File system support for rolling keys on file extents
Abstract
This application sets forth a key rolling technique for a file system of a computing device. The key rolling technique allows for files to be transparently re-encrypted in a background process while still allowing applications to access the files being re-encrypted. During re-encryption, at least one file extent of a file is decrypted using a current key for the file extent and re-encrypted using a new key for the file extent. Moreover, the file extent can be relocated to another location in memory during re-encryption to enhance accessibility and crash protection features. Metadata associated with the file can be updated to include information pertaining to both the location of the re-encrypted file extent as well as the new key that can be used to decrypt the re-encrypted file extent. In this manner, the metadata can be used to properly construct a complete file when the file needs to be accessed.
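The flow described in the abstract, as an added Python example that is not part of the patent text: extents are re-encrypted one at a time into newly reserved space, and the file stays readable while old and new keys coexist. The names `Volume`, `Extent` and `roll_key`, the in-memory store, and the HMAC-SHA256 keystream (a stand-in for a real file-system cipher) are assumptions made for illustration.

```python
import hashlib, hmac
from dataclasses import dataclass

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher for the demo (HMAC-SHA256 keystream), not a real FS cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

@dataclass
class Extent:            # one entry of the file's metadata
    key_id: int          # which key decrypts this extent
    offset: int          # where the ciphertext lives in the store
    length: int

class Volume:
    def __init__(self):
        self.keys, self.files, self.store = {}, {}, bytearray()

    def _reserve(self, size: int) -> int:
        offset = len(self.store)          # region sized to the extent
        self.store += bytes(size)
        return offset

    def _put(self, key_id: int, plain: bytes) -> Extent:
        off = self._reserve(len(plain))
        nonce = off.to_bytes(8, "big")    # new location, new keystream
        self.store[off:off + len(plain)] = xor_stream(self.keys[key_id], nonce, plain)
        return Extent(key_id, off, len(plain))

    def _get(self, e: Extent) -> bytes:
        blob = bytes(self.store[e.offset:e.offset + e.length])
        return xor_stream(self.keys[e.key_id], e.offset.to_bytes(8, "big"), blob)

    def write_file(self, name, chunks, key_id):
        self.files[name] = [self._put(key_id, c) for c in chunks]

    def read_file(self, name) -> bytes:
        return b"".join(self._get(e) for e in self.files[name])

    def roll_key(self, name, old_id, new_id, limit=None) -> int:
        done = 0
        for i, e in enumerate(self.files[name]):
            if e.key_id != old_id or (limit is not None and done >= limit):
                continue
            fresh = self._put(new_id, self._get(e))   # old extent left untouched
            self.files[name][i] = fresh               # metadata swap is the commit point
            done += 1
        return done
```

Because the old ciphertext is never overwritten, an interruption before the metadata swap leaves the extent readable under its old key; `limit` simulates a background pass that stops partway.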
20 Claims
1. A method for re-encrypting file extents of files at a computing device, the method comprising, by a processor of the computing device:
- receiving a request to update an encryption scheme applied to a file, wherein:
  - the file is comprised of a plurality of file extents,
  - the file is included in a plurality of files accessible to the computing device, and
  - each file of the plurality of files is associated with a respective metadata;
- identifying, based on the respective metadata associated with the file, a subset of file extents among the plurality of file extents, wherein each file extent of the subset of file extents is encrypted using a first encryption key that is to be updated; and
- for each file extent of the subset of file extents:
  - reserving a respective portion of a memory of the computing device, wherein the respective portion of the memory is sized in accordance with a size of the file extent,
  - decrypting the file extent using the first encryption key to produce a decrypted file extent,
  - encrypting the decrypted file extent using a second encryption key that is different than the first encryption key to produce a new encrypted file extent,
  - storing the new encrypted file extent into the respective portion of memory, and
  - updating the respective metadata associated with the file to indicate that the file extent is encrypted with the second encryption key and is stored in the respective portion of memory.

Dependent claims: 2, 3, 4, 5, 6, 7
8. A non-transitory computer readable storage medium configured to store instructions that, when executed by a processor included in a computing device, cause the computing device to re-encrypt file extents of files at the computing device, by carrying out steps that include:
- receiving a request to update an encryption scheme applied to a file, wherein:
  - the file is comprised of a plurality of file extents,
  - the file is included in a plurality of files accessible to the computing device, and
  - each file of the plurality of files is associated with a respective metadata;
- identifying, based on the respective metadata associated with the file, a subset of file extents among the plurality of file extents, wherein each file extent of the subset of file extents is encrypted using a first encryption key that is to be updated; and
- for each file extent of the subset of file extents:
  - reserving a respective portion of a memory of the computing device, wherein the respective portion of the memory is sized in accordance with a size of the file extent,
  - decrypting the file extent using the first encryption key to produce a decrypted file extent,
  - encrypting the decrypted file extent using a second encryption key that is different than the first encryption key to produce a new encrypted file extent,
  - storing the new encrypted file extent into the respective portion of memory, and
  - updating the respective metadata associated with the file to indicate that the file extent is encrypted with the second encryption key and is stored in the respective portion of memory.

Dependent claims: 9, 10, 11, 12, 13
14. A computing device configured to re-encrypt file extents of files, the computing device comprising a processor configured to cause the computing device to carry out steps that include:
- receiving a request to update an encryption scheme applied to a file, wherein:
  - the file is comprised of a plurality of file extents,
  - the file is included in a plurality of files accessible to the computing device, and
  - each file of the plurality of files is associated with a respective metadata;
- identifying, based on the respective metadata associated with the file, a subset of file extents among the plurality of file extents, wherein each file extent of the subset of file extents is encrypted using a first encryption key that is to be updated; and
- for each file extent of the subset of file extents:
  - reserving a respective portion of a memory of the computing device, wherein the respective portion of the memory is sized in accordance with a size of the file extent,
  - decrypting the file extent using the first encryption key to produce a decrypted file extent,
  - encrypting the decrypted file extent using a second encryption key that is different than the first encryption key to produce a new encrypted file extent,
  - storing the new encrypted file extent into the respective portion of memory, and
  - updating the respective metadata associated with the file to indicate that the file extent is encrypted with the second encryption key and is stored in the respective portion of memory.

Dependent claims: 15, 16, 17, 18, 19, 20
Specification