Rapid data protection for storage devices

US 10,615,967 B2
Filed: 03/20/2014
Issued: 04/07/2020
Est. Priority Date: 03/20/2014
Status: Active Grant

First Claim

Patent Images

1. A method implemented in a computing device having an inline cryptographic processor implemented at least in part in hardware, the method comprising:

receiving, at a trusted runtime, a request to generate a key for a portion of a storage device, the request to generate the key being received as part of creation of the portion of the storage device, the trusted runtime being isolated from other programs in the computing device;

in response to the request to generate the key, the trusted runtime;

generating the key,persisting the key across power cycles of the computing device,provisioning the inline cryptographic processor of the computing device with the key to be stored in a register of the inline cryptographic processor, andthe inline cryptographic processor subsequently encrypting writes to the portion of the storage device based on the key independent of a request to encrypt the portion of the storage device from a user, and subsequently decrypting reads from the portion of the storage device based on the key;

the provisioning including;

provisioning the inline cryptographic processor with the key without user authentication credentials being provided to the computing device until the request to encrypt the portion is received, andin response to the request to encrypt the portion, provisioning the inline cryptographic processor with the key only when the user authentication credentials are provided to the computing device; and

returning, by the trusted runtime, in response to the request to encrypt the portion, an indication that data on the portion is encrypted without waiting for data on the portion to be encrypted because data previously written to the portion was already encrypted when the data was stored on the portion.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing device uses a data encryption and decryption system that includes a trusted runtime and an inline cryptographic processor. The trusted runtime provides a trusted execution environment, and the inline cryptographic processor provides decryption and encryption of data in-line with storage device read and write operations. When a portion (e.g., partition) of a storage device is defined, the trusted runtime generates an encryption key and provides the encryption key to the inline cryptographic processor, which uses the encryption key to encrypt data written to the portion and decrypt data read from the portion. Access to the portion can be subsequently protected by associating the key with authentication credentials of a user or other entity. The trusted runtime protects the encryption key based on an authentication key associated with the authentication credentials, allowing subsequent access to the encryption key only in response to the proper authentication credentials being provided.

Citations

20 Claims

1. A method implemented in a computing device having an inline cryptographic processor implemented at least in part in hardware, the method comprising:
- receiving, at a trusted runtime, a request to generate a key for a portion of a storage device, the request to generate the key being received as part of creation of the portion of the storage device, the trusted runtime being isolated from other programs in the computing device;
  
  in response to the request to generate the key, the trusted runtime;
  
  generating the key,persisting the key across power cycles of the computing device,provisioning the inline cryptographic processor of the computing device with the key to be stored in a register of the inline cryptographic processor, andthe inline cryptographic processor subsequently encrypting writes to the portion of the storage device based on the key independent of a request to encrypt the portion of the storage device from a user, and subsequently decrypting reads from the portion of the storage device based on the key;
  
  the provisioning including;
  
  provisioning the inline cryptographic processor with the key without user authentication credentials being provided to the computing device until the request to encrypt the portion is received, andin response to the request to encrypt the portion, provisioning the inline cryptographic processor with the key only when the user authentication credentials are provided to the computing device; and
  
  returning, by the trusted runtime, in response to the request to encrypt the portion, an indication that data on the portion is encrypted without waiting for data on the portion to be encrypted because data previously written to the portion was already encrypted when the data was stored on the portion.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method as recited in claim 1, the portion of the storage device comprising a newly defined partition of the storage device.
  - 3. The method as recited in claim 1, further comprising the trusted runtime generating a protected key using a secret key known only to the trusted runtime by encrypting the key with the secret key.
  - 4. The method as recited in claim 1, further comprising the trusted runtime, in response to the request to encrypt the portion:
    - protecting the key based on an authentication key associated with authentication credentials provided to the computing device;
      
      ceasing having the key persisted across power cycles of the computing device; and
      
      having the protected key persisted across power cycles of the computing device.
  - 5. The method as recited in claim 4, the protecting the key based on the authentication key comprising encrypting the key based on the authentication key.
  - 6. The method as recited in claim 4, further comprising:
    - receiving, after receiving the request to encrypt the portion, a request to lock the portion; and
      
      in response to the request to lock the portion, removing the key from both the trusted runtime and the inline cryptographic processor.
  - 7. The method as recited in claim 6, further comprising:
    - receiving, after removing the key from both the trusted runtime and the inline cryptographic processor, a request to unlock the portion; and
      
      in response to the request to unlock the portion;
      
      obtaining, based on the protected key, the key from the protected key, andprovisioning the inline cryptographic processor of the computing device with the obtained key.
  - 8. The method as recited in claim 4, further comprising:
    - receiving, after receiving the request to encrypt the portion, a request to disable protection of the portion; and
      
      in response to the request to disable protection of the portion;
      
      obtaining, based on the protected key, the key from the protected key, andpersisting the obtained key using the trusted runtime.
  - 9. The method as recited in claim 4, further comprising:
    - receiving, after receiving the request to encrypt the portion, a request for migration or recovery of the key; and
      
      in response to the request for migration or recovery of the key, revealing the protected key to a requester that issued the request for migration or recovery of the key.
  - 10. The method as recited in claim 1, further comprising:
    - receiving a request for migration or recovery of the key; and
      
      in response to the request for migration or recovery of the key, revealing the key to a requester that issued the request for migration or recovery of the key.

