Methods, systems, and apparatuses for managing a hard drive security system

US 10,181,041 B2
Filed: 10/29/2015
Issued: 01/15/2019
Est. Priority Date: 03/01/2011
Status: Active Grant

First Claim

Patent Images

1. A system for use with an electronic device, the electronic device comprising a self-encrypting drive (SED), the SED comprising a nominal space and a pre-boot region, wherein the nominal space can be locked to prevent access to the nominal space, the system comprising:

a SED management component configured to be loaded in the pre-boot region of the SED, the SED management component comprising;

a pre-boot operating system (OS); and

an access management functionality,wherein the access management functionality comprises an authentication mapping utility operable to provide mapping between a nominal credential of a user and a SED credential of the user,wherein the SED management component is configured to generate a driver session key (DSK), to encrypt an SED credential with the DSK, and to encrypt the DSK with a hash made of the nominal credentials of a given user,wherein the encrypting of the SED credential with the DSK comprises encrypting a SED credential of an authorized user with the DSK, and storing the encrypted SED credential in the pre-boot region,wherein the encrypting of the DSK with a hash made of the nominal credentials of a given user comprises, for each of one or more additional users, creating a hash of the respective additional user'"'"'s nominal credentials, creating a respective encrypted version of the DSK using the respective hash, and storing the respective one or more encrypted versions of the DSK in the pre-boot region, andwherein the SED management component is further configured to;

with the nominal space locked, upon entry of a nominal credential of a given one of the one or more additional users, hash the entered nominal credential to create a hash, and use the hash to attempt to decrypt the encrypted version of the DSK created for the given one of the one or more additional users;

if the attempt to decrypt is successful, use the decrypted version of the DSK created for the given one of the one or more additional users to decrypt the encrypted SED credential, and use the decrypted SED credential to unlock the nominal space, andif the attempt to decrypt fails a predetermined number of times, lock the electronic device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for use with a computer is provided, the computer including a self-encrypting drive (SED), the SED including a nominal space and a pre-boot region, wherein the nominal space can be locked to prevent access to the nominal space. The system includes SED management software configured to be loaded in the pre-boot region of the SED. The SED management software includes a pre-boot operating system (OS) and an unlocking program. The unlocking program is configured (a) to execute within the pre-boot OS, and (b) upon successful authentication of a user, to unlock the nominal space of the SED. Other embodiments are described and claimed.

Citations

118 Claims

1. A system for use with an electronic device, the electronic device comprising a self-encrypting drive (SED), the SED comprising a nominal space and a pre-boot region, wherein the nominal space can be locked to prevent access to the nominal space, the system comprising:
- a SED management component configured to be loaded in the pre-boot region of the SED, the SED management component comprising;
  
  a pre-boot operating system (OS); and
  
  an access management functionality,wherein the access management functionality comprises an authentication mapping utility operable to provide mapping between a nominal credential of a user and a SED credential of the user,wherein the SED management component is configured to generate a driver session key (DSK), to encrypt an SED credential with the DSK, and to encrypt the DSK with a hash made of the nominal credentials of a given user,wherein the encrypting of the SED credential with the DSK comprises encrypting a SED credential of an authorized user with the DSK, and storing the encrypted SED credential in the pre-boot region,wherein the encrypting of the DSK with a hash made of the nominal credentials of a given user comprises, for each of one or more additional users, creating a hash of the respective additional user'"'"'s nominal credentials, creating a respective encrypted version of the DSK using the respective hash, and storing the respective one or more encrypted versions of the DSK in the pre-boot region, andwherein the SED management component is further configured to;
  
  with the nominal space locked, upon entry of a nominal credential of a given one of the one or more additional users, hash the entered nominal credential to create a hash, and use the hash to attempt to decrypt the encrypted version of the DSK created for the given one of the one or more additional users;
  
