File system support for rolling keys
Abstract
This application relates to a key rolling process for a file system of a computing device. The key rolling process allows for files to be transparently re-encrypted in a background process while still allowing applications to access files being re-encrypted. During re-encryption, a portion of the file is decrypted using a current key for the file and re-encrypted using a new key for the file. During re-encryption, the portion of the file can be relocated to another location in memory. Metadata associated with the file can be updated to include information pertaining to the location of the re-encrypted portion. The metadata can also be updated to include information pertaining to how much of the file has been re-encrypted with the new key and how much of the file remains encrypted with the current key.
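The process in the abstract, as an added sketch that is not code from the patent or from any file system implementing it: a background step re-encrypts one portion into a reserved area and then advances a metadata watermark, while the read path uses that watermark to pick the location and key for each portion. The SHA-256 keystream is a stand-in for a real cipher, in-memory lists model the two storage locations, and `FileMeta`, `roll_one` and `read` are hypothetical names.

```python
import hashlib
from dataclasses import dataclass

CHUNK = 16  # bytes per portion (constructed; must not exceed the 32-byte digest)

def xor_stream(key: bytes, index: int, data: bytes) -> bytes:
    """Stand-in cipher, not for production: XOR with SHA-256(key || chunk index)."""
    ks = hashlib.sha256(key + index.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, ks))

@dataclass
class FileMeta:
    old_loc: list    # first location: every chunk encrypted under the first key
    new_loc: list    # reserved area, sized to accommodate the whole file
    rolled: int = 0  # chunks [0, rolled) are valid in new_loc under the second key

def create(plaintext: bytes, key: bytes) -> FileMeta:
    """Build a file whose chunks are all encrypted under one key."""
    chunks = [plaintext[i:i + CHUNK] for i in range(0, len(plaintext), CHUNK)]
    old = [xor_stream(key, i, c) for i, c in enumerate(chunks)]
    return FileMeta(old_loc=old, new_loc=[None] * len(old))

def roll_one(meta: FileMeta, k1: bytes, k2: bytes) -> bool:
    """Background step: re-encrypt one chunk. Returns False once nothing is left."""
    i = meta.rolled
    if i >= len(meta.old_loc):
        return False
    plain = xor_stream(k1, i, meta.old_loc[i])
    # The re-encrypted copy duplicates the original, which stays readable in place.
    meta.new_loc[i] = xor_stream(k2, i, plain)
    # Advancing the watermark is the commit point; until then readers use k1.
    meta.rolled = i + 1
    return True

def read(meta: FileMeta, k1: bytes, k2: bytes) -> bytes:
    """Application read path: metadata selects location and key per chunk."""
    out = b""
    for i in range(len(meta.old_loc)):
        if i < meta.rolled:
            out += xor_stream(k2, i, meta.new_loc[i])
        else:
            out += xor_stream(k1, i, meta.old_loc[i])
    return out
```

Writing the ciphertext before advancing `rolled` means an interruption between the two steps leaves the file fully readable under the first key, and the step can simply be repeated.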
23 Claims
1. A method for implementing a key rolling program that functions as a background process on a computing device, the method comprising:
by a central processing unit (CPU) of the computing device:
identifying a file stored in a first location of a memory, the file including a first encrypted portion encrypted using a first key and a second encrypted portion encrypted using the first key;
allocating a reserved area of memory in a second location of the memory that is sized to accommodate the file;
decrypting the first encrypted portion of the file using the first key to produce a decrypted first portion of the file;
encrypting the decrypted first portion of the file using a second key that is different than the first key to produce a re-encrypted portion of the file, wherein:
  an application is allowed to access the first encrypted portion of the file using the first key while encrypting the decrypted first portion of the file using the second key, and
  the re-encrypted portion of the file duplicates information in the first encrypted portion of the file;
storing the re-encrypted portion of the file in the reserved area of memory; and
updating metadata associated with the file to indicate that:
  a first portion of the file is encrypted with the second key and stored as the re-encrypted portion of the file in the reserved area of memory, and
  a second portion of the file is encrypted with the first key and stored as the second encrypted portion in the first location of the memory.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A computing device configured to implement a key rolling program that functions as a background process, the computing device comprising:
at least one processor; and
at least one memory configured to store instructions that, when executed by the at least one processor, cause the computing device to:
identify a file stored in a first location of a file system, the file including a first encrypted portion encrypted using a first key and a second encrypted portion encrypted using the first key;
allocate a reserved area of memory in a second location of the file system that is sized to accommodate the file;
decrypt the first encrypted portion of the file using the first key to produce a decrypted first portion of the file;
encrypt the decrypted first portion of the file using a second key that is different than the first key to produce a re-encrypted portion of the file, wherein:
  an application is allowed to access the first encrypted portion of the file using the first key while encrypting the decrypted first portion of the file using the second key, and
  the re-encrypted portion of the file duplicates information in the first encrypted portion of the file;
write the re-encrypted portion of the file to the reserved area of memory; and
update metadata associated with the file to indicate that:
  a first portion of the file is encrypted with the second key and stored as the re-encrypted portion of the file in the reserved area of memory in the file system, and
  a second portion of the file is encrypted with the first key and stored as the second encrypted portion in the file system.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A machine-readable non-transitory storage medium configured to store instructions that, when executed by a central processing unit (CPU) included in a computing device, cause the computing device to implement a key rolling program that functions as a background process on the computing device, by carrying out steps that include:
identifying a file stored in a first location of a memory, the file including a first encrypted portion encrypted using a first key and a second encrypted portion encrypted using the first key;
allocating a reserved area of memory in a second location of the memory that is sized to accommodate the second encrypted portion of the file;
decrypting the first encrypted portion of the file using the first key to produce a decrypted first portion of the file;
encrypting the decrypted first portion of the file using a second key that is different than the first key to produce a re-encrypted portion of the file, wherein:
  an application is allowed to access the first encrypted portion of the file using the first key while encrypting the decrypted first portion of the file using the second key, and
  the re-encrypted portion of the file duplicates information in the first encrypted portion of the file;
storing the re-encrypted portion of the file in the reserved area of memory; and
updating metadata associated with the file to indicate that:
  a first portion of the file is encrypted with the second key and stored as the re-encrypted portion of the file in the reserved area of memory, and
  a second portion of the file is encrypted with the first key and stored as the second encrypted portion in the first location of the memory.
Dependent claims: 16, 17, 18, 19
20. A method for implementing a key rolling program that functions as a background process on a computing device, the method comprising:
by a central processing unit (CPU) of the computing device:
identifying a file, including a first encrypted portion encrypted using a first key and a second encrypted portion encrypted using the first key, stored in a first location of a file system;
allocating a reserved area of memory in a second location of the file system;
decrypting the first encrypted portion of the file using the first key to produce a decrypted first portion of the file;
encrypting the decrypted first portion of the file using a second key that is different than the first key to produce a re-encrypted portion of the file, wherein the re-encrypted portion of the file duplicates information in the first encrypted portion of the file;
storing the re-encrypted portion of the file in the reserved area of memory; and
permitting, while encrypting the decrypted first portion of the file using the second key, an application of the computing device to access the first encrypted portion of the file and the second encrypted portion of the file at the first location of the file system using the first key.
Dependent claims: 21, 22, 23
Specification