SECTOR MAP-BASED RAPID DATA ENCRYPTION POLICY COMPLIANCE

US 20130054979A1
Filed: 08/30/2011
Published: 02/28/2013
Est. Priority Date: 08/30/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a computing device, a request to activate a policy for the computing device, the policy indicating that data written by the computing device to a storage volume after activation of the policy be encrypted;

activating, in response to the request, the policy for the computing device, including encrypting data written to the storage volume after returning an indication of compliance with the policy, and further including using a sector map to identify one or more sectors of the storage volume that are not encrypted; and

returning, in response to the request, the indication of compliance with the policy despite one or more sectors of the storage volume being unencrypted.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To comply with a policy for a computing device indicating that data written by the computing device to the storage volume after activation of the policy be encrypted, a sector map is accessed. The sector map identifies one or more sectors of a storage volume and also identifies, for each of the one or more sectors of the storage volume, a signature of the content of the sector. In response to a request to read the content of a sector, the content of the sector is returned without decrypting the content if the sector is one of the one or more sectors and the signature of the content of the sector matches the signature of the sector identified in the sector map. Otherwise, the content of the sector is decrypted and the decrypted content is returned.

128 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving, at a computing device, a request to activate a policy for the computing device, the policy indicating that data written by the computing device to a storage volume after activation of the policy be encrypted;
  
  activating, in response to the request, the policy for the computing device, including encrypting data written to the storage volume after returning an indication of compliance with the policy, and further including using a sector map to identify one or more sectors of the storage volume that are not encrypted; and
  
  returning, in response to the request, the indication of compliance with the policy despite one or more sectors of the storage volume being unencrypted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A method as recited in claim 1, the returning comprising returning the response without waiting for the storage volume to be encrypted.
  - 3. A method as recited in claim 1, the activating further comprising using, to determine whether to decrypt content of a sector of the storage volume in response to a request to read the content of the sector, the sector map identifying one or more sectors of the storage volume, the sector map further identifying, for each of the one or more sectors, a signature of the content of the sector.
  - 4. A method as recited in claim 3, the activating further comprising returning, in response to the request to read the content, the content without decrypting the content if the sector is one of the one or more sectors and the signature of the content of the sector matches the signature of the sector identified in the sector map, and otherwise decrypting the content of the sector and returning the decrypted content.
  - 5. A method as recited in claim 3, the activating further comprising:
    - checking a bit corresponding to the sector, the bit being one of multiple bits in a bitmap corresponding to the storage volume, each of the multiple bits indicating whether a corresponding sector of the storage volume has been written to after the sector map was locked to prohibit changes to the sector map;
      
      decrypting the content of the sector and returning the decrypted content if the bit corresponding to the sector indicates the sector has been written to after the sector map was locked; and
      
      if the bit corresponding to the sector indicates the sector has not been written to after the sector map was locked, then returning the content without decrypting the content if the sector is one of the one or more sectors and the signature of the content of the sector matches the signature of the sector identified in the sector map, and otherwise decrypting the content of the sector and returning the decrypted content.
  - 6. A method as recited in claim 3, the one or more sectors identified by the sector map comprising one or more sectors of the storage volume written to prior to the sector map being locked to prohibit changes to the sector map, the sector map being locked as part of a process of installing an operating system on the computing device.
  - 7. A method as recited in claim 3, the one or more sectors identified by the sector map comprising one or more sectors of the storage volume written to prior to the sector map being locked to prohibit changes to the sector map, the sector map being locked in response to the request to activate the policy for the computing device.
  - 8. A method as recited in claim 7, further comprising, prior to the sector map being locked:
    - maintaining a first version of the sector map on the storage volume;
      
      maintaining a second version of the sector map in volatile memory;
      
      grouping the sector identifiers and sector signatures into multiple groups, each group including sector signatures for one or more sectors;
      
      updating, in response to data being written to a sector identified in a group, a flag value of the group to indicate that the group is dirty; and
      
      copying the groups that are indicated as dirty from the second version of the sector map to the first version of the sector map in response to a threshold number of the multiple groups being indicated as dirty.
  - 9. A method as recited in claim 3, further comprising maintaining the sector map on the storage volume, and mapping the sector map from the storage volume into a sector map in volatile memory when the computing device starts operation.
  - 10. A method as recited in claim 3, further comprising:
    - encrypting unencrypted data from sectors of the storage volume;
      
      determining when no unencrypted data remains on the storage volume; and
      
      deleting the sector map and ceasing using the sector map in response to no unencrypted data remaining on the storage volume.
  - 11. A method as recited in claim 10, further comprising removing, from the sector map, an identifier and corresponding signature of a sector in response to unencrypted data from the sector being encrypted.
  - 12. A method as recited in claim 3, the signature of the content of the sector comprising a value generated as a function of the content of the sector.
  - 13. A method as recited in claim 1, the storage volume being included as part of the computing device.