  if the attempt to decrypt is successful, use the decrypted version of the DSK created for the given one of the one or more additional users to decrypt the encrypted SED credential, and use the decrypted SED credential to unlock the nominal space, andif the attempt to decrypt fails a predetermined number of times, lock the electronic device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 118)
- - 2. The system of claim 1,wherein the SED management component is configured to activate encryption for the electronic device, andwherein, after activation of encryption, the pre-boot region is read-only.
  - 3. The system of claim 2, wherein the activation of encryption comprises (a) downloading the SED management component, the pre-boot OS and an unlocking program into the pre-boot region, using an administrative pin, or (b) pre-installing the SED management component, the pre-boot OS and the unlocking program into the pre-boot region, prior to purchase of the electronic device.
  - 4. The system of claim 1, wherein the SED management component is configured to permit partitioning of the nominal space into two or more partitions.
  - 5. The system of claim 1, wherein the SED management component is configured to permit assigning to a user rights of access to the nominal space and/or to a partition of the nominal space.
  - 6. The system of claim 1, wherein the access management functionality comprises an additional user utility operable to provide access to the electronic device for a number of users and administrators greater than a number of available SED credentials, for a number of users and administrators greater than a number of users and administrators allowed by an Opal standard, or for more than four users and one administrator.
  - 7. The system of claim 1, wherein the access management functionality comprises a SED management console operable to permit enrolling users on the electronic device.
  - 8. The system of claim 1, wherein the access management functionality comprises a remote enrollment utility operable to permit to remote enrolling of users on the electronic device.
  - 9. The system of claim 1, wherein the SED management component is configured to allow an administrator to set authentication requirements for the electronic device.
  - 10. The system of claim 1, wherein the SED management component is configured to allow an administrator to prohibit at least one user from modifying settings of the electronic device.
  - 11. The system of claim 1, wherein the SED management component is configured to allow an administrator to revoke a user'"'"'s credentials, thereby preventing the user from accessing the electronic device.
  - 12. The system of claim 1, wherein the SED management component is configured to allow an administrator to erase a user'"'"'s drive on the electronic device.
  - 13. The system of claim 1, wherein the SED management component is configured to allow an administrator to add functionality into the pre-boot region.
  - 14. The system of claim 1, wherein the access management functionality comprises a single sign on utility operable to automatically log a user onto a nominal operating system of the electronic device, upon successful authentication of the user during boot up of the electronic device.
  - 15. The system of claim 1, wherein at least one of the nominal credential of the user and the SED credential of the user is a password, a biometric credential, a smart card, a token, or an RFID security device.
  - 16. The system of claim 1, wherein the access management functionality comprises an emergency login functionality operable to permit a user access to the electronic device in the event of a login failure.
  - 17. The system of claim 16, further comprising a server in communication with the electronic device, wherein the emergency login functionality is configured to:
    - in response to a failed login attempt on the electronic device, cause the electronic device to provide a challenge code;
      
      in response to entry of the challenge code on the server, cause the server to provide a response code; and
      
      in response to entry of the response code on the electronic device, unlock the nominal space.
  - 18. The system of claim 16, wherein the emergency login functionality is configured to:
    - receive from a user input indicating (a) a selection of one or more challenge questions and (b) an answer for each selected challenge question; and
      
      upon a subsequent login failure of the user, present at least one of the one or more selected challenge questions to the user; and
      
      upon entry by the user of the answer previously indicated for at least one of the presented challenge questions, unlock the nominal space.
  - 19. The system of claim 1, wherein the access management functionality comprises an authentication synchronizing utility operable to synchronize nominal credentials of a user with SED credentials of the user.
  - 20. The system of claim 19, wherein the authentication synchronization functionality is configured to:
    - receive notification from a credential provider of a change of a nominal password of a user;
      
      hash a nominal username of the user and the nominal password of the user to create a first hash;
      
      decrypt a SED password of the user using the first hash;
      
      hash the nominal username of the user and a new nominal password that has been assigned to the user to create a second hash; and
      
      encrypt the SED password of the user using the second hash.
  - 21. The system of claim 20, wherein the authentication synchronization functionality is further configured to:
    - upon subsequent logon by the user, receive a nominal username and a nominal password entered by the user;
      
      hash the entered nominal username and the entered nominal password to create a third hash; and
      
      attempt to decrypt the SED password of the user using the third hash.
  - 22. The system of claim 1, wherein the access management functionality comprises a pre-boot GUI operable to permit interaction with a user during a pre-boot authentication process of the electronic device, while the nominal space is locked.
  - 23. The system of claim 22, wherein the access management functionality further comprises a pre-boot keyboard functionality operable to provide a virtual keyboard on the pre-boot GUI.
  - 24. The system of claim 1, wherein the access management functionality comprises a supplemental encryption utility operable to permit a user to selectively encrypt items on the electronic device.
  - 25. The system of claim 24, wherein the selectively encryptable items comprise files, folders and/or documents, and wherein the system is further operable to perform at least one of the following:
    - (i) encrypt all files within a given folder if a user selects the given folder for encryption; and
      
