When electronic data, such as file system data, is sensitive enough to require encryption, one of the fundamental actions required to ensure that the encryption provides the desired level of security is to change, or rotate, the encryption key used to encrypt and decrypt the electronic data on a periodic basis. Changing the encryption key is necessary to prevent the encryption key, and therefore the encrypted data, from being compromised. Consequently, encryption keys are currently changed on a periodic or scheduled basis and/or on an on-demand basis in response to a lost or potentially compromised encryption key.
To some degree, changing the encryption key used to encrypt data is effective in preventing encrypted data from being compromised. However, currently, in order to change the encryption key used to encrypt and decrypt file system data, the entirety of the file system data must first be decrypted using the existing encryption key and then re-encrypted using a newly assigned encryption key. This process is complicated and typically involves making the entirety of the encrypted data inaccessible for a significant period of time, thereby interrupting live traffic and consuming significant amounts of processor power and other resources.
As a result of the situation described above, the changing of encryption keys is often performed less frequently than would be optimal for security purposes in order to avoid interruption of live traffic and the consumption of processing resources. However, when the encryption keys are changed less frequently, the vulnerability to compromise of both the encryption key and the encrypted data is often significantly increased.
What is needed is a method and system that allows the changing of encryption keys more frequently but does not require making the entirety of the encrypted data inaccessible for a significant period of time, or interrupting live traffic and consuming significant amounts of processor power and other resources.
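The rotation cost described above, as an added Python example that is not part of this document: it rotates a set of constructed files in the way described here (decrypt everything under the old key, re-encrypt under the new one) and, going beyond the text, with per-file data keys wrapped under a master key, so that a master-key rotation rewrites only the wrapped keys. The HMAC-based toy cipher and all function names are assumptions standing in for a real cipher.

```python
import hashlib
import hmac
import secrets

# Toy keyed stream cipher (HMAC-SHA256 in counter mode) so the example runs on the
# standard library; it stands in for a real cipher such as AES-GCM (no integrity).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)  # fresh nonce prepended to every ciphertext
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key: bytes, blob: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(blob[16:], _keystream(key, blob[:16], len(blob) - 16)))

def rotate_full(files: dict, old_key: bytes, new_key: bytes) -> int:
    """Rotation as described in the text: decrypt every file with the old key and
    re-encrypt it with the new one. Returns the number of bytes rewritten."""
    rewritten = 0
    for name, blob in files.items():
        files[name] = encrypt(new_key, decrypt(old_key, blob))
        rewritten += len(files[name])
    return rewritten

def rotate_envelope(store: dict, old_master: bytes, new_master: bytes) -> int:
    """Each file has its own data key wrapped under the master key; rotating the
    master rewrites only the 48-byte wrapped keys while file bodies stay readable."""
    rewritten = 0
    for entry in store.values():
        entry["wrapped_key"] = encrypt(new_master, decrypt(old_master, entry["wrapped_key"]))
        rewritten += len(entry["wrapped_key"])
    return rewritten

def demo() -> dict:
    # Constructed data set: three files of 1000, 2000 and 3000 random bytes.
    contents = {f"file{i}.dat": secrets.token_bytes(1000 * i) for i in (1, 2, 3)}
    old_key, new_key = secrets.token_bytes(32), secrets.token_bytes(32)
    flat = {n: encrypt(old_key, p) for n, p in contents.items()}
    full_cost = rotate_full(flat, old_key, new_key)
    data_keys = {n: secrets.token_bytes(32) for n in contents}
    store = {n: {"wrapped_key": encrypt(old_key, data_keys[n]), "data": encrypt(data_keys[n], p)} for n, p in contents.items()}
    env_cost = rotate_envelope(store, old_key, new_key)
    ok = all(decrypt(new_key, flat[n]) == p for n, p in contents.items()) and all(
        decrypt(decrypt(new_key, e["wrapped_key"]), e["data"]) == contents[n] for n, e in store.items())
    return {"full_rewrite_bytes": full_cost, "envelope_rewrite_bytes": env_cost, "roundtrip_ok": ok}
```

With the constructed data set, full re-encryption rewrites every ciphertext byte (6048 bytes), whereas the envelope variant rewrites 144 bytes, and both remain decryptable under the new key.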