14. One or more computer storage media having stored thereon multiple instructions that, when executed by one or more processors of a computing device to comply with a policy for the computing device, cause the one or more processors to:
- access a sector map identifying one or more sectors of a storage volume, the sector map further identifying, for each of the one or more sectors, a signature of the content of the sector, the policy indicating that data written by the computing device to the storage volume after activation of the policy be encrypted; and
  
  return content of a sector of the storage volume in response to a request to read the content without decrypting the content if the sector is one of the one or more sectors and the signature of the content of the sector matches the signature of the sector identified in the sector map, and otherwise decrypt the content of the sector and return the decrypted content.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. One or more computer storage media as recited in claim 14, the multiple instructions further causing the one or more processors to encrypt data written by the computing device to at least one sector of the storage volume regardless of whether the sector of the storage volume is one of the one or more sectors.
  - 16. One or more computer storage media as recited in claim 14, the one or more sectors identified by the sector map comprising one or more sectors of the storage volume written to prior to changes to the sector map being locked to prohibit changes to the sector map, the sector map being locked as part of a process of installing an operating system on the computing device.
  - 17. One or more computer storage media as recited in claim 14, the one or more sectors identified by the sector map comprising one or more sectors of the storage volume written to prior to the sector map being locked to prohibit changes to the sector map, the sector map being locked in response to a request to activate the policy for the computing device.
  - 18. One or more computer storage media as recited in claim 14, the storage volume being included as part of the computing device.
  - 19. One or more computer storage media as recited in claim 14, the multiple instructions further causing the one or more processors to:
    - check a bit corresponding to the sector, the bit being one of multiple bits in a bitmap corresponding to the storage volume, each of the multiple bits indicating whether a corresponding sector of the storage volume has been written to after the sector map was locked to prohibit changes to the sector map;
      
      check whether the sector is one of the one or more sectors and the signature of the content of the sector matches the signature of the sector identified in the sector map only if the bit corresponding to the sector indicates the sector has not been written to after the sector map was locked; and
      
      decrypt the content of the sector and return the decrypted content if the bit corresponding to the sector indicates the sector has been written to after the sector map was locked.

20. A method comprising:
- accessing, in a computing device complying with a policy indicating that data written by the computing device to a storage volume after activation of the policy be encrypted, a sector map identifying one or more sectors of the storage volume, the sector map further identifying, for each of the one or more sectors, a signature of the content of the sector;
  
  receiving a request to read the content of a sector of the storage volume;
  
  checking whether the sector is identified in the sector map;
  
  if the sector is not identified in the sector map, then decrypting the content of the sector and returning the decrypted content of the sector;
  
  if the sector is identified in the sector map, then;
  
  checking whether the signature of the content of the sector matches the signature identified for the sector in the sector map,decrypting the content of the sector and returning the decrypted content of the sector if the signature of the content of the sector does not match the signature identified in the sector map of the sector, andreturning the content of the sector without decrypting the content of the sector if the signature of the content of the sector does match the signature identified in the sector map of the sector.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Basmov, Innokentiy, Semenko, Alex M., MacIver, Douglas M., Nystrm, Magnus Bo Gustaf, Li, Donghui

Granted Patent

US 8,874,935 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/193
CPC Class Codes

G06F 12/14   Protection against unauthor...

G06F 12/1408   by using cryptography for d...

G06F 16/2237   Vectors, bitmaps or matrices

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 3/0623   in relation to content

G06F 3/0644   Management of space entitie...

G06F 3/0659   Command handling arrangemen...

G06F 3/0673   Single storage device

SECTOR MAP-BASED RAPID DATA ENCRYPTION POLICY COMPLIANCE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

128 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECTOR MAP-BASED RAPID DATA ENCRYPTION POLICY COMPLIANCE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

128 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links