.S. Non-Provisional Patent Application 18/764,594, filed July 5, 2024; and U.S. Provisional Patent Application 63/525,105, filed July 5, 2023, which are hereby incorporated by reference.
[0002] The Applicant hereby rescinds any disclaimer of claim scope in the parent application(s) or the prosecution history thereof and advises the USPTO that the claims in this application may be broader than any claim in the parent application(s).
TECHNICAL FIELD
[0003] The present disclosure relates to key management in cloud computing environments that provide cryptography services. In particular, the present disclosure relates to external key management and use for cloud computing environment customers and a two-way trust model for external key management and use.
BACKGROUND
[0004] A cloud computing environment can be used to provide access to a range of complementary cloud-based components, such as software applications or services, that enable organizations or enterprise customers to operate their applications and services in a highly available hosted environment.
[0005] Some cloud computing environments provide cryptography services that allow a customer to use cloud services in combination with their data in a secure manner. A key management service in the cloud computing environment manages encryption keys for a customer and controls how those keys can be used to access the customer’s data stored within the cloud environment.
[0006] In some instances, the customer’s encryption keys are stored within the cloud environment for use by the key management service and other cloud services. However, some cloud customers have regulatory needs directed to maintaining the provenance and access to encryption keys that are used to secure their data. Generally, such entities require their encryption keys to be stored outside of the cloud environment.
[0007] The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, one should not assume that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
BRIEF DESCRIPTION OF THE DRAWINGS
[0008] The embodiments are illustrated by way of example and not by way of limitation in the figures of the accompanying drawings. References to “an” or “one” embodiment in this disclosure are not necessarily to the same embodiment, and they mean at least one. In the drawings:
[0009] FIGs. 1-4 are block diagrams illustrating patterns for implementing a cloud infrastructure as a service system in accordance with one or more embodiments;
[0010] FIG. 5 is a hardware system in accordance with one or more embodiments;
[0011] FIG. 6 illustrates a key management service for use with a cloud infrastructure environment in accordance with one or more embodiments;
[0012] FIG. 7 illustrates the relationship between a key management service vault and an identity service application in accordance with one or more embodiments;
[0013] FIG. 8 illustrates configuring a private endpoint for use with an external key management proxy service and a customer on-premise environment in accordance with one or more embodiments;
[0014] FIG. 9 illustrates an example process for configuring and using a key management service with a cloud infrastructure environment in accordance with one or more embodiments;
[0015] FIG. 10 illustrates a sequence diagram or process flow associated with creating a private endpoint with reverse connection functionality as a reverse connection endpoint in accordance with one or more embodiments;
[0016] FIG. 11 illustrates a sequence diagram or process flow associated with creating a proxy key vault in accordance with one or more embodiments;
[0017] FIG. 12 illustrates a sequence diagram or process flow associated with creating a communication credential in accordance with one or more embodiments;
[0018] FIG. 13 illustrates a sequence diagram or process flow associated with creating and using an external key reference in accordance with one or more embodiments; and
[0019] FIG. 14 illustrates a sequence diagram or process flow associated with using an external key reference to encrypt or decrypt data in accordance with one or more embodiments.
DETAILED DESCRIPTION
[0020] In the following description, for the purposes of explanation, numerous specific details are set forth to provide a thorough understanding. One or more embodiments may be practiced without these specific details. Features described in one embodiment may be combined with features described in a different embodiment. In some examples, well-known structures and devices are described with reference to a block diagram form to avoid un