LOG STRUCTURED VOLUME ENCRYPTION FOR VIRTUAL MACHINES

US 20130227303A1
Filed: 02/24/2012
Published: 08/29/2013
Est. Priority Date: 02/24/2012
Status: Active Grant

First Claim

Patent Images

1. A method implemented by one or more data processing apparatuses, the method comprising:

receiving a first request from a first virtual machine to store data in a log structured volume and based on the first request;

obtaining the data and an access control list of one or more users authorized to access the data;

obtaining a data key that has a data key identifier;

encrypting, using the one or more data processing apparatuses, the data key and the access control list using a wrapping key to generate a wrapped blob;

encrypting, using the one or more data processing apparatuses, the data using the data key to generate encrypted data;

storing the wrapped blob and the encrypted data in the log structured volume; and

providing the data key identifier to one or more users on the access control list; and

receiving a second request from a second virtual machine to obtain a snapshot of the data and based on the second request;

obtaining an unwrapped blob containing the data key and the access control list;

obtaining the data key and the access control list from the unwrapped blob; and

authenticating a user associated with the second request and authorizing the user against the access control list and, upon a determination that the user is authenticated and authorized;

decrypting, using the one or more data processing apparatuses, the data using the data key; and

providing a snapshot of the data to the second virtual machine.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including a method for providing data. The method comprises receiving a first request from a first virtual machine (VM) to store data, obtaining the data and an access control list (ACL) of authorized users, obtaining a data key that has a data key identifier, encrypting the data key and the ACL using a wrapping key to generate a wrapped blob, encrypting the data, storing the wrapped blob and the encrypted data, and providing the data key identifier to users on the ACL. The method further comprises receiving a second request from a second VM to obtain a data snapshot, obtaining an unwrapped blob, obtaining the data key and the ACL from the unwrapped blob, authenticating a user associated with the second request, authorizing the user against the ACL, decrypting the data using the data key, and providing a snapshot of the data to the second VM.

Citations

30 Claims

1. A method implemented by one or more data processing apparatuses, the method comprising:
- receiving a first request from a first virtual machine to store data in a log structured volume and based on the first request;
  
  obtaining the data and an access control list of one or more users authorized to access the data;
  
  obtaining a data key that has a data key identifier;
  
  encrypting, using the one or more data processing apparatuses, the data key and the access control list using a wrapping key to generate a wrapped blob;
  
  encrypting, using the one or more data processing apparatuses, the data using the data key to generate encrypted data;
  
  storing the wrapped blob and the encrypted data in the log structured volume; and
  
  providing the data key identifier to one or more users on the access control list; and
  
  receiving a second request from a second virtual machine to obtain a snapshot of the data and based on the second request;
  
  obtaining an unwrapped blob containing the data key and the access control list;
  
  obtaining the data key and the access control list from the unwrapped blob; and
  
  authenticating a user associated with the second request and authorizing the user against the access control list and, upon a determination that the user is authenticated and authorized;
  
  decrypting, using the one or more data processing apparatuses, the data using the data key; and
  
  providing a snapshot of the data to the second virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising determining that a threshold condition associated with storage of the data on the log structured volume has occurred.
  - 3. The method of claim 2, further comprising:
    - obtaining a new data key identified by a new data key identifier;
      
      decrypting the data using the data key;
      
      encrypting the new data key and the access control list using the wrapping key to generate a new wrapped blob;
      
      encrypting the data using the new data key to generate encrypted data;
      
      storing the new wrapped blob and the encrypted data in the log structured volume;
      
      providing the new data key identifier to the one or more users on the access control list; and
      
      preventing subsequent use of the data key.
  - 4. The method of claim 2 wherein the threshold condition includes an amount of data protected by the data key.
  - 5. The method of claim 4 wherein the amount of data protected by the data key is a cumulative amount.
  - 6. The method of claim 4 wherein the amount of data protected by the data key is a current amount.
  - 7. The method of claim 2 wherein the threshold condition includes a time duration that the data key has been in use.
  - 8. The method of claim 1, further comprising:
    - auditing access of the data; and
      
      determining that the data has been accessed by a user that is not on the access control list and that the data key has been compromised.
  - 9. The method of claim 8, further comprising:
    - obtaining a new data key identified by a new data key identifier;
      
      decrypting the data using the data key;
      
      encrypting the new data key and the access control list using the wrapping key to generate a new wrapped blob;
      
      encrypting the data using the new data key to generate encrypted data;
      
      storing the new wrapped blob and the encrypted data in the log structured volume;
      
      providing the new data key identifier to the one or more users on the access control list; and
      
      preventing subsequent use of the data key.
  - 10. The method of claim 1 wherein storing the encrypted data includes compacting the encrypted data.

