KEY MANAGEMENT TO PROTECT ENCRYPTED DATA OF AN ENDPOINT COMPUTING DEVICE
First Claim
1. In a computing system environment, a method of protecting encrypted data of an endpoint computing device, the encrypted data able to be decrypted with a key located at the endpoint computing device, comprising:
- determining whether the encrypted data has been compromised;
- upon a subsequent booting of the endpoint, launching a pre-boot phase of operation during which time a pre-boot operating system prevents a user of the endpoint from accessing the encrypted data and the key, the pre-boot phase of operation further including, determining whether the key requires disassociation from the encrypted data; and
- if so, disassociating the key.
Abstract
Methods and apparatus involve protecting encrypted data of endpoint computing assets by managing decryption keys. The endpoint has both a traditional operating system for applications, and the like, and another operating system during a pre-boot phase of operation. During use, the pre-boot operating system prevents users of the endpoint from accessing the encrypted data and the key. Upon determining the encrypted data has been compromised, the key is disassociated from the encrypted data. Disassociation can occur in a variety of ways including deleting or scrambling the key and/or data or re-encrypting the encrypted data with a new key. Key escrowing and updating through the pre-boot is further contemplated. The pre-boot phase also contemplates a limited computing connection between the endpoint and a specified authentication server and approved networking ports, USB devices and biometric equipment. Security policies and enforcement modules are also disclosed as are computer program products, computing arrangements, etc.
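The abstract and claims describe the mechanism only in prose. The following is an added illustration of the pre-boot key-disassociation flow, written for this page; it is not the patent's implementation nor code from any product. Every name in it (`Endpoint`, `pre_boot_phase`, `Disassociation`, `restore_key_from_escrow`) is assumed, the trusted platform module key slot is modelled as a plain field, and an HMAC-SHA256 counter-mode keystream stands in for the endpoint's real cipher. It covers the three disassociation options the abstract names (delete, scramble, re-encrypt under a new key) and the escrow-based key update over the limited pre-boot connection to the authentication server.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple

NONCE_LEN = 16
KEY_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode as a stand-in PRF (illustration only;
    a real endpoint would use an authenticated cipher such as AES-GCM)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


class Disassociation(Enum):
    """The three disassociation methods the abstract names."""
    DELETE = "delete"      # remove the key from the endpoint's key store
    SCRAMBLE = "scramble"  # overwrite the key in place with random bytes
    REKEY = "rekey"        # re-encrypt the data under a new key held only in escrow


@dataclass
class Endpoint:
    endpoint_id: str
    encrypted: bytes
    key: Optional[bytes]          # hypothetical stand-in for the TPM key slot
    user_access_allowed: bool = True


def provision_endpoint(endpoint_id: str, plaintext: bytes) -> Tuple[Endpoint, bytes]:
    """Create an endpoint holding `plaintext` encrypted under a fresh local key."""
    key = os.urandom(KEY_LEN)
    return Endpoint(endpoint_id, encrypt(key, plaintext), key), key


def pre_boot_phase(ep: Endpoint, compromised: bool, policy: Disassociation,
                   escrow: Dict[str, bytes]) -> bool:
    """One pre-boot phase. Returns True if the key was disassociated."""
    # The pre-boot OS blocks user access to both data and key for the whole phase.
    ep.user_access_allowed = False
    if not compromised or ep.key is None:
        return False  # nothing to do, or the key is already gone
    if policy is Disassociation.DELETE:
        ep.key = None
    elif policy is Disassociation.SCRAMBLE:
        ep.key = os.urandom(KEY_LEN)  # data stays, but no local key decrypts it
    elif policy is Disassociation.REKEY:
        plaintext = decrypt(ep.key, ep.encrypted)
        new_key = os.urandom(KEY_LEN)
        ep.encrypted = encrypt(new_key, plaintext)
        escrow[ep.endpoint_id] = new_key  # only the authentication server holds it
        ep.key = None
    return True


def restore_key_from_escrow(ep: Endpoint, escrow: Dict[str, bytes],
                            server_authenticated: bool) -> bool:
    """Key update over the limited pre-boot connection to the authentication
    server; refused unless that server has been authenticated."""
    if not server_authenticated or ep.endpoint_id not in escrow:
        return False
    ep.key = escrow[ep.endpoint_id]
    return True


def local_key_recovers(ep: Endpoint, expected: bytes) -> bool:
    """True only if the key currently on the endpoint decrypts the data."""
    if ep.key is None:
        return False
    return hmac.compare_digest(decrypt(ep.key, ep.encrypted), expected)


if __name__ == "__main__":
    sample = b"constructed sample: confidential records"  # constructed input
    escrow: Dict[str, bytes] = {}
    ep, _ = provision_endpoint("laptop-01", sample)
    pre_boot_phase(ep, compromised=True, policy=Disassociation.REKEY, escrow=escrow)
    print("local key after rekey:", ep.key)                       # None
    restore_key_from_escrow(ep, escrow, server_authenticated=True)
    print("recovers after escrow restore:", local_key_recovers(ep, sample))  # True
```

The design point to notice is that in the `REKEY` path the new key never stays on the endpoint: the data is usable again only after the pre-boot phase authenticates the server and pulls the key back from escrow, which is what makes re-encryption a disassociation rather than a mere rotation.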
20 Claims

1. In a computing system environment, a method of protecting encrypted data of an endpoint computing device, the encrypted data able to be decrypted with a key located at the endpoint computing device, comprising:
- determining whether the encrypted data has been compromised;
- upon a subsequent booting of the endpoint, launching a pre-boot phase of operation during which time a pre-boot operating system prevents a user of the endpoint from accessing the encrypted data and the key, the pre-boot phase of operation further including, determining whether the key requires disassociation from the encrypted data; and
- if so, disassociating the key.
Dependent claims: 2, 3, 4, 5, 6

7. In a computing system environment, a method of protecting encrypted data of an endpoint computing device, the encrypted data saved in memory and/or disk of the endpoint and able to be decrypted with a key located in a trusted platform module at the endpoint computing device, comprising:
- upon a booting of the endpoint, launching a pre-boot phase of operation during which time a pre-boot operating system prevents a user of the endpoint from accessing the encrypted data and the key, the pre-boot phase of operation further including, determining whether the encrypted data has been compromised;
- if so, locating the key in the trusted platform module; and
- deleting an existence of the key from the trusted platform module.
Dependent claims: 8, 9

10. In a computing system environment, a method of protecting encrypted data of an endpoint computing device, the encrypted data saved in memory and/or disk of the endpoint and able to be decrypted with a key located at the endpoint computing device, comprising:
- upon a booting of the endpoint, launching a pre-boot phase of operation during which time a pre-boot operating system prevents a user of the endpoint from accessing the encrypted data and the key and enforces a limited computing connection between the endpoint and one of a specified authentication server networked to the endpoint in the computing system environment, approved networking ports of the endpoint, approved USB devices connected to the endpoint, and approved biometric devices, the pre-boot phase of operation further including, determining whether the encrypted data has been compromised; and
- if so, disassociating the key from the encrypted data.
Dependent claims: 11, 12, 13

14. An endpoint computing device, comprising:
- a hardware platform including a processor, memory and disk;
- encrypted data configured for storage in the memory and/or disk;
- a key stored on the hardware platform to decrypt the encrypted data;
- a policy enforcement module on the hardware platform to carry out predefined security policies between the key and the encrypted data; and
- a computing operating system and a pre-boot operating system configured to act on the processor such that upon launching a pre-boot phase of operation the policy enforcement module requires the pre-boot operating system to prevent a user of the endpoint from accessing the encrypted data and the key and requires the disassociation of the key from the encrypted data upon a determination that the encrypted data has been compromised.
Dependent claims: 15, 16, 17

18. A computer program product for loading on an endpoint computing device to protect encrypted data thereof, the encrypted data configured to be saved in memory and/or disk of the endpoint and able to be decrypted with a key located at the endpoint computing device, the computer program product having executable instructions that launch a pre-boot phase of operation during which time a pre-boot operating system of the endpoint prevents a user of the endpoint from accessing the encrypted data and the key, the executable instructions further configured to disassociate the key from the encrypted data upon a determination that the encrypted data has been compromised.