Rapid data protection for storage devices
First Claim
1. A method implemented in a computing device having an inline cryptographic processor implemented at least in part in hardware, the method comprising:

receiving, at a trusted runtime, a request to generate a key for a portion of a storage device, the request to generate the key being received as part of creation of the portion of the storage device, the trusted runtime being isolated from other programs in the computing device;

in response to the request to generate the key, the trusted runtime:
generating the key,
persisting the key across power cycles of the computing device,
provisioning the inline cryptographic processor of the computing device with the key to be stored in a register of the inline cryptographic processor, and
the inline cryptographic processor subsequently encrypting writes to the portion of the storage device based on the key independent of a request to encrypt the portion of the storage device from a user, and subsequently decrypting reads from the portion of the storage device based on the key;

the provisioning including:
provisioning the inline cryptographic processor with the key without user authentication credentials being provided to the computing device until the request to encrypt the portion is received, and
in response to the request to encrypt the portion, provisioning the inline cryptographic processor with the key only when the user authentication credentials are provided to the computing device; and

returning, by the trusted runtime, in response to the request to encrypt the portion, an indication that data on the portion is encrypted without waiting for data on the portion to be encrypted because data previously written to the portion was already encrypted when the data was stored on the portion.
Abstract
A computing device uses a data encryption and decryption system that includes a trusted runtime and an inline cryptographic processor. The trusted runtime provides a trusted execution environment, and the inline cryptographic processor provides decryption and encryption of data in-line with storage device read and write operations. When a portion (e.g., partition) of a storage device is defined, the trusted runtime generates an encryption key and provides the encryption key to the inline cryptographic processor, which uses the encryption key to encrypt data written to the portion and decrypt data read from the portion. Access to the portion can be subsequently protected by associating the key with authentication credentials of a user or other entity. The trusted runtime protects the encryption key based on an authentication key associated with the authentication credentials, allowing subsequent access to the encryption key only in response to the proper authentication credentials being provided.
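The abstract and the independent claims describe one sequence: a key is generated when the partition is created and loaded into a register of the inline cryptographic processor, every write from then on lands on the media already encrypted, and a later "encrypt this portion" request only binds that key to the user's credentials, so the trusted runtime can report the portion as encrypted immediately. The Python model below is an added example written for this page; it is not code from the patent or from any product implementing it. The class names, the HMAC-SHA256 keystream standing in for the hardware cipher, the PBKDF2-plus-XOR key wrapping, and the sample sector contents are all constructed for the example.

```python
import hashlib
import hmac
import os

SECTOR = 32  # bytes per sector in this toy model


def keystream(key: bytes, portion: str, sector: int) -> bytes:
    # Constructed stand-in for the hardware cipher: one 32-byte keystream block
    # per (portion, sector). Real inline crypto hardware would run AES-XTS or similar.
    return hmac.new(key, f"{portion}:{sector}".encode(), hashlib.sha256).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class InlineCryptoProcessor:
    """Sits between the OS and the media; every write and read passes through it."""

    def __init__(self):
        self.media = {}      # (portion, sector) -> bytes exactly as stored on the device
        self.registers = {}  # portion -> key; only the trusted runtime loads these

    def load_key(self, portion: str, key: bytes) -> None:
        self.registers[portion] = key

    def write(self, portion: str, sector: int, plaintext: bytes) -> None:
        key = self.registers[portion]  # KeyError models "no key provisioned"
        self.media[(portion, sector)] = xor_bytes(plaintext, keystream(key, portion, sector))

    def read(self, portion: str, sector: int) -> bytes:
        key = self.registers[portion]
        return xor_bytes(self.media[(portion, sector)], keystream(key, portion, sector))


class TrustedRuntime:
    """Isolated component that owns the keys; the OS never sees them in the clear."""

    def __init__(self, icp: InlineCryptoProcessor):
        self.icp = icp
        self.store = {}  # portion -> key record, persisted across power cycles

    def create_portion(self, portion: str) -> None:
        # Key generated at partition creation and provisioned with no credentials
        # involved, so everything written from now on reaches the media encrypted.
        key = os.urandom(32)
        self.store[portion] = {"key": key}
        self.icp.load_key(portion, key)

    @staticmethod
    def _auth_key(credentials: bytes, salt: bytes) -> bytes:
        # Iteration count kept low for the demo; raise it in anything real.
        return hashlib.pbkdf2_hmac("sha256", credentials, salt, 20_000, dklen=32)

    def request_encrypt(self, portion: str, credentials: bytes) -> str:
        # "Encrypt the portion" means: bind the existing key to the credentials.
        # Constructed wrapping: XOR under a fresh-salt PBKDF2 key plus an HMAC tag.
        key = self.store[portion]["key"]
        salt = os.urandom(16)
        auth_key = self._auth_key(credentials, salt)
        wrapped = xor_bytes(key, auth_key)
        tag = hmac.new(auth_key, wrapped, hashlib.sha256).digest()
        self.store[portion] = {"wrapped": wrapped, "salt": salt, "tag": tag}
        return "encrypted"  # no sector rewritten: the media already holds ciphertext

    def power_cycle(self) -> None:
        self.icp.registers.clear()  # hardware registers do not survive a reboot
        for portion, rec in self.store.items():
            if "key" in rec:  # not yet credential-bound: re-provision freely
                self.icp.load_key(portion, rec["key"])

    def unlock(self, portion: str, credentials: bytes) -> bool:
        rec = self.store[portion]
        auth_key = self._auth_key(credentials, rec["salt"])
        tag = hmac.new(auth_key, rec["wrapped"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, rec["tag"]):
            return False  # wrong credentials: the key is never released
        self.icp.load_key(portion, xor_bytes(rec["wrapped"], auth_key))
        return True


def demo() -> dict:
    icp = InlineCryptoProcessor()
    trt = TrustedRuntime(icp)
    trt.create_portion("p1")
    plaintext = b"written before encrypt request".ljust(SECTOR, b"\0")  # constructed
    icp.write("p1", 0, plaintext)
    before = icp.media[("p1", 0)]
    status = trt.request_encrypt("p1", b"correct horse")
    after = icp.media[("p1", 0)]
    trt.power_cycle()
    return {  # dict entries are evaluated in order, so the unlocks happen after the reboot
        "status": status,
        "media_was_ciphertext": before != plaintext,
        "media_untouched_by_request": before == after,
        "locked_after_reboot": "p1" not in icp.registers,
        "wrong_credentials_rejected": not trt.unlock("p1", b"wrong"),
        "unlock_ok": trt.unlock("p1", b"correct horse"),
        "readback_ok": icp.read("p1", 0) == plaintext,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the property the claims rely on: the sector written before the encrypt request is already ciphertext on the media, the request changes nothing on the media, and after a power cycle the portion stays locked until the right credentials unwrap the key and re-provision the register.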
20 Claims
1. Claim 1 as set out under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. A computing device comprising:
a trusted runtime that is isolated from an operating system of the computing device and that is configured to:
receive a request to generate a key for a portion of a storage device, the request to generate the key being received as part of creation of the portion,
generate the key for the portion of the storage device,
persist the key across power cycles of the computing device,
provision an inline cryptographic processor of the computing device with the key to be stored in a register of the inline cryptographic processor, the inline cryptographic processor subsequently encrypting writes to the portion of the storage device based on the key independent of a request to encrypt the portion of the storage device from a user, and subsequently decrypting reads from the portion of the storage device based on the key, and
return, in response to a request to encrypt the portion of the storage device, an indication that data on the portion of the storage device is encrypted without waiting for data on the portion to be encrypted because data previously written to the portion was already encrypted when the data was stored on the portion; and

the inline cryptographic processor configured to:
receive the key from the trusted runtime to provide unrestricted access to data stored on the portion until the request is received, and in response to the request to provide access to the data stored on the portion only when user authentication credentials are provided to the computing device,
encrypt, in response to receipt of the key, subsequent writes to the portion of the storage device based on the key, and
decrypt, in response to receipt of the key, subsequent reads from the portion of the storage device based on the key.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19.

20. A computing device comprising:
a trusted runtime that is isolated from an operating system of the computing device and that is configured to:
receive a request to generate a key for a portion of a storage device, the request to generate the key being received as part of creation of the portion,
generate the key for the portion of the storage device,
persist the key across power cycles of the computing device,
provision an inline cryptographic processor of the computing device with the key to be stored in a register of the inline cryptographic processor, the inline cryptographic processor subsequently encrypting writes to the portion of the storage device based on the key independent of a request to encrypt the portion of the storage device from a user, and subsequently decrypting reads from the portion of the storage device based on the key, and
return, in response to a request to encrypt the portion of the storage device, an indication that data on the portion of the storage device is encrypted without waiting for data on the portion to be encrypted because data previously written to the portion was already encrypted when the data was stored on the portion; and

the inline cryptographic processor configured to:
receive the key from the trusted runtime to provide access to data stored on the portion without user authentication credentials being provided to the computing device until the request to encrypt the portion is received, and in response to the request to encrypt the portion to provide access to the data stored on the portion only when the user authentication credentials are provided to the computing device,
protect the key based on a secret key by encrypting the key with the secret key known only to the inline cryptographic processor,
return the protected key to the operating system of the computing device, the protected key allowing the operating system to identify to the inline cryptographic processor which key to use without allowing the operating system to obtain the key,
encrypt, in response to receipt of the key, subsequent writes to the portion of the storage device based on the key, and
decrypt, in response to receipt of the key, subsequent reads from the portion of the storage device based on the key without the user authentication credentials being provided to the computing device.