Migration of full-disk encrypted virtualized storage between blade servers

US 20090169020A1
Filed: 12/30/2008
Published: 07/02/2009
Est. Priority Date: 12/28/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

obtaining a key to perform an operation on a first blade server of a plurality of blade servers from a virtual security hardware instance associated with the first blade server;

providing the key via the secure out-of-band communication channel to the first blade server; and

migrating the key from the first blade server to a second blade server of the plurality of blade servers.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system and computer-readable storage medium with instructions to migrate full-disk encrypted virtual storage between blade servers. A key is obtained to perform an operation on a first blade server. The key is obtained from a virtual security hardware instance and provided to the first blade server via a secure out-of-band communication channel. The key is migrated from the first blade server to a second blade server. The key is used to perform hardware encryption of data stored on the first blade server. The data are migrated to the second blade server without decrypting the data at the first blade server, and the second blade server uses the key to access the data. Other embodiments are described and claimed.

Citations

19 Claims

1. A method comprising:
- obtaining a key to perform an operation on a first blade server of a plurality of blade servers from a virtual security hardware instance associated with the first blade server;
  
  providing the key via the secure out-of-band communication channel to the first blade server; and
  
  migrating the key from the first blade server to a second blade server of the plurality of blade servers.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising:
    - using the key to perform hardware encryption of data stored on the first blade server;
      
      migrating the data to the second blade server without decrypting the data at the first blade server; and
      
      using the key to access the data at the second blade server.
  - 3. The method of claim 1 whereinthe key is obtained in response to a command directed to first security hardware associated with the first blade server.
  - 4. The method of claim 3 further comprising:
    - intercepting the command directed to the first security hardware associated with the first blade server; and
      
      sending the command via the secure out-of-band communication channel to the virtual security hardware instance.
  - 5. The method of claim 3 whereinthe command is issued by software running on the first blade server;
    - andthe key is provided to the software to perform the operation.
  - 6. The method of claim 1 whereinthe virtual security hardware instance is one of a plurality of virtual security hardware instances managed by a chassis management module;
    - each of the plurality of virtual security hardware instances corresponds to one of the plurality of blade servers; and
      
      the chassis management module provides the key via the secure out-of-band communication channel to the first blade server.
  - 7. The method of claim 1 whereinthe key is a storage root key for the virtual security hardware instance.

8. A system comprising:
- a plurality of blade servers, whereina first blade server of the plurality of blade servers further comprises an interface configured to obtain a key to perform an operation on the first blade server from a first virtual security hardware instance of a plurality of virtual security hardware instances;
  
  a chassis management module configured to provide the plurality of virtual security hardware instances, each of the virtual security hardware instances corresponding to a respective blade server of the plurality of blade servers; and
  
  a secure out-of-band communication channel between the chassis management module and the plurality of blade servers;
  
  wherein the chassis management module is further configured to;
  
  provide the key via the secure out-of-band communication channel to the first blade server; and
  
  migrate the key from the first blade server to a second blade server of the plurality of blade servers.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The system of claim 8 whereinthe first blade server is configured to use the key to perform hardware encryption of data stored on the first blade server;
    - the chassis management module is configured to migrate the data to the second blade server without decrypting the data at the first blade server; and
      
      the second blade server is configured to use the key to access the data at the second blade server.
  - 10. The system of claim 8 whereinthe key is obtained in response to a command directed to first security hardware associated with the first blade server.
  - 11. The system of claim 10 further comprising:
    - an interface at the first blade server configured tointercept the command directed to the first security hardware associated with the first blade server; and
      
      send the command via the secure out-of-band communication channel to the first virtual security hardware instance.
  - 12. The system of claim 10 whereinthe command is issued by software running on the first blade server;
    - andthe key is provided to the software to perform the operation.
  - 13. The system of claim 8 whereinthe key is a storage root key for the first virtual security hardware instance.

14. A computer-readable storage medium comprising:
- instructions to obtain a key to perform an operation on a first blade server of a plurality of blade servers from a virtual security hardware instance associated with the first blade server;
  
  instructions to provide the key via the secure out-of-band communication channel to the first blade server; and
  
  instructions to migrate the key from the first blade server to a second blade server of the plurality of blade servers.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The computer-readable storage medium of claim 14 further comprising:
    - instructions to use the key to perform hardware encryption of data stored on the first blade server;
      
      instructions to migrate the data to the second blade server without decrypting the data at the first blade server; and
      
      instructions to use the key to access the data at the second blade server.
  - 16. The computer-readable storage medium of claim 14 whereinthe key is obtained in response to a command directed to first security hardware associated with the first blade server.
  - 17. The computer-readable storage medium of claim 16 further comprising:
    - instructions to intercept the command directed to the first security hardware associated with the first blade server; and
      
      instructions to send the command via the secure out-of-band communication channel to the virtual security hardware instance.
  - 18. The computer-readable storage medium of claim 16 whereinthe command is issued by software running on the first blade server;
    - andthe key is provided to the software to perform the operation.
  - 19. The computer-readable storage medium of claim 14 whereinthe key is a storage root key for the first virtual security hardware instance.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Zimmer, Vincent J., Sakthikumar, Palsamy

Granted Patent

US 9,047,468 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/278
CPC Class Codes

G06F 11/203   using migration

G06F 21/57   Certifying or maintaining t...

G06F 21/80   in storage media based on m...

G06F 2221/2107   File encryption

H04L 41/00   Arrangements for maintenanc...

H04L 41/28   Restricting access to netwo...

H04L 41/344   Out-of-band transfers

H04L 63/061   for key exchange, e.g. in p...

H04L 9/0827   involving distinctive inter...

H04L 9/0877   using additional device, e....

Migration of full-disk encrypted virtualized storage between blade servers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Migration of full-disk encrypted virtualized storage between blade servers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links