Patent attributes
A method of operating a distributed storage system includes receiving, at data processing hardware of the distributed storage system, a customer-supplied encryption key from a customer device (i.e., a client). The customer-supplied encryption key is associated with wrapped persistent encryption keys for encrypted resources of the distributed storage system. The wrapped persistent encryption keys are stored on one or more non-volatile memory hosts of the distributed storage system. The method also includes unwrapping, by the data processing hardware, a wrapped persistent encryption key that corresponds to a requested encrypted resource using the customer-supplied encryption key. The unwrapped persistent encryption key is configured to decrypt the requested encrypted resource. The method further includes decrypting, by the data processing hardware, the requested encrypted resource using the corresponding unwrapped persistent encryption key. After ceasing access of the decrypted resource, the method includes destroying, by the data processing hardware, the customer-supplied encryption key.