      (ii) encrypt files copied or moved to an encrypted folder.
  - 26. The system of claim 24, wherein the access management functionality comprises a customized supplemental access utility operable to allow a user to grant one or more other users access to one or more selectively encrypted items on the electronic device.
  - 27. The system of claim 1, wherein the pre-boot OS is Linux-based.
  - 74. The system of claim 1, wherein the SED management component is operable to use a roaming profile as a digital certificate for purposes of encrypting items.
  - 75. The system of claim 1, wherein users are enrolled using one or more of a password, a biometric credential, a smart card, a token, and an RFID security device as one or more forms of authentication.
  - 76. The system of claim 75, wherein the biometric credential is a fingerprint, any finger of the user may be used for the fingerprint, and enrollment is performed using a touch sensor or a swipe sensor to capture the fingerprint.
  - 77. The system of claim 1, wherein the SED management component is configured to provide access to the electronic device for at least one of the following:
    - (i) one to four users and one administrator;
      
      (ii) respective numbers of users and administrators allowed by an Opal standard; and
      
      (iii) a number of users and administrators equal to a number of available SED credentials.
  - 78. The system of claim 1,wherein the SED management component is configured to permit an administrator to create one or more profiles, each profile defining respective rights of access to the electronic device, andwherein the SED management component is configured to permit the administrator to assign each of the one or more profiles to a respective set of users, each set of users comprising one or more users.
  - 79. The system of claim 78, wherein the nominal space comprises a plurality of partitions, and each profile defines respective rights of access to each of the partitions, wherein for a given profile the rights of access may differ for different partitions.
  - 80. The system of claim 1, wherein the SED management component is operable to back up a user'"'"'s profile.
  - 81. The system of claim 1, wherein the SED management component is operable to restore a user'"'"'s profile, using a backup user profile.
  - 82. The system of claim 1, wherein the SED management component is operable to permit enabling of a standby mode.
  - 83. The system of claim 1, wherein the SED management component is further configured to allow the administrator to make the authentication requirements subject to an emergency override.
  - 84. The system of claim 1, wherein the SED management component is configured to allow an administrator to set different authentication requirements for different functions of the electronic device, wherein the different functions include at least two of:
    - (i) login, (ii) encryption/decryption, (iii) user management functions, and (iv) other functions.
  - 85. The system of claim 1, wherein the SED management component further comprises:
    - an unlocking program configured (a) to execute within the pre-boot OS, and (b) upon successful authentication of the user, to unlock the nominal space.
  - 86. The system of claim 1,wherein the SED management component further comprises an unlocking program configured (a) to execute within the pre-boot OS, and (b) upon successful authentication of the user, to unlock the nominal space, andwherein the unlocking program is configured to send a credential to unlock the SED, upon entry of an item of authentication by the user.
  - 87. The system of claim 1, wherein the nominal space contains a nominal OS, and wherein the SED management component further comprises:
    - an unlocking program configured (a) to execute within the pre-boot OS, and (b) upon successful authentication of a user, to transfer control to the nominal OS.
  - 88. The system of claim 1, wherein the nominal space includes a nominal OS, and the SED management component is configured to cause the nominal OS to boot the electronic device upon the successful authentication of the user.
  - 89. The system of claim 1,wherein the SED management component further comprises an unlocking program configured (a) to execute within the pre-boot OS, and (b) upon successful authentication of the user, to unlock the nominal space, andwherein at least one of the following sets of conditions holds:
    - (i) wherein the nominal space includes a nominal OS, and wherein, if the electronic device is powered on with encryption on, control is transferred to the unlocking program prior to control being transferred to the nominal OS, and(ii) wherein the electronic device further comprises a memory,wherein the nominal space includes a nominal OS and a plurality of sectors including sector 0,wherein sector 0 of the nominal space contains the nominal OS and,wherein, upon the successful authentication of the user, the unlocking program reads, puts into the memory, and transfers control to sector 0 of the nominal space.
  - 90. The system of claim 1, further comprising:
    - the electronic device including the SED, the SED including the nominal space and the pre-boot region, wherein the nominal space can be locked to prevent access to the nominal space, and wherein the SED management component is loaded in the pre-boot region.
  - 91. The system of claim 90, wherein the nominal space comprises a nominal operating system (OS), the nominal OS comprising a Windows®
    - OS, an Android™
      
