Techniques for secure data extraction in a virtual or cloud environment

US 10,454,902 B2
Filed: 12/05/2016
Issued: 10/22/2019
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

securely maintaining an encrypted delta between a running instance of a virtual environment on a first machine and a base image for the virtual environment;

transferring the base image to a second machine;

separately providing the encrypted delta to the second machine;

decrypting the encrypted delta into a delta using at least one second machine key located on the second machine; and

inserting the delta into the base image on the second machine by the second machine before initiation of the base image at the second machine, and thereafter initiating, by the second machine, the base image with the integrated delta already inserted into the base image as a second running instance of the virtual environment on the second machine.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for secure data extraction in a virtual or cloud environment are presented. Desired data from a Virtual Machine (VM) or an entire VM is extracted and encrypted with a key. This key is sealed to a machine or a group of machines. The encrypted data is then migrated and successfully used on startup for instances of the VM by having the ability to access the sealed key (and unsealing it) to decrypt the encrypted data.

24 Citations

View as Search Results

20 Claims

1. A method, comprising:
- securely maintaining an encrypted delta between a running instance of a virtual environment on a first machine and a base image for the virtual environment;
  
  transferring the base image to a second machine;
  
  separately providing the encrypted delta to the second machine;
  
  decrypting the encrypted delta into a delta using at least one second machine key located on the second machine; and
  
  inserting the delta into the base image on the second machine by the second machine before initiation of the base image at the second machine, and thereafter initiating, by the second machine, the base image with the integrated delta already inserted into the base image as a second running instance of the virtual environment on the second machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein securely maintaining further includes sealing a second key for accessing the delta based on identifiers for the first machine and the second machine.
  - 3. The method of claim 1, wherein securely maintaining further includes maintaining the encrypted delta and the base image on a third machine.
  - 4. The method of claim 1, wherein securely maintaining further includes obtaining the encrypted delta as a confidential file accessible from the running instance.
  - 5. The method of claim 1, wherein securely maintaining further includes obtaining the encrypted delta as a change in a state while the running instance processes on the first machine.
  - 6. The method of claim 1, wherein securely maintaining further includes obtaining the encrypted delta as selective data custom defined for the base image.
  - 7. The method of claim 1, wherein separately providing further includes providing the encrypted delta in response to a request made from the second machine for the encrypted delta after the second machine receives the base image.
  - 8. The method of claim 1, wherein providing further includes providing the encrypted delta to the second machine in an encrypted format that is specific to the second machine and that can only be decrypted for use by the second machine through the at least one second machine key located on the second machine.

9. A method, comprising:
- establishing secure keys between a group of machines;
  
  identifying delta data in a base image of a virtual environment, wherein the delta data is maintained separately from the base image in an encrypted format using the secure keys;
  
  transferring the base image to a first machine of the group of machines;
  
  providing the delta data in the encrypted format to the first machine; and
  
  initiating, by the first machine, a first running instance of the virtual environment by decrypting the delta data in the encrypted format with one of the keys located on the first machine as decrypted delta data, integrating and inserting the decrypted delta data into the base image, and thereafter initiating, by the first machine, the first running instance having the decrypted delta data already integrated into the base image on the first machine.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The method of claim 9 further comprising:
    - receiving changes made to the delta data in the encrypted format from the first running instance during processing of the first running instance on the first machine.
  - 11. The method of claim 10 further comprising:
    - transferring the base image to a second machine of the group of machines;
      
      providing the changed delta data in the encrypted format to the second machine; and
      
      initiating, by the second machine, a second running instance of the virtual environment by decrypting the changed delta data in the encrypted format with another one of the keys available from the second machine, integrating the decrypted changed delta into the base image, and initiating the second running instance.
  - 12. The method of claim 9 further comprising:
    - receiving changes made to the delta data in the encrypted format from a second machine of the group of machines.
  - 13. The method of claim 12 further comprising:
    - providing the changed delta data in the encrypted format to the first machine; and
      
      decrypting, by the first machine, the changed delta data in the encrypted format using the one key available from the first machine; and
      
      updating, by the first machine, the first running instance of the virtual environment with the decrypted changed delta data.
  - 14. The method of claim 9, wherein identifying further includes maintaining the delta data as executable instructions.
  - 15. The method of claim 9, wherein identifying further includes maintaining the delta data as file data.
  - 16. The method of claim 9, wherein identifying further includes maintaining the delta data based on evaluation of a policy that selectively defines the delta data within the base image.
  - 17. The method of claim 9, wherein identifying further includes maintaining the delta data as state changes made to selective data included within the base image during processing of the first running instance on the first machine.

18. A system, comprising:
- first machine;
  
  a processor;
  
  a non-transitory computer-readable storage medium having executable instructions;
  
  the executable instructions when executed by the processor from the non-transitory computer-readable storage medium configured to perform processing to;
  
  extract selective data from a base image of a virtual environment;
  
  maintain the selective data separately from the base image in an encrypted format for which access requires keys and each key specific to a particular machine defined in a group of machines; and
  
  provide the base image separate from the selective data to machines in the group of machines;
  
  wherein each machine in the group of machines;
  
  decrypts the selective data using that machine'"'"'s specific key from the keys located on that machine as decrypted selective data, integrates and inserts the decrypted selective data into the base image, and thereafter, each machine initiates a running instance of the virtual environment from the base image having that machine'"'"'s decrypted selective data already the integrated into the base image on that machine.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, wherein the selective data is defined by a policy.
  - 20. The system of claim 18, wherein the selective data is one of:
    - executable code and one or more data files.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetIQ Corporation (Open Text Corporation)
Original Assignee
NetIQ Corporation (Open Text Corporation)
Inventors
Angelo, Michael F., Burch, Lloyd Leon
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US15/368,904
Publication Number

US 20170180331A1
Time in Patent Office

1,051 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 21/57   Certifying or maintaining t...

G06F 21/602   Providing cryptographic fac...

G06F 2221/2107   File encryption

G06F 9/45558   Hypervisor-specific managem...

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 9/08   Key distribution or managem...

H04L 9/3234   involving additional secure...

Techniques for secure data extraction in a virtual or cloud environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for secure data extraction in a virtual or cloud environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links