US Patent 10931651 Key management

A data encryption device obtains at least one piece of data to be encrypted. The data encryption device calculates, for each particular piece of data of the at least one piece of data, a data-specific key corresponding to the particular piece of data, the data-specific key being calculated based on a prestored root key and a data identifier of the particular piece of data using a one-way function, where the one-way function is such that the root key is not uniquely derivable from the data-specific key using the one-way function. The data encryption device generates encrypted data corresponding to the particular piece of data by encrypting the particular piece of data using the data-specific key corresponding to the piece of data.