      OS, or another OS.
  - 92. The system of claim 90, wherein the SED comprises at least one of the following:
    - (i) a processor configured to encrypt and decrypt the nominal space; and
      
      (ii) a password key for encryption/decryption.
  - 93. The system of claim 90, wherein the nominal space and the pre-boot region are non-overlapping portions of the SED.
  - 94. The system of claim 90,wherein the SED management component further comprises an unlocking program configured (a) to execute within the pre-boot OS, and (b) upon successful authentication of the user, to unlock the nominal space, andwherein at least one of the following conditions holds:
    - (i) wherein the pre-boot region comprises one or more sectors, and the unlocking program is stored in a first sector of the pre-boot region,(ii) wherein the unlocking program is stored in an area that is rendered read-only after the unlocking program is written to the area, and(iii) wherein the SED management component is configured to temporarily grant write access to the pre-boot region, store the unlocking program in the pre-boot region, and revert the pre-boot region to read-only.
  - 95. The system of claim 90, wherein at least one of the following conditions holds:
    - (i) the pre-boot region is hidden from users when the nominal space is unlocked; and
      
      (ii) the pre-boot region is hidden from users after the successful authentication of the user.
  - 96. The system of claim 90, wherein at least one of the following conditions holds:
    - (i) the nominal space is hidden from users when the pre-boot region is unlocked, and (ii) the nominal space is hidden from users prior to the successful authentication of the user.
  - 97. The system of claim 90, wherein at least one of the following conditions holds:
    - (i) if the electronic device is powered on with encryption on, the nominal space is encrypted and locked, and (ii) if the electronic device is powered on with encryption on, the pre-boot region is accessible to a user.
  - 98. The system of claim 90, wherein, if the electronic device is powered on with encryption on and a first sector of the nominal space is requested, a first sector of the pre-boot region is returned.
  - 99. The system of claim 90, further comprising a server operable to communicate with the electronic device, wherein the electronic device serves as a client.
  - 100. The system of claim 99, wherein the SED management console resides on the server.
  - 101. The system of claim 90, wherein the electronic device is configured as a server operable to communicate with one or more client devices.
  - 102. The system of claim 7, wherein a first user enrolled by the SED management console is designated an administrator, the administrator having rights of control over user access to the electronic device.
  - 103. The system of claim 1, wherein at least one of the following conditions holds:
    - (i) at least one of the user'"'"'s nominal credential and the user'"'"'s SED credential comprises multiple authentication credentials, and(ii) at least one of the user'"'"'s nominal credential and the user'"'"'s SED credential comprises a username and/or a domain name.
  - 104. The system of claim 1, wherein the SED management component is configured to hash the nominal credentials of the given user when the given user attempts to log on, yielding a hash, to use the hash to decrypt the encrypted DSK, and to use the decrypted DSK to decrypt the encrypted SED credential.
  - 105. The system of claim 104, wherein the SED management component is further operable to:
    - (i) upon successful decryption of the SED credential, unlock the nominal space; and
      
      (ii) upon an unsuccessful attempt to decrypt the SED credential, permit the given user a pre-determined number of additional attempts to re-enter the nominal credentials of the given user and, if a number of unsuccessful attempts to decrypt the SED credential equals the pre-determined number, lock the computer.
  - 106. The system of claim 20, wherein the authentication synchronization functionality is further configured to:
    - provide a hook for the credential provider to send the notification of the change of the nominal password of the user.
  - 107. The system of claim 21, wherein the authentication synchronization functionality is further configured to:
    - (i) upon a successful attempt to decrypt the SED password of the user, unlock the nominal space; and
      
      (ii) upon an unsuccessful attempt to decrypt the SED password of the user, permit the user a pre-determined number of additional attempts to re-enter a nominal username and a nominal password and, if a number of unsuccessful attempts to decrypt the SED password of the user equals the pre-determined number, lock the electronic device.
  - 108. The system of claim 24, wherein the supplemental encryption utility is further operable to permit a user to selectively decrypt encrypted items on the electronic device, subject to authentication of the user.
  - 109. The system of claim 108, wherein the supplemental encryption utility is further operable, upon selection, for decryption, of an encrypted item located in a given location, to retain the selected item in encrypted form in the given location and to save a copy of the selected item in decrypted form in another location.
  - 110. The system of claim 24,wherein the selectively encryptable items comprise files, folders and/or documents, andwherein the SED management component is operable (a) to permit a user to open, edit, and close an encrypted file, and (b) to automatically encrypt the encrypted file upon closing thereof.
  - 111. The system of claim 26, wherein the access granted comprises the ability to view, modify and delete the one or more selectively encrypted items.
  - 112. The system of claim 26, wherein the customized supplemental access utility is further operable to allow the user to revoke the access to the one or more selectively encrypted items granted to any of the one or more users.
  - 118. The system of claim 1, wherein the SED management component further comprises one or more pre-boot libraries configured to support the pre-boot OS, wherein the pre-boot libraries include at least one of:
    - key entry functionality, graphics functionality, and drivers for authentication devices.

