Method, system, and program for encrypting files in a computer system

US 20020166053A1
Filed: 05/02/2001
Published: 11/07/2002
Est. Priority Date: 05/02/2001
Status: Active Grant

First Claim

Patent Images

1. A method for encrypting data in a computer in communication with a volatile memory and non-volatile storage device, comprising:

encrypting pages in the volatile memory to move to a swap file in the non-volatile storage device as part of a virtual addressing system;

moving the encrypted pages from the volatile memory to the swap file;

decrypting pages in the swap file to move back into the volatile memory; and

moving the decrypted pages in the swap file back into the volatile memory.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided is a method, system, and program for encrypting files in a computer in communication with a volatile memory and non-volatile storage device. An encryption code is generated to encrypt a file and a decryption code is generated to decrypt one file encrypted with the encryption code. The decryption code is loaded into the volatile memory, wherein the decryption code is erased from the volatile memory when the computer reboots. Files written to the non-volatile storage device are encrypted using the encryption code and the decryption code in the non-volatile memory is used to decrypt files encrypted with the encryption code to transfer from the non-volatile storage device to the volatile memory.

193 Citations

48 Claims

1. A method for encrypting data in a computer in communication with a volatile memory and non-volatile storage device, comprising:
- encrypting pages in the volatile memory to move to a swap file in the non-volatile storage device as part of a virtual addressing system;
  
  moving the encrypted pages from the volatile memory to the swap file;
  
  decrypting pages in the swap file to move back into the volatile memory; and
  
  moving the decrypted pages in the swap file back into the volatile memory.
- View Dependent Claims (2, 3, 4, 5, 12)
- - 2. The method of claim 1, further comprising:
    - generating codes to use to encrypt and decrypt the pages.
  - 3. The method of claim 2, wherein the codes comprise a public/private key pair generated using a public key cryptography algorithm, wherein one key of the pair is used to encrypt the pages moved to the swap file and the other key of the pair is used to decrypt the page when moving the page from the swap file to the volatile memory.
  - 4. The method of claim 2, wherein the codes are permanently lost if the computer performs a boot operation.
  - 5. The method of claim 2, wherein the codes are loaded into a non-swappable region of the volatile memory that is not moved to the swap file.
  - 12. The method of claim 1, wherein the second encryption code is accessed from a removable storage medium.

6. A method for encrypting files in a computer file system in communication with a volatile memory and a non-volatile storage device, wherein files in the file system are associated with groups, comprising:
- providing, for each group, a group identifier, a list of user identifiers of users allowed to access files in the group, and a first encryption code;
  
  receiving a second encryption code for one user identifier;
  
  receiving an input/output (I/O) request from a requesting user identifier with respect to a target file, wherein one second encryption code has been received for the user identifier;
  
  determining the group associated with the target file and the first encryption code for the group;
  
  if the I/O request is a write operation, then using the determined first encryption code to encrypt the target file to write the target file to the non-volatile storage device; and
  
  if the I/O request is a read operation to read the target file from the non-volatile storage device, then performing;
  
  (i) determining whether the requesting user identifier is in the list for the determined group; and
  
  (ii) if the requesting user identifier is in the list, then using the second encryption code for the user identifier to decrypt the target file.
- View Dependent Claims (7, 8, 9, 10, 11, 14, 15, 16, 18, 19, 20, 21)
- - 7. The method of claim 6, further comprising:
    - for each group, generating a public and private encryption key pair using a public key encryption algorithm, wherein the first encryption code for the group is one of the generated public key or private key and the second encryption code is the other one of the public or private key generated for the group.
  - 8. The method of claim 7, further comprising receiving a plurality of keys from the user, wherein each received key is used to decrypt files associated with one group identifier.
  - 9. The method of claim 7, further comprising:
    - generating an index entry in a non-swappable region in the volatile memory; and
      
      adding to the index entry the user identifier of the user that provided the key, the group identifier associated with the received key, and the received key.
  - 10. The method of claim 9, wherein the index entry for the user identifier and group identifier is only generated if the user identifier is included in the list associated with the group identifier, and wherein the user identifier cannot perform a read access for the target file if there is no index entry for the group identifier associated with the target file and the user identifier.
  - 11. The method of claim 9, wherein files read and decrypted from the non-volatile storage device are cached in the volatile memory, and wherein if the requested file is unencrypted in the cache, returning the unencrypted file from the cache to the requesting user identifier if the requesting user identifier is in the list associated with the group identifier and there is one index entry for the user identifier and group identifier in the volatile memory.
  - 14. The method of claim 13, further comprising:
    - generating a new encryption and decryption codes when the computer reboots, wherein the new encryption code is used to transfer files from the volatile memory to the non-volatile storage device and wherein the new decryption code is used to transfer files from the nonvolatile storage device to the volatile memory as part of a read operation.
  - 15. The method of claim 13, wherein the decryption code is loaded into a non-swappable region of the volatile memory.
  - 16. The method of claim 13, wherein the files are transferred between the volatile memory and non-volatile storage as part of a virtual memory paging operation.
  - 18. The system of claim 17, further comprising:
    - means for generating codes to use to encrypt and decrypt the pages.
  - 19. The system of claim 18, wherein the codes comprise a public/private key pair generated using a public key cryptography algorithm, wherein one key of the pair is used to encrypt the pages moved to the swap file and the other key of the pair is used to decrypt the page when moving the page from the swap file to the volatile memory.
  - 20. The system of claim 18, wherein the codes are permanently lost if the computer performs a boot operation.
  - 21. The system of claim 18, further comprising:
    - means for loading the codes into a non-swappable region of the volatile memory that is not moved to the swap file.

