Preventing persistent storage of cryptographic information using signaling
First Claim
Patent Images
1. A non-transitory computer-readable storage medium having stored thereon executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
- cause a virtual machine instance to be executed under the control of a hypervisor that manages interaction between the virtual machine instance and hardware of the computer system;
determine a memory location of the virtual machine instance containing a cryptographic key;
determine a serialization event of at least a portion of the virtual machine instance will occur;
generate serialization data associated with the virtual machine instance, the serialization data lacking the cryptographic key based at least in part on the hypervisor not serializing data stored in the memory location; and
transmit, in response to restarting the virtual machine instance, a request to a security module to restore the cryptographic key to the virtual machine instance.
1 Assignment
0 Petitions
Accused Products
Abstract
Organizations maintain and generate large amounts of sensitive information using computer hardware resources and services of a service provider. Furthermore, there is a need to be able to delete large amounts of data securely and quickly by encrypting the data with a key and destroying the key. To ensure that information stored remotely is secured and capable of secure deletion, cryptographic keys used by the organization should be prevented from being persistently stored during serialization operations.
63 Citations
20 Claims
-
1. A non-transitory computer-readable storage medium having stored thereon executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
-
cause a virtual machine instance to be executed under the control of a hypervisor that manages interaction between the virtual machine instance and hardware of the computer system; determine a memory location of the virtual machine instance containing a cryptographic key; determine a serialization event of at least a portion of the virtual machine instance will occur; generate serialization data associated with the virtual machine instance, the serialization data lacking the cryptographic key based at least in part on the hypervisor not serializing data stored in the memory location; and transmit, in response to restarting the virtual machine instance, a request to a security module to restore the cryptographic key to the virtual machine instance. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A system, comprising:
-
one or more processors; and memory that includes instructions that, if executed by the one or more processors, cause the system to at least; cause a hypervisor and a guest virtual machine to be executed; determine a memory location of the guest virtual machine to contain a cryptographic key; cause the cryptographic key to be stored in the memory location such that the cryptographic key is accessible to the guest virtual machine; determine a serialization event will occur; generate serialization data of the guest virtual machine that lacks serialized data associated with the memory location; and transmit, in response to restarting the guest virtual machine, a request to a cryptographic security module to restore the cryptographic key to the guest virtual machine. - View Dependent Claims (8, 9, 10, 11, 12)
-
-
13. A computer-implemented method, comprising:
-
causing a hypervisor and a virtual machine instance to be launched; receiving an indication of a memory location of the virtual machine instance not to be persisted in plaintext data during a serialization event; detecting that a serialization will be completed; generating serialization data as part of the serialization event such that the serialization lacks plaintext data associated with the memory location; and transmitting, in response to restarting the virtual machine instance, a request to a security module to restore a cryptographic key to the virtual machine instance. - View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
-
Specification