28. A method for use with an electronic device, the electronic device comprising a self-encrypting drive (SED), the SED comprising a nominal space and a pre-boot region, wherein the nominal space can be locked to prevent access to the nominal space, the method comprising:
- providing an access management functionality;
  
  providing mapping between a nominal credential of a user and a SED credential of the user;
  
  generating a driver session key (DSK);
  
  encrypting a SED credential with the DSK; and
  
  encrypting the DSK with a hash made of the nominal credentials of a given user,wherein the encrypting of the SED credential with the DSK comprises encrypting a SED credential of an authorized user with the DSK, and storing the encrypted SED credential in the pre-boot region,wherein the encrypting of the DSK with a hash made of the nominal credentials of a given user comprises, for each of one or more additional users, creating a hash of the respective additional user'"'"'s nominal credentials, creating a respective encrypted version of the DSK using the respective hash, and storing the respective one or more encrypted versions of the DSK in the pre-boot region, andwherein the method further comprises;
  
  with the nominal space locked, upon entry of a nominal credential of a given one of the one or more additional users, hashing the entered nominal credential to create a hash, and using the hash to attempt to decrypt the encrypted version of the DSK created for the given one of the one or more additional users;
  
  if the attempt to decrypt is successful, using the decrypted version of the DSK created for the given one of the one or more additional users to decrypt the encrypted SED credential, and using the decrypted SED credential to unlock the nominal space; and
  
  if the attempt to decrypt fails a predetermined number of times, locking the electronic device.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 113, 114, 115, 116, 117)
- - 29. The method of claim 28, further comprising permitting a user access to the electronic device in the event of a login failure.
  - 30. The method of claim 28, further comprising synchronizing nominal credentials of a user with SED credentials of the user.
  - 31. The method of claim 28, further comprising:
    - performing the following for one or more users;
      
      after receipt of a respective user'"'"'s nominal credentials, generating a respective driver session key (DSK);
      
      encrypting an available SED credential with the respective DSK to create a respective encrypted SED credential;
      
      hashing the respective user'"'"'s nominal credentials to obtain a first hash; and
      
      encrypting the respective DSK with the first hash of the respective user'"'"'s nominal credentials to obtain a respective encrypted the DSK.
  - 32. The method of claim 31, further comprising:
    - after receipt of nominal credentials of a given one of the one or more users, entered during a subsequent logon, hashing the received nominal credentials to obtain a second hash;
      
      using the second hash to attempt to decrypt the DSK encrypted with the first hash of the nominal credentials of the given one of the one or more users; and
      
      using the DSK, whose decryption was attempted using the second hash, to attempt to decrypt the SED credential encrypted with the DSK.
  - 33. The method of claim 32, further comprising:
    - upon an unsuccessful attempt to decrypt the SED credential, permitting the given one of the one or more users a pre-determined number of additional attempts to re-enter the nominal credentials of the given one of the one or more users and, if a number of unsuccessful attempts to decrypt the SED credential equals the pre-determined number, locking the electronic device; and
      
      upon successful decryption of the SED credential, unlocking the nominal space.
  - 34. The method of claim 29, further comprising:
    - in response to a failed login attempt by a user of an electronic device, providing the user with a challenge code;
      
      in response to entry of the challenge code by an administrator for the electronic device, providing the administrator with a response code; and
      
      in response to entry of the response code by the user, unlocking the nominal space,wherein the electronic device is a client in a client-server arrangement, and wherein the entry of the challenge code by the administrator occurs via a server for the electronic device and the entry of the response code by the user occurs via the electronic device.
  - 35. The method of claim 29, further comprising:
    - receiving from a user input indicating (a) a selection of one or more challenge questions and (b) an answer for each selected challenge question; and
      
