VIRTUAL MACHINE IMAGES ENCRYPTION USING TRUSTED COMPUTING GROUP SEALING

US 20130086383A1
Filed: 10/04/2011
Published: 04/04/2013
Est. Priority Date: 10/04/2011
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for encrypting a private key, the method comprising:

configuring host machine to a desired state, wherein the host machine has a trusted platform module;

recording a platform configuration register state based on the desired state;

forming a sealed blob from a private key and a platform configuration register state; and

storing the sealed blob in a data structure.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A host machine provisions a virtual machine from a catalog of stock virtual machines. The host machine instantiates the virtual machine. The host machine configures the virtual machine, based on customer inputs, to form a customer'"'"'s configured virtual machine. The host machine creates an image from the customer'"'"'s configured virtual machine. The host machine unwraps a sealed customer'"'"'s symmetric key to form a customer'"'"'s symmetric key. The host machine encrypts the customer'"'"'s configured virtual machine with the customer'"'"'s symmetric key to form an encrypted configured virtual machine. The host machine stores the encrypted configured virtual machine to non-volatile storage.

65 Citations

View as Search Results

22 Claims

1. A computer implemented method for encrypting a private key, the method comprising:
- configuring host machine to a desired state, wherein the host machine has a trusted platform module;
  
  recording a platform configuration register state based on the desired state;
  
  forming a sealed blob from a private key and a platform configuration register state; and
  
  storing the sealed blob in a data structure.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer implemented method of claim 1, wherein the private key is created by a data center operator.
  - 3. The computer implemented method of claim 1, wherein the private key is stored in a hardware security module.
  - 4. The computer implemented method of claim 1, wherein storing the sealed blob further comprises:
    - sending the sealed blob to a second host machine owned by a data center operator.
  - 5. The computer implemented method of claim 1, wherein the host is one host among a plurality of hosts, the computer implemented method further comprising:
    - repeatedly performing the configuring, recording, forming and storing for each host among the plurality of hosts to form a sealed blob per each host among the plurality of hosts, wherein each sealed blob corresponds to a host identifier, and each sealed blob is stored in association with the host identifier.
  - 6. The computer implemented method of claim 1, wherein storing further comprises:
    - obtaining the private key by unsealing the private key from a sealed blob using a trusted platform module platform configuration register (PCR).
  - 7. A computer program product comprising one or more computer-readable tangible storage devices andcomputer-readable program instructions, which are stored on the one or more computer-readable tangible storage devices and, when executed by one or more processors, perform the method of claim 1.
  - 8. A computer system comprising one or more processors, one or more computer-readable memories, one or more computer-readable, tangible storage devices andcomputer-readable program instructions, which are stored on the one or more storage devices for execution by the one or more processors via the one or more memories and when executed by the one or more processors perform the method of claim 1.

9. A computer implemented method for securely storing a customer'"'"'s symmetric key, the method comprising:
- receiving the customer'"'"'s symmetric key at a data center;
  
  encrypting the customer'"'"'s symmetric key with a public key of the data center to form a wrapped customer'"'"'s symmetric key; and
  
  storing the wrapped customer'"'"'s symmetric key.
- View Dependent Claims (10, 11, 12)
- - 10. The computer implemented method of claim 9, wherein the public key corresponds to a private key used to form a sealed blob from the private key and a platform configuration register state corresponding to a host machine.
  - 11. A computer program product comprising one or more computer-readable, tangible storage devices andcomputer-readable program instructions, which are stored on the one or more storage devices and when executed by one or more processors, perform the method of claim 9.
  - 12. A computer system comprising one or more processors, one or more computer-readable memories, one or more computer-readable, tangible storage devices andcomputer-readable program instructions, which are stored on the one or more storage devices for execution by the one or more processors via the one or more memories and when executed by the one or more processors perform the method of claim 9.

13. A computer implemented method for storing a customized virtual machine, the method comprising:
- provisioning a virtual machine on a host machine from a catalog of stock virtual machines;
  
  instantiating the virtual machine on the host machine;
  
  configuring the virtual machine, based on customer inputs, to form a customer'"'"'s configured virtual machine;
  
  creating an image from the customer'"'"'s configured virtual machine;
  
  unwrapping a customer'"'"'s encrypted symmetric key to form a customer'"'"'s symmetric key;
  
  encrypting the customer'"'"'s configured virtual machine with the customer'"'"'s symmetric key to form an encrypted configured virtual machine; and
  
  storing the encrypted configured virtual machine to non-volatile storage.
- View Dependent Claims (14, 15)
- - 14. A computer program product comprising one or more computer-readable, tangible storage devices andcomputer-readable program instructions which are stored on the one or more storage devices and when executed by one or more processors, perform the method of claim 13.
  - 15. A computer system comprising one or more processors, one or more computer-readable memories, one or more computer-readable, tangible storage devices andcomputer-readable program instructions, which are stored on the one or more storage devices for execution by the one or more processors via the one or more memories and when executed by the one or more processors perform the method of claim 13.

16. A computer implemented method for executing a customer'"'"'s configured virtual machine, the method comprising:
- receiving a customer selection of an encrypted configured virtual machine image;
  
  obtaining a sealed blob from a data structure controlled by a data center;
  
  unsealing the sealed blob to form a data center private key;
  
  decrypting a customer'"'"'s symmetric key with the data center private key;
  
  decrypting the customer'"'"'s configured virtual machine from the encrypted configured virtual machine; and
  
  executing the customer'"'"'s configured virtual machine on a host processor of a host machine.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The computer implemented method of claim 16, wherein unsealing further comprises:
    - determining whether the host machine has a current trusted platform state to match a first trusted platform state of the host machine, wherein decrypting the customer'"'"'s configured virtual machine comprises decrypting the customer'"'"'s configured virtual machine, responsive to a determination that the host machine has the current trusted platform state to match the first trusted platform state, and the first trusted platform state of the host machine corresponds to a time during which the sealed blob was created.
  - 18. The computer implemented method of claim 16,wherein the data structure is stored in a lightweight directory access protocol (LDAP) server.
  - 19. The computer implemented method of claim 18, wherein the data structure comprises a database.
  - 20. The computer implemented method of claim 16, wherein the encrypted configured virtual machine image is an image of a virtual machine stored in a form configured according to a customer'"'"'s preferences, which is encrypted prior to storage
  - 21. A computer program product comprising one or more computer-readable, tangible storage devices andcomputer-readable program instructions, which are stored on the one or more storage devices and when executed by one or more processors, perform the method of claim 16.
  - 22. A computer system comprising one or more processors, one or more computer-readable memories, one or more computer-readable, tangible storage devices andcomputer-readable program instructions, which are stored on the one or more storage devices for execution by the one or more processors via the one or more memories and when executed by the one or more processors perform the method of claim 16.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Finjan Blue, Inc. (SoftBank Group Corp.)
Original Assignee
International Business Machines Corporation
Inventors
Bade, Steven A., Linton, Jeb R., Pendarakis, Dimitrios, Wilson, George C., Wilson, Lee H., Galvao de Andrade, Rajiv Augusto Santos

Granted Patent

US 8,694,786 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

G06F 21/57 Certifying or maintaining t...

H04L 9/0897 involving additional device...

VIRTUAL MACHINE IMAGES ENCRYPTION USING TRUSTED COMPUTING GROUP SEALING

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

65 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

VIRTUAL MACHINE IMAGES ENCRYPTION USING TRUSTED COMPUTING GROUP SEALING

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links