SECURE DATA HANDLING BY A VIRTUAL MACHINE
First Claim
1. A system for executing a virtual machine instance, comprisingan executing environment for creating a virtual machine instance, wherein the virtual machine instance comprises:
- an instance authorization unit for receiving an instance authorization credential created externally of the virtual machine instance, wherein the instance authorization credential is uniquely associated with the virtual machine instance;
a data key unit for generating a request for a data key, based on the instance authorization credential associated with the virtual machine instance; and
a decryption unit for decrypting a data item based on the data key.
1 Assignment
0 Petitions
Accused Products
Abstract
A system for executing a virtual machine instance is provided. An executing environment (11) is arranged for creating a virtual machine instance (10). The virtual machine instance (10) comprises an instance authorization unit (1) for receiving an instance authorization credential, wherein the instance authorization credential is uniquely associated with the virtual machine instance (10). A data key unit (2) is arranged for generating a request for a data key, based on the instance authorization credential associated with the virtual machine instance (10). A decryption unit (3) is arranged for decrypting a data item (7) based on the data key. A key server system (6) is arranged for issuing keys to a virtual machine instance (10). An instance authorization providing unit (22) is arranged for providing the instance authorization credential to the virtual machine instance (10).
29 Citations
15 Claims
-
1. A system for executing a virtual machine instance, comprising
an executing environment for creating a virtual machine instance, wherein the virtual machine instance comprises: -
an instance authorization unit for receiving an instance authorization credential created externally of the virtual machine instance, wherein the instance authorization credential is uniquely associated with the virtual machine instance; a data key unit for generating a request for a data key, based on the instance authorization credential associated with the virtual machine instance; and a decryption unit for decrypting a data item based on the data key. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A key server system for issuing keys to a virtual machine instance, comprising
an instance identifying unit for identifying a virtual machine instance based on at least one attribute that is specific to the virtual machine instance; -
an instance authorization determiner for determining an instance authorization credential, and uniquely associating the instance authorization credential with the virtual machine instance; an instance authorization providing unit for providing the instance authorization credential to the virtual machine instance; a data key request receiver for receiving a request for a data key from the virtual machine instance, wherein the request for the data key comprises an instance authorization component associated with the instance authorization credential; a data authorization unit for determining whether the virtual machine instance is authorized to receive the data key based on the instance authorization component; and a data key providing unit for providing the data key to the virtual machine instance if the virtual machine instance is authorized to receive the data key. - View Dependent Claims (9, 10, 11)
-
-
12. A virtual machine image capable of being instantiated as a virtual machine instance, wherein the virtual machine image comprises:
-
instruction code for causing the virtual machine instance to receive an instance authorization credential created externally of the virtual machine instance, wherein the instance authorization credential is uniquely associated with the virtual machine instance; instruction code for causing the virtual machine instance to generate a request for a data key, based on the instance authorization credential associated with the virtual machine instance; and instruction code for causing the virtual machine instance to decrypt a data item based on the data key.
-
-
13. A method of executing a virtual machine instance, the method comprising, by the virtual machine instance:
-
receiving an instance authorization credential, wherein the instance authorization credential is uniquely associated with the virtual machine instance; generating a request for a data key, based on the instance authorization credential associated with the virtual machine instance; and decrypting a data item based on the data key. - View Dependent Claims (15)
-
-
14. A method of issuing keys to a virtual machine instance, comprising
identifying a virtual machine instance based on at least one attribute that is specific to the virtual machine instance; -
determining an instance authorization credential, and uniquely associating the instance authorization credential with the virtual machine instance; providing the instance authorization credential to the virtual machine instance; receiving a request for a data key from the virtual machine instance, wherein the request for the data key comprises an instance authorization component associated with the instance authorization credential; determining whether the virtual machine instance is authorized to receive the data key based on the instance authorization component; and providing the data key to the virtual machine instance if the virtual machine instance is authorized to receive the data key.
-
Specification