DETAILED ACTION
1. 	This Non-Final Office Action is in response to application filed on 12/04/2020.  	Claims 1-20 are being considered on the merits. 	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
Drawings
2. 	The drawings filed on 12/04/2020 are accepted. 
Information Disclosure Statement
3.	The information disclosure statement (IDS) submitted on 04/08/2022 has been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, an initialed and dated copy of the Applicant’s IDS form 1449 filed on 04/08/2022 is attached to this office action. 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



4.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over US Pub No. US 2018/0159684 A1 to Roth, (hereinafter, “Roth”) in view of US Patent No. US 10,015,167 B1 to O’Kennedy, (hereinafter, “Kennedy”).
As per claim 1, Roth teaches a computer-implemented method, comprising: 
obtaining an application programming interface request to generate a data key (Roth, para. [0036] “The cryptography service 212 may receive a request, for example, through an application programming interface, and perform an encryption operation. The cryptography service 212 may include several components, including a managed key 216 that is operable for performing cryptographic operations such as encryption and decryption of data, an encryption module 214 capable of managing and accessing encryption configurations, accessing the managed key, and performing encryption and encryption-related tasks.”), the application programming interface request indicating: 
a set of compute regions; and a set of compute region preferences (Roth, para. [0036] “The cryptography service may include encryption configurations 218 that are accessible via a web server or stored locally within the cryptography service. Within the encryption configurations, a plurality of encryption configurations may be applicable to a plurality of encryption keys. In some embodiments, the managed key is a cryptographic key maintained a secure key store such as a Hardware Security Module (HSM). In some embodiments, the encryption configurations may be stored in a hard drive or database accessible by the encryption module”)
generating the data key; submitting requests to the set of compute regions to encrypt the data key (Roth, para. [0038] “a mapping of key identifiers to a plurality of encryption configurations that may be used with the encryption key or encryption keys that may be associated with the key identifier. Thus, in the embodiment previously described, the cryptography service may receive a request to encrypt data, use the key identifier to obtain an encryption key, retrieve a plurality of encryption configurations associated with the key identifier (e.g., where some or all encryption configurations were installed as a result of API calls to the cryptography service), select an encryption configuration from the plurality of encryption configurations associated with the key identifier, and perform an encryption operation on the data using the retrieved encryption key and the selected encryption configuration as inputs.”); 
obtaining, in response to the requests, a set of encrypted data keys that are encrypted using corresponding managed keys of the set of compute regions (Roth, para. [0041] “the encryption module 214 (or another module executed by the same computer system) is capable of generating cryptographic keys. For example, the encryption module 214 may have access to an entropy source suitable for generation of high quality random numbers. In such an embodiments, the cryptography service may generate a cryptographic key, encrypt the cryptography key using a managed key, and provide to the client as a response to the request the encrypted key 220, the cryptographic key 222 (data key), and the encryption configurations 224.”); and 
Roth teaches all the limitations of claim 1 above, however fails to explicitly teach but Kennedy teaches:
generating a data structure comprising: the set of compute region preferences; the set of encrypted data keys; and a set of bindings that map encrypted data keys of the set of encrypted data keys to corresponding compute regions of the set of compute regions (Kennedy, col. 6 lines 34-64 “The key management services may provide unified developer/application API key management capabilities transparently to a requesting application. The key management services may be provided by the custom service layer 112 to the API gateway platform 110. In general, the key management services may be invoked whenever a third party external API 212 being called requires an API key. At the time a developer adds a new third party API 212 as a capability to the developer's application 136, the key management services may transparently and automatically create an account for the developer with the third party provider service 104 and obtain a sub-key that is associated by the key management service with the developer's application 136 for use in calling the new third party API 212… in response to the service request may generate and transmit API service call message(s) to third party API(s) that require an API key (managed keys). As part of generation and transmission of the API service call message(s) the key management services may be used independently, or with the aggregation services, or with the selection services to expose one or more API products that require respective sub-keys (encrypted data keys).” And col. 14, lines 14-62 “Each of the configuration entities 328 for use by the aggregation services 310 may include a list of third party provider services 104, a protocol and/or format for communicating messages, such as service calls, to the respective third party providers APIs 212, and a mapping to interpret and/or reformat (as appropriate) the responses received…The configuration entities (compute regions) 328 may be stored in a database, a relational database, or some other form of storage where they can be accessed by the aggregation service 310 and the selection service 312 via the configuration lookup service 324. A respective configuration entity 328 may be accessed by the aggregation service 310 or the selection service 312 in response to receipt of an API service call request, and in response to a return of information from the API 212 in a response to the API service call request.”); 
providing a response to the application programming interface request that comprises at least the data structure (Kennedy, col. 16 lines 40-63 “The aggregation service 310 may provide the ability to make multiple parallel requests to multiple targets (third party APIs 212) and to extract a common set of data requirements from the outputs the third parties 104 return. The aggregation service 310 may take as an input the location in the data store 326 of a configuration entity 328, which the aggregation service 310 may retrieve using the configuration lookup service 324. (414) The configuration entity 328 may contain: a list of external third party services that the Aggregation Service should aggregate over; a list of supported inputs that the first context service 320A exposes; a list of the required output fields to return to the application of the user/client; and for each external third party service target: different valid URL protocol variants provided by each of the external service providers that the first core capability service 308A is supporting; mapping information for inputs of the extensible key management system to the external service provider's inputs; and a mechanism to extract each of the required outputs from the external providers service response.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Kennedy’s API key management system into Roth’s management of cryptographic keys, with a motivation to reduce development overhead with API driven propositions and managing associated API keys (Kennedy, col 1 lines 36-43). 