13. A method for encrypting files in a computer in communication with a volatile memory and non-volatile storage device, comprising:
- generating an encryption code to encrypt a file and a decryption code to decrypt one file encrypted with the encryption code;
  
  loading the decryption code into the volatile memory, wherein the decryption code is erased from the volatile memory when the computer reboots;
  
  encrypting files with the encryption code to transfer from the volatile memory to the non-volatile storage device; and
  
  decrypting files with the decryption code maintained in the volatile memory to transfer from the non-volatile storage device to the volatile memory.

17. A system for encrypting data, comprising:
- a volatile memory;
  
  a non-volatile storage device, wherein data is capable of being transferred between the volatile memory and non-volatile storage device;
  
  means for encrypting pages in the volatile memory to move to a swap file in the nonvolatile storage device as part of a virtual addressing system;
  
  means for moving the encrypted pages from the volatile memory to the swap file;
  
  means for decrypting pages in the swap file to move back into the volatile memory; and
  
  means for moving the decrypted pages in the swap file back into the volatile memory.

22. A system for encrypting files, comprising:
- a non-volatile storage device, wherein the non-volatile storage device includes a computer file system, wherein files in the file system are associated with groups;
  
  means for providing, for each group, a group identifier, a list of user identifiers of users allowed to access files in the group, and a first encryption code;
  
  means for receiving a second encryption code for one user identifier;
  
  means for receiving an input/output (I/O) request from a requesting user identifier with respect to a target file, wherein one second encryption code has been received for the user identifier;
  
  means for determining the group associated with the target file and the first encryption code for the group;
  
  means for using the determined first encryption code to encrypt the target file to write the target file to the non-volatile storage device if the I/0 request is a write operation; and
  
  means for performing if the I/O request is a read operation to read the target file from the non-volatile storage device;
  
  (i) determining whether the requesting user identifier is in the list for the determined group; and
  
  (ii) if the requesting user identifier is in the list, then using the second encryption code for the user identifier to decrypt the target file.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 30, 31, 32)
- - 23. The system of claim 22, further comprising:
    - means for generating, for each group, a public and private encryption key pair using a public key encryption algorithm, wherein the first encryption code for the group is one of the generated public key or private key and the second encryption code is the other one of the public or private key generated for the group.
  - 24. The system of claim 23, further comprising:
    - means for receiving a plurality of keys from the user, wherein each received key is used to decrypt files associated with one group identifier.
  - 25. The system of claim 23, further comprising:
    - means for generating an index entry in a non-swappable region in the volatile memory; and
      
      means for adding to the index entry the user identifier of the user that provided the key, the group identifier associated with the received key, and the received key.
  - 26. The system of claim 25, wherein the index entry for the user identifier and group identifier is only generated if the user identifier is included in the list associated with the group identifier, and wherein the user identifier cannot perform a read access for the target file if there is no index entry for the group identifier associated with the target file and the user identifier.
  - 27. The system of claim 25, wherein files read and decrypted from the non-volatile storage device are cached in the volatile memory, further comprising:
    - returning the unencrypted file from the cache to the requesting user identifier if the requested file is unencrypted in the cache and if the requesting user identifier is in the list associated with the group identifier and if there is one index entry for the user identifier and group identifier in the volatile memory.
  - 28. The system of claim 22, wherein the second encryption code is accessed from a removable storage medium.
  - 30. The system of claim 29, further comprising:
    - means for generating a new encryption and decryption codes when the computer reboots, wherein the new encryption code is used to transfer files from the volatile memory to the non-volatile storage device and wherein the new decryption code is used to transfer files from the non-volatile storage device to the volatile memory as part of a read operation.
  - 31. The system of claim 29, wherein the decryption code is loaded into a non-swappable region of the volatile memory.
  - 32. The system of claim 29, wherein the files are transferred between the volatile memory and non-volatile storage as part of a virtual memory paging operation.

29. A system for encrypting files, comprising:
- a volatile memory;
  
  a non-volatile storage device, wherein data is capable of being transferred between the volatile memory and non-volatile storage device;
  
  means for generating an encryption code to encrypt a file and a decryption code to decrypt one file encrypted with the encryption code;
  
  means for loading the decryption code into the volatile memory, wherein the decryption code is erased from the volatile memory when the computer reboots;
  
  means for encrypting files with the encryption code to transfer from the volatile memory to the non-volatile storage device; and
  
  means for decrypting files with the decryption code maintained in the volatile memory to transfer from the non-volatile storage device to the volatile memory.

