LOG STRUCTURED VOLUME ENCRYPTION FOR VIRTUAL MACHINES
First Claim
1. A method implemented by one or more data processing apparatuses, the method comprising:
- receiving a first request from a first virtual machine to store data in a log structured volume and, based on the first request:
  - obtaining the data and an access control list of one or more users authorized to access the data;
  - obtaining a data key that has a data key identifier;
  - encrypting, using the one or more data processing apparatuses, the data key and the access control list using a wrapping key to generate a wrapped blob;
  - encrypting, using the one or more data processing apparatuses, the data using the data key to generate encrypted data;
  - storing the wrapped blob and the encrypted data in the log structured volume; and
  - providing the data key identifier to one or more users on the access control list; and
- receiving a second request from a second virtual machine to obtain a snapshot of the data and, based on the second request:
  - obtaining an unwrapped blob containing the data key and the access control list;
  - obtaining the data key and the access control list from the unwrapped blob; and
  - authenticating a user associated with the second request and authorizing the user against the access control list and, upon a determination that the user is authenticated and authorized:
    - decrypting, using the one or more data processing apparatuses, the data using the data key; and
    - providing a snapshot of the data to the second virtual machine.
Abstract
Methods, systems, and apparatus, including a method for providing data. The method comprises receiving a first request from a first virtual machine (VM) to store data, obtaining the data and an access control list (ACL) of authorized users, obtaining a data key that has a data key identifier, encrypting the data key and the ACL using a wrapping key to generate a wrapped blob, encrypting the data, storing the wrapped blob and the encrypted data, and providing the data key identifier to users on the ACL. The method further comprises receiving a second request from a second VM to obtain a data snapshot, obtaining an unwrapped blob, obtaining the data key and the ACL from the unwrapped blob, authenticating a user associated with the second request, authorizing the user against the ACL, decrypting the data using the data key, and providing a snapshot of the data to the second VM.
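The abstract describes an envelope-encryption scheme in which the access control list is sealed inside the same wrapped blob as the data key, so that neither can be altered in the volume without the wrapping key. The following added example, which is not code from the patent or its assignee, walks both requests of the claim: store (wrap key plus ACL, encrypt data, append to the log, hand out the key identifier) and snapshot (unwrap, authenticate, authorize against the ACL, decrypt). It assumes an HMAC-SHA256 counter-mode cipher with encrypt-then-MAC as a standard-library stand-in for AES-GCM, a constructed bearer-token identity store, and the hypothetical names `LogStructuredVolume`, `seal`, `unseal` and `demo`.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field

# Authenticated encryption from the standard library only, so the example runs
# offline: HMAC-SHA256 keystream in counter mode, then encrypt-then-MAC. This is
# an assumed stand-in for AES-GCM, which a real volume would get from a key service.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Return nonce || ciphertext || tag; `aad` is authenticated but not encrypted."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verify the tag before decrypting; any change to blob or aad raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped blob or data failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

@dataclass
class LogStructuredVolume:
    wrapping_key: bytes          # held by the key service; never written to the log
    credentials: dict            # constructed identity store: user -> bearer token
    log: list = field(default_factory=list)   # append-only: newest record last

    def store(self, vm_id: str, data: bytes, acl: list) -> str:
        """First request: wrap (data key + ACL), encrypt data, append, return key id."""
        data_key = os.urandom(32)
        key_id = os.urandom(8).hex()
        # The ACL travels inside the wrapped blob, so it is encrypted and
        # integrity-protected under the wrapping key; the key id is bound as AAD.
        wrapped_blob = seal(self.wrapping_key,
                            json.dumps({"key": data_key.hex(), "acl": acl}).encode(),
                            aad=key_id.encode())
        encrypted = seal(data_key, data, aad=key_id.encode())
        self.log.append({"key_id": key_id, "vm": vm_id,
                         "wrapped_blob": wrapped_blob, "data": encrypted})
        return key_id  # distributed to the users on the ACL

    def _authenticate(self, user: str, token: str) -> bool:
        expected = self.credentials.get(user)
        return expected is not None and hmac.compare_digest(expected, token)

    def snapshot(self, vm_id: str, key_id: str, user: str, token: str) -> bytes:
        """Second request: unwrap, authenticate, authorize against the ACL, then decrypt."""
        record = next(r for r in reversed(self.log) if r["key_id"] == key_id)
        unwrapped = json.loads(unseal(self.wrapping_key, record["wrapped_blob"],
                                      aad=key_id.encode()))
        data_key, acl = bytes.fromhex(unwrapped["key"]), unwrapped["acl"]
        if not self._authenticate(user, token):
            raise PermissionError(f"{user}: authentication failed")
        if user not in acl:
            raise PermissionError(f"{user}: not on access control list")
        return unseal(data_key, record["data"], aad=key_id.encode())

def demo() -> dict:
    """Walk the claim's two requests plus three failure cases; returns the outcomes."""
    vol = LogStructuredVolume(wrapping_key=os.urandom(32),
                              credentials={"alice": "tok-a", "bob": "tok-b", "mallory": "tok-m"})
    key_id = vol.store("vm-1", b"payroll snapshot 2024-Q1", ["alice", "bob"])  # constructed data
    out = {"alice": vol.snapshot("vm-2", key_id, "alice", "tok-a")}
    for user, token in (("bob", "wrong"), ("mallory", "tok-m")):
        try:
            vol.snapshot("vm-2", key_id, user, token)
        except PermissionError as e:
            out[user] = str(e)
    # Flip one byte of the stored wrapped blob: the tag no longer verifies, so the
    # ACL cannot be rewritten in the log by anyone without the wrapping key.
    rec = vol.log[-1]
    rec["wrapped_blob"] = bytes([rec["wrapped_blob"][0] ^ 1]) + rec["wrapped_blob"][1:]
    try:
        vol.snapshot("vm-2", key_id, "alice", "tok-a")
    except ValueError as e:
        out["tampered"] = str(e)
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The ordering inside `snapshot` follows the claim: the blob is unwrapped first, then the requester is authenticated and checked against the ACL recovered from that blob, and only then is the data key used. Because the ACL is part of the sealed blob rather than a separate plaintext field in the log, a storage-level edit to the ACL is detected as an integrity failure rather than silently granting access.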
Claims (30)
1. A method implemented by one or more data processing apparatuses, the method comprising: (independent claim, set out in full under First Claim above). Dependent claims: 2 to 10.
11. A system comprising:
- one or more data processing apparatuses programmed to perform operations comprising:
  - receiving a first request from a first virtual machine to store data in a log structured volume and, based on the first request:
    - obtaining the data and an access control list of one or more users authorized to access the data;
    - obtaining a data key that has a data key identifier;
    - encrypting the data key and the access control list using a wrapping key to generate a wrapped blob;
    - encrypting the data using the data key to generate encrypted data;
    - storing the wrapped blob and the encrypted data in the log structured volume; and
    - providing the data key identifier to one or more users on the access control list; and
  - receiving a second request from a second virtual machine to obtain a snapshot of the data and, based on the second request:
    - obtaining an unwrapped blob containing the data key and the access control list;
    - obtaining the data key and the access control list from the unwrapped blob; and
    - authenticating a user associated with the second request and authorizing the user against the access control list and, upon a determination that the user is authenticated and authorized:
      - decrypting the data using the data key; and
      - providing a snapshot of the data to the second virtual machine.
Dependent claims: 12 to 20.
21. A storage medium having instructions stored thereon that, when executed, cause data processing apparatus to perform operations comprising:
- data processing apparatus programmed to perform operations comprising:
  - receiving a first request from a first virtual machine to store data in a log structured volume and, based on the first request:
    - obtaining the data and an access control list of one or more users authorized to access the data;
    - obtaining a data key that has a data key identifier;
    - encrypting the data key and the access control list using a wrapping key to generate a wrapped blob;
    - encrypting the data using the data key to generate encrypted data;
    - storing the wrapped blob and the encrypted data in the log structured volume; and
    - providing the data key identifier to one or more users on the access control list; and
  - receiving a second request from a second virtual machine to obtain a snapshot of the data and, based on the second request:
    - obtaining an unwrapped blob containing the data key and the access control list;
    - obtaining the data key and the access control list from the unwrapped blob; and
    - authenticating a user associated with the second request and authorizing the user against the access control list and, upon a determination that the user is authenticated and authorized:
      - decrypting the data using the data key; and
      - providing a snapshot of the data to the second virtual machine.
Dependent claims: 22 to 30.