11. A system comprising:
- one or more data processing apparatuses programmed to perform operations comprising;
  
  receiving a first request from a first virtual machine to store data in a log structured volume and based on the first request;
  
  obtaining the data and an access control list of one or more users authorized to access the data;
  
  obtaining a data key that has a data key identifier;
  
  encrypting the data key and the access control list using a wrapping key to generate a wrapped blob;
  
  encrypting the data using the data key to generate encrypted data;
  
  storing the wrapped blob and the encrypted data in the log structured volume; and
  
  providing the data key identifier to one or more users on the access control list; and
  
  receiving a second request from a second virtual machine to obtain a snapshot of the data and based on the second request;
  
  obtaining an unwrapped blob containing the data key and the access control list;
  
  obtaining the data key and the access control list from the unwrapped blob; and
  
  authenticating a user associated with the second request and authorizing the user against the access control list and, upon a determination that the user is authenticated and authorized;
  
  decrypting the data using the data key; and
  
  providing a snapshot of the data to the second virtual machine.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11 wherein the operations further comprise determining that a threshold condition associated with storage of the data on the log structured volume has occurred.
  - 13. The system of claim 12 wherein the operations further comprise:
    - obtaining a new data key identified by a new data key identifier;
      
      decrypting the data using the data key;
      
      encrypting the new data key and the access control list using the wrapping key to generate a new wrapped blob;
      
      encrypting the data using the new data key to generate encrypted data;
      
      storing the new wrapped blob and the encrypted data in the log structured volume;
      
      providing the new data key identifier to the one or more users on the access control list; and
      
      preventing subsequent use of the data key.
  - 14. The system of claim 12 wherein the threshold condition includes an amount of data protected by the data key.
  - 15. The system of claim 14 wherein the amount of data protected by the data key is a cumulative amount.
  - 16. The system of claim 14 wherein the amount of data protected by the data key is a current amount.
  - 17. The system of claim 12 wherein the threshold condition includes a time duration that the data key has been in use.
  - 18. The system of claim 11 wherein the operations further comprise:
    - auditing access of the data; and
      
      determining that the data has been accessed by a user that is not on the access control list and that the data key has been compromised.
  - 19. The system of claim 18 wherein the operations further comprise:
    - obtaining a new data key identified by a new data key identifier;
      
      decrypting the data using the data key;
      
      encrypting the new data key and the access control list using the wrapping key to generate a new wrapped blob;
      
      encrypting the data using the new data key to generate encrypted data;
      
      storing the new wrapped blob and the encrypted data in the log structured volume;
      
      providing the new data key identifier to the one or more users on the access control list; and
      
      preventing subsequent use of the data key.
  - 20. The system of claim 11 wherein storing the encrypted data includes compacting the encrypted data.

21. A storage medium having instructions stored thereon that, when executed, cause data processing apparatus to perform operations comprising:
- data processing apparatus programmed to perform operations comprising;
  
  receiving a first request from a first virtual machine to store data in a log structured volume and based on the first request;
  
  obtaining the data and an access control list of one or more users authorized to access the data;
  
  obtaining a data key that has a data key identifier;
  
  encrypting the data key and the access control list using a wrapping key to generate a wrapped blob;
  
  encrypting the data using the data key to generate encrypted data;
  
  storing the wrapped blob and the encrypted data in the log structured volume; and
  
  providing the data key identifier to one or more users on the access control list; and
  
  receiving a second request from a second virtual machine to obtain a snapshot of the data and based on the second request;
  
  obtaining an unwrapped blob containing the data key and the access control list;
  
  obtaining the data key and the access control list from the unwrapped blob; and
  
  authenticating a user associated with the second request and authorizing the user against the access control list and, upon a determination that the user is authenticated and authorized;
  
  decrypting the data using the data key; and
  
  providing a snapshot of the data to the second virtual machine.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The storage medium of claim 21 wherein the operations further comprise determining that a threshold condition associated with storage of the data on the log structured volume has occurred.
  - 23. The storage medium of claim 22 wherein the operations further comprise:
    - obtaining a new data key identified by a new data key identifier;
      
      decrypting the data using the data key;
      
      encrypting the new data key and the access control list using the wrapping key to generate a new wrapped blob;
      
      encrypting the data using the new data key to generate encrypted data;
      
      storing the new wrapped blob and the encrypted data in the log structured volume;
      
      providing the new data key identifier to the one or more users on the access control list; and
      
      preventing subsequent use of the data key.
  - 24. The storage medium of claim 22 wherein the threshold condition includes an amount of data protected by the data key.
  - 25. The storage medium of claim 24 wherein the amount of data protected by the data key is a cumulative amount.
  - 26. The storage medium of claim 24 wherein the amount of data protected by the data key is a current amount.
  - 27. The storage medium of claim 22 wherein the threshold condition includes a time duration that the data key has been in use.
  - 28. The storage medium of claim 21 wherein the operations further comprise:
    - auditing access of the data; and
      
      determining that the data has been accessed by a user that is not on the access control list and that the data key has been compromised.
  - 29. The storage medium of claim 28 wherein the operations further comprise:
    - obtaining a new data key identified by a new data key identifier;
      
      decrypting the data using the data key;
      
      encrypting the new data key and the access control list using the wrapping key to generate a new wrapped blob;
      
      encrypting the data using the new data key to generate encrypted data;
      
      storing the new wrapped blob and the encrypted data in the log structured volume;
      
      providing the new data key identifier to the one or more users on the access control list; and
      
      preventing subsequent use of the data key.
  - 30. The storage medium of claim 21 wherein storing the encrypted data includes compacting the encrypted data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Kadatch, Andrew, Halcrow, Michael A.

Granted Patent

US 8,996,887 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/193
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2107   File encryption

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/0435   wherein the sending and rec...

H04L 63/0478   applying multiple layers of...

H04L 63/0823   using certificates cryptogr...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

LOG STRUCTURED VOLUME ENCRYPTION FOR VIRTUAL MACHINES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

LOG STRUCTURED VOLUME ENCRYPTION FOR VIRTUAL MACHINES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links