File system support for rolling keys

US 10,032,038 B2
Filed: 04/29/2015
Issued: 07/24/2018
Est. Priority Date: 04/29/2015
Status: Active Grant

First Claim

Patent Images

1. A method for implementing a key rolling program that functions as a background process on a computing device, the method comprising:

by a central processing unit (CPU) of the computing device;

identifying a file stored in a first location of a memory, the file including a first encrypted portion encrypted using a first key and a second encrypted portion encrypted using the first key;

allocating a reserved area of memory in a second location of the memory that is sized to accommodate the file;

decrypting the first encrypted portion of the file using the first key to produce a decrypted first portion of the file;

encrypting the decrypted first portion of the file using a second key that is different than the first key to produce a re-encrypted portion of the file, wherein;

an application is allowed to access the first encrypted portion of the file using the first key while encrypting the decrypted first portion of the file using the second key, andthe re-encrypted portion of the file duplicates information in the first encrypted portion of the file;

storing the re-encrypted portion of the file in the reserved area of memory; and

updating metadata associated with the file to indicate that;

a first portion of the file is encrypted with the second key and stored as the re-encrypted portion of the file in the reserved area of memory, anda second portion of the file is encrypted with the first key and stored as the second encrypted portion in the first location of the memory.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This application relates to a key rolling process for a file system of a computing device. The key rolling process allows for files to be transparently re-encrypted in a background process while still allowing applications to access files being re-encrypted. During re-encryption, a portion of the file is decrypted using a current key for the file and re-encrypted using a new key for the file. During re-encryption, the portion of the file can be relocated to another location in memory. Metadata associated with the file can be updated to include information pertaining to the location of the re-encrypted portion. The metadata can also be updated include information pertaining to how much of the file has been re-encrypted with the new key and how much of the file remains encrypted with the current key.

15 Citations

View as Search Results

23 Claims

1. A method for implementing a key rolling program that functions as a background process on a computing device, the method comprising:
- by a central processing unit (CPU) of the computing device;
  
  identifying a file stored in a first location of a memory, the file including a first encrypted portion encrypted using a first key and a second encrypted portion encrypted using the first key;
  
  allocating a reserved area of memory in a second location of the memory that is sized to accommodate the file;
  
  decrypting the first encrypted portion of the file using the first key to produce a decrypted first portion of the file;
  
  encrypting the decrypted first portion of the file using a second key that is different than the first key to produce a re-encrypted portion of the file, wherein;
  
  an application is allowed to access the first encrypted portion of the file using the first key while encrypting the decrypted first portion of the file using the second key, andthe re-encrypted portion of the file duplicates information in the first encrypted portion of the file;
  
  storing the re-encrypted portion of the file in the reserved area of memory; and
  
  updating metadata associated with the file to indicate that;
  
  a first portion of the file is encrypted with the second key and stored as the re-encrypted portion of the file in the reserved area of memory, anda second portion of the file is encrypted with the first key and stored as the second encrypted portion in the first location of the memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising, prior to allocating the reserved area of memory:
    - accessing state data associated with the computing device; and
      
      determining, based on the state data, that the computing device is operating in a mode under which the key rolling program executes in a transparent manner to a user of the computing device.
  - 3. The method of claim 1, further comprising:
    - permitting, while encrypting the first decrypted portion of the file using the second key, the application of the computing device to access the second portion of the file.
  - 4. The method of claim 1, wherein updating the metadata includes modifying an offset value that indicates a difference between the first portion of the file and the second portion of the file.
  - 5. The method of claim 1, wherein updating the metadata includes modifying a bitmap that indicates a difference between the first portion of the file and the second portion of the file.
  - 6. The method of claim 1, wherein the file is completely relocated to the reserved area of memory when all portions of the file are encrypted using the second key.
  - 7. The method of claim 6, wherein the reserved area of memory reduces an overall fragmentation of different portions of the file that are encrypted using the second key.

8. A computing device configured to implement a key rolling program that functions as a background process, the computing device comprising:
- at least one processor; and
  
  at least one memory configured to store instructions that, when executed by the at least one processor, cause the computing device to;
  
  identify a file stored in a first location of a file system, the file including a first encrypted portion encrypted using a first key and a second encrypted portion encrypted using the first key;
  
  allocate a reserved area of memory in a second location of the file system that is sized to accommodate the file;
  
  decrypt the first encrypted portion of the file using the first key to produce a decrypted first portion of the file;
  
  encrypt the decrypted first portion of the file using a second key that is different than the first key to produce a re-encrypted portion of the file, wherein;
  
  an application is allowed to access the first encrypted portion of the file using the first key while encrypting the decrypted first portion of the file using the second key, andthe re-encrypted portion of the file duplicates information in the first encrypted portion of the file;
  
  write the re-encrypted portion of the file to the reserved area of memory; and
  
  update metadata associated with the file to indicate that;
  
