Corralling Virtual Machines With Encryption Keys
First Claim
1. At a management service in a computerized environment comprising one or more virtual machines and one or more virtual hard disks corresponding to each of the one or more virtual machines, a method of securely managing the one or more virtual machines on one or more physical hosts using or more encryption keys, comprising the acts of:
- creating one or more virtual machines on one or more physical hosts, wherein each of the one or more virtual machines comprises a unique ID, and is associated with one or more virtual hard disks;
associating an encryption key with one or more of the one or more virtual machine unique IDs;
encrypting one or more of the one or more virtual hard disks for each of the one or more virtual machines associated with the encryption key;
providing the encryption key to one or more hypervisor components that interface between the virtual machines and the associated one or more virtual hard disks, wherein the one or more hypervisor components provide read/write access of the one or more encrypted drives to the corresponding virtual machine using the provided encryption key.
2 Assignments
0 Petitions
Accused Products
Abstract
A virtual machine comprises a unique identifier that is associated with one or more encryption keys. A management server encrypts the virtual machine'"'"'s virtual hard disk(s) using the one or more associated encryption keys. The management server further provides the one or more encryption keys to a limited number of one or more servers in a system. Only those one or more servers that have been provided the one or more encryption keys can be used to load, access, and/or operate the virtual machine. The management server can thus differentiate which virtual machines can be operated on which servers by differentiating which servers can receive which encryption keys. In one implementation, a management server encrypts all virtual machines in the system, but encrypts virtual machines with sensitive data with a limited set of encryption keys, and further provides those encryption keys to a limited set of trusted servers.
134 Citations
20 Claims
-
1. At a management service in a computerized environment comprising one or more virtual machines and one or more virtual hard disks corresponding to each of the one or more virtual machines, a method of securely managing the one or more virtual machines on one or more physical hosts using or more encryption keys, comprising the acts of:
-
creating one or more virtual machines on one or more physical hosts, wherein each of the one or more virtual machines comprises a unique ID, and is associated with one or more virtual hard disks; associating an encryption key with one or more of the one or more virtual machine unique IDs; encrypting one or more of the one or more virtual hard disks for each of the one or more virtual machines associated with the encryption key; providing the encryption key to one or more hypervisor components that interface between the virtual machines and the associated one or more virtual hard disks, wherein the one or more hypervisor components provide read/write access of the one or more encrypted drives to the corresponding virtual machine using the provided encryption key. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
-
-
15. At a management service in a computerized environment comprising one or more virtual machines and one or more virtual machine hard disks corresponding to each of the one or more virtual machines, a method of securely migrating the one or more virtual machines between physical hosts, comprising the acts of:
-
providing one or more encryption keys to a plurality of different physical hosts on which are executed one or more virtual machines; associating one or more virtual machines with each of the one or more encryption keys; correlating into one or more groups one or more virtual machines and one or more physical hosts with one or more common encryption keys per each group; and migrating any of the virtual machines to any physical host within the group that comprises an appropriate encryption key, wherein migration of the virtual machine outside of the group renders the virtual machine inaccessible. - View Dependent Claims (16, 17, 18, 19)
-
-
20. At a management service in a computerized environment comprising one or more virtual machines and one or more virtual hard disks corresponding to each of the one or more virtual machines, a computer program storage product having computer-executable instructions stored thereon that, when executed, cause one or more processors in a computer system to perform a method comprising:
-
creating one or more virtual machines on one or more physical hosts, wherein each of the one or more virtual machines comprises a unique ID, and is associated with one or more virtual hard disks; associating an encryption key with one or more of the one or more virtual machine unique IDs; encrypting one or more of the one or more virtual hard disks for each of the one or more virtual machines associated with the encryption key; providing the encryption key to one or more hypervisor components that interface between the virtual machines and the associated one or more virtual hard disks, wherein the one or more hypervisor components provide read/write access of the one or more encrypted drives to the corresponding virtual machine using the provided encryption key.
-
Specification