As per claim 2, the combination of Roth and Kennedy teaches the computer-implemented method of claim 1, the application programming interface request is a web service application programming interface request encoding parameters for: 
a set of cryptographic key identifiers for the managed keys of the set of compute regions; the set of compute regions; the set of compute region preferences (Roth, para. [0038] “a mapping of key identifiers to a plurality of encryption configurations that may be used with the encryption key or encryption keys that may be associated with the key identifier. Thus, in the embodiment previously described, the cryptography service may receive a request to encrypt data, use the key identifier to obtain an encryption key, retrieve a plurality of encryption configurations associated with the key identifier (e.g., where some or all encryption configurations were installed as a result of API calls to the cryptography service), select an encryption configuration from the plurality of encryption configurations associated with the key identifier, and perform an encryption operation on the data using the retrieved encryption key and the selected encryption configuration as inputs.”); and 
configuration information for generating the data key (Roth, para. [0040] “Encryption configurations may include metadata useful in selecting a specific encryption configuration from the plurality of encryption configurations. In some embodiments, the encryption configurations in the plurality of encryption configurations are strictly ordered and may be assigned a preference rank relative to other encryption configurations in the plurality. In other embodiments, the plurality of encryption configurations may be assigned a preference rank as described above but are not strictly ordered. These preferences may be assigned a priori, or may be dynamically calculated. In addition, it should be noted that the relative ordering of encryption configurations may be different in different pluralities. For example, the plurality of encryption configurations associated with key identifier #1 may have AES-GCM preferred over AES-CCM, whereas the plurality of encryption configurations associated with key identifier #2 may have AES-CCM preferred over AES-GCM (i.e., the preferences are reversed). These preference ranks are usable to select a specific encryption configuration from a plurality of encryption configurations.”).
As per claim 3, the combination of Roth and Kennedy teaches the computer-implemented method of claim 1, further comprising: 
obtaining a second application programming interface request to decrypt the data key, the second application programming interface request comprising the data structure (Roth, para. [0042] “to decrypt the encrypted data, the client may provide the encrypted key to the cryptography service and request the cryptography service to decrypt the key. In such a decryption request, the managed key may be specified explicitly (e.g., using a key identifier) or implicitly (e.g., as a default associated with a customer or, generally, by including information that is usable to determine the managed key from multiple managed keys but that is not classified as a key identifier). Upon receiving the decrypted key, the client may then use the received decrypted key to perform a decryption operation on the encrypted data to obtain the unencrypted data.”); 
inspecting the data structure to determine a first encrypted data key of the set of encrypted data keys corresponding to a managed key (Roth, para. [0061] “The cryptography service may identify 608 a cryptographic key with the key identifier. The key identifier may be any type of reference value that may be used as an identifier, such as a globally unique identifier (GUID), universally unique identifier (UUID), object identifier id (OD), and so forth. As noted, in alternate embodiments, the cryptographic key may be identified implicitly, such as by a default associated with the requestor (e.g., a particular client application) or an entity associated with the requestor (e.g., a customer of a service provider). In some embodiments, a hashing function may map key identifiers to cryptographic keys, for example, using a hash map, hash table, and/or other associative data structures. In addition to or as an alternative, key identifiers may be associated with cryptographic keys by various other software implementations including indexed databases. In some embodiments, a key identifier may be mapped to another value that provides metadata for identifying a cryptographic key. For example, a key identifier may map to a memory address location, file path, and/or network storage path that may contain the associated cryptographic key. In some embodiments, key identifiers may be associated with a plurality of cryptographic keys and/or no cryptographic keys. In some embodiments, a HSM may require the key identifier in order to retrieve a cryptographic key matching the key identifier.”); 
decrypting the first encrypted data key using the managed key to determine a plaintext of the data key; and providing a second response to the second application programming interface request that comprises the plaintext of the data key (Roth, para. [0042] “to decrypt the encrypted data, the client may provide the encrypted key to the cryptography service and request the cryptography service to decrypt the key. In such a decryption request, the managed key may be specified explicitly (e.g., using a key identifier) or implicitly (e.g., as a default associated with a customer or, generally, by including information that is usable to determine the managed key from multiple managed keys but that is not classified as a key identifier). Upon receiving the decrypted key, the client may then use the received decrypted key to perform a decryption operation on the encrypted data to obtain the unencrypted data.” And para. [0073] “Decryption of the encrypted data key may be performed similar to the manner in which it was decrypted. For example, the client may transmit a request to the cryptography service (specifying the key identifier used by the cryptography service) and the cryptography service may provide the virtual key in response. The client may use the information in the virtual key to cause the HSM 726 to decrypt the encrypted data key and provide the result of the decryption so that the client (or another system) can decrypt the data.”).
