End-to-end encryption of a block storage device with protected key

US 10,491,387 B2
Filed: 11/15/2016
Issued: 11/26/2019
Est. Priority Date: 11/15/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for protecting an encryption key for a block storage device, said method comprisingreading from a superblock of said block storage device:

a secure key, wherein said secure key refers to a clear key that is only accessible by a hardware security module of a plurality of hardware security modules, anda type indicator indicating that said secure key refers to said clear key, wherein said type indicator also indicates that the secure key requires a related secure key algorithm that is executed on a dedicated hardware security module of the plurality of hardware security modules,associating said block storage device with said hardware security module, wherein said associating said block storage device to said hardware security module comprises searching the plurality of hardware security modules to identify the dedicated hardware security module based at least in part on a correspondence to said type indicator, andconverting said secure key into a protected key using said hardware security module, wherein converting said secure key into said protected key comprises sending, by the hardware security module and via a secure channel, the clear key to a central processing unit of a related computer system that generates the protected key by wrapping the clear key with a master key, and wherein said protected key refers to said clear key and is only accessible by the central processing unit of the related computer system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for protecting an encryption key for a block storage device is provided. The includes reading from a superblock of the block storage device a secure key, referring to a clear key only accessible by a hardware security module, and a type indicator indicating that the secure key refers to the clear key which is only accessible by the hardware security module. The method also includes associating the block storage device with the hardware security module and converting the secure key into a protected clear key using the hardware security module, wherein the protected key refers to the clear key accessible by a central processing unit of a related computer system.

29 Citations

18 Claims

1. A computer-implemented method for protecting an encryption key for a block storage device, said method comprisingreading from a superblock of said block storage device:
- a secure key, wherein said secure key refers to a clear key that is only accessible by a hardware security module of a plurality of hardware security modules, anda type indicator indicating that said secure key refers to said clear key, wherein said type indicator also indicates that the secure key requires a related secure key algorithm that is executed on a dedicated hardware security module of the plurality of hardware security modules,associating said block storage device with said hardware security module, wherein said associating said block storage device to said hardware security module comprises searching the plurality of hardware security modules to identify the dedicated hardware security module based at least in part on a correspondence to said type indicator, andconverting said secure key into a protected key using said hardware security module, wherein converting said secure key into said protected key comprises sending, by the hardware security module and via a secure channel, the clear key to a central processing unit of a related computer system that generates the protected key by wrapping the clear key with a master key, and wherein said protected key refers to said clear key and is only accessible by the central processing unit of the related computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method according to claim 1, wherein the clear key is inaccessible by an operating system being executed on said computer system.
  - 3. The method according to claim 1, wherein said central processing unit uses said protected key to encrypt and decrypt data by using said clear key referred to by said protected key in a cipher method.
  - 4. The method according to claim 1, wherein the master key is accessible by said central processing unit and inaccessible by an operating system of said computer system.
  - 5. The method according to claim 4, wherein the master key is stored in the central processing unit or a memory area of said computer system.
  - 6. The method according to claim 1, wherein said protected key is associated with said block storage device.
  - 7. The method according to claim 1, wherein reading data from said block storage device or writing data to said block storage device comprises a protected key read/write method.
  - 8. The method according to claim 7, wherein said protected key read/write method comprises:
    - reading data from said block storage device and decrypting said data by said central processing unit using said protected key, orencrypting said data by said central processing unit using said protected key and writing data to said block storage device.
  - 9. The method according to claim 1, wherein the secure key and the hardware security module are stored in a decrypt/encrypt layer of said block storage device.
  - 10. The method according to claim 1, wherein said hardware security module is a protected key crypto module, and wherein the type indicator indicates that the protected key crypto module is to be selected in lieu of a standard crypto module.
  - 11. The method according to claim 1, wherein said associating said block storage device to said hardware security module comprises searching for said hardware security module based at least in part on a correspondence to said secure key.
  - 12. The method according to claim 11, wherein said secure key comprises a hardware security module indicator of said hardware security module said secure key is usable for.
  - 13. The method according to claim 1, further comprising:
    - receiving an indication from said central processing unit that said protected key is invalid;
      
      converting said secure key into a new protected key; and
      
      using said new protected key in place of said invalid protected key.

14. A system for protecting an encryption key for a block storage device, said system comprising:
- a reading unit adapted for reading from a superblock of said block storage device;
  
  a secure key, wherein said secure key refers to a clear key that is only accessible by a hardware security module of a plurality of hardware security modules, anda type indicator indicating that said secure key refers to said clear key, wherein said type indicator also indicates that the secure key requires a related secure key algorithm that is executed on a dedicated hardware security module of the plurality of hardware security modules;
  
  an associating module adapted for associating said block storage device to said hardware security module, wherein said associating said block storage device to said hardware security module comprises searching the plurality of hardware security modules to identify the dedicated hardware security module based at least in part on a correspondence to said type indicator; and
  
  a conversion module adapted for converting said secure key into a protected key using said hardware security module, wherein converting said secure key into said protected key comprises sending, by the hardware security module and via a secure channel, the clear key to a central processing unit of a related computer system that generates the protected key by wrapping the clear key with a master key, and wherein said protected key refers to said clear key and is only accessible by the central processing unit of the related computer system.
- View Dependent Claims (15, 16, 17)
- - 15. The system according to claim 14, wherein said clear key is inaccessible by an operating system being executed on said computer system.
  - 16. The system according to claim 15, comprising a memory adapted for storing the master key, and wherein said central processing unit or said memory stores the master key.
  - 17. The system according to claim 14, wherein said central processing unit is adapted for using said protected key for an encryption and a decryption of data by using said clear key referred to by said protected key in a cipher method.

18. A computer program product for protecting an encryption key for a block storage device, said computer program product comprising a computer readable storage medium having program instructions embodied therewith, said program instructions being executable by one or more computing systems to cause said one or more computing systems toread from a superblock of said block storage device:
- a secure key, wherein said secure key refers to a clear key that is only accessible by a hardware security module of a plurality of hardware security modules, anda type indicator indicating that said secure key refers to said clear, wherein said type indicator also indicates that the secure key requires a related secure key algorithm that is executed on a dedicated hardware security module of the plurality of hardware security modules;
  
  associate said block storage device to said hardware security module, wherein said associating said block storage device to said hardware security module comprises searching the plurality of hardware security modules to identify the dedicated hardware security module based at least in part on a correspondence to said type indicator, andconvert said secure key into a protected key using said hardware security module, wherein converting said secure key into said protected key comprises sending, by the hardware security module and via a secure channel, the clear key to a central processing unit of a related computer system that generates the protected key by wrapping the clear key with a master key, and, wherein said protected key refers to said clear key and is only accessible by the central processing unit of the related computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Brueckner, Hendrik S., Buendgen, Reinhard T., Freudenberger, Harald
Primary Examiner(s)
Turchen, James R

Application Number

US15/351,546
Publication Number

US 20180139046A1
Time in Patent Office

1,106 Days
Field of Search
US Class Current
CPC Class Codes

G06F 1/14   Time supervision arrangemen...

G06F 21/10   Protecting distributed prog...

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 21/72   in cryptographic circuits

G06F 21/78   to assure secure storage of...

H04L 2209/603   Digital right managament [DRM]

H04L 2463/101   applying security measures ...

H04L 9/0822   using key encryption key

H04L 9/0877   using additional device, e....

H04L 9/0891   Revocation or update of sec...

H04L 9/0897   involving additional device...

H04L 9/14   using a plurality of keys o...

End-to-end encryption of a block storage device with protected key

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

29 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

End-to-end encryption of a block storage device with protected key

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links