      upon a subsequent login failure of the user, presenting at least one of the one or more selected challenge questions to the user; and
      
      upon entry by the user of the answer previously indicated for at least one of the presented challenge questions, unlocking the nominal space.
  - 36. The method of claim 28, further comprising:
    - creating one or more profiles, each profile for one or more users of the electronic device;
      
      assigning to each profile a respective permitted level of access to the nominal space of the electronic device.
  - 37. The method of claim 30, further comprising:
    - receiving notification from a credential provider of a change of a nominal password of a user;
      
      hashing a nominal username of the user and the nominal password of the user to create a first hash;
      
      decrypting a SED password of the user using the first hash;
      
      hashing the nominal username of the user and a new nominal password that has been assigned to the user to create a second hash; and
      
      encrypting the SED password of the user using the second hash.
  - 38. The method of claim 37, further comprising:
    - providing a hook for the credential provider to send the notification of the change of the nominal password of the user.
  - 39. The method of claim 37, further comprising:
    - upon subsequent logon by the user, receiving a nominal username and a nominal password entered by the user;
      
      hashing the entered nominal username and the entered nominal password to create a third hash; and
      
      attempting to decrypt the SED password of the user using the third hash.
  - 40. The method of claim 39, further comprising:
    - upon an unsuccessful attempt to decrypt the SED password of the user, permitting the user a pre-determined number of additional attempts to re-enter a nominal username and a nominal password and, if a number of unsuccessful attempts to decrypt the SED password of the user equals the pre-determined number, locking the electronic device; and
      
      upon a successful attempt to decrypt the SED password of the user, unlocking the nominal space of the SED.
  - 41. The method of claim 28, further comprising providing at least one of the following while the nominal space is locked:
    - (i) key entry functionality, operable to display a virtual keyboard on a pre-boot GUI and receive input from the virtual keyboard;
      
      (ii) graphics functionality, operable to interact with a user via a pre-boot GUI during a pre-boot authentication process of the electronic device, while the nominal space is locked; and
      
      (iii) drivers for authentication devices.
  - 42. The method of claim 28, wherein the SED further comprises a nominal operating system (OS), the method further comprising:
    - creating a backup copy of the nominal OS and an image of the nominal space; and
      
      saving the backup copy of the nominal OS and the image of the nominal space to non-volatile storage.
  - 43. The method of claim 42, further comprising:
    - restoring the nominal OS and the nominal space, using the backup copy of the nominal OS and the nominal space.
  - 44. The method of claim 28, further comprising enrolling one or more users on the electronic device.
  - 45. The method of claim 28, further comprising:
    - enrolling a user on the electronic device using one or more of a password, a biometric credential, a smart card, a token, and an RFID security device as one or more forms of authentication.
  - 46. The method of claim 45, wherein the biometric credential is a fingerprint, any finger of the user may be used for the fingerprint, and enrollment is performed using a touch sensor or a swipe sensor to capture the fingerprint.
  - 47. The method of claim 28, further comprising:
    - enrolling a first user as an administrator, the administrator having rights of control over user access to the electronic device.
  - 48. The method of claim 28, further comprising remotely enrolling one or more users on the electronic device.
  - 49. The method of claim 28, further comprising automatically logging a user onto a nominal operating system of the electronic device, upon successful authentication of the user during boot up of the electronic device.
  - 50. The method of claim 28, further comprising:
    - hashing the nominal credentials of the given user when the given user attempts to log on, yielding a hash;
      
      using the hash to decrypt the encrypted DSK; and
      
      using the decrypted DSK to decrypt the encrypted SED credential.
  - 51. The method of claim 28, further comprising selectively encrypting items on the electronic device, wherein the selectively encrypting items on the electronic device is performed at the instruction of a user.
  - 52. The method of claim 51, wherein the selectively encryptable items comprise files, folders and/or documents, and wherein the method further comprises at least one of:
    - (i) encrypting all files within a given folder if a user selects the given folder for encryption; and
      