As per claim 4, the combination of Roth and Kennedy teaches the computer-implemented method of claim 1, wherein: 
the application programming interface request further comprises a set of cryptographic key identifiers that identify the corresponding managed keys; and the requests to the set of compute regions to encrypt the data key comprise at least the set of cryptographic key identifiers (Roth, para. [0029] “The client 202 may make a request to a cryptography service 212 wherein the client requests information from the cryptography service useable to perform an encryption operation. The request may include at least a key identifier 206, an encryption context 208 with metadata about the client and/or data to encrypt, and client capabilities 210 with regard to encryption and decryption. In some embodiments, the key identifier, encryption context, and client capabilities in FIG. 2 are in accordance with the respective components described above in FIG. 1.” And para. [0030] “It should be known that key identifiers 206 may be, but are not necessarily unique identifiers. For instance, a key identifier may identify a family of keys.” And para. [0032] “An encryption context 208 may include metadata about the data being encrypted and/or information about the client. For instance, the encryption context may specify a type of the data (e.g., credit card number, social security number, etc.) or information about the client (e.g., an identifier of an application whose execution caused the request to be submitted). An encryption module 214 may use the encryption context to determine whether to permit the encryption call to succeed and/or how to encrypt the data.”); 
As per claim 5, Roth teaches a system, comprising: 
one or more processors; and memory that stores computer-executable instructions that are executable by the one or more processors (Roth, para. [0084] “Each server typically will include an operating system that provides executable program instructions for the general administration and operation of that server and typically will include a computer-readable storage medium (e.g., a hard disk, random access memory, read only memory, etc.) storing instructions that, when executed by a processor of the server, allow the server to perform its intended functions.”) to cause the system to: 
obtain a request to perform a cryptographic operation, wherein the request comprises an encrypted cryptographic key data structure (Roth, para. [0042] “to decrypt the encrypted data, the client may provide the encrypted key to the cryptography service and request the cryptography service to decrypt the key. In such a decryption request, the managed key may be specified explicitly (e.g., using a key identifier) or implicitly (e.g., as a default associated with a customer or, generally, by including information that is usable to determine the managed key from multiple managed keys but that is not classified as a key identifier). Upon receiving the decrypted key, the client may then use the received decrypted key to perform a decryption operation on the encrypted data to obtain the unencrypted data.”), and further wherein the encrypted cryptographic key data structure comprises: 
a plurality of encrypted cryptographic keys; identifiers for a plurality of compute regions corresponding to the plurality of encrypted cryptographic keys (Roth, para. [0061] “The cryptography service may identify 608 a cryptographic key with the key identifier. The key identifier may be any type of reference value that may be used as an identifier, such as a globally unique identifier (GUID), universally unique identifier (UUID), object identifier id (OD), and so forth. As noted, in alternate embodiments, the cryptographic key may be identified implicitly, such as by a default associated with the requestor (e.g., a particular client application) or an entity associated with the requestor (e.g., a customer of a service provider). In some embodiments, a hashing function may map key identifiers to cryptographic keys, for example, using a hash map, hash table, and/or other associative data structures. In addition to or as an alternative, key identifiers may be associated with cryptographic keys by various other software implementations including indexed databases. In some embodiments, a key identifier may be mapped to another value that provides metadata for identifying a cryptographic key. For example, a key identifier may map to a memory address location, file path, and/or network storage path that may contain the associated cryptographic key. In some embodiments, key identifiers may be associated with a plurality of cryptographic keys and/or no cryptographic keys. In some embodiments, a HSM may require the key identifier in order to retrieve a cryptographic key matching the key identifier.”); and 
preferences indicating how to determine which compute region of the plurality of compute regions to use to perform cryptographic operations (Roth, para. [0038] “a mapping of key identifiers to a plurality of encryption configurations that may be used with the encryption key or encryption keys that may be associated with the key identifier. Thus, in the embodiment previously described, the cryptography service may receive a request to encrypt data, use the key identifier to obtain an encryption key, retrieve a plurality of encryption configurations associated with the key identifier (e.g., where some or all encryption configurations were installed as a result of API calls to the cryptography service), select an encryption configuration from the plurality of encryption configurations associated with the key identifier, and perform an encryption operation on the data using the retrieved encryption key and the selected encryption configuration as inputs.”);
Roth teaches all the limitations of claim 5 above, however fails to explicitly teach but Kennedy teaches:
 select a compute region of the plurality of compute regions based at least in part on the preferences and the selected compute region being available (Kennedy, col. 17 lines 29-56 “From the list of possible third party provider services 104, the selection services 312 may identify a target third party provider service 104. (432) The target third party provider service 104 may be identified as the only API 212 to which an API service call message is directed. The target third party provider service 104 may be chosen by the selection services 312 based on, for example, on input parameters received from the application and a configuration entity 328, which provides the basis on which to make the evaluation. For example, the configuration entity 328 may indicate the specific parameter(s) to use to make the selection of the target third party provider service, and how the selection services 312 should interpret the provided input parameters to make the selection. The parameters provided may include an account number, the name of the target third party provider service, security information of the target third party provider, an identifier of the external API 212 of the target third party provider service 104, or some other item of information that the selection service 312 can use to identify the target third party provider service 104 from among the list of possible third party provider services 104. In another example, the third context service 320C may identify which service provider to select as the target third party provider service from a list of available options. In this example, identification/selection of the target third party provider service 104 by the context service 320 may be based on input parameters received from the application and a configuration entity 328.”); and 
