Patent classifications
H04L2463/062
Distributed, lock-free 2-phase commit of secret shares using multiple stateless controllers
A method of encryption key management in a storage system having a plurality of nodes and more than one key manager, performed by the storage system, is provided. The method includes setting, in a first atomic operation to a distributed store of the plurality of nodes, a version identifier to a new value, and writing shards of a key encryption key to node-specific memory of the plurality of nodes. The method includes committing the shards of the key encryption key by updating, in a second atomic operation, a set of version identifiers in the distributed store including a current version identifier, responsive to finding no change to the new value of the version identifier.
Modifying security state with highly secured devices
Some embodiments of the invention provide a method for authenticating a security device (e.g., a smart card or other highly secured device) to modify a security state (e.g., unlocking, decrypting, etc.) at a target device (e.g., laptop computers, mobile phones, tablets, etc.). In some embodiments, the security device does not have a volatile storage for storing volatile parameters for the particular device to use to perform the authentication process. The method of some embodiments sends an encrypted challenge to the security device, in which the encrypted challenge can only be decrypted by the security device. The method receives a response and modifies accessibility for the target device when the response is a valid response. The method of some embodiments determines that a response is valid based on the decrypted contents of the response and/or based on a period of time between the issuance of the challenge and the received response.
SYSTEMS, METHODS, AND DEVICES FOR DIGITAL ADVERTISING ECOSYSTEMS IMPLEMENTING CONTENT DELIVERY NETWORKS UTILIZING EDGE COMPUTING
Disclosed herein are systems and techniques for using a content delivery network to perform various functions within a digital advertising ecosystem, in ways that yield technological benefits such as improved security, efficiency, and speed (for example, reduction in publisher load times). As one specific example, a content delivery network can be used for the creation of electronic tokens for user identity protection between demand side platforms, supply side platforms, content creators (for example, advertisers), and publishers.
CONFIGURING A REMOTE ELECTRONIC DEVICE BY A PEER ELECTRONIC DEVICE IN A NETWORKED ENVIRONMENT
A method for configuring multiple electronic devices in a batch is described. The method can include initializing, by a first computing device, a communication network based on a pre-defined configuration parameter. The pre-defined configuration parameter is associated with a first instance of an application on the first computing device. Further, the method includes identifying, by the first computing device, an initialization of a second instance of an application at a second computing device. In response to identifying the initialization of the second instance of the application at the second computing device, the method includes sending, by the first computing device, configuration settings for the second computing device over a secured communication network. In this regard, the configuration settings can comprise at least the pre-defined configuration parameter for configuring the second computing device.
Secure migration of servers from customer networks to service provider systems
Techniques for securely migrating servers from customer networks into service provider systems are described. A backup proxy can be deployed in a customer's network and associated with one or more servers in the customer's network and with a server migration service of a service provider system. A customer can identify a server in the customer's network to migrate and the server migration service coordinates the migration with the backup proxy. The backup proxy can be instructed to obtain replication data for the server, obtain an encryption key associated with the customer from a key management service (KMS), encrypt the replication data, and upload the encrypted replication data to the service provider system. The service provider system can obtain the same encryption key used to encrypt the replication data from the KMS and decrypt the uploaded encrypted replication data to generate migrated server resources at the service provider system.
SECURE SCALABLE LINK KEY DISTRIBUTION USING BOOTSTRAPPING
An electronic device (such as an IoT controller) that distributes a link key is described. During operation, while an administrator is logged in, the electronic device may receive the link key using a secure widget, where the link key may facilitate secure communication via a link. Then, the electronic device may generate an access key, and may generate an encrypted version of the link key based at least in part on the access key and the link key, where the access key enables access to the link key based at least in part on the encrypted version of the link key. Next, the electronic device may store the link key, the access key and/or the encrypted version of the link key in a trusted envelope or partition in the memory with encryption. Moreover, when the administrator logs out, the electronic device may disable access to the trusted envelope.
ESTABLISHING TRUST ON A DATA STORAGE NETWORK
A trust relationship may be established between a host system and a storage system. An asymmetric key pair including a private key unique to a host system and a public key may be generated. During provisioning of the host system to the storage system, the host system may send the public key to the storage system. The storage system may be configured to record the public key for the host system, for example, in a masking table that defines I/O connectivity for logical storage units between a host system and the storage system. The public key may be used later to validate the host system to the storage system. The private key may be stored on the host system and be unreadable, or may be encrypted with an unreadable encryption key stored on the host system.
Optimizable full-path encryption in a virtualization environment
An approach for full-path data encryption, where user virtualized computers (e.g., user VMs) are configured to communicate with other virtualized computers or VMs using IPsec protocol encryption standards. The user VMs may send a first encryption or authorization key to the other VMs, which the other VMs may use to authenticate the user VMs and encrypt and decrypt data stored to storage devices using a second encryption key. In some approaches, the other VMs may interpret or decrypt the data sent via IPsec and then perform data optimizations (e.g., compression, deduplication) on the data before decrypting/encrypting with the second key.
Secure network-enabled lock
A method of implementing a network-enabled secure door lock, comprising determining, at a first component of the lock, a nonce; wirelessly transmitting the nonce to a second component of the door lock, the first component and second component selectively mechanically engagable with one another to prevent relative movement between the first component and second component to prevent opening of a door; receiving, at the first component, a first message; using a cryptographic key associated with the second component and the nonce to validate the first message; and as a result of determining that the message is valid, transmitting a second message indicating that the first component and second component have become mechanically engaged with one another.
SYSTEM, METHOD, AND COMPUTER-READABLE RECORDING MEDIUM OF CREATING, ACCESSING, AND RECOVERING A USER ACCOUNT WITH SINGLE SIGN ON PASSWORD HIDDEN AUTHENTICATION
A system, method, and computer-readable recording media for a user account secured with a single sign on (SSO) password hidden authentication. Receiving credential information (CI) and generating the SSO password through at least one client device (CD). Encrypting the SSO password. Storing the SSO password in the CD and an electronic device (ED). Transmitting the SSO password and encrypted SSO password to a cloud services platform (CSP), where the CSP stores both. Storing the SSO password in a cloud server (CS). Accessing the user account, if the SSO password is unavailable, through the CSP transmitting a one-time passcode to a user email, the CD setting a temporary password transferred to the CSP. The CSP confirming a match and transmitting the encrypted SSO password to the CD, the CD decrypting the encrypted SSO password and resetting the temporary password to the SSO password.