Patent attributes
The present document describes a data storage system that includes a sandboxed execution environment. The execution environment is made available to clients of the data storage system. Clients are able to upload executable instructions to the execution environment, which can be used to manipulate data stored on the data storage system. In various examples, clients use the execution environment to perform key rotation operations on encrypted data stored on the data storage system. Clients transfer executable instructions and cryptographic keys to the execution environment, where the encrypted data stored on the data storage system can be read into the execution environment, decrypted with an old key, re-encrypted with a new key, and returned to the data storage system.
