Patent attributes
Multi-envelope encryption provides redundancy for highly-available storage of encrypted data. Data, such as a “snapshot” representing values of every block of a block storage volume or device at a specific point in time, may be encrypted before storage to prevent unauthorized access to the data. To further protect the data and prevent unauthorized access to the data, additional security measures may be taken. Multiple copies of the data key that is to be used to decrypt the data may be encrypted and stored separately from the encrypted data as envelopes. The different envelopes may each be encrypted using envelope keys. If one envelope key is later lost or otherwise becomes unavailable, the encrypted data can still be accessed by using a different envelope key to recover the data key and decrypt the data.
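The scheme described above, sketched in Node.js as an added example that is not code from the patent: one data key encrypts the snapshot, and a separate copy of that key is wrapped under each envelope key. AES-256-GCM, the function names, the `env-a`/`env-b` key IDs and the use of the key ID as associated data are assumptions made for illustration.

```javascript
const { createCipheriv, createDecipheriv, randomBytes } = require("crypto");

// seal returns nonce(12) || tag(16) || ciphertext under AES-256-GCM; aad is authenticated.
function seal(key, plaintext, aad) {
  const nonce = randomBytes(12);
  const c = createCipheriv("aes-256-gcm", key, nonce).setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// open reverses seal; it throws on a wrong key, wrong aad, or missing or altered bytes.
function open(key, box, aad) {
  if (!box || box.length < 28) throw new Error("missing or truncated ciphertext");
  const d = createDecipheriv("aes-256-gcm", key, box.subarray(0, 12));
  d.setAuthTag(box.subarray(12, 28)).setAAD(Buffer.from(aad));
  return Buffer.concat([d.update(box.subarray(28)), d.final()]);
}

// protect encrypts data under a fresh data key and wraps that key once per envelope key.
// In a deployment each envelope would be stored apart from the ciphertext.
function protect(data, envelopeKeys) {
  const dataKey = randomBytes(32);
  const envelopes = new Map();
  for (const [id, key] of envelopeKeys) {
    envelopes.set(id, seal(key, dataKey, id)); // key ID bound as AAD (assumption)
  }
  return { ciphertext: seal(dataKey, data, "data"), envelopes };
}

// recover tries each envelope key still available until one unwraps the data key.
function recover(stored, availableKeys) {
  for (const [id, key] of availableKeys) {
    let dataKey;
    try {
      dataKey = open(key, stored.envelopes.get(id), id);
    } catch {
      continue; // key unusable for this envelope, or envelope missing or damaged
    }
    return open(dataKey, stored.ciphertext, "data");
  }
  throw new Error("no available envelope key unwraps the data key");
}

// Constructed demo: two envelope keys, one of which is then lost.
const keys = new Map([["env-a", randomBytes(32)], ["env-b", randomBytes(32)]]);
const stored = protect(Buffer.from("constructed snapshot bytes"), keys);
keys.delete("env-a");
console.log(recover(stored, keys).toString()); // recovered via env-b
```

If every envelope key is lost, `recover` throws: the data key exists only inside the envelopes, so the redundancy is exactly the number of envelope keys kept available.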