33. An article of manufacture including program logic for encrypting data in a computer in communication with a volatile memory and non-volatile storage device, by:
- encrypting pages in the volatile memory to move to a swap file in the non-volatile storage device as part of a virtual addressing system;
  
  moving the encrypted pages from the volatile memory to the swap file;
  
  decrypting pages in the swap file to move back into the volatile memory; and
  
  moving the decrypted pages in the swap file back into the volatile memory.
- View Dependent Claims (34, 35, 36, 37, 39, 40, 41, 42, 43, 44, 46, 47, 48)
- - 34. The article of manufacture of claim 33, further comprising:
    - generating codes to use to encrypt and decrypt the pages.
  - 35. The article of manufacture of claim 34, wherein the codes comprise a public/private key pair generated using a public key cryptography algorithm, wherein one key of the pair is used to encrypt the pages moved to the swap file and the other key of the pair is used to decrypt the page when moving the page from the swap file to the volatile memory.
  - 36. The article of manufacture of claim 34, wherein the codes are permanently lost if the computer performs a boot operation.
  - 37. The article of manufacture of claim 34, wherein the codes are loaded into a non-swappable region of the volatile memory that is not moved to the swap file.
  - 39. The article of manufacture of claim 38, further comprising:
    - for each group, generating a public and private encryption key pair using a public key encryption algorithm, wherein the first encryption code for the group is one of the generated public key or private key and the second encryption code is the other one of the public or private key generated for the group.
  - 40. The article of manufacture of claim 39, further comprising receiving a plurality of keys from the user, wherein each received key is used to decrypt files associated with one group identifier.
  - 41. The article of manufacture of claim 39, further comprising:
    - generating an index entry in a non-swappable region in the volatile memory; and
      
      adding to the index entry the user identifier of the user that provided the key, the group identifier associated with the received key, and the received key.
  - 42. The article of manufacture of claim 41, wherein the index entry for the user identifier and group identifier is only generated if the user identifier is included in the list associated with the group identifier, and wherein the user identifier cannot perform a read access for the target file if there is no index entry for the group identifier associated with the target file and the user identifier.
  - 43. The article of manufacture of claim 41, wherein files read and decrypted from the non-volatile storage device are cached in the volatile memory, and wherein if the requested file is unencrypted in the cache, returning the unencrypted file from the cache to the requesting user identifier if the requesting user identifier is in the list associated with the group identifier and there is one index entry for the user identifier and group identifier in the volatile memory.
  - 44. The article of manufacture of claim 38, wherein the second encryption code is accessed from a removable storage medium.
  - 46. The article of manufacture of claim 45, further comprising:
    - generating a new encryption and decryption codes when the computer reboots, wherein the new encryption code is used to transfer files from the volatile memory to the non-volatile storage device and wherein the new decryption code is used to transfer files from the nonvolatile storage device to the volatile memory as part of a read operation.
  - 47. The article of manufacture of claim 45, wherein the decryption code is loaded into a non-swappable region of the volatile memory.
  - 48. The article of manufacture of claim 45, wherein the files are transferred between the volatile memory and non-volatile storage as part of a virtual memory paging operation.

38. An article of manufacture including program logic for encrypting files in a computer file system in communication with a volatile memory and a non-volatile storage device, wherein files in the file system are associated with groups by:
- providing, for each group, a group identifier, a list of user identifiers of users allowed to access files in the group, and a first encryption code;
  
  receiving a second encryption code for one user identifier, receiving an input/output (I/O) request from a requesting user identifier with respect to a target file, wherein one second encryption code has been received for the user identifier;
  
  determining the group associated with the target file and the first encryption code for the group;
  
  if the I/O request is a write operation, then using the determined first encryption code to encrypt the target file to write the target file to the non-volatile storage device; and
  
  if the I/O request is a read operation to read the target file from the non-volatile storage device, then performing;
  
  (i) determining whether the requesting user identifier is in the list for the determined group; and
  
  (ii) if the requesting user identifier is in the list, then using the second encryption code for the user identifier to decrypt the target file.

45. An article of manufacture including program logic for encrypting files in a computer in communication with a volatile memory and non-volatile storage device by:
- generating an encryption code to encrypt a file and a decryption code to decrypt one file encrypted with the encryption code;
  
  loading the decryption code into the volatile memory, wherein the decryption code is erased from the volatile memory when the computer reboots;
  
  encrypting files with the encryption code to transfer from the volatile memory to the non-volatile storage device; and
  
  decrypting files with the decryption code maintained in the volatile memory to transfer from the non-volatile storage device to the volatile memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Wilson, Rodger P.

Granted Patent

US 6,941,456 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/189
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06F 21/78   to assure secure storage of...

G06F 2221/2107   File encryption

Method, system, and program for encrypting files in a computer system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

193 Citations

48 Claims

Specification

Solutions

Use Cases

Quick Links

Method, system, and program for encrypting files in a computer system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

193 Citations

48 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links