Patents by Inventor Anthony Thomas Sofia

Anthony Thomas Sofia has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11646878
    Abstract: Aspects include encrypting data based at least in part on a session key to generate encrypted data. The session key is encrypted based at least in part on a sender key to generate an encrypted session key. A request for an encrypted sender key index is transmitted to the key management system (KMS); the request includes an index of the sender key and an index of each of one or more additional keys. The encrypted sender key index is received from the KMS. An object that includes the encrypted data, the encrypted session key, the index of each of the one or more additional keys, and the encrypted sender key index is generated. Access to the data via the object is controlled based at least in part on whether a receiver has access to the sender key and to the one or more additional keys.
    Type: Grant
    Filed: July 10, 2020
    Date of Patent: May 9, 2023
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Anthony Thomas Sofia
  • Patent number: 11593498
    Abstract: Aspects include receiving a notification that a value of a data element stored in a source storage location in a source format has been changed to an updated value. The change is replicated to a plurality of target storage locations. The replicating includes, for each of the plurality of target storage locations, determining a target format of the data element in the target storage location. The target format is one of a plurality of different formats, including the source format. Each of the different formats provides a different level of data protection for the data element. In response to determining that the target format is not the same as the source format, the updated value of the data element is converted into the target format, and the updated value of the data element is stored in the target format at the target storage location.
    Type: Grant
    Filed: June 9, 2020
    Date of Patent: February 28, 2023
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Trent Matthew Balta, Anthony Thomas Sofia, Michael Terrence Cohoon, Torin Reilly
  • Patent number: 11562080
    Abstract: Aspects include receiving an outbound payload for output to a requestor as part of a response to a call by the requestor to an application programming interface (API). Clear data in the outbound payload is selected for encryption based on policy information. The clear data is encrypted to generate encrypted data, and the encrypted data is inserted into the outbound payload in place of the clear data to generate an updated outbound payload. The response, including the updated outbound payload, is sent to the requestor.
    Type: Grant
    Filed: May 8, 2020
    Date of Patent: January 24, 2023
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Anthony Thomas Sofia, Michael Joseph Jordan
  • Patent number: 11526534
    Abstract: A computer-implemented method for replicating data changes through distributed invalidation includes receiving, by a distributed database system, an instruction to change a data element in a table. The distributed database system includes at least a first server and a second server. A first copy of the table is stored on the first server, and a second copy of the table is stored on the second server. The method further includes in response to the instruction, determining that the data element is secured by a replication key that is stored on a shared key management system that is accessible by the first server and by the second server, wherein the replication key is unique to the data element. The method further includes invalidating the replication key and modifying the first copy of the table on the first server according to the instruction that is received.
    Type: Grant
    Filed: May 7, 2020
    Date of Patent: December 13, 2022
    Assignee: International Business Machines Corporation
    Inventors: Anthony Thomas Sofia, Jason G. Katonica
  • Patent number: 11522683
    Abstract: Aspects of the invention include protecting data objects in a computing environment based on physical location. Aspects include receiving, by a computing system, a request to access encrypted data from an authenticated user, wherein the encrypted data includes information about a data encryption key used to encrypt the encrypted data. Aspects also include providing, by the computing system, the encrypted data to the computer system where the user was authenticated, the computer system including a set of decryption keys protected by a master key stored within a hardware security module associated with the location of the hardware security module. Aspects further include decrypting, by the hardware security module, the encrypted data based on a determination that the data encryption key corresponds to one of the set of decryption keys, wherein the set of decryption keys are determined based on the location of the hardware security module.
    Type: Grant
    Filed: December 4, 2020
    Date of Patent: December 6, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Anthony Thomas Sofia, James M. Caffrey, Thomas Ginader, Jason G. Katonica
  • Patent number: 11501014
    Abstract: A described method includes receiving, by a database system, an instruction to change a first data element in a table in a database, which includes a first copy and a second copy of the table. A first entry is created in a first change-table. The first entry includes an updated value for a first data element. A second entry is created in a second change-table. Creating the second entry includes changing the updated value into a ciphertext if the first data element is secured, and storing the ciphertext into the second entry. If the first data element is non-secured, the updated value is stored into the second entry as is. The second copy of the table is modified using the second change-table. The second copy of the table is used to respond to subsequent queries.
    Type: Grant
    Filed: May 7, 2020
    Date of Patent: November 15, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Anthony Thomas Sofia, Jason G. Katonica, Trent Matthew Balta, Michael Terrence Cohoon, Torin Reilly
  • Patent number: 11455429
    Abstract: Techniques for container-based cryptography hardware security module (HSM) management in a computer system are described herein. An aspect includes providing a cryptography work daemon container in a computer system, wherein the cryptography work daemon container in the computer system has privileged access to a cryptography HSM of the computer system. Another aspect includes receiving, by the cryptography work daemon container, a request for a cryptography function of the cryptography HSM from an application container in the computer system. Another aspect includes causing, by the cryptography work daemon container, the cryptography HSM to perform the cryptography function based on receiving the request.