provide at least an encrypted cryptographic key to the selected compute region to perform the cryptographic operation, wherein the encrypted cryptographic key is from the plurality of encrypted cryptographic keys and is associated with the selected compute region (Kennedy, col. 6 lines 34-64 “The key management services may provide unified developer/application API key management capabilities transparently to a requesting application. The key management services may be provided by the custom service layer 112 to the API gateway platform 110. In general, the key management services may be invoked whenever a third party external API 212 being called requires an API key. At the time a developer adds a new third party API 212 as a capability to the developer's application 136, the key management services may transparently and automatically create an account for the developer with the third party provider service 104 and obtain a sub-key that is associated by the key management service with the developer's application 136 for use in calling the new third party API 212… in response to the service request may generate and transmit API service call message(s) to third party API(s) that require an API key (managed keys). As part of generation and transmission of the API service call message(s) the key management services may be used independently, or with the aggregation services, or with the selection services to expose one or more API products that require respective sub-keys (encrypted data keys).” And col. 14, lines 14-62 “Each of the configuration entities 328 for use by the aggregation services 310 may include a list of third party provider services 104, a protocol and/or format for communicating messages, such as service calls, to the respective third party providers APIs 212, and a mapping to interpret and/or reformat (as appropriate) the responses received…The configuration entities (compute regions) 328 may be stored in a database, a relational database, or some other form of storage where they can be accessed by the aggregation service 310 and the selection service 312 via the configuration lookup service 324. A respective configuration entity 328 may be accessed by the aggregation service 310 or the selection service 312 in response to receipt of an API service call request, and in response to a return of information from the API 212 in a response to the API service call request.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Kennedy’s API key management system into Roth’s management of cryptographic keys, with a motivation to reduce development overhead with API driven propositions and managing associated API keys (Kennedy, col 1 lines 36-43). 
As per claim 6, the combination of Roth and Kennedy teaches the system of claim 5, wherein the preferences indicate an order of compute regions of the plurality of compute regions to use to perform the cryptographic operations (Roth, para. [0040] “Encryption configurations may include metadata useful in selecting a specific encryption configuration from the plurality of encryption configurations. In some embodiments, the encryption configurations in the plurality of encryption configurations are strictly ordered and may be assigned a preference rank relative to other encryption configurations in the plurality. In other embodiments, the plurality of encryption configurations may be assigned a preference rank as described above but are not strictly ordered. These preferences may be assigned a priori, or may be dynamically calculated. In addition, it should be noted that the relative ordering of encryption configurations may be different in different pluralities. For example, the plurality of encryption configurations associated with key identifier #1 may have AES-GCM preferred over AES-CCM, whereas the plurality of encryption configurations associated with key identifier #2 may have AES-CCM preferred over AES-GCM (i.e., the preferences are reversed). These preference ranks are usable to select a specific encryption configuration from a plurality of encryption configurations.”).
As per claim 7, the combination of Roth and Kennedy teaches the system of claim 5, wherein the instructions to provide at least the encrypted cryptographic key to the selected compute region to perform the cryptographic operation further include instructions that, as a result of execution by the one or more processors, cause the system to provide the encrypted cryptographic key data structure to the selected compute region (Kennedy, col. 16 lines 40-63 “The aggregation service 310 may provide the ability to make multiple parallel requests to multiple targets (third party APIs 212) and to extract a common set of data requirements from the outputs the third parties 104 return. The aggregation service 310 may take as an input the location in the data store 326 of a configuration entity 328, which the aggregation service 310 may retrieve using the configuration lookup service 324. (414) The configuration entity 328 may contain: a list of external third party services that the Aggregation Service should aggregate over; a list of supported inputs that the first context service 320A exposes; a list of the required output fields to return to the application of the user/client; and for each external third party service target: different valid URL protocol variants provided by each of the external service providers that the first core capability service 308A is supporting; mapping information for inputs of the extensible key management system to the external service provider's inputs; and a mechanism to extract each of the required outputs from the external providers service response.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Kennedy’s API key management system into Roth’s management of cryptographic keys, with a motivation to reduce development overhead with API driven propositions and managing associated API keys (Kennedy, col 1 lines 36-43). 
