ENCRYPTING OPERATING SYSTEM
Abstract
A method of and system for encrypting and decrypting data on a computer system is disclosed. In one embodiment, the system comprises an encrypting operating system (EOS), which is a modified UNIX operating system. The EOS is configured to use a symmetric encryption algorithm and an encryption key to encrypt data transferred from physical memory to secondary devices, such as disks, swap devices, network file systems, network buffers, pseudo file systems, or any other structures external to the physical memory and on which data can be stored. The EOS further uses the symmetric encryption algorithm and the encryption key to decrypt data transferred from the secondary devices back to physical memory. In other embodiments, the EOS adds an extra layer of security by also encrypting the directory structure used to locate the encrypted data. In a further embodiment, a user or process is authenticated and its credentials checked before a file can be accessed, using a key management facility that controls access to one or more keys for encrypting and decrypting data.
71 Claims
1. A computer system comprising a memory portion containing an encrypted data file and an operating system comprising a kernel to use a unique system-identifier to verify a user to control access to the encrypted data file, wherein the kernel comprises a virtual node (a) to decrypt an encrypted directory entry to determine a location of the encrypted data file and (b) to decrypt the encrypted data file to access data file contents contained therein.

16. (canceled)

26. A computer system comprising:
a. a first device having an operating system kernel, to encrypt clear data using an encryption key to generate cipher data, and to decrypt the cipher data using the encryption key to generate the clear data;
b. a key generator to generate one or more encryption keys usable for encrypting and decrypting data only on the computer system; and
c. a second device coupled to the first device to exchange cipher data with the first device.
(Dependent claims: 27, 28, 29, 30, 31, 32, 33, 34, 35)

36. A method of encrypting data, the method comprising:
a. receiving a clear data file; and
b. executing kernel code in an operating system, the kernel code using a symmetric key to encrypt the clear data file to generate an encrypted data file, the kernel code further using the symmetric key to decrypt the encrypted data file to generate the clear data file, wherein the symmetric key is generated in part by dividing a key into sub-keys each corresponding to a different block of the data file, modifying each of the sub-keys in a manner unique to its corresponding block to produce modified sub-keys, and combining the modified sub-keys.
(Dependent claims: 37, 38, 39, 40, 41, 42, 43, 44, 45, 47)

46. (canceled)

48. A computer system comprising:
a. a processor;
b. a physical memory storing a data file;
c. a secondary device coupled to the physical memory; and
d. an operating system comprising a kernel, the kernel to encrypt and decrypt data transferred between the physical memory and the secondary device using one or more keys generated from one or more identifiers of one or more of the data file, a root directory containing the data file, and a file system containing the root directory.
(Dependent claims: 49, 50, 51, 52)

53-58. (canceled)

59. A method of decrypting a data file on a computer system comprising:
granting permission to access the data file by determining that the data file was encrypted on the computer system as an encrypted data file;
determining a location of the encrypted data file on the computer system by decrypting an encrypted directory entry; and
decrypting the encrypted data file.
(Dependent claims: 60, 61, 62, 63, 64, 65, 66)

67. A method comprising:
decrypting data in a kernel of an operating system with a key that is usable only on a computer system on which the data was originally encrypted.
(Dependent claims: 68, 69, 70, 71)
Specification