    Type: Grant
    Filed: December 3, 2020
    Date of Patent: September 27, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Anthony Thomas Sofia, James M. Caffrey, Thomas Ginader, Elizabeth Santiago
  • Patent number: 11449367
    Abstract: A method is provided that includes receiving, by a firmware from an originating software, an asynchronous request for an instruction of an algorithm for compression of data. The firmware operates on a first processor and the originating software operates on a second processor. The firmware issues a synchronous request to the first processor to cause the processor to execute the instruction synchronously. It is determined, by the firmware, whether an interrupt is received from the first processor with respect to the first processor executing the instruction. The firmware retries the issuance of the synchronous request each time the interrupt is received until a retry threshold is reached.
    Type: Grant
    Filed: February 27, 2019
    Date of Patent: September 20, 2022
    Assignee: International Business Machines Corporation
    Inventors: Matthias Klein, Simon Weishaupt, Anthony Thomas Sofia, Jonathan D. Bradbury, Mark S. Farrell, Mahmoud Amin, Timothy Slegel
  • Patent number: 11392348
    Abstract: Embodiments are described for ordering records. Aspects include blocking one or more records and storing the one or more blocked records as a set of records. Aspects also include reserving space for a metadata record for each of the one or more blocked records that meet one or more selection criteria and generating the metadata record for each of the one or more blocked records that meet the one or more selection criteria. Aspects further include adding the metadata records to the set of blocked records and storing the set of records including the metadata records.
    Type: Grant
    Filed: February 13, 2020
    Date of Patent: July 19, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Bonnie Michele Ordonez, Scott Ballentine, Anthony Thomas Sofia
  • Patent number: 11368287
    Abstract: Embodiments include encrypting an object such that the creator of the encrypted object can be identified. Aspects include receiving, by a processor, an unencrypted object that includes plaintext and metadata that describes the plaintext and obtaining, by the processor in response to a request from a user, a data encryption key (DEK) and a nonce key for the unencrypted object, the nonce key being unique to the user. Aspects also include encrypting, by the processor, the unencrypted object. The encrypting includes generating a nonce based at least in part on the plaintext and the nonce key and generating ciphertext and a metadata authentication tag comprising a signature of the metadata, the generating based at least in part on the plaintext, the metadata, the DEK, and the nonce. Aspects further include creating an encrypted object that includes the ciphertext, the metadata, and the metadata authentication tag.
    Type: Grant
    Filed: May 19, 2020
    Date of Patent: June 21, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Anthony Thomas Sofia, Christopher V. Derobertis, Jason G. Katonica
  • Publication number: 20220180000
    Abstract: Techniques for container-based cryptography hardware security module (HSM) management in a computer system are described herein. An aspect includes providing a cryptography work daemon container in a computer system, wherein the cryptography work daemon container in the computer system has privileged access to a cryptography HSM of the computer system. Another aspect includes receiving, by the cryptography work daemon container, a request for a cryptography function of the cryptography HSM from an application container in the computer system.
    Type: Application
    Filed: December 3, 2020
    Publication date: June 9, 2022
    Inventors: Anthony Thomas Sofia, James M. Caffrey, Thomas Ginader, Elizabeth Santiago
  • Publication number: 20220182233
    Abstract: Aspects of the invention include protecting data objects in a computing environment based on physical location. Aspects include receiving, by a computing system, a request to access encrypted data from an authenticated user, wherein the encrypted data includes information about a data encryption key used to encrypt the encrypted data. Aspects also include providing, by the computing system, the encrypted data to the computer system where the user was authenticated, the computer system including a set of decryption keys protected by a master key stored within a hardware security module associated with the location of the hardware security module. Aspects further include decrypting, by the hardware security module, the encrypted data based on a determination that the data encryption key corresponds to one of the set of decryption keys, wherein the set of decryption keys are determined based on the location of the hardware security module.
    Type: Application
    Filed: December 4, 2020
    Publication date: June 9, 2022
    Inventors: Anthony Thomas Sofia, James M. Caffrey, Thomas Ginader, Jason G. Katonica
  • Patent number: 11354439
    Abstract: Aspects include receiving a request from a user to access data that was acquired by a third-party from a data owner, the data in an encrypted format unreadable by the user. In response to receiving the request from the user to access the data, a third-party key from the third-party is requested and a data owner key from the data owner is requested. The third-party key and the data owner key are applied to the data in the encrypted format to generate the data in an unencrypted format readable by the user. The user is provided with access to the data in the unencrypted format.