As per claim 8, the combination of Roth and Kennedy teaches the system of claim 5, wherein the request to perform the cryptographic operation is a request to obtain a plaintext cryptographic key, further wherein the plurality of encrypted cryptographic keys are different ciphertexts of the plaintext cryptographic key (Roth, para. [0042] “to decrypt the encrypted data, the client may provide the encrypted key to the cryptography service and request the cryptography service to decrypt the key. In such a decryption request, the managed key may be specified explicitly (e.g., using a key identifier) or implicitly (e.g., as a default associated with a customer or, generally, by including information that is usable to determine the managed key from multiple managed keys but that is not classified as a key identifier). Upon receiving the decrypted key, the client may then use the received decrypted key to perform a decryption operation on the encrypted data to obtain the unencrypted data.” And para. [0073] “Decryption of the encrypted data key may be performed similar to the manner in which it was decrypted. For example, the client may transmit a request to the cryptography service (specifying the key identifier used by the cryptography service) and the cryptography service may provide the virtual key in response. The client may use the information in the virtual key to cause the HSM 726 to decrypt the encrypted data key and provide the result of the decryption so that the client (or another system) can decrypt the data.”)
As per claim 9, the combination of Roth and Kennedy teaches the system of claim 5, wherein the instructions to select the compute region of the plurality of compute regions include instructions that, as a result of execution by the one or more processors, cause the system to determine availability of compute regions of the plurality of compute regions by at least: 
transmitting a plurality of messages to the compute regions of the plurality of compute regions; and determining the availability of the compute regions based at least in part on responses to the plurality of messages (Kennedy, col. 17 lines 29-56 “From the list of possible third party provider services 104, the selection services 312 may identify a target third party provider service 104. (432) The target third party provider service 104 may be identified as the only API 212 to which an API service call message is directed. The target third party provider service 104 may be chosen by the selection services 312 based on, for example, on input parameters received from the application and a configuration entity 328, which provides the basis on which to make the evaluation. For example, the configuration entity 328 may indicate the specific parameter(s) to use to make the selection of the target third party provider service, and how the selection services 312 should interpret the provided input parameters to make the selection. The parameters provided may include an account number, the name of the target third party provider service, security information of the target third party provider, an identifier of the external API 212 of the target third party provider service 104, or some other item of information that the selection service 312 can use to identify the target third party provider service 104 from among the list of possible third party provider services 104. In another example, the third context service 320C may identify which service provider to select as the target third party provider service from a list of available options. In this example, identification/selection of the target third party provider service 104 by the context service 320 may be based on input parameters received from the application and a configuration entity 328.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Kennedy’s API key management system into Roth’s management of cryptographic keys, with a motivation to reduce development overhead with API driven propositions and managing associated API keys (Kennedy, col 1 lines 36-43). 
As per claim 10, the combination of Roth and Kennedy teaches the system of claim 5, wherein the instructions further include instructions that, as a result of execution by the one or more processors, cause the system to: 
generate a second request based at least in part on the request, wherein the second request includes an identifier of a managed key from the selected compute region and the encrypted cryptographic key (Roth, para. [0042] “to decrypt the encrypted data, the client may provide the encrypted key to the cryptography service and request the cryptography service to decrypt the key. In such a decryption request, the managed key may be specified explicitly (e.g., using a key identifier) or implicitly (e.g., as a default associated with a customer or, generally, by including information that is usable to determine the managed key from multiple managed keys but that is not classified as a key identifier). Upon receiving the decrypted key, the client may then use the received decrypted key to perform a decryption operation on the encrypted data to obtain the unencrypted data.”); and 
submit the second request to a cryptography service instance of the selected compute region to cause the cryptography service instance to decrypt the encrypted cryptographic key using the managed key from the selected compute region (Roth, para. [0042] “to decrypt the encrypted data, the client may provide the encrypted key to the cryptography service and request the cryptography service to decrypt the key. In such a decryption request, the managed key may be specified explicitly (e.g., using a key identifier) or implicitly (e.g., as a default associated with a customer or, generally, by including information that is usable to determine the managed key from multiple managed keys but that is not classified as a key identifier). Upon receiving the decrypted key, the client may then use the received decrypted key to perform a decryption operation on the encrypted data to obtain the unencrypted data.”).