      (ii) encrypting files copied or moved to an encrypted folder.
  - 53. The method of claim 52, wherein the selectively encryptable items comprise files, folders and/or documents, and wherein the method further comprises:
    - permitting a user to open, edit and close an encrypted file; and
      
      automatically encrypting the encrypted file upon the closing thereof.
  - 54. The method of claim 51, further comprising:
    - at an instruction of a user, selectively decrypting encrypted items on the electronic device, subject to authentication of the user.
  - 55. The method of claim 54, further comprising:
    - upon selection, for decryption, of an encrypted item located in a given location, retaining the selected item in encrypted form in the given location and saving a copy of the selected item in decrypted form in another location.
  - 56. The method of claim 28, further comprising granting one or more other users access to one or more selectively encrypted items on the electronic device.
  - 57. The method of claim 56, wherein the access granted comprises the ability to view, modify and delete the one or more selectively encrypted items.
  - 58. The method of claim 56, further comprising revoking the access to the one or more selectively encrypted items granted to any of the one or more users.
  - 59. The method of claim 28, further comprising using a roaming profile as a digital certificate for purposes of encrypting items on the electronic device.
  - 60. The method of claim 28, further comprising activating encryption for the electronic device, wherein, after the activating of encryption, the pre-boot region is read-only.
  - 61. The method of claim 60, wherein the activating of encryption for the electronic device comprises:
    - (a) downloading a SED management component, a pre-boot OS and an unlocking program into the pre-boot region, using an administrative pin, or(b) pre-installing the SED management component, the pre-boot OS and the unlocking program into the pre-boot region, prior to purchase of the electronic device.
  - 62. The method of claim 28, further comprising:
    - at an instruction of an administrator, setting authentication requirements for the electronic device.
  - 63. The method of claim 28, further comprising:
    - at an instruction of an administrator, making authentication requirements subject to an emergency override.
  - 64. The method of claim 28, further comprising:
    - at an instruction of an administrator, setting different authentication requirements for different functions of the electronic device, wherein the different functions include at least two of;
      
      (i) login, (ii) encryption/decryption, (iii) user management functions, and (iv) other functions.
  - 65. The method of claim 28, further comprising:
    - at an instruction of an administrator, prohibiting at least one user from modifying settings of the electronic device.
  - 66. The method of claim 28, further comprising:
    - at an instruction of an administrator, revoking a user'"'"'s credentials, thereby preventing the user from accessing the electronic device.
  - 67. The method of claim 28, further comprising:
    - at an instruction of an administrator, erasing a user'"'"'s drive on the electronic device.
  - 68. The method of claim 28, wherein at least one of the nominal credential of the user and the SED credential of the user is a password, a biometric credential, a smart card, a token, or an RFID security device.
  - 69. The method of claim 28, further comprising:
    - partitioning the nominal space into two or more partitions.
  - 70. The method of claim 28, further comprising:
    - assigning to a user rights of access to the nominal space and/or to a partition of the nominal space.
  - 71. The method of claim 28, further comprising:
    - backing up a user'"'"'s profile.
  - 72. The method of claim 28, further comprising:
    - restoring a user'"'"'s profile, using a backup user profile.
  - 73. The method of claim 28, further comprising:
    - enabling a standby mode.
  - 113. The method of claim 36, further comprising:
    - dividing the nominal space of electronic device into two or more partitions,wherein the assigning to each profile a respective permitted level of access to the nominal space of the electronic device comprises assigning to each profile a respective permitted level of access for each partition, wherein for a given profile the permitted level of access may differ for different partitions.
  - 114. The method of claim 37, wherein at least one of the nominal credential of the user and the SED credential of the user is a password, a biometric credential, a smart card, a token, or an RFID security device as one or more forms of authentication.
  - 115. The method of claim 42, further comprising:
    - creating a partition on the SED,wherein the backup copy of the nominal OS and the image of the nominal space are saved on the partition.
  - 116. The method of claim 42, wherein the non-volatile storage is external to the SED.
  - 117. The method of claim 42, further comprising:
    - updating the backup copy of the nominal OS and the image of the nominal space.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Softex LLC (FIG LLC (d/b/a Fortress Investment Group LLC))
Original Assignee
Softex Incorporated
Inventors
Bhansali, Apurva M., Patel, Mehul R., Dhanani, Kamal M., Chauhan, Rajnish S., Cheung, David
Primary Examiner(s)
Okeke, Izunna

Application Number

US14/926,884
Publication Number

US 20160063259A1
Time in Patent Office

1,174 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/575   Secure boot

G06F 21/602   Providing cryptographic fac...

G06F 2221/033   Test or assess software

G06F 9/4406   Loading of operating system

Methods, systems, and apparatuses for managing a hard drive security system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

118 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, systems, and apparatuses for managing a hard drive security system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

118 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links