1. Field of the Invention
The present invention pertains to data storage mechanisms. More particularly, this invention relates to secure data storage using distributed databases.
2. Background
As technology has advanced and the "information age" has grown, the need for data storage has become increasingly important. It is also increasingly becoming a requirement that such data storage be secure so that data confidentiality is maintained. Additionally, it is also becoming a requirement that storage of such data be fault-tolerant in order to insure against accidental loss of the data due to, for example, equipment failures.
Current mechanisms for providing secure data storage typically encrypt the data using an encryption key. Encryption typically requires that a user trying to access the data have an encryption key in order to decrypt the data. Thus, if the encryption key is compromised (e.g., stolen or "broken"), an unauthorized individual can access the data. While such systems can provide a significant amount of security, they are still vulnerable because compromising a single key provides an unauthorized individual with the protected data.
One solution to this problem is to separate a document into multiple pieces and encrypt each piece separately using the same or different encryption keys. This solution provides an additional level of security because multiple keys may need to be compromised in order to access the entire data. However, this solution can still be problematic because the compromise of a single key allows an entire piece of data to be accessible to the unauthorized user. For example, one piece of a document may be the most important (e.g., the body of a letter), so that having that one piece compromised and accessible to an unauthorized individual circumvents this additional level of security.
Thus, a need exists for an improved way to securely store data.
A method and apparatus for secure data storage using distributed databases is described herein. According to a method of the present invention, a first plurality of shares are generated, using a first threshold scheme, based on a block of data, with at least a subset of the first plurality of shares being needed to re-create the block of data. The first plurality of shares are then distributed to a plurality of distributed databases.
According to one embodiment, the block of data and/or the generated shares are encrypted using an encryption key. A second plurality of shares is also generated, using the same or a different threshold scheme, based on the encryption key, with at least a subset of the second plurality of shares being needed to re-create the encryption key. The second plurality of shares is then also distributed to the plurality of distributed databases.