End-to-end encryption of a block storage device with protected key
Abstract
A method for protecting an encryption key for a block storage device is provided. The method includes reading from a superblock of the block storage device a secure key, which refers to a clear key that is only accessible by a hardware security module, and a type indicator indicating that the secure key refers to that clear key. The method also includes associating the block storage device with the hardware security module and converting the secure key into a protected key using the hardware security module, wherein the protected key refers to the same clear key and is accessible by a central processing unit of a related computer system.
18 Claims
1. A computer-implemented method for protecting an encryption key for a block storage device, said method comprising:
reading from a superblock of said block storage device:
a secure key, wherein said secure key refers to a clear key that is only accessible by a hardware security module of a plurality of hardware security modules, and
a type indicator indicating that said secure key refers to said clear key, wherein said type indicator also indicates that the secure key requires a related secure key algorithm that is executed on a dedicated hardware security module of the plurality of hardware security modules;
associating said block storage device with said hardware security module, wherein said associating said block storage device to said hardware security module comprises searching the plurality of hardware security modules to identify the dedicated hardware security module based at least in part on a correspondence to said type indicator; and
converting said secure key into a protected key using said hardware security module, wherein converting said secure key into said protected key comprises sending, by the hardware security module and via a secure channel, the clear key to a central processing unit of a related computer system that generates the protected key by wrapping the clear key with a master key, and wherein said protected key refers to said clear key and is only accessible by the central processing unit of the related computer system.
(Dependent claims 2 to 13 are not reproduced here.)

14. A system for protecting an encryption key for a block storage device, said system comprising:
a reading unit adapted for reading from a superblock of said block storage device:
a secure key, wherein said secure key refers to a clear key that is only accessible by a hardware security module of a plurality of hardware security modules, and
a type indicator indicating that said secure key refers to said clear key, wherein said type indicator also indicates that the secure key requires a related secure key algorithm that is executed on a dedicated hardware security module of the plurality of hardware security modules;
an associating module adapted for associating said block storage device to said hardware security module, wherein said associating said block storage device to said hardware security module comprises searching the plurality of hardware security modules to identify the dedicated hardware security module based at least in part on a correspondence to said type indicator; and
a conversion module adapted for converting said secure key into a protected key using said hardware security module, wherein converting said secure key into said protected key comprises sending, by the hardware security module and via a secure channel, the clear key to a central processing unit of a related computer system that generates the protected key by wrapping the clear key with a master key, and wherein said protected key refers to said clear key and is only accessible by the central processing unit of the related computer system.
(Dependent claims 15 to 17 are not reproduced here.)

18. A computer program product for protecting an encryption key for a block storage device, said computer program product comprising a computer readable storage medium having program instructions embodied therewith, said program instructions being executable by one or more computing systems to cause said one or more computing systems to:
read from a superblock of said block storage device:
a secure key, wherein said secure key refers to a clear key that is only accessible by a hardware security module of a plurality of hardware security modules, and
a type indicator indicating that said secure key refers to said clear key, wherein said type indicator also indicates that the secure key requires a related secure key algorithm that is executed on a dedicated hardware security module of the plurality of hardware security modules;
associate said block storage device to said hardware security module, wherein said associating said block storage device to said hardware security module comprises searching the plurality of hardware security modules to identify the dedicated hardware security module based at least in part on a correspondence to said type indicator; and
convert said secure key into a protected key using said hardware security module, wherein converting said secure key into said protected key comprises sending, by the hardware security module and via a secure channel, the clear key to a central processing unit of a related computer system that generates the protected key by wrapping the clear key with a master key, and wherein said protected key refers to said clear key and is only accessible by the central processing unit of the related computer system.
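As an added illustration (not code from the patent or from any product), the following Python model walks through the claimed flow: a constructed superblock layout carrying the secure key and its type indicator, a search across several HSM objects for the one whose type matches, and conversion into a protected key that is bound to the CPU's master key rather than to the HSM's. The key-wrap function is an HMAC-keystream stand-in for a real wrap algorithm, and the superblock layout, the class names and the `_recover_clear_key` helper are assumptions made for this example.

```python
import hashlib
import hmac
import os
import struct

def _wrap(wrapping_key: bytes, domain: bytes, key: bytes) -> bytes:
    # Stand-in for a real key wrap (e.g. AES key wrap): XOR with an HMAC-derived keystream. Constructed for this example; symmetric, so the same call also unwraps; keys <= 32 bytes.
    assert len(key) <= 32
    stream = hmac.new(wrapping_key, domain + bytes([len(key)]), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, stream))

class HSM:
    # One of the plurality of hardware security modules; its master key never leaves the module.
    def __init__(self, key_type: int):
        self.key_type = key_type            # the secure-key algorithm this HSM implements
        self._master_key = os.urandom(32)
    def make_secure_key(self, clear_key: bytes) -> bytes:   # the value written to the superblock
        return _wrap(self._master_key, b"hsm", clear_key)
    def convert_to_protected(self, secure_key: bytes, cpu: "CPU") -> bytes:
        clear_key = _wrap(self._master_key, b"hsm", secure_key)   # only this HSM can recover it
        return cpu.wrap_clear_key(clear_key)   # the secure channel is modelled as a direct call

class CPU:
    # CPU of the related computer system; its master key is host-local.
    def __init__(self):
        self._master_key = os.urandom(32)
    def wrap_clear_key(self, clear_key: bytes) -> bytes:
        return _wrap(self._master_key, b"cpu", clear_key)
    def _recover_clear_key(self, protected_key: bytes) -> bytes:
        # In hardware the clear key stays inside the CPU; exposed here only to check the round trip.
        return _wrap(self._master_key, b"cpu", protected_key)

SUPERBLOCK = struct.Struct(">4sBB")   # constructed layout: magic, type indicator, key length

def write_superblock(type_indicator: int, secure_key: bytes) -> bytes:
    return SUPERBLOCK.pack(b"SKEY", type_indicator, len(secure_key)) + secure_key

def read_superblock(blob: bytes):
    magic, type_indicator, n = SUPERBLOCK.unpack_from(blob)
    if magic != b"SKEY":
        raise ValueError("not a secure-key superblock")
    return type_indicator, blob[SUPERBLOCK.size:SUPERBLOCK.size + n]

def associate_and_convert(blob: bytes, hsms: list, cpu: CPU) -> bytes:
    # Claim 1 end to end: read the superblock, search the HSMs by type indicator, convert.
    type_indicator, secure_key = read_superblock(blob)
    hsm = next((h for h in hsms if h.key_type == type_indicator), None)
    if hsm is None:
        raise LookupError(f"no HSM implements secure-key type {type_indicator}")
    return hsm.convert_to_protected(secure_key, cpu)
```

The property worth checking is that neither stored form is usable off its anchor: the secure key is useless without the matching HSM, and the protected key is useless on a host with a different CPU master key.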
Specification