Abstract: A process includes communicating by a first device, with a second device. The communicating includes the first device receiving data from the second device that represents a certificate. The certificate binds a hierarchy of logical identifiers to a cryptographic key. The hierarchy of identifiers includes a first logical identifier that corresponds to a group membership. The process includes authenticating, by the first device, the second device based on the certificate. The process includes allowing, by the first device, a secure connection to be set up between the first device and the second device based on whether the first logical identifier represents that the second device is a member of a first group of devices of which the first device is a member.

Abstract: Examples for identification and authentication of hardware. Techniques may include receiving a node identifier during an initial phase of the node. The node identifier may include an initial unique identifier of the node. The node may receive a latest change identifier during a phase change of the node, wherein the phase change may cause a hierarchical change of the node. The latest change identifier is configured to incorporate a latest unique identifier corresponding to a latest system and one or more unique identifiers corresponding to one or more earlier systems of the node. Further, responsive to the reception of the latest change identifier, delete an earlier change identifier, and the node may send the second change identifier to a management service, in response to a request for authentication of the node by the management service.

Abstract: Example implementations relate to encrypting data objects. In an example, data objects of a file system instance contained by a security domain are encrypted using a Data Encryption Key that is specific to the security domain and is wrapped by a Key Encryption Key shared exclusively within a cluster. A backup of the file system instance is created on a backup node. The backup includes at least some of the encrypted data objects. The DEK is sent to the backup node. The backup node cannot decrypt the backup unless the backup node is a member of the cluster and has access to the KEK to unwrap the DEK.

Abstract: A method for use in managing a secure object store in a computing system includes: securing the secure object store including creating, maintaining, and using a hierarchical key system and accessing an encrypted data object using the Node Key Encryption Key and a selected one of the Data Encryption Keys. The securing includes: generating a Node Key Encryption Key; generating a plurality of Data Encryption Keys that are encrypted using the Node Key Encryption Key; and encrypting a plurality of data objects using the Data Encryption Keys, each data object being encrypted by a respective Data Encryption Key.

Abstract: Example implementations relate to encrypting data objects. In an example, data objects of a file system instance contained by a security domain are encrypted using a Data Encryption Key that is specific to the security domain and is wrapped by a Key Encryption Key shared exclusively within a cluster. A root object of the file system instance is encrypted using a Metadata Encryption Key. A backup of the file system instance is created on a backup node. The Data Encryption Key and the Metadata Encryption Key are sent to the backup node.

Abstract: Example implementations relate to encrypting data objects. In an example, data objects of a file system instance contained by a security domain are encrypted using a Data Encryption Key that is specific to the security domain and is wrapped by a Key Encryption Key shared exclusively within a cluster. A backup of the file system instance is created on a backup node. The backup includes at least some of the encrypted data objects. The DEK is sent to the backup node. The backup node cannot decrypt the backup unless the backup node is a member of the cluster and has access to the KEK to unwrap the DEK.

Abstract: Example implementations relate to encrypting data objects. In an example, data objects of a file system instance contained by a security domain are encrypted using a Data Encryption Key that is specific to the security domain and is wrapped by a Key Encryption Key shared exclusively within a cluster. A root object of the file system instance is encrypted using a Metadata Encryption Key. A backup of the file system instance is created on a backup node. The Data Encryption Key and the Metadata Encryption Key are sent to the backup node.

Abstract: A method for use in managing a secure object store in a computing system includes: securing the secure object store including creating, maintaining, and using a hierarchical key system and accessing an encrypted data object using the Node Key Encryption Key and a selected one of the Data Encryption Keys. The securing includes: generating a Node Key Encryption Key; generating a plurality of Data Encryption Keys that are encrypted using the Node Key Encryption Key; and encrypting a plurality of data objects using the Data Encryption Keys, each data object being encrypted by a respective Data Encryption Key.