As per claim 11, the combination of Roth and Kennedy teaches the system of claim 10, wherein the encrypted cryptographic key is encrypted with the managed key from the selected compute region (Roth, para. [0042] “to decrypt the encrypted data, the client may provide the encrypted key to the cryptography service and request the cryptography service to decrypt the key. In such a decryption request, the managed key may be specified explicitly (e.g., using a key identifier) or implicitly (e.g., as a default associated with a customer or, generally, by including information that is usable to determine the managed key from multiple managed keys but that is not classified as a key identifier). Upon receiving the decrypted key, the client may then use the received decrypted key to perform a decryption operation on the encrypted data to obtain the unencrypted data.”).
As per claim 12, the combination of Roth and Kennedy teaches the system of claim 5, wherein the encrypted cryptographic key is provided to a cryptography service instance of the selected compute region (Roth, para. [0029] “The client 202 may make a request to a cryptography service 212 wherein the client requests information from the cryptography service useable to perform an encryption operation. The request may include at least a key identifier 206, an encryption context 208 with metadata about the client and/or data to encrypt, and client capabilities 210 with regard to encryption and decryption. In some embodiments, the key identifier, encryption context, and client capabilities in FIG. 2 are in accordance with the respective components described above in FIG. 1.” And para. [0030] “It should be known that key identifiers 206 may be, but are not necessarily unique identifiers. For instance, a key identifier may identify a family of keys.” And para. [0032] “An encryption context 208 may include metadata about the data being encrypted and/or information about the client. For instance, the encryption context may specify a type of the data (e.g., credit card number, social security number, etc.) or information about the client (e.g., an identifier of an application whose execution caused the request to be submitted). An encryption module 214 may use the encryption context to determine whether to permit the encryption call to succeed and/or how to encrypt the data.”).
As per claim 13, Roth teaches a non-transitory computer-readable storage medium storing thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to: 
submit an application programming interface request to generate a cryptographic key (Roth, para. [0036] “The cryptography service 212 may receive a request, for example, through an application programming interface, and perform an encryption operation. The cryptography service 212 may include several components, including a managed key 216 that is operable for performing cryptographic operations such as encryption and decryption of data, an encryption module 214 capable of managing and accessing encryption configurations, accessing the managed key, and performing encryption and encryption-related tasks.”), the application programming interface request comprising: 
a set of compute regions; and a set of preferences (Roth, para. [0036] “The cryptography service may include encryption configurations 218 that are accessible via a web server or stored locally within the cryptography service. Within the encryption configurations, a plurality of encryption configurations may be applicable to a plurality of encryption keys. In some embodiments, the managed key is a cryptographic key maintained a secure key store such as a Hardware Security Module (HSM). In some embodiments, the encryption configurations may be stored in a hard drive or database accessible by the encryption module”); 
Roth teaches all the limitations of claim 13 above, however fails to explicitly teach but Kennedy teaches:
obtain a response to the application programming interface request that comprises the cryptographic key and a data structure encoding: the set of preferences; a set of encrypted data keys; and a set of bindings that map encrypted data keys of the set of encrypted data keys to corresponding compute regions of the set of compute regions (Kennedy, col. 6 lines 34-64 “The key management services may provide unified developer/application API key management capabilities transparently to a requesting application. The key management services may be provided by the custom service layer 112 to the API gateway platform 110. In general, the key management services may be invoked whenever a third party external API 212 being called requires an API key. At the time a developer adds a new third party API 212 as a capability to the developer's application 136, the key management services may transparently and automatically create an account for the developer with the third party provider service 104 and obtain a sub-key that is associated by the key management service with the developer's application 136 for use in calling the new third party API 212… in response to the service request may generate and transmit API service call message(s) to third party API(s) that require an API key (managed keys). As part of generation and transmission of the API service call message(s) the key management services may be used independently, or with the aggregation services, or with the selection services to expose one or more API products that require respective sub-keys (encrypted data keys).” And col. 14, lines 14-62 “Each of the configuration entities 328 for use by the aggregation services 310 may include a list of third party provider services 104, a protocol and/or format for communicating messages, such as service calls, to the respective third party providers APIs 212, and a mapping to interpret and/or reformat (as appropriate) the responses received…The configuration entities (compute regions) 328 may be stored in a database, a relational database, or some other form of storage where they can be accessed by the aggregation service 310 and the selection service 312 via the configuration lookup service 324. A respective configuration entity 328 may be accessed by the aggregation service 310 or the selection service 312 in response to receipt of an API service call request, and in response to a return of information from the API 212 in a response to the API service call request.”); and 
wherein the data structure is usable, by the computer system, to submit cryptographic requests that can be fulfilled contingent upon at least one of the set of compute regions being available (Kennedy, col. 17 lines 29-56 “From the list of possible third party provider services 104, the selection services 312 may identify a target third party provider service 104. (432) The target third party provider service 104 may be identified as the only API 212 to which an API service call message is directed. The target third party provider service 104 may be chosen by the selection services 312 based on, for example, on input parameters received from the application and a configuration entity 328, which provides the basis on which to make the evaluation. For example, the configuration entity 328 may indicate the specific parameter(s) to use to make the selection of the target third party provider service, and how the selection services 312 should interpret the provided input parameters to make the selection. The parameters provided may include an account number, the name of the target third party provider service, security information of the target third party provider, an identifier of the external API 212 of the target third party provider service 104, or some other item of information that the selection service 312 can use to identify the target third party provider service 104 from among the list of possible third party provider services 104. In another example, the third context service 320C may identify which service provider to select as the target third party provider service from a list of available options. In this example, identification/selection of the target third party provider service 104 by the context service 320 may be based on input parameters received from the application and a configuration entity 328.”);
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Kennedy’s API key management system into Roth’s management of cryptographic keys, with a motivation to reduce development overhead with API driven propositions and managing associated API keys (Kennedy, col 1 lines 36-43). 