    Type: Grant
    Filed: June 3, 2020
    Date of Patent: June 7, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Anthony Thomas Sofia, Michael Joseph Jordan
  • Patent number: 11295031
    Abstract: Embodiments are described for generating, by the processor, a first event record in response to an event being performed by the computer and generating, by the processor, a first tamper resistance record in response to the first event record being generated. The first tamper resistance record includes a first signature created based at least in part on the first event record and a second signature created based at least in part on the first event record. Aspects also include validating the first event record based on the first signature and the second signature in the first tamper resistance record in response to a request to detect tampering of the first event record.
    Type: Grant
    Filed: October 8, 2019
    Date of Patent: April 5, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Michael Kuan, Scott Ballentine, Anthony Thomas Sofia
  • Patent number: 11265144
    Abstract: Aspects of the invention include receiving, by a processor, an unencrypted object that includes plaintext and metadata that describes the plaintext. A data encryption key (DEK) and a nonce key for the unencrypted object are obtained by the processor. The nonce key is different than the DEK. The unencrypted object is encrypted by the processor. The encrypting includes generating a nonce based at least in part on the plaintext and the nonce key. The encrypting also includes generating ciphertext and a metadata authentication tag that includes a signature of the metadata. The generating is based at least in part on the plaintext, the metadata, the DEK, and the nonce. An encrypted object that includes the ciphertext, the metadata, and the metadata authentication tag is created.
    Type: Grant
    Filed: March 9, 2020
    Date of Patent: March 1, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Anthony Thomas Sofia, Jason Katonica
  • Publication number: 20220058291
    Abstract: Aspects include receiving a query at a data engine. The data engine includes data in a protected format stored in a secured database and a copy of the data in a clear format stored in a secured database replica. The query is received from a requestor. The query is processed at the secured database replica to generate a query response in the clear format. The query response is converted into the protected format. The converted query response in the protected format is provided to the requestor.
    Type: Application
    Filed: August 18, 2020
    Publication date: February 24, 2022
    Inventors: Anthony Thomas Sofia, Benjamin P. Segal, Jason G. Katonica, Marcos Barbieri
  • Patent number: 11226839
    Abstract: A system is provided and includes a plurality of machines. The plurality of machines includes a first generation machine and a second generation machine. Each of the plurality of machines includes a machine version. The first generation machine executes a first virtual machine and a virtual architecture level. The second generation machine executes a second virtual machine and the virtual architecture level. The virtual architecture level provides a compatibility level for a complex interruptible instruction to the first and second virtual machines. The compatibility level is architected for a lowest common denominator machine version across the plurality of machines. The compatibility level includes a lowest common denominator indicator identifying the lowest common denominator machine version.
    Type: Grant
    Filed: February 27, 2019
    Date of Patent: January 18, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Matthias Klein, Bruce Conrad Giamei, Anthony Thomas Sofia, Mark S. Farrell, Scott Swaney, Timothy Siegel
  • Publication number: 20220014365
    Abstract: Aspects include encrypting data based at least in part on a session key to generate encrypted data. The session key is encrypted based at least in part on a sender key to generate an encrypted session key. A request for an encrypted sender key index is transmitted to the KMS; the request includes an index of the sender key and an index of each of one or more additional keys. The encrypted sender key index is received from the KMS. An object that includes the encrypted data, the encrypted session key, the index of each of the one or more additional keys, and the encrypted sender key index is generated. Access to the data via the object is controlled based at least in part on whether a receiver has access to the sender key and to the one or more additional keys.
    Type: Application
    Filed: July 10, 2020
    Publication date: January 13, 2022
    Inventor: Anthony Thomas Sofia
  • Publication number: 20210383006
    Abstract: Aspects include receiving a notification that a value of a data element stored in a source storage location in a source format has been changed to an updated value. The change is replicated to a plurality of target storage locations. The replicating includes, for each of the plurality of target storage locations, determining a target format of the data element in the target storage location. The target format is one of a plurality of different formats, including the source format. Each of the different formats provides a different level of data protection for the data element. In response to determining that the target format is not the same as the source format, the updated value of the data element is converted into the target format, and the updated value of the data element is stored in the target format at the target storage location.
    Type: Application
    Filed: June 9, 2020
    Publication date: December 9, 2021
    Inventors: Trent Matthew Balta, Anthony Thomas Sofia, Michael Terrence Cohoon, Torin Reilly
  • Publication number: 20210383020
    Abstract: Aspects include receiving a request from a user to access data that was acquired by a third-party from a data owner, the data in an encrypted format unreadable by the user. In response to receiving the request from the user to access the data, a third-party key from the third-party is requested and a data owner key from the data owner is requested. The third-party key and the data owner key are applied to the data in the encrypted format to generate the data in an unencrypted format readable by the user. The user is provided with access to the data in the unencrypted format.
    Type: Application
    Filed: June 3, 2020
    Publication date: December 9, 2021
    Inventors: Anthony Thomas Sofia, Michael Joseph Jordan