Cross-regional key synchronization system and method, electronic device, storage medium and product

By generating target device keys and encrypting domain keys in the cross-regional key management service, and using DTS to synchronize encrypted domain keys, the problem of cross-regional key synchronization delay is solved, and efficient and secure cross-regional key management is achieved.

WO2026138304A1 · PCT designated stage · Publication Date: 2026-07-02 · CLOUD INTELLIGENCE ASSETS HOLDING (SINGAPORE) PTE LTD +1

Patent Information

Authority / Receiving Office
WO · WO
Patent Type
Applications
Current Assignee / Owner
CLOUD INTELLIGENCE ASSETS HOLDING (SINGAPORE) PTE LTD
Filing Date
2025-11-24
Publication Date
2026-07-02

AI Technical Summary

Technical Problem

In cross-regional key management services, the isolation of domain keys in different regions causes a certain delay in data synchronization, which affects the availability and reliability of the key management service.

Method used

By generating a target device key and encrypting the domain key in the first region, and then using DTS to synchronize the encrypted domain key to the second region, cross-regional key synchronization is achieved, and the encryption status is maintained during transmission to prevent key leakage.

Benefits of technology

It enables efficient synchronization of keys across regions, improves system security and reliability, reduces data transmission latency, and ensures high availability of key management services.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN2025137101_02072026_PF_FP_ABST (abstract figure)

Abstract

The present disclosure belongs to the field of cloud security, and provides a cross-regional key synchronization system and method, an electronic device, a storage medium and a product. The system comprises a first key management device and a first cryptographic device which are located in a first region, and a second key management device and a second cryptographic device which are located in a second region; the first key management device controls the first cryptographic device to generate a target device key and device parameter information, and sends the device parameter information to the second key management device; the second key management device controls the second cryptographic device to generate the same target device key on the basis of the device parameter information; the first key management device generates a first domain key for encrypting a user key, invokes the first cryptographic device to encrypt the first domain key using the target device key, stores the first encrypted domain key obtained by encryption, and synchronizes the first encrypted domain key to the second key management device. The present disclosure can achieve cross-regional key synchronization.

Description

Cross-regional key synchronization systems and methods, electronic devices, storage media and products

[0001] This disclosure claims priority to Chinese Patent Application No. 202411958144.8, filed with the China Patent Office on December 26, 2024, entitled "Cross-regional key synchronization system and method, electronic device, storage medium and product", the entire contents of which are incorporated herein by reference.

Technical Field

[0002] This disclosure relates to the field of cloud security technology, and in particular to a cross-regional key synchronization system and method, electronic device, storage medium and product.

Background Technology

[0003] Key Management Service (KMS) is a security management service that provides simple, reliable, secure, and compliant data encryption protection. To improve the availability and reliability of KMS, reduce data transmission latency, and enhance its disaster recovery capabilities, KMS is typically deployed across geographical regions.

[0004] For key management services deployed across regions, domain keys in different regions are currently isolated from each other, resulting in a certain delay in data synchronization. Therefore, how to achieve key synchronization across regions has become an urgent problem to be solved.

Summary of the Invention

[0005] This disclosure provides a cross-regional key synchronization system and method, electronic device, storage medium and product that can achieve key synchronization across regions.

[0006] In a first aspect, a cross-regional key synchronization system is provided, the system comprising a first key management device, a first cryptographic device, a second key management device, and a second cryptographic device, wherein the first key management device and the first cryptographic device are located in a first region, and the second key management device and the second cryptographic device are located in a second region;

[0007] The first key management device is used to control the first cryptographic device to generate a target device key and device parameter information; and to send the device parameter information to the second key management device, wherein the device parameter information reflects the device parameters of the first cryptographic device when generating the target device key;

[0008] The second key management device is used to control the second cryptographic device to generate the target device key based on the device parameter information;

[0009] The first key management device is further configured to generate a first domain key for encrypting a user key, and call the first cryptographic device to encrypt the first domain key using the target device key; store the encrypted first encrypted domain key, and synchronize the first encrypted domain key to the second key management device, wherein the user key corresponds to the user device.

[0010] In a second aspect, a cross-regional key synchronization method is provided, applied to a first key management device, the method comprising:

[0011] Controlling a first cryptographic device to generate a target device key and device parameter information, wherein the device parameter information reflects the device parameters when the first cryptographic device generates the target device key, and the first key management device and the first cryptographic device are located in a first region;

[0012] Sending the device parameter information to the second key management device, so that the second key management device controls the second cryptographic device to generate the target device key according to the device parameter information, wherein the second key management device and the second cryptographic device are located in the second region;

[0013] Generating a first domain key for encrypting a user key, and invoking the first cryptographic device to encrypt the first domain key using the target device key, wherein the user key corresponds to the user device;

[0014] Storing the first encrypted domain key obtained through encryption, and synchronizing the first encrypted domain key to the second key management device.

[0015] In a third aspect, a cross-regional key synchronization method is provided, applied to a second key management device, the method comprising:

[0016] Receiving device parameter information sent by the first key management device, wherein the device parameter information reflects the device parameters when the first cryptographic device generates the target device key;

[0017] Controlling the second cryptographic device to generate the target device key based on the device parameter information;

[0018] Storing the first encrypted domain key synchronized by the first key management device, and decrypting it using the target device key to obtain the corresponding first domain key, wherein the first encrypted domain key is the result of encrypting the first domain key using the target device key, and the first domain key is used to encrypt the user key corresponding to the user device;

[0019] The first key management device and the first cryptographic device are located in the first region, and the second key management device and the second cryptographic device are located in the second region.

[0020] In a fourth aspect, a cross-regional key synchronization method is provided, applied to a first cryptographic device, the method comprising:

[0021] Generating a target device key and device parameter information in response to a control operation of a first key management device, wherein the device parameter information reflects the device parameters of the first cryptographic device when generating the target device key;

[0022] Providing the device parameter information to the first key management device, the device parameter information being sent by the first key management device to the second key management device so as to control the second cryptographic device to generate the target device key based on the device parameter information;

[0023] The first key management device and the first cryptographic device are located in the first region, and the second key management device and the second cryptographic device are located in the second region.

[0024] In a fifth aspect, a cross-regional key synchronization device is provided, applied to a first key management device, the device comprising:

[0025] The control module is used to control the first cryptographic device to generate a target device key and device parameter information, wherein the device parameter information reflects the device parameters when the first cryptographic device generates the target device key, and the first key management device and the first cryptographic device are located in a first region;

[0026] The sending module is used to send the device parameter information to the second key management device, so that the second key management device controls the second cryptographic device to generate the target device key according to the device parameter information, wherein the second key management device and the second cryptographic device are located in the second region;

[0027] A generation module is used to generate a first domain key for encrypting a user key, the user key corresponding to a user device;

[0028] The encryption module is used to invoke the first cryptographic device to encrypt the first domain key using the target device key;

[0029] The storage module is used to store the first encrypted domain key obtained through encryption;

[0030] The synchronization module is used to synchronize the first encrypted domain key to the second key management device.

[0031] In a sixth aspect, a cross-regional key synchronization device is provided, applied to a second key management device, the device comprising:

[0032] The receiving module is used to receive device parameter information sent by the first key management device, wherein the device parameter information reflects the device parameters when the first cryptographic device generates the target device key;

[0033] The generation module is used to control the second cryptographic device to generate the target device key based on the device parameter information;

[0034] The storage module is used to store the first encrypted domain key synchronized by the first key management device, wherein the first encrypted domain key is the result of encrypting the first domain key using the target device key, and the first domain key is used to encrypt the user key corresponding to the user device;

[0035] The decryption module is used to decrypt the first encrypted domain key using the target device key to obtain the corresponding first domain key;

[0036] The first key management device and the first cryptographic device are located in the first region, and the second key management device and the second cryptographic device are located in the second region.

[0037] In a seventh aspect, a cross-regional key synchronization device is provided, applied to a first cryptographic device, the device comprising:

[0038] The generation module is used to generate a target device key and device parameter information in response to the control operation of the first key management device, wherein the device parameter information reflects the device parameters when the first cryptographic device generates the target device key;

[0039] The providing module is used to provide the device parameter information to the first key management device, the device parameter information being sent by the first key management device to the second key management device so as to control the second cryptographic device to generate the target device key based on the device parameter information;

[0040] The first key management device and the first cryptographic device are located in the first region, and the second key management device and the second cryptographic device are located in the second region.

[0041] In an eighth aspect, an electronic device is provided, comprising a processor and a memory; the memory stores at least one piece of program code; the at least one piece of program code is invoked and executed by the processor to implement the cross-regional key synchronization method of the second aspect, or the cross-regional key synchronization method of the third aspect, or the cross-regional key synchronization method of the fourth aspect.

[0042] In a ninth aspect, a computer-readable storage medium is provided, wherein at least one computer program is stored therein, and when executed by a processor, the at least one computer program is capable of implementing the cross-regional key synchronization method of the second aspect, or the cross-regional key synchronization method of the third aspect, or the cross-regional key synchronization method of the fourth aspect.

[0043] In a tenth aspect, a computer program product is provided, the computer program product comprising a computer program, which, when executed by a processor, is capable of implementing the cross-regional key synchronization method described in the second aspect, or the cross-regional key synchronization method described in the third aspect, or the cross-regional key synchronization method described in the fourth aspect.

[0044] This disclosure provides a cross-regional key synchronization system capable of synchronizing keys across different regions. The system includes a first key management device, a first cryptographic device, a second key management device, and a second cryptographic device. The first key management device and the first cryptographic device are located in a first region, while the second key management device and the second cryptographic device are located in a second region. The purpose of this disclosure is to synchronize the key generated by the first key management device in the first region to the second key management device in the second region. Specifically, the first key management device in the first region controls the first cryptographic device to generate a target device key and device parameter information. This device parameter information reflects the device parameters used by the first cryptographic device when generating the target device key. The device parameter information is then sent to the second key management device. Upon receiving the device parameter information, the second key management device controls the second cryptographic device to generate the target device key based on the device parameter information. At this point, the first cryptographic device in the first region and the second cryptographic device in the second region hold identical device keys, and the device key itself has never crossed the region boundary. On this basis, after the first key management device generates a first domain key for encrypting user keys, it calls the first cryptographic device to encrypt the first domain key using the target device key, obtaining a first encrypted domain key, which is then synchronized to the second key management device. Since the second cryptographic device in the second region holds the same target device key, when the second key management device needs the first domain key it can call the second cryptographic device to decrypt the first encrypted domain key using the target device key, thereby obtaining the first domain key. This achieves synchronization of domain keys across the first and second regions. Furthermore, because the first domain key is synchronized from the first key management device to the second key management device in encrypted form, the plaintext first domain key is never exposed during the synchronization process.

Description of the Drawings

[0045] To more clearly illustrate the technical solutions in the embodiments of this disclosure, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of this disclosure. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0046] Figure 1 is an architecture diagram of a cross-regional key synchronization system provided in an embodiment of this disclosure;

[0047] Figure 2 is a flowchart of a cross-regional key synchronization method provided in an embodiment of this disclosure;

[0048] Figure 3 is a flowchart of another cross-regional key synchronization method provided in an embodiment of this disclosure;

[0049] Figure 4 is a flowchart of another cross-regional key synchronization method provided in an embodiment of this disclosure;

[0050] Figure 5 is a flowchart of another cross-regional key synchronization method provided in an embodiment of this disclosure;

[0051] Figure 6 is a flowchart of another cross-regional key synchronization method provided in an embodiment of this disclosure;

[0052] Figure 7 is a schematic diagram of a cross-regional key synchronization device provided in an embodiment of this disclosure;

[0053] Figure 8 is a schematic diagram of another cross-regional key synchronization device provided in an embodiment of this disclosure;

[0054] Figure 9 is a schematic diagram of another cross-regional key synchronization device provided in an embodiment of this disclosure;

[0055] Figure 10 shows a structural block diagram of an electronic device provided by an exemplary embodiment of the present disclosure.

Detailed Description

[0056] To make the objectives, technical solutions, and advantages of this disclosure clearer, the embodiments of this disclosure will be described in further detail below with reference to the accompanying drawings.

[0057] It is understood that the terms "each," "multiple," and "any," etc., used in the embodiments of this disclosure, are to be read as "multiple" (two or more), "each" (each one of the corresponding multiple), and "any" (any one of the corresponding multiple). For example, if "multiple words" refers to 10 words, "each word" refers to each of the 10 words, while "any word" refers to any one of the 10 words.

[0058] It should be noted that the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, data stored, data displayed, etc.) involved in this disclosure are all information and data authorized by the user or fully authorized by all parties. Furthermore, the collection, use and processing of the relevant data must comply with the relevant laws, regulations and standards of the relevant countries and regions, and corresponding operation portals are provided for users to choose to authorize or refuse.

[0059] Before implementing the embodiments of this disclosure, the terms used in the embodiments of this disclosure will be explained.

[0060] A hardware cryptographic machine, also known as the cryptographic device described in the embodiments of this disclosure, is a device specifically designed for encrypting and decrypting data. Hardware cryptographic machines typically have built-in dedicated encryption algorithms and security modules, enabling them to process digital information efficiently and securely.

[0061] A key is a parameter or data used in cryptography to encrypt and decrypt data. The keys involved in this disclosure include device keys, domain keys, and user keys. Specifically, a device key is a key generated by a cryptographic device for encrypting a domain key. A domain key is a key used to encrypt a user key. A user key is a key used to encrypt user data.

[0062] Credentials are sensitive data stored in the system that are obtained by encrypting user data using a user key.

[0063] Key rotation is the process of periodically changing encryption keys. Key rotation reduces the risk of key leakage or cracking, thus increasing system security.

[0064] Data Transfer Service (DTS) is a service used to transfer and transform data between different systems or platforms. DTS is commonly used in scenarios such as database management, data integration, data migration, and data backup.

[0065] With the development of cloud computing technology, data security in the cloud has become crucial. Cloud security refers to the collective term for security software, hardware, users, organizations, and secure cloud platforms based on cloud computing business models. Cloud security integrates emerging technologies and concepts such as parallel processing, grid computing, and unknown virus behavior detection. Through a large network of clients, it monitors abnormal software behavior on the network, obtains the latest information on Trojans and malware on the Internet, sends it to the server for automatic analysis and processing, and then distributes solutions for viruses and Trojans to each client.

[0066] The main research directions in cloud security include: 1. Cloud computing security, which mainly studies how to ensure the security of the cloud itself and various applications on the cloud, including cloud computer system security, secure storage and isolation of user data, user access authentication, information transmission security, network attack protection, and compliance auditing; 2. Cloudification of security infrastructure, which mainly studies how to use cloud computing to build and integrate security infrastructure resources and optimize security protection mechanisms, including building a large-scale security event and information collection and processing platform through cloud computing technology to achieve the collection and correlation analysis of massive amounts of information and improve the ability to control network-wide security events and risks; 3. Cloud security services, which mainly studies various security services provided to users based on cloud computing platforms, such as antivirus services.

[0067] To meet the data security needs of the cloud, Key Management Services (KMS) have emerged. KMS is a one-stop key management and data encryption service used to manage, protect, and distribute keys. Its main functions include key generation, key storage, key backup, and key recovery. By providing highly secure key management and protection, KMS ensures that data is adequately protected at every stage of storage, transmission, and use.

[0068] To enhance the reliability and availability of key management services and reduce data transmission latency, these services are typically deployed across geographical regions; for example, key management services could be deployed in a first region and a second region respectively. However, to prevent key leakage during transmission between different regions and to improve system security, keys in different regions are currently isolated from each other, and data synchronization has a certain delay.

[0069] To achieve cross-regional key synchronization, this disclosure provides a cross-regional key synchronization system. This system generates identical target device keys in a first region and a second region. Then, within the first region, it encrypts the domain key generated within that region using the target device key, stores the encrypted domain key, and synchronizes the encrypted domain key to the second region using DTS (Data Transfer Service). This achieves cross-regional key synchronization. Furthermore, the domain key synchronized from the first region to the second region is encrypted, preventing domain key leakage during transmission, improving system security, and ensuring high availability of cross-regional key management services. In addition, the first and second regions achieve real-time synchronization via DTS, guaranteeing high reliability and low latency for key synchronization between multiple regions.

[0070] Please refer to Figure 1, which illustrates a cross-regional key synchronization system 100 provided in this embodiment of the disclosure. The system 100 includes a first key management device 101, a first cryptographic device 102, a second key management device 103, and a second cryptographic device 104. The first key management device 101 and the first cryptographic device 102 are located in a first region, while the second key management device 103 and the second cryptographic device 104 are located in a second region. The first region and the second region are two different physical regions, physically isolated from each other. In this embodiment, the first key management device 101 can act as the master device for key management services, and the second key management device can act as the slave device for key management services. After the first key management device 101 generates a domain key, a user key, and credentials, the generated domain key, user key, and credentials are synchronized to the second region, so that the second key management device 103, as the slave device, can provide encryption and decryption services. Furthermore, the first key management device 101 can communicate with the first cryptographic device 102 and the second key management device 103 via a network, and the second key management device 103 can communicate with the second cryptographic device 104 via a network. This network can be a wired network or a wireless network, and this embodiment does not specifically limit it.

[0071] It should be noted that although Figure 1 shows one second region, in a real-world scenario at least one second region may be included to ensure high availability of the key management service. This embodiment of the disclosure uses any one of the at least one second region as an example for illustration. Furthermore, although the first region shown in Figure 1 includes one first key management device and one first cryptographic device, in reality, for considerations such as load balancing and disaster recovery, at least one first key management device and at least one first cryptographic device may be deployed within the first region. This embodiment of the disclosure uses any one of the at least one first key management device and any one of the at least one first cryptographic device as an example for illustration. Similarly, although the second region shown in Figure 1 includes one second key management device and one second cryptographic device, in reality, for considerations such as load balancing and disaster recovery, at least one second key management device and at least one second cryptographic device may be deployed within the second region. This embodiment of the disclosure uses any one of the at least one second key management device and any one of the at least one second cryptographic device as an example for illustration.

[0072] The first key management device 101 and the second key management device 103 integrate multiple functions, including the generation of domain keys and user keys, encryption of user keys, and storage of encrypted domain keys and encrypted user keys. To better implement the storage function, the first key management device 101 may include a first database, and the second key management device 103 may include a second database. The first and second databases can communicate based on DTS (Data Transfer Service), thereby reducing data transmission latency and ensuring high reliability of the key management service.

[0073] In this embodiment, the first key management device 101 can control the first cryptographic device 102 to generate a target device key. The target device key generated by the first cryptographic device 102 is used to encrypt and decrypt the domain key generated by the first key management device 101. For security reasons, the target device key generated by the first cryptographic device 102 is not sent to other devices, but is stored in the first cryptographic device 102. When the first key management device 101 needs to encrypt the generated domain key, it can call the first cryptographic device 102 to encrypt the generated domain key; when the first key management device 101 needs to decrypt the encrypted domain key, it can also call the first cryptographic device 102 to decrypt the generated encrypted domain key. When controlling the first cryptographic device 102 to generate the target device key, the first key management device 101 can control the first cryptographic device to perform an initialization operation, thereby generating the target device key during the initialization process. Specifically, the first key management device 101 can generate a first initialization command at the beginning of system deployment, or at any other time when the device key generated by the first cryptographic device 102 needs to be updated, and send the first initialization command to the first cryptographic device 102. In response to the first initialization command, the first cryptographic device 102 performs an initialization operation, and generates the target device key after the initialization operation is completed. Furthermore, the first cryptographic device 102 can also record the device parameters used in the process of generating the target device key, and generate device parameter information based on the recorded device parameters.

[0074] Furthermore, the first key management device 101 can also send the generated device parameter information to the second key management device 103, so that the second key management device 103 can control the second cryptographic device 104 to generate the target device key, thereby providing a basis for cross-region key synchronization between the first region and the second region.

[0075] In this embodiment, upon receiving device parameter information sent by the first key management device 101, the second key management device 103 can control the second cryptographic device 104 to perform a recovery initialization operation, thereby generating a target device key identical to the target device key generated by the first cryptographic device 102. Specifically, the second key management device 103 can send a second initialization instruction to the second cryptographic device 104, which may include device parameter information. In response to the second initialization instruction, the second cryptographic device 104 performs an initialization operation based on the device parameter information to generate the target device key. Similar to the first cryptographic device 102, the target device key generated by the second cryptographic device 104 is not sent to other devices but is stored in the second cryptographic device 104.

[0076] In this embodiment, the domain key is used to encrypt the user key. To encrypt and thereby protect the user key, the first key management device 101 can generate a first domain key for encrypting the user key. Since the first domain key is used to encrypt the user key, if the first domain key is leaked, the user key is also at risk of being leaked, leaving the entire system without security. To avoid this, after generating the first domain key, the first key management device 101 can call the first cryptographic device 102 to encrypt the first domain key using the target device key, obtaining a first encrypted domain key.

[0077] Furthermore, to facilitate the subsequent use of the first encrypted domain key, the first key management device 101 will also store the first encrypted domain key. In addition, the first key management device 101 can synchronize the first encrypted domain key to the second key management device 103, thereby achieving domain key synchronization across the first and second regions. Since the data in the first key management device 101 is stored in the first database, and the data in the second key management device 103 is stored in the second database, the above storage and synchronization process can specifically be as follows: the first key management device 101 stores the first encrypted domain key in the first database, and after receiving the first encrypted domain key, the first database synchronizes the first encrypted domain key to the second database based on DTS. In this embodiment, the first encrypted domain key sent by the first key management device 101 to the second key management device 103 is encrypted data. Although it is transmitted between different regions, due to encryption protection, there is no risk of leakage, and the system security is high.

[0078] In this embodiment, when an upper-layer user equipment requires encryption, it can trigger a user key generation instruction and send the user key generation instruction to the first key management device 101. The first key management device 101, in response to the user key generation instruction triggered by the user equipment, generates a user key corresponding to the user equipment. To prevent user key leakage and protect user data security, the first key management device 101 can encrypt the user key using the first domain key to obtain a first encrypted user key. Since the first key management device 101 does not store the first domain key in plaintext, it needs to obtain it. Specifically, the first key management device 101 can obtain the first encrypted domain key, for example, from the first database, and then call the first cryptographic device 102 to decrypt the first encrypted domain key using the target device key to obtain the first domain key.

[0079] Furthermore, after obtaining the first encrypted user key, the first key management device 101 can store the identifiers of the first encrypted user key and the first domain key, and synchronize the identifiers of the first encrypted user key and the first domain key to the second key management device, thereby realizing cross-regional user key synchronization between the first region and the second region. Specifically, the first key management device 101 can store the identifiers of the first encrypted user key and the first domain key in a first database. After the first database detects the identifiers of the first encrypted user key and the first domain key, it can synchronize the identifiers of the first encrypted user key and the first domain key to the second database based on DTS. Optionally, to facilitate subsequent retrieval of the first encrypted user key, the first key management device 101 can also store the identifier of the user key, and correspondingly, the second key management device 103 will store the identifier of the user key.

[0080] In another embodiment of this disclosure, after generating the user key, the first key management device may also send the identifier of the user key to the user device, so that when the user device needs to encrypt user data, it can encrypt it based on the user key identifier and the user key provided by the system.

[0081] When user data needs to be encrypted, the user equipment can trigger the generation of a data encryption request and then send the data encryption request, which includes the user data and the identifier of the user key. Upon receiving the data encryption request from the user equipment, the first key management device obtains the user key based on the identifier of the user key, and then uses the user key to encrypt the user data to obtain the encrypted user data.

[0082] Specifically, the process by which the first key management device 101 obtains the user key based on the user key identifier includes: the first key management device 101 obtains the first encrypted user key and its corresponding first domain key identifier from the first database based on the user key identifier; then, based on the first domain key identifier, it obtains the first encrypted domain key from the first database. Next, the first key management device 101 calls the first cryptographic device 102 to decrypt the first encrypted domain key using the target device key to obtain the first domain key; and then uses the first domain key to decrypt the first encrypted user key to obtain the user key.

[0083] Furthermore, after obtaining the encrypted user data, the first key management device 101 can store the encrypted user data and synchronize it to the second key management device 103, thereby achieving encrypted user data synchronization across the first and second regions. Specifically, the first key management device 101 can store the encrypted user data in the first database, and the first database detects the encrypted user data and then synchronizes it to the second database based on DTS.

[0084] For the first region, through the aforementioned multiple synchronization steps, the first database stores encrypted data such as the first encryption domain key, the first encryption user key, and encrypted user data, while the first cryptographic device stores the target device key, thus providing encryption and decryption services. For example, when an upper-layer user device wants to obtain unencrypted user data, the first key management device can retrieve the first encryption domain key, the first encryption user key, and the encrypted user data from the first database. Then, it calls the first cryptographic device to decrypt the first encryption domain key using the target device key to obtain the first domain key. Next, it uses the first domain key to decrypt the first encryption user key to obtain the user key. Finally, it uses the user key to decrypt the encrypted user data to obtain the user data, which is then provided to the upper-layer user device.

[0085] For the second region, through the aforementioned multiple synchronization steps, the second database has already stored the first encryption domain key, the first encryption user key, and encrypted user data, and the second cryptographic device 104 stores the target device key. Therefore, if the first key management device 101, which acts as the primary device, fails, or for load balancing considerations, the second key management device 103 can provide encryption and decryption services based on the various encrypted data stored in the second database and the target device key in the second cryptographic device 104. For example, when an upper-layer user device needs to encrypt user data, the user device can trigger the generation of a data encryption request and then send the data encryption request, which includes the user data and the identifier of the user key. Upon receiving the user device's data encryption request, the second key management device 103, based on the identifier of the user key, retrieves the identifiers of the first encryption user key and the first domain key from the second database, and then, based on the identifier of the first domain key, retrieves the first encryption domain key from the second database. Next, the second key management device 103 calls the second cryptographic device 104 to decrypt the first encryption domain key using the target device key to obtain the first domain key. Then, it uses the first domain key to decrypt the first encrypted user key to obtain the user key. Finally, it uses the user key to encrypt the user data to obtain the encrypted user data.

[0086] In another embodiment of this disclosure, to improve system security, a domain key rotation condition can be set for the first key management device 101. This rotation condition can be that the domain key is regenerated every preset time interval, such as one day or two days; or it can be that the generated domain key is regenerated when it has been used a preset number of times, such as 10 or 20 times. Thus, rotation essentially means updating. When the domain key rotation condition is met, the first key management device 101 can generate a second domain key, then call the first cryptographic device 102 to encrypt the second domain key using the target device key to obtain a second encrypted domain key, which is then stored and synchronized to the second key management device 103. Specifically, the first key management device 101 can store the second encrypted domain key in a first database. After detecting the second encrypted domain key, the first database synchronizes the second encrypted domain key to the second database based on DTS.

[0087] Furthermore, after the domain key rotation, to ensure that the user key can be obtained based on the second domain key, the first key management device will also acquire the first encrypted domain key and the first encrypted user key, call the first cryptographic device to decrypt the first encrypted domain key using the target device key to obtain the first domain key, and then use the first domain key to decrypt the first encrypted user key to obtain the user key. Next, the first key management device uses the second domain key to encrypt the user key to obtain the second encrypted user key, and then stores the identifiers of the second encrypted user key and the second domain key, and synchronizes the identifiers of the second encrypted user key and the second domain key to the second key management device.

[0088] In this embodiment of the disclosure, after the domain key rotation, the encrypted second domain key, i.e. the second encrypted domain key, is synchronized to the second key management device, and the second encrypted user key obtained by re-encrypting the user key using the second domain key is synchronized to the second key management device. This ensures that the keys stored in the first key management device and the second key management device are synchronized, thereby providing a non-discriminatory key management service based on the first region and the second region.

[0089] In this embodiment, the first key management device stores both a first encryption domain key and a second encryption domain key. For subsequent applications, the first key management device can set the second domain key to an active state and the first domain key to an inactive state. The active state indicates that before the first key management device meets the domain key rotation condition again, it should use the second domain key to encrypt a newly generated user key or decrypt the second encrypted user key.

[0090] It should be noted that the above explanation uses domain key rotation as an example. In practical applications, to better protect user data security, user keys can also be rotated. By rotating domain and user keys, user data security can be better managed. Even if domain and user keys are leaked, the key rotation mechanism ensures that user data security is still protected after the rotation, further reducing the risk of user data attacks.

[0091] All of the above-mentioned optional technical solutions can be combined in any way to form optional embodiments of this disclosure, and will not be described in detail here.

[0092] This disclosure provides a cross-regional key synchronization method. Taking the cross-regional key synchronization system shown in Figure 1 as an example, and referring to Figure 2, the method flow provided by this disclosure includes:

[0093] 201. In response to the control operation of the first key management device, the first cryptographic device generates the target device key and device parameter information.

[0094] The device parameter information reflects the device parameters used by the first cryptographic device to generate the target device key. These device parameters may include the parameters and algorithms used in the target device key generation process.

[0095] The first key management device can send a first initialization command to the first cryptographic device. In response to the first initialization command, the first cryptographic device performs an initialization operation to generate a target device key and obtain device parameter information of the device parameters used to generate the target device key.

[0096] 202. The first cryptographic device provides the device parameter information to the first key management device.

[0097] 203. The first key management device sends the device parameter information to the second key management device.

[0098] 204. The second key management device controls the second cryptographic device to generate the target device key based on the device parameter information.

[0099] Upon receiving device parameter information, the second key management device can generate a second initialization instruction including the device parameter information and send the second initialization instruction to the second cryptographic device. In response to the second initialization instruction, the second cryptographic device performs a recovery initialization operation and generates the target device key based on the device parameter information.

[0100] 205. The first key management device generates a first domain key for encrypting user keys, and calls the first cryptographic device to encrypt the first domain key using the target device key.

[0101] 206. The first key management device stores the first encryption domain key obtained through encryption.

[0102] When the first encryption domain key is generated, the first key management device stores the first encryption domain key in the first database.

[0103] 207. The first key management device synchronizes the first encryption domain key to the second key management device.

[0104] After the first database detects the first encryption domain key, it synchronizes the first encryption domain key to the second database based on DTS, thereby achieving cross-regional domain key synchronization.

[0105] 208. The second key management device stores the first encryption domain key synchronized by the first key management device, and the corresponding first domain key obtained by decryption based on the target device key.

[0106] After receiving the first encryption domain key synchronized by the first key management device, the second key management device stores the first encryption domain key. When the first domain key is needed, the second cryptographic device is invoked to decrypt the first encryption domain key using the target device key to obtain the first domain key.

[0107] This embodiment of the disclosure generates the same target device key by controlling a first cryptographic device in a first region and a second cryptographic device in a second region. Based on this target device key, a first encrypted domain key encrypted with the target device key is synchronized to the second region, thereby achieving cross-regional domain key synchronization. Furthermore, since the synchronized data is encrypted, data leakage is avoided, improving data security.

[0108] This disclosure provides a cross-regional key synchronization method. Taking the cross-regional key synchronization system shown in Figure 1 as an example, and referring to Figure 3, the method flow provided by this disclosure includes:

[0109] 301. The first key management device generates a user key in response to a user key generation command triggered by the user equipment.

[0110] After generating the user key, the first key management device can also send the identifier of the user key to the user device, so that the user device can use the user key in this system to encrypt user data based on the identifier of the user key.

[0111] 302. The first key management device calls the first cryptographic device to decrypt the first encryption domain key using the target device key to obtain the first domain key.

[0112] The first key management device obtains the first encryption domain key from the first database and calls the first cryptographic device to decrypt the first encryption domain key using the target device key to obtain the first domain key.

[0113] 303. The first key management device uses the first domain key to encrypt the user key to obtain the first encrypted user key.

[0114] 304. The first key management device stores the identifiers of the first encrypted user key and the first domain key.

[0115] Specifically, the first key management device can store the identifiers of the first encrypted user key and the first domain key in the first database. Optionally, the first key management device can also store the identifier of the user key, thereby facilitating the subsequent retrieval of the first encrypted user key.

[0116] 305. The first key management device synchronizes the identifiers of the first encrypted user key and the first domain key to the second key management device.

[0117] Specifically, after the first key management device stores the identifiers of the first encrypted user key and the first domain key in the first database, the first database detects the stored data. When it detects that the identifiers of the first encrypted user key and the first domain key are not synchronized, it synchronizes the identifiers of the first encrypted user key and the first domain key to the second database based on DTS.

[0118] In this embodiment, after generating the user key, the user key is encrypted using the first domain key corresponding to the first region. The encrypted first user key is then synchronized to the second region, thereby achieving cross-regional user key synchronization. Furthermore, since the synchronized data is encrypted, data leakage is avoided, improving data security.

[0119] This disclosure provides a cross-regional key synchronization method. Taking the cross-regional key synchronization system shown in Figure 1 as an example, and referring to Figure 4, the method flow provided by this disclosure includes:

[0120] 401. The first key management device receives a data encryption request from the user equipment.

[0121] The data encryption request includes the user data and the identifier of the user key.

[0122] 402. The first key management device obtains the first encrypted user key and the first encrypted domain key based on the identifier of the user key.

[0123] The first key management device obtains the first encrypted user key and its corresponding first domain key identifier from the first database based on the user key identifier, and then obtains the first encrypted domain key from the first database based on the first domain key identifier.

[0124] 403. The first key management device calls the first cryptographic device to decrypt the first encryption domain key using the target device key to obtain the first domain key.

[0125] 404. The first key management device uses the first domain key to decrypt the first encrypted user key to obtain the user key.

[0126] 405. The first key management device uses the user key to encrypt user data in order to obtain encrypted user data.

[0127] 406. The first key management device stores encrypted user data.

[0128] Specifically, the first key management device stores encrypted user data in the first database. For ease of subsequent retrieval, the identifier of the user key can be stored accordingly.

[0129] 407. The first key management device synchronizes the encrypted user data to the second key management device.

[0130] Specifically, the first database detects the stored data, and when it detects unsynchronized encrypted user data, it synchronizes the encrypted user data to the second database based on DTS.

[0131] This embodiment of the disclosure achieves cross-regional user data synchronization by encrypting user data using a user key and then synchronizing the encrypted user data to a second region. Furthermore, since the synchronized data is encrypted, data leakage is avoided, thus improving data security.

[0132] This disclosure provides a cross-regional key synchronization method. Taking the cross-regional key synchronization system shown in Figure 1 as an example, and referring to Figure 5, the method flow provided by this disclosure includes:

[0133] 501. When the first key management device determines that the domain key rotation conditions are met, it generates the second domain key.

[0134] 502. The first key management device calls the first cryptographic device to encrypt the second domain key using the target device key to obtain the second encrypted domain key.

[0135] 503. The first key management device stores the second encryption domain key.

[0136] Specifically, the first key management device stores the second encryption domain key in the first database.

[0137] 504. The first key management device synchronizes the second encryption domain key to the second key management device.

[0138] After the first key management device stores the second encryption domain key in the first database, the first database detects the stored data. When it detects an unsynchronized second encryption domain key, it synchronizes the second encryption domain key to the second database based on DTS.

[0139] Furthermore, after the domain key rotation, to ensure that the user key can be obtained based on the second domain key, the first key management device will also acquire the first encrypted domain key and the first encrypted user key, call the first cryptographic device to decrypt the first encrypted domain key using the target device key to obtain the first domain key, and then use the first domain key to decrypt the first encrypted user key to obtain the user key. Next, the first key management device uses the second domain key to encrypt the user key to obtain the second encrypted user key, and then stores the identifiers of the second encrypted user key and the second domain key, and synchronizes the identifiers of the second encrypted user key and the second domain key to the second key management device.

[0140] In this embodiment of the disclosure, after the domain key rotation, the encrypted second domain key, i.e. the second encrypted domain key, is synchronized to the second key management device, and the second encrypted user key obtained by re-encrypting the user key using the second domain key is synchronized to the second key management device. This ensures that the keys stored in the first key management device and the second key management device are synchronized, thereby providing a non-discriminatory key management service based on the first region and the second region.

[0141] Furthermore, in this embodiment of the disclosure, the first key management device simultaneously stores a first encryption domain key and a second encryption domain key. For subsequent applications, the first key management device can set the second domain key to an active state and the first domain key to an inactive state. The active state indicates that before the first key management device again meets the domain key rotation condition, it should use the second domain key to encrypt a newly generated user key or decrypt the second encrypted user key.

[0142] The cross-regional key synchronization methods provided in the various embodiments of this disclosure will be described in detail below with reference to Figure 6.

[0143] Referring to Figure 6, the first area is area A, which includes a first key management device (not shown in the figure) and a first cryptographic device. The second area is area B, which includes a second key management device (also not shown in the figure) and a second cryptographic device. The entire process can be divided into two stages:

[0144] Phase 1: System Initialization

[0145] During this phase, the first key management device controls the initialization of the first cryptographic device to generate the target device key HsmKey. After initialization, the first cryptographic device generates a backup file and provides the backup file to the first key management device. The first key management device then sends the backup file to the second key management device, which controls the second cryptographic device to perform a recovery initialization operation and generate the target device key HsmKey. At this point, the first cryptographic device and the second cryptographic device have the same HsmKey.

[0146] The first key management device generates a first domain key, DomainKey1, in region A. It then calls the first cryptographic device to encrypt this first domain key, DomainKey1, using the target device key, HsmKey, to obtain a first encrypted domain key. This first encrypted domain key is then stored in the first database. The first database synchronizes the first encrypted domain key to the second database in real time using DTS.

[0147] The first key management device generates a user key in region A and retrieves the first encryption domain key from the first database. It then calls the first cryptographic device to decrypt the first encryption domain key using the target device key HsmKey, obtaining the first domain key DomainKey1. DomainKey1 is then used to encrypt the user key, resulting in the first encrypted user key. The identifiers of the first encrypted user key and the first domain key DomainKey1 are then stored in the first database. The first database synchronizes the identifiers of the first encrypted user key and the first domain key DomainKey1 to the second database using DTS.

[0148] Phase Two: Automatic Rotation of Domain Keys

[0149] When the domain key rotation conditions are met, the first key management device generates a second domain key, DomainKey2, and calls the first cryptographic device to encrypt the second domain key, DomainKey2, to obtain a second encrypted domain key. This second encrypted domain key is then stored in the first database. The first database uses DTS to synchronize the second encrypted domain key to the second database.

[0150] The first key management device retrieves the first encryption domain key and the first encrypted user key from the first database, and calls the first cryptographic device to decrypt the first encryption domain key using HsmKey to obtain the first domain key DomainKey1. Then, it uses the first domain key DomainKey1 to decrypt the first encrypted user key to obtain the user key. Next, the first key management device uses the second domain key DomainKey2 to encrypt the user key to obtain the second encrypted user key. Finally, it stores the identifiers of the second encrypted user key and the second domain key DomainKey2 in the first database. The first database synchronizes the identifiers of the second encrypted user key and the second domain key DomainKey2 to the second database based on DTS.

[0151] The disclosed solution transmits data in encrypted form when transmitting data across regions, reducing the risk of data leakage. Furthermore, compared to traditional data synchronization implemented at the application layer, this disclosure uses DTS transmission, which has extremely low latency and can synchronize data to multiple regions in real time. Moreover, the underlying layer is based on a highly efficient DTS data synchronization task, which can support real-time synchronization of massive amounts of data.

[0152] Please refer to Figure 7, which shows a schematic diagram of a cross-regional key synchronization device provided in an embodiment of this disclosure. The device is applied to a first key management device and can be implemented through software, hardware, or a combination of both, becoming all or part of an electronic device. The device includes:

[0153] The control module 701 is used to control the first cryptographic device to generate a target device key and device parameter information. The device parameter information reflects the device parameters when the first cryptographic device generates the target device key. The first key management device and the first cryptographic device are located in a first area.

[0154] The sending module 702 is used to send the device parameter information to the second key management device, so that the second key management device controls the second cryptographic device to generate the target device key according to the device parameter information. The second key management device and the second cryptographic device are located in the second area.

[0155] The generation module 703 is used to generate a first domain key for encrypting user keys.

[0156] The encryption module 704 is used to invoke the first cryptographic device to encrypt the first domain key using the target device key.

[0157] Storage module 705 is used to store the first encryption domain key obtained through encryption.

[0158] Synchronization module 706 is used to synchronize the first encryption domain key to the second key management device.

[0159] In another embodiment of this disclosure, the generation module 703 is further configured to generate a user key in response to a user key generation instruction triggered by a user equipment.

[0160] The encryption module 704 is further configured to encrypt the user key using the first domain key to obtain a first encrypted user key.

[0161] The storage module 705 is used to store the identifiers of the first encrypted user key and the first domain key, and to synchronize the identifiers of the first encrypted user key and the first domain key to the second key management device.

[0162] In another embodiment of this disclosure, the apparatus further includes: a decryption module, configured to invoke the first cryptographic device to decrypt the first encryption domain key using the target device key to obtain the first domain key.

[0163] In another embodiment of this disclosure, the apparatus further includes a sending module for sending an identifier of the user key to the user equipment.

[0164] In another embodiment of this disclosure, the apparatus further includes: a receiving module for receiving a data encryption request from the user equipment, the data encryption request including the user data and an identifier of the user key; and an acquisition module for obtaining the user key based on the identifier of the user key. Therefore, the encryption module 704 is further configured to encrypt the user data using the user key to obtain encrypted user data. The storage module 705 is further configured to store the encrypted user data and synchronize the encrypted user data to the second key management device.

[0165] In another embodiment of this disclosure, the acquisition module is configured to acquire the first encrypted user key and the first encrypted domain key from the first database; to invoke the first cryptographic device to decrypt the first encrypted domain key using the target device key to obtain the first domain key; and to decrypt the first encrypted user key using the first domain key to obtain the user key.

[0166] In another embodiment of this disclosure, the apparatus further includes: a generation module, configured to generate a second domain key when it is determined that the domain key rotation condition is met. Thus, an encryption module 704 is configured to invoke the first cryptographic device to encrypt the second domain key using the target device key to obtain the second encrypted domain key. A storage module 705 is configured to store the second encrypted domain key and synchronize the second encrypted domain key to a second key management device.

[0167] In another embodiment of this disclosure, the apparatus further includes:

[0168] The acquisition module is further configured to acquire the first encryption domain key and the first encryption user key; the decryption module is configured to invoke the first cryptographic device to decrypt the first encryption domain key using the target device key to obtain the first domain key, and to decrypt the first encryption user key using the first domain key to obtain the user key. Therefore, the encryption module 704 is further configured to encrypt the user key using the second domain key to obtain a second encryption user key. The storage module 705 is further configured to store the identifiers of the second encryption user key and the second domain key. The synchronization module 706 is further configured to synchronize the identifiers of the second encryption user key and the second domain key to the second key management device.

[0169] In another embodiment of this disclosure, the apparatus further includes: a setting module, configured to set the second domain key to an active state and the first domain key to an inactive state; wherein the active state is used to instruct the first key management device to encrypt a newly generated user key or decrypt a second encrypted user key using the second domain key before the domain key rotation condition is met again.
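The key hierarchy that paragraphs [0164] to [0169] describe, as an added example that is not part of the patent: a device key that never leaves the cryptographic device wraps the domain key, the domain key wraps each user key, and rotation re-wraps the user keys under a new active domain key. Assumptions: the HSM wrap is modelled by an HMAC-SHA256 counter keystream plus an HMAC tag, both regions derive the same device key deterministically from the shared device parameter information, and `Region`, `sync_to` and the key identifiers are constructed for this example.

```python
"""Toy model of the patent's key hierarchy (added example, not patent code).
Stand-ins: HMAC-SHA256 keystream + HMAC tag instead of the HSM's wrap;
device parameter information modelled as a byte string both regions share."""
import hashlib, hmac, os

def derive_device_key(params: bytes) -> bytes:
    # Assumption: each cryptographic device derives the same target device key
    # from the shared device parameter information; in practice this happens
    # inside the HSM and the key itself is never exported.
    return hashlib.sha256(b"device-key|" + params).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range((n + 31) // 32))

def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    body = nonce + bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return body + hmac.new(key, body, "sha256").digest()

def unwrap(key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
        raise ValueError("wrong device/domain key or tampered blob")
    nonce, ct = body[:16], body[16:]
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))

class Region:
    """Key management device plus cryptographic device of one region (constructed)."""
    def __init__(self, params: bytes):
        self._device_key = derive_device_key(params)  # stays local, never synced
        # database: only ciphertext and identifiers live here (what DTS would copy)
        self.db = {"domain_keys": {}, "user_keys": {}, "active_domain": None}

    def create_domain_key(self, dk_id: str) -> None:
        self.db["domain_keys"][dk_id] = wrap(self._device_key, os.urandom(32))
        self.db["active_domain"] = dk_id  # active; earlier ids are implicitly inactive

    def _domain_key(self, dk_id: str) -> bytes:
        return unwrap(self._device_key, self.db["domain_keys"][dk_id])

    def create_user_key(self, uk_id: str) -> None:
        dk_id = self.db["active_domain"]  # new user keys use the active domain key
        self.db["user_keys"][uk_id] = (dk_id, wrap(self._domain_key(dk_id), os.urandom(32)))

    def user_key(self, uk_id: str) -> bytes:
        dk_id, blob = self.db["user_keys"][uk_id]  # domain key id stored with user key
        return unwrap(self._domain_key(dk_id), blob)

    def rotate_domain_key(self, new_id: str) -> None:
        # rotation: new domain key, then re-wrap every user key under it
        self.create_domain_key(new_id)
        new_dk = self._domain_key(new_id)
        for uk_id, (old_id, blob) in list(self.db["user_keys"].items()):
            self.db["user_keys"][uk_id] = (new_id, wrap(new_dk, unwrap(self._domain_key(old_id), blob)))

    def sync_to(self, other: "Region") -> None:
        # data transmission service stand-in: copies the database, not the device key
        other.db = {k: (dict(v) if isinstance(v, dict) else v) for k, v in self.db.items()}
```

A region initialised with different device parameter information holds a different device key, so its unwrap of the synchronized domain key fails the tag check instead of yielding a wrong key silently.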

[0170] Please refer to Figure 8, which shows a schematic diagram of a cross-regional key synchronization device provided in an embodiment of this disclosure. This device is applied to a second key management device and can be implemented through software, hardware, or a combination of both, as all or part of an electronic device. The device includes:

[0171] The receiving module 801 is used to receive device parameter information sent by the first key management device, wherein the device parameter information reflects the device parameters when the first cryptographic device generates the target device key.

[0172] The generation module 802 is used to control the second cryptographic device to generate the target device key based on the device parameter information.

[0173] Storage module 803 is used to store the first domain key synchronized by the first key management device. The first domain key is used to encrypt the user key, and the user key corresponds to the user device.

[0174] The decryption module 804 is used to perform decryption based on the target device key to obtain the corresponding first domain key.

[0175] The first key management device and the first cryptographic device are located in the first area, and the second key management device and the second cryptographic device are located in the second area.

[0176] Please refer to Figure 9, which shows a schematic diagram of a cross-regional key synchronization device provided in an embodiment of this disclosure. This device is applied to a first cryptographic device and can be implemented through software, hardware, or a combination of both, as all or part of an electronic device. The device includes:

[0177] The generation module 901 is used to generate a target device key and device parameter information in response to the control operation of the first key management device, wherein the device parameter information reflects the device parameters when the first cryptographic device generates the target device key.

[0178] The providing module 902 is used to provide the device parameter information to the first key management device. The device parameter information is sent by the first key management device to the second key management device to control the second cryptographic device to generate the target device key based on the backup file. The first key management device and the first cryptographic device are located in a first area, and the second key management device and the second cryptographic device are located in a second area.

[0179] Figure 10 shows a structural block diagram of an electronic device 1000 provided in an exemplary embodiment of the present disclosure. Typically, the electronic device 1000 includes a processor 1001 and a memory 1002.

[0180] The processor 1001 can be implemented using at least one hardware form selected from DSP (Digital Signal Processor), FPGA (Field-Programmable Gate Array), and PLA (Programmable Logic Array). The processor 1001 may also include a main processor and a coprocessor; the main processor is a processor for processing data in the wake-up state, and the coprocessor is a low-power processor for processing data in the standby state. In some embodiments, the processor 1001 may integrate a GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content to be displayed on the screen. In some embodiments, the processor 1001 may also include an artificial intelligence processor for handling computational operations related to machine learning.

[0181] The memory 1002 may include one or more computer-readable storage media, which may be non-transitory computer-readable storage media, such as CD-ROM (Compact Disc Read-Only Memory), ROM, RAM (Random Access Memory), magnetic tape, floppy disk, and optical data storage devices. The computer-readable storage medium stores at least one computer program, which, when executed, enables the aforementioned cross-regional key synchronization method.

[0182] Of course, the aforementioned electronic device may also include other components, such as input/output interfaces and communication components. Input/output interfaces provide an interface between the processor and peripheral interface modules, which can be output devices, input devices, etc. Communication components are configured to facilitate wired or wireless communication between the electronic device and other devices.

[0183] Those skilled in the art will understand that the structure shown in Figure 10 does not constitute a limitation on the electronic device 1000, which may include more or fewer components than shown, combine certain components, or employ different component arrangements.

[0184] This disclosure provides a computer-readable storage medium storing at least one computer program, which, when executed by a processor, can implement the above-described cross-regional key synchronization method.

[0185] This disclosure provides a computer program product, which includes a computer program that, when executed by a processor, can implement the above-described cross-regional key synchronization method.

[0186] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes of the systems, devices, and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.

[0187] The above embodiments are only used to illustrate the technical solutions of this disclosure, and are not intended to limit it. Although this disclosure has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of this disclosure.

Claims

1. A cross-domain key synchronization system, wherein the system includes a first key management device, a first cryptographic device, a second key management device, and a second cryptographic device; the first key management device and the first cryptographic device are located in a first area, and the second key management device and the second cryptographic device are located in a second area; the first key management device is configured to: control the first cryptographic device to generate a target device key and device parameter information, and send the device parameter information to the second key management device, wherein the device parameter information reflects the device parameters of the first cryptographic device when generating the target device key; the second key management device is configured to: control the second cryptographic device to generate the target device key based on the device parameter information; and the first key management device is further configured to: generate a first domain key for encrypting a user key, invoke the first cryptographic device to encrypt the first domain key using the target device key, store the first encrypted domain key obtained by encryption, and synchronize the first encrypted domain key to the second key management device, wherein the user key corresponds to a user device.

2. The system of claim 1, wherein the first key management device is further configured to: generate the user key in response to a user key generation instruction triggered by the user device; encrypt the user key using the first domain key to obtain a first encrypted user key; store the first encrypted user key and the identifier of the first domain key, and synchronize the first encrypted user key and the identifier of the first domain key to the second key management device.

3. The system of claim 2, wherein the first key management device is further configured to: invoke the first cryptographic device to decrypt the first encrypted domain key using the target device key to obtain the first domain key.

4. The system of claim 2, wherein the first key management device is further configured to: send the identifier of the user key to the user device.

5. The system of claim 4, wherein the first key management device is further configured to: receive a data encryption request from the user device, the data encryption request including user data and an identifier of the user key; obtain the user key based on the identifier of the user key; encrypt the user data using the user key to obtain encrypted user data; and store the encrypted user data and synchronize the encrypted user data to the second key management device.

6. The system of claim 5, wherein the first key management device is further configured to: obtain the first encrypted user key and the first encrypted domain key based on the identifier of the user key; invoke the first cryptographic device to decrypt the first encrypted domain key using the target device key to obtain the first domain key; and use the first domain key to decrypt the first encrypted user key to obtain the user key.

7. The system according to any one of claims 1 to 6, wherein the first key management device is further configured to: generate a second domain key when it is determined that the domain key rotation condition is met; invoke the first cryptographic device to encrypt the second domain key using the target device key, thereby obtaining a second encrypted domain key; and store the second encrypted domain key and synchronize the second encrypted domain key to the second key management device.

8. The system according to claim 7, wherein the first key management device is further configured to: obtain the first encrypted domain key and the first encrypted user key; call the first cryptographic device to decrypt the first encrypted domain key using the target device key to obtain the first domain key; and use the first domain key to decrypt the first encrypted domain key to obtain the user key; and the first key management device is further configured to: encrypt the user key using the second domain key to obtain a second encrypted user key; store the second encrypted user key and the identifier of the second domain key, and synchronize the second encrypted user key and the identifier of the second domain key to the second key management device.

9. The system according to claim 8, wherein the first key management device is further configured to: set the second domain key to an active state and set the first domain key to an inactive state; the active state is used to indicate that, before the domain key rotation condition is met again, the first key management device should use the second domain key to encrypt a newly generated user key or to decrypt the second encrypted user key.

10. The system according to any one of claims 1 to 9, wherein the first key management device includes a first database and the second key management device includes a second database; the first database and the second database establish a communication connection based on a data transmission service to realize cross-regional synchronization of the first encrypted domain key, the first encrypted user key, and the encrypted user data.

11. The system according to any one of claims 1 to 10, wherein the number of second regions is at least one, and each second region is equipped with a corresponding second key management device and second cryptographic device; the first key management device is used to synchronize the device parameter information and the first encrypted domain key to the second key management devices of all the second regions, so as to realize unified synchronization of keys across multiple regions.

12. The system according to any one of claims 1 to 11, wherein the target device key generated by the first cryptographic device is stored locally on the first cryptographic device, the target device key generated by the second cryptographic device is stored locally on the second cryptographic device, and the target device key is not transmitted to other devices over the network.

13. The system of any one of claims 1 to 12, wherein, when the first key management device controls the first cryptographic device to generate the target device key, it is specifically configured to send a first initialization command; the first cryptographic device responds to the first initialization command by performing an initialization operation to generate the target device key and the corresponding device parameter information, wherein the device parameter information includes the key generation algorithm and initialization process parameters.

14. The system according to any one of claims 5 to 13, wherein the first key management device is further configured to return an encryption completion response to the user device after synchronizing the encrypted user data to the second key management device; the response includes a storage identifier of the encrypted user data for subsequent query or decryption operations by the user device.

15. A method of cross-domain key synchronization, applied to a first key management device, wherein the method includes: controlling a first cryptographic device to generate a target device key and device parameter information, wherein the device parameter information reflects the device parameters when the first cryptographic device generates the target device key, and the first key management device and the first cryptographic device are located in a first region; sending the device parameter information to a second key management device, so that the second key management device controls a second cryptographic device to generate the target device key according to the device parameter information, wherein the second key management device and the second cryptographic device are located in a second area; generating a first domain key for encrypting a user key, and invoking the first cryptographic device to encrypt the first domain key using the target device key, wherein the user key corresponds to a user device; and storing the first encrypted domain key obtained through encryption, and synchronizing the first encrypted domain key to the second key management device.

16. A cross-regional key synchronization method, applied to a second key management device, wherein the method includes: receiving device parameter information sent by a first key management device, wherein the device parameter information reflects the device parameters when a first cryptographic device generates a target device key; controlling a second cryptographic device to generate the target device key based on the device parameter information; and storing a first encrypted domain key synchronized by the first key management device, and a corresponding first domain key obtained by decryption based on the target device key, wherein the first encrypted domain key is the result of encrypting the first domain key using the target device key, and the first domain key is used to encrypt the user key corresponding to a user device; the first key management device and the first cryptographic device are located in a first area, and the second key management device and the second cryptographic device are located in a second area.

17. A cross-regional key synchronization method, applied to a first cryptographic device, wherein the method includes: in response to a control operation of a first key management device, generating a target device key and device parameter information, wherein the device parameter information reflects the device parameters of the first cryptographic device when generating the target device key; and providing the device parameter information to the first key management device, which then sends it to a second key management device to control a second cryptographic device to generate the target device key based on the device parameter information; the first key management device and the first cryptographic device are located in a first area, and the second key management device and the second cryptographic device are located in a second area.

18. An electronic device, comprising a processor and a memory, wherein the memory stores at least one piece of program code, and the at least one piece of program code is called and executed by the processor to implement the cross-regional key synchronization method as described in claim 10, or the cross-regional key synchronization method as described in claim 11, or the cross-regional key synchronization method as described in claim 12.

19. A computer-readable storage medium, wherein the computer-readable storage medium stores at least one computer program, which, when executed by a processor, is capable of implementing the cross-regional key synchronization method as described in claim 10, or the cross-regional key synchronization method as described in claim 11, or the cross-regional key synchronization method as described in claim 12.

20. A computer program product, wherein the computer program product includes a computer program that, when executed by a processor, can implement the cross-regional key synchronization method as described in claim 10, or the cross-regional key synchronization method as described in claim 11, or the cross-regional key synchronization method as described in claim 12.