As per claim 14, the combination of Roth and Kennedy teaches the non-transitory computer-readable storage medium of claim 13, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to:
submit a second application programming interface request comprising the data structure; and obtain, from a region of the set of compute regions, a second response to the second application programming interface request comprising a plaintext data key (Roth, para. [0042] “to decrypt the encrypted data, the client may provide the encrypted key to the cryptography service and request the cryptography service to decrypt the key. In such a decryption request, the managed key may be specified explicitly (e.g., using a key identifier) or implicitly (e.g., as a default associated with a customer or, generally, by including information that is usable to determine the managed key from multiple managed keys but that is not classified as a key identifier). Upon receiving the decrypted key, the client may then use the received decrypted key to perform a decryption operation on the encrypted data to obtain the unencrypted data.” And para. [0073] “Decryption of the encrypted data key may be performed similar to the manner in which it was decrypted. For example, the client may transmit a request to the cryptography service (specifying the key identifier used by the cryptography service) and the cryptography service may provide the virtual key in response. The client may use the information in the virtual key to cause the HSM 726 to decrypt the encrypted data key and provide the result of the decryption so that the client (or another system) can decrypt the data.”).
As per claim 15, the combination of Roth and Kennedy teaches the non-transitory computer-readable storage medium of claim 13, wherein the set of preferences comprise one or more criteria that determine which compute region of the set of compute regions to use to perform cryptographic operations (Roth, para. [0033] “the encryption context 208 may include information about the client useful for encrypting the data. In an embodiment, the client may make available to the cryptography service 212, as part of the encryption context, characteristics of the client that includes or precludes the use of an encryption configuration to fulfill the request. For example, a client may provide information on its physical geography (e.g., global positioning system (GPS) coordinates, a country identifier and/or other information that indicates a geographic location), and as a result, may impose additional restrictions on which encryption configurations may be used in compliance with local government regulations and/or export of cryptography regulations.”).
As per claim 16, the combination of Roth and Kennedy teaches the non-transitory computer-readable storage medium of claim 15, wherein the one or more criteria comprise at least one of: 
geographical requirements; latency requirements; or security requirements (Roth, para. [0033] “the encryption context 208 may include information about the client useful for encrypting the data. In an embodiment, the client may make available to the cryptography service 212, as part of the encryption context, characteristics of the client that includes or precludes the use of an encryption configuration to fulfill the request. For example, a client may provide information on its physical geography (e.g., global positioning system (GPS) coordinates, a country identifier and/or other information that indicates a geographic location), and as a result, may impose additional restrictions on which encryption configurations may be used in compliance with local government regulations and/or export of cryptography regulations.”).
As per claim 17, the combination of Roth and Kennedy teaches the non-transitory computer-readable storage medium of claim 13, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors of the computer system, cause the computer system to: 
submit a second application programming interface request to update the cryptographic key, the second application programming interface request comprising: an updated set of preferences; an updated set of compute regions; and the data structure (Roth, para. [0029] “FIG. 2 shows an illustrative environment 200 for encrypting data 204 in a client 202. The client 202 may make a request to a cryptography service 212 wherein the client requests information from the cryptography service useable to perform an encryption operation. The request may include at least a key identifier 206, an encryption context 208 with metadata about the client and/or data to encrypt, and client capabilities 210 with regard to encryption and decryption. In some embodiments, the key identifier, encryption context, and client capabilities in FIG. 2 are in accordance with the respective components described above in FIG. 1.” And para. [0030] “It should be known that key identifiers 206 may be, but are not necessarily unique identifiers. For instance, a key identifier may identify a family of keys. For example, in some embodiments, key rotation is performed. Key rotation may involve replacing keys with other keys to prevent collection of enough decrypted data to allow practical cracking of a cipher used.”); and 
obtain a second response to the second application programming interface request comprising an updated data structure, the updated data structure comprising: the updated set of preferences; an updated set of encrypted data keys; and an updated set of bindings that map encrypted data keys of the updated set of encrypted data keys to corresponding compute regions of the updated set of compute regions (Roth, para. [0083] “The data store 1010 can include several separate data tables, databases, data documents, dynamic data storage schemes and/or other data storage mechanisms and media for storing data relating to a particular aspect of the present disclosure. For example, the data store illustrated may include mechanisms for storing production data 1012 and user information 1016, which can be used to serve content for the production side. The data store also is shown to include a mechanism for storing log data 1014, which can be used for reporting, analysis or other such purposes. It should be understood that there can be many other aspects that may need to be stored in the data store, such as page image information and access rights information, which can be stored in any of the above listed mechanisms as appropriate or in additional mechanisms in the data store 1010. The data store 1010 is operable, through logic associated therewith, to receive instructions from the application server 1008 and obtain, update or otherwise process data in response thereto.”).