  a first portion of the file is encrypted with the second key and stored as the re-encrypted portion of the file in the reserved area of memory in the file system, anda second portion of the file is encrypted with the first key and stored as the second encrypted portion in the file system.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computing device of claim 8, wherein the decrypted first portion of the file is encrypted with the second key simultaneous to the application accessing the second portion of the file.
  - 10. The computing device of claim 9, wherein the decrypted first portion of the file is encrypted with the second key in response to the computing device being connected to an external power supply.
  - 11. The computing device of claim 8, wherein the metadata is updated to identify a size of each of the first portion of the file and the second portion of the file.
  - 12. The computing device of claim 8, wherein the at least one processor further causes the computing device to, prior to allocating the reserved area of memory:
    - access state data associated with the computing device; and
      
      determine, based on the state data, that the computing device is operating in a mode under which the key rolling program executes in a transparent manner to a user of the computing device.
  - 13. The computing device of claim 8, wherein the file is encrypted using more than two keys.
  - 14. The computing device of claim 8, wherein the first key and the second key each have different times of origination.

15. A machine-readable non-transitory storage medium configured to store instructions that, when executed by a central processing unit (CPU) included in a computing device, cause the computing device to implement a key rolling program that functions as a background process on the computing device, by carrying out steps that include:
- identifying a file stored in a first location of a memory, the file including a first encrypted portion encrypted using a first key and a second encrypted portion encrypted using the first key;
  
  allocating a reserved area of memory in a second location of the memory that is sized to accommodate the second encrypted portion of the file;
  
  decrypting the first encrypted portion of the file using the first key to produce a decrypted first portion of the file;
  
  encrypting the decrypted first portion of the file using a second key that is different than the first key to produce a re-encrypted portion of the file, wherein;
  
  an application is allowed to access the first encrypted portion of the file using the first key while encrypting the decrypted first portion of the file using the second key, andthe re-encrypted portion of the file duplicates information in the first encrypted portion of the file;
  
  storing the re-encrypted portion of the file in the reserved area of memory; and
  
  updating metadata associated with the file to indicate that;
  
  a first portion of the file is encrypted with the second key and stored as the re-encrypted portion of the file in the reserved area of memory, anda second portion of the file is encrypted with the first key and stored as the second encrypted portion in the first location of the memory.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The machine-readable non-transitory storage medium of claim 15, wherein the steps further include:
    - accessing state data associated with the computing device; and
      
      determining, based on the state data, that the computing device is operating in a mode under which the key rolling program executes in a transparent manner to a user of the computing device.
  - 17. The machine-readable non-transitory storage medium of claim 15, wherein updating the metadata comprises generating an offset value corresponding to a progress of re-encrypting the file using the second key.
  - 18. The machine-readable non-transitory storage medium of claim 15, wherein the steps further include:
    - permitting the second encrypted portion of the file to be accessed by the application on the computing device during the encrypting the decrypted first portion of the file using the second key.
  - 19. The machine-readable non-transitory storage medium of claim 18, wherein the steps further include:
    - designating, as free space, a portion of the memory previously occupied by the first encrypted portion of the file.

20. A method for implementing a key rolling program that functions as background process on a computing device, the method comprising:
- by a central processing unit (CPU) of the computing device;
  
  identifying a file, including a first encrypted portion encrypted using a first key and a second encrypted portion encrypted using the first key, stored in a first location of a file system;
  
  allocating a reserved area of memory in a second location of the file system;
  
  decrypting the first encrypted portion of the file using the first key to produce a decrypted first portion of the file;
  
  encrypting the decrypted first portion of the file using a second key that is different than the first key to produce a re-encrypted portion of the file, wherein the re-encrypted portion of the file duplicates information in the first encrypted portion of the file;
  
  storing the re-encrypted portion of the file in the reserved area of memory; and
  
  permitting, while encrypting the decrypted first portion of the file using the second key, an application of the computing device to access the first encrypted portion of the file and the second encrypted portion of the file at the first location of the file system using the first key.
- View Dependent Claims (21, 22, 23)
- - 21. The method of claim 20, further comprising:
    - updating metadata associated with the file to indicate that;
      
      a first portion of the file is encrypted with the second key and stored as the re-encrypted portion of the file in the reserved area of memory, anda second portion of the file is encrypted with the first key and stored as the second encrypted portion in the first location of the file system.
  - 22. The method of claim 20, wherein the file is associated with a group of users and encrypting the decrypted first portion of the file using the second key is in response to a user leaving the group.
  - 23. The method of claim 20, wherein the first key and the second key each have different times of origination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Suter, Christopher J., Tamura, Eric B., Colley, George K., Day, Mark S.
Primary Examiner(s)
Shaifer Harriman, Dant B

Application Number

US14/700,070
Publication Number

US 20160321460A1
Time in Patent Office

1,182 Days
Field of Search

713189, 713193
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6209   to a single file or object,...

H04L 9/14   using a plurality of keys o...

File system support for rolling keys

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

File system support for rolling keys

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links