Techniques for secure data extraction in a virtual or cloud environment
Abstract
Techniques for secure data extraction in a virtual or cloud environment are presented. Desired data from a Virtual Machine (VM), or an entire VM, is extracted and encrypted with a key. This key is sealed to a machine or a group of machines. The encrypted data is then migrated, and instances of the VM use it successfully on startup because the receiving machine can access the sealed key, unseal it, and decrypt the encrypted data.
Claims (20)
1. A method, comprising:
    securely maintaining an encrypted delta between a running instance of a virtual environment on a first machine and a base image for the virtual environment;
    transferring the base image to a second machine;
    separately providing the encrypted delta to the second machine;
    decrypting the encrypted delta into a delta using at least one second machine key located on the second machine; and
    inserting the delta into the base image on the second machine by the second machine before initiation of the base image at the second machine, and thereafter initiating, by the second machine, the base image with the integrated delta already inserted into the base image as a second running instance of the virtual environment on the second machine.
(Dependent claims 2-8 not shown.)
9. A method, comprising:
    establishing secure keys between a group of machines;
    identifying delta data in a base image of a virtual environment, wherein the delta data is maintained separately from the base image in an encrypted format using the secure keys;
    transferring the base image to a first machine of the group of machines;
    providing the delta data in the encrypted format to the first machine; and
    initiating, by the first machine, a first running instance of the virtual environment by decrypting the delta data in the encrypted format with one of the keys located on the first machine as decrypted delta data, integrating and inserting the decrypted delta data into the base image, and thereafter initiating, by the first machine, the first running instance having the decrypted delta data already integrated into the base image on the first machine.
(Dependent claims 10-17 not shown.)
18. A system, comprising:
    a first machine;
    a processor;
    a non-transitory computer-readable storage medium having executable instructions;
    the executable instructions, when executed by the processor from the non-transitory computer-readable storage medium, configured to perform processing to:
        extract selective data from a base image of a virtual environment;
        maintain the selective data separately from the base image in an encrypted format for which access requires keys, each key specific to a particular machine defined in a group of machines; and
        provide the base image separate from the selective data to machines in the group of machines;
    wherein each machine in the group of machines:
        decrypts the selective data using that machine's specific key from the keys located on that machine as decrypted selective data, integrates and inserts the decrypted selective data into the base image, and thereafter each machine initiates a running instance of the virtual environment from the base image having that machine's decrypted selective data already integrated into the base image on that machine.
(Dependent claims 19-20 not shown.)
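The flow of the abstract and of claims 1 and 9, as an added example that is not part of the patent or of any product: the first machine computes a block-level delta between its running instance and the base image, encrypts it under a fresh key, and seals that key to every machine in the group (modelled here as wrapping under a per-machine key; a real deployment would seal to a TPM or equivalent); the second machine unseals with its own key, decrypts the delta, and inserts it into the base image before the instance is started. The HMAC-based stream cipher is a standard-library stand-in for a real AEAD such as AES-GCM, and all keys, image bytes and the BLOCK size are constructed for the demo.

```python
import hashlib, hmac, json, os

BLOCK = 16  # granularity of the delta (bytes); constructed value for the demo

def compute_delta(base: bytes, running: bytes) -> dict:
    """Delta = only the blocks of the running instance that differ from the base image."""
    changed = {}
    for off in range(0, max(len(base), len(running)), BLOCK):
        if base[off:off + BLOCK] != running[off:off + BLOCK]:
            changed[off] = running[off:off + BLOCK].hex()
    return {"length": len(running), "blocks": changed}

def apply_delta(base: bytes, delta: dict) -> bytes:
    """Insert the delta into the base image before the instance is initiated."""
    img = bytearray(base[:delta["length"]].ljust(delta["length"], b"\0"))
    for off, blk in delta["blocks"].items():  # JSON turned the int offsets into strings
        img[int(off):int(off) + len(bytes.fromhex(blk))] = bytes.fromhex(blk)
    return bytes(img)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(-(-n // 32)))[:n]

def encrypt(key: bytes, pt: bytes) -> bytes:
    """Stand-in AEAD: HMAC-SHA256 counter keystream plus HMAC tag (use AES-GCM in production)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong machine key or tampered delta")  # machine outside the group
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def seal_delta(base: bytes, running: bytes, group_keys: dict) -> tuple:
    """First machine: encrypt the delta under a fresh key, seal that key to every group machine."""
    delta_key = os.urandom(32)
    enc_delta = encrypt(delta_key, json.dumps(compute_delta(base, running)).encode())
    sealed = {name: encrypt(mk, delta_key) for name, mk in group_keys.items()}
    return enc_delta, sealed  # the base image travels separately from both of these

def restore_instance(base: bytes, enc_delta: bytes, sealed: dict, name: str, mk: bytes) -> bytes:
    """Second machine: unseal with its own key, decrypt the delta, insert it, then initiate."""
    delta_key = decrypt(mk, sealed[name])
    delta = json.loads(decrypt(delta_key, enc_delta))
    return apply_delta(base, delta)  # image is now ready to start as the second running instance
```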