As per claim 18, the combination of Roth and Kennedy teaches the non-transitory computer-readable storage medium of claim 13, wherein the application programming interface request further comprises an indication of a length of the cryptographic key (Roth, para. [0019] “The cryptography service may include encryption configurations specifying how the cryptographic key should be used by a client of the cryptography service or another system operating in conjunction with the client of the cryptography service. An encryption configuration may specify preferred encryption algorithms, block sizes, and/or virtual keys. The encryption configuration may be applicable globally to the use of all cryptographic keys and all cryptographic operations, or may be applied to a subset of cryptographic keys and/or cryptographic operations. Multiple encryption configurations may exist for a cryptographic key or a subset of cryptographic keys, in which case a relative ordering of preferences may be defined, either statically (e.g., by defining a numerical rank for each policy that exist for a subset of cryptographic keys) or dynamically (e.g., by a computer algorithm whose relative ranking of the subset of policies may change over time and/or logical conditions)”).
As per claim 19, the combination of Roth and Kennedy teaches the non-transitory computer-readable storage medium of claim 13, wherein the cryptographic requests include requests to obtain the cryptographic key, in plaintext form, from the data structure (Roth, para. [0042] “to decrypt the encrypted data, the client may provide the encrypted key to the cryptography service and request the cryptography service to decrypt the key. In such a decryption request, the managed key may be specified explicitly (e.g., using a key identifier) or implicitly (e.g., as a default associated with a customer or, generally, by including information that is usable to determine the managed key from multiple managed keys but that is not classified as a key identifier). Upon receiving the decrypted key, the client may then use the received decrypted key to perform a decryption operation on the encrypted data to obtain the unencrypted data.” And para. [0073] “Decryption of the encrypted data key may be performed similar to the manner in which it was decrypted. For example, the client may transmit a request to the cryptography service (specifying the key identifier used by the cryptography service) and the cryptography service may provide the virtual key in response. The client may use the information in the virtual key to cause the HSM 726 to decrypt the encrypted data key and provide the result of the decryption so that the client (or another system) can decrypt the data.”).

As per claim 20, the combination of Roth and Kennedy teaches the non-transitory computer-readable storage medium of claim 13, wherein the data structure is an opaque data structure (Roth, para. [0032] “An encryption context 208 may include metadata about the data being encrypted and/or information about the client. For instance, the encryption context may specify a type of the data (e.g., credit card number, social security number, etc.) or information about the client (e.g., an identifier of an application whose execution caused the request to be submitted). An encryption module 214 may use the encryption context to determine whether to permit the encryption call to succeed and/or how to encrypt the data. The encryption module may be any component (e.g., a program module) operable to perform cryptographic operations such as encryption and decryption. The encryption module may be implemented as hardware, software, or a combination thereof. In some embodiments, the encryption module is a program module executing inside of a security module, such as an HSM. The encryption module is not accessible directly by the cryptography service (e.g., the encryption module is not stored on, or accessible strictly by the hardware and software components that comprise the cryptography service), but accessible via another component. For example, the cryptography service may have a secure connection (e.g., a Secure Socket Layer (SSL) connection and/or a virtual private network (VPN) connection) to access an encryption module located on a remote server. In some embodiments, the encryption context includes a key-value map of strings to strings of labeled arbitrary metadata that may be used to determine how to encrypt data. For example, in an embodiment, the encryption context may include a key describing data classifications and values describing the type of data to encrypt, a hypothetical key-value map being “DataClassification” to “CreditCard” that may be useful for determining which encryption configurations 218 are suitable and/or not suitable for encrypting “CreditCard” data.”).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 20200099519 A1 – Enhanced key availability for data services.
US 20170262638 A1 – Encrypted storage engines.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZOHA P TAFAGHODI whose telephone number is (571)272-5199.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199  or 571-272-1000.
/ZOHA PIYADEHGHIBI TAFAGHODI/Examiner, Art Unit 2437           

/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434