Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Terminal Disclaimer
The terminal disclaimer filed on 6-21-2022 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of patents 10127399 and 10671748 has been reviewed and is accepted. The terminal disclaimer has been recorded.

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  Authorization for this examiner’s amendment was given in an interview with Carl Reed (attorney) for filed claims:
1. (Currently Amended) A method for managing keys for objects stored in a cloud service that stores the objects, the method comprising:
storing keys at a key server in the cloud service, wherein the keys stored at the key server are always encrypted at the cloud service;
associating the keys with a manifest at the key server, wherein the manifest identifies objects associated with the keys stored at the key server;
storing a master key at a client, wherein the master key is generated at the client and is never transmitted to the key server, wherein all decryption of the keys stored at the key server occurs at the client such that the keys are never exposed in an unencrypted form at the cloud service;
accessing the keys and the objects from the cloud service in an encrypted form; and decrypting the keys and the objects at the client, wherein the master key is used decrypt the keys needed to decrypt the encrypted objects accessed from the cloud service; 
initiating generation of a new key, by the key server, by instructing the client to generate the new key; and
storing the master keys in hierarchical form at the client.

2. (Original) The method of claim 1, further comprising storing the keys in hierarchical form at the cloud service.

3. (Currently Amended) The method of claim 1, further comprising storing a set of master keys at the client.

4. (Original) The method of claim 3, wherein the set of master keys are stored on a storage device, a removable device, a smart card protected by a personal identification number, a hardware token, or an electronic key ring.

5. (Original) The method of claim 1, wherein an object is re-encrypted with associated keys and reuploaded to the cloud service when use of an object is completed.

6. (Original) The method of claim 1, wherein the objects are stored as de-duplicated blocks and wherein each of the de-duplicated blocks is associated with a key.

7. (Original) The method of claim 1, further comprising identifying keys needed to decrypt an object once the object is requested by the client.

8. (Previously Presented) The method of claim 1, wherein the keys are stored on multiple key servers or appliances.

9. (Previously Presented) The method of claim 1, wherein the key server provided by the cloud service is a key management server or appliance configured to manage keys.

10. (Previously Presented) The method of claim 1, wherein the key server performs a data protection operation to backup the keys to another storage device or service.

11. (Previously Presented) The method of claim 1, further comprising generating, by the client, a new key, encrypting an object with the new key, encrypting the new key with the master key, and providing the encrypted object and the encrypted key to the key server.

12. (Cancelled)

13. (Cancelled)

14. (Currently Amended) A non-transitory computer readable medium comprising computer executable instructions for performing operations, the operations including:
storing keys at a key server in the cloud service, wherein the keys stored at the key server are always encrypted at the cloud service;
associating the keys with a manifest at the key server, wherein the manifest identifies objects associated with the keys stored at the key server;
storing a master key at a client, wherein the master key is generated at the client and is never transmitted to the key server, wherein all decryption of the keys stored at the key server occurs at the client such that the keys are never exposed in an unencrypted form at the cloud service;
accessing the keys and the objects from the cloud service in an encrypted form; and decrypting the keys and the objects at the client, wherein the master key is used decrypt the keys needed to decrypt the encrypted objects accessed from the cloud service;
 initiating generation of a new key, by the key server, by instructing the client to generate the new key; and
storing the master keys in hierarchical form at the client.

15. (Previously Presented) The non-transitory computer readable medium of claim 14, further comprising storing the keys in hierarchical form at the cloud service.

16. (Currently Amended) The non-transitory computer readable medium of claim 14, further comprising storing a set of master keys at the client.

17. (Previously Presented) The non-transitory computer readable medium of claim 16, wherein the set of master keys are stored on a storage device, a removable device, a smart card protected by a personal identification number, a hardware token, or an electronic key ring.

18. (Previously Presented) The non-transitory computer readable medium of claim 14, wherein an object is re-encrypted with associated keys and reuploaded to the cloud service when use of an object is completed.

19. (Previously Presented) The non-transitory computer readable medium of claim 14, where the objects are stored as de-duplicated blocks and wherein each of the de-duplicated blocks is associated with a key.

20. (Previously Presented) The non-transitory computer readable medium of claim 14, further comprising identifying keys needed to decrypt an object once the object is requested by the client.

21. (New) A method for managing keys for objects stored in a cloud service that stores the objects, the method comprising:
storing keys at a key server in the cloud service, wherein the keys stored at the key server are always encrypted at the cloud service;
associating the keys with a manifest at the key server, wherein the manifest identifies objects associated with the keys stored at the key server;
storing a master key at a client, wherein the master key is generated at the client and is never transmitted to the key server, wherein all decryption of the keys stored at the key server occurs at the client such that the keys are never exposed in an unencrypted form at the cloud service;
accessing the keys and the objects from the cloud service in an encrypted form; and decrypting the keys and the objects at the client, wherein the master key is used decrypt the keys needed to decrypt the encrypted objects accessed from the cloud service; and
generating, by the client, a new key, encrypting an object with the new key, encrypting the new key with the master key, and providing the encrypted object and the encrypted key to the key server.  

Dependent claims 12 and 13 are cancelled.  

Response to Arguments
The amended claims 1 – 11 and 14 – 21 were considered under 35 USC 112, 101 and 102 / 103 for patentability over the closest and analogous prior art of record. Applicant’s arguments have been fully considered and are persuasive. Dependent claims 12 and 13 are cancelled.

Allowable Subject Matter
1.	Amended claims 1 – 11 and 14 – 21 are allowed in light of applicant’s arguments, approved examiner’s proposed amendments and in light of prior art(s) made of record. 
                                                                                                                                                                                  
Reasons for Allowance
None of the prior art of record, alone or in any combination, anticipates or renders obvious the claimed invention of the present application at or before the time it was filed. The prior art of record fails to teach: Objects are encrypted using keys that are also encrypted after encrypting the objects. In order to access the objects, a master key that is unknown to the service storing the objects and/or managing the keys is used to decrypt the keys so that the objects can be decrypted with the decrypted key. The key server initiates generation of a new key by instructing the client to generate the new key, and the master keys are stored in hierarchical form at the client.
Therefore, independent claim 1 and its corresponding dependent claims are allowed in light of applicant’s arguments, approved examiner’s amendments and prior art of record. The same reasoning applies, mutatis mutandis, to amended independent claims 14 and 21 and their corresponding dependent claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
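
The key flow summarized in the reasons for allowance, together with the client-side steps recited in the new independent method claim, can be sketched as follows. This is an added illustration, not code from the application or the record: `KeyServer`, `seal`, `open`, `Put` and `Get` are hypothetical names, AES-256-GCM is an assumed cipher (the claims name none), and the sample object is constructed.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type KeyServer struct{ Manifest, Objects map[string][]byte } // hypothetical cloud side: ciphertext only

// seal and open: AES-256-GCM (assumed), random nonce prepended; open rejects a wrong key or altered data.
func seal(key, pt []byte) []byte {
	blk, _ := aes.NewCipher(key) // cannot fail here: every key in this sketch is 32 bytes
	gcm, _ := cipher.NewGCM(blk)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, pt, nil)
}

func open(key, ct []byte) ([]byte, error) {
	blk, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(blk)
	if len(ct) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext missing or too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// Put and Get run at the client; the master key is only an argument here and is never stored in KeyServer.
func Put(s *KeyServer, master []byte, id string, data []byte) {
	k := make([]byte, 32) // new per-object key, generated at the client
	rand.Read(k)
	s.Objects[id], s.Manifest[id] = seal(k, data), seal(master, k) // upload ciphertext and wrapped key
}

func Get(s *KeyServer, master []byte, id string) ([]byte, error) {
	k, err := open(master, s.Manifest[id]) // unwrap the object key locally
	if err != nil {
		return nil, err
	}
	return open(k, s.Objects[id]) // decrypt the object locally
}

func main() {
	s, master := &KeyServer{map[string][]byte{}, map[string][]byte{}}, make([]byte, 32)
	rand.Read(master) // master key: generated at the client, never uploaded
	Put(s, master, "obj-1", []byte("constructed sample object"))
	pt, err := Get(s, master, "obj-1")
	fmt.Printf("%s (err=%v)\n", pt, err)
}
```

Everything the `KeyServer` value holds is ciphertext, so a copy of its two maps without the client's master key yields neither object keys nor objects.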
                                                                                                                                                                                                            
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see form “PTO-892 Notice of References Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to whose telephone number is 571-2703867.  The examiner can normally be reached on M-F: 7:30am-5pm (EST).  Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.  Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.	


/BADRINARAYANAN /P'Examiner, Art Unit 2496.