11. A computing device comprising:
- a trusted runtime that is isolated from an operating system of the computing device and that is configured to;
  
  receive a request to generate a key for a portion of a storage device, the request to generate the key being received as part of creation of the portion,generate the key for the portion of the storage device,persist the key across power cycles of the computing device,provision an inline cryptographic processor of the computing device with the key to be stored in a register of the inline cryptographic processor, the inline cryptographic processor subsequently encrypting writes to the portion of the storage device based on the key independent of a request to encrypt the portion of the storage device from a user, and subsequently decrypting reads from the portion of the storage device based on the key, andreturn, in response to a request to encrypt the portion of the storage device, an indication that data on the portion of the storage device is encrypted without waiting for data on the portion to be encrypted because data previously written to the portion was already encrypted when the data was stored on the portion; and
  
  the inline cryptographic processor configured to;
  
  receive the key from the trusted runtime to provide unrestricted access to data stored on the portion until the request is received, and in response to the request to provide access to the data stored on the portion only when user authentication credentials are provided to the computing device,encrypt, in response to receipt of the key, subsequent writes to the portion of the storage device based on the key, anddecrypt, in response to receipt of the key, subsequent reads from the portion of the storage device based on the key.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The computing device as recited in claim 11, the portion of the storage device comprising a newly defined partition of the storage device.
  - 13. The computing device as recited in claim 11, the trusted runtime being further configured to generate the key in response to a request to generate the key, and to generate a protected key using a secret key known only to the trusted runtime by encrypting the key with the secret key in response to the request to generate the key.
  - 14. The computing device as recited in claim 11, the trusted runtime being further configured to, in response to the request that protection of the portion be enabled:
    - protect the key based on an authentication key associated with authentication credentials provided to the computing device;
      
      cease having the key persisted across power cycles of the computing device; and
      
      have the protected key persisted across power cycles of the computing device.
  - 15. The computing device as recited in claim 14, wherein to protect the key based on the authentication key is to encrypt the key based on the authentication key.
  - 16. The computing device as recited in claim 14, the trusted runtime being further configured to:
    - receive, after receiving the request that protection of the portion be enabled, a request to lock the portion; and
      
      in response to the request to lock the portion, remove the key from both the trusted runtime and the inline cryptographic processor.
  - 17. The computing device as recited in claim 16, the trusted runtime being further configured to:
    - receive, after removing the key from both the trusted runtime and the inline cryptographic processor, a request to unlock the portion; and
      
      in response to the request to unlock the portion;
      
      obtain, based on the protected key, the key from the protected key,provision the inline cryptographic processor of the computing device with the obtained key, andreturn an identifier of the obtained key to allow the operating system of the computing device to identify to the inline cryptographic processor to use the obtained key, the identifier of the obtained key not allowing the operating system to obtain the key.
  - 18. The computing device as recited in claim 14, the trusted runtime being further configured to:
    - receive, after receiving the request that protection of the portion be enabled, a request to disable protection of the portion; and
      
      in response to the request to disable protection of the portion;
      
      obtain, based on the protected key, the key from the protected key,persist the obtained key using the trusted runtime, andremove the protected key from the trusted runtime.
  - 19. The computing device as recited in claim 14, further comprising a storage device protection system configured to manage authentication of credentials and to manage configuration of the trusted runtime based on the authenticated credentials,the trusted runtime being further configured to:
    - receive, after receiving the request that protection of the portion be enabled, a request for migration or recovery of the key,in response to the request for migration or recovery of the key, reveal the protected key to a requester that issued the request for migration or recovery of the key, andpersist an indication that the protected key has been revealed along with the protected key; and
      
      the storage device protection system being further configured to;
      
      retrieve the indication that the protected key has been revealed from the trusted runtime,display a warning that the protected key for the portion has been revealed, andreceive user approval to proceed with using the portion of the storage device before providing the authentication key to the trusted runtime, the authentication key associated with the user authentication credentials provided to the computing device.

20. A computing device comprising:
- a trusted runtime that is isolated from an operating system of the computing device and that is configured to;
  
  receive a request to generate a key for a portion of a storage device, the request to generate the key being received as part of creation of the portion,generate the key for the portion of the storage device,persist the key across power cycles of the computing device,provision an inline cryptographic processor of the computing device with the key to be stored in a register of the inline cryptographic processor, the inline cryptographic processor subsequently encrypting writes to the portion of the storage device based on the key independent of a request to encrypt the portion of the storage device from a user, and subsequently decrypting reads from the portion of the storage device based on the key, andreturn, in response to a request to encrypt the portion of the storage device, an indication that data on the portion of the storage device is encrypted without waiting for data on the portion to be encrypted because data previously written to the portion was already encrypted when the data was stored on the portion; and
  
  the inline cryptographic processor configured to;
  
  receive the key from the trusted runtime to provide access to data stored on the portion without user authentication credentials being provided to the computing device until the request to encrypt the portion is received, and in response to the request to encrypt the portion to provide access to the data stored on the portion only when the user authentication credentials are provided to the computing device,protect the key based on a secret key by encrypting the key with the secret key known only to the inline cryptographic processor,return the protected key to the operating system of the computing device, the protected key allowing the operating system to identify to the inline cryptographic processor which key to use without allowing the operating system to obtain the key,encrypt, in response to receipt of the key, subsequent writes to the portion of the storage device based on the key, anddecrypt, in response to receipt of the key, subsequent reads from the portion of the storage device based on the key without the user authentication credentials being provided to the computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Basmov, Innokentiy, Nystrom, Magnus Bo Gustaf, Ferguson, Niels T., Semenko, Alex M.
Primary Examiner(s)
King, John B
Assistant Examiner(s)
Dhruv, Darshan I

Application Number

US14/221,105
Publication Number

US 20150270956A1
Time in Patent Office

2,210 Days
Field of Search

713189
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/74   operating in dual or compar...

G06F 21/78   to assure secure storage of...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 9/0816   Key establishment, i.e. cry...

Rapid data protection for storage devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Rapid data protection for storage devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links