Encrypting file system and method
First Claim
1. In a computer system having a file system, a method of encrypting or decrypting data in a file stored in a non-volatile storage, comprising:
- receiving information at the file system indicating that the file is designated as encrypted;
receiving an encryption key associated with the file;
receiving a request to write file data to non-volatile storage and receiving the file data, and in response, encrypting the file data into encrypted file data at file system level software using the encryption key, writing the encrypted file data to non-volatile storage and writing encryption key information in association with the file to the same non-volatile storage as the encrypted file data; and
receiving a request to read file data from non-volatile storage, and in response, reading the encrypted file data from the non-volatile storage, decrypting the encrypted file data into decrypted file data at the file system level software using the encryption key, and returning the decrypted file data.
2 Assignments
0 Petitions
Accused Products
Abstract
A system and method for encryption and decryption of files. The system and method operate in conjunction with the file system to transparently encrypt and decrypt files in using a public key-private key pair encryption scheme. When a user puts a file in an encrypted directory or encrypts a file, all data writes to the disk for that file are encrypted with a random file encryption key generated from a random number and encrypted with the public key of a user and the public key of at least one recovery agent. The encrypted key information is stored with the file, whereby the user or a recovery agent can decrypt the file data using the private key thereof. When a proper private key is used, encrypted reads from the disk are decrypted transparently by the file system and returned to the user.
391 Citations
58 Claims
-
1. In a computer system having a file system, a method of encrypting or decrypting data in a file stored in a non-volatile storage, comprising:
-
receiving information at the file system indicating that the file is designated as encrypted;
receiving an encryption key associated with the file;
receiving a request to write file data to non-volatile storage and receiving the file data, and in response, encrypting the file data into encrypted file data at file system level software using the encryption key, writing the encrypted file data to non-volatile storage and writing encryption key information in association with the file to the same non-volatile storage as the encrypted file data; and
receiving a request to read file data from non-volatile storage, and in response, reading the encrypted file data from the non-volatile storage, decrypting the encrypted file data into decrypted file data at the file system level software using the encryption key, and returning the decrypted file data. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 41, 42, 43)
-
- 14. In a computer system having a file system, a method of reading unencrypted file data or encrypted file data and returning the data read as unencrypted file data, comprising, receiving at the file system from a requesting program a request to read file data from a non-volatile storage, reading the file data, determining at file system software if the file data is encrypted, and if the file data is not encrypted, returning the file data to the requesting program, and if the file data is encrypted, obtaining a file encryption key for that file by applying a private key to the file encryption key data, the file encryption key data including the file encryption key encrypted with a public key and stored on the same non-volatile storage and in association with the file, providing the file encryption key and the file data to a file system level decryption mechanism, decrypting the file data into unencrypted file data, and returning the unencrypted file data to the requesting program.
- 22. In a computer system having a file system, a method of storing selected file data as encrypted file data, including receiving at the file system a request to write the file data and the file data to be written as encrypted, encrypting the file data via file system level software into encrypted file data by using a file encryption key, encrypting the file encryption key with a public key, writing the encrypted file data to a non-volatile storage, and writing the encrypted file encryption key to the same non-volatile storage as the encrypted file data and in association therewith.
- 24. In a computer system having a file system, a system for encrypting data written by the file system to a non-volatile storage, comprising, means for obtaining a file encryption key, a software encryption mechanism at a file system software level for converting unencrypted data to encrypted data based on the file encryption key, the file system writing at least some of the data as encrypted data to a file in the non-volatile storage, and means for encrypting the file encryption key, the file system writing the encrypted file encryption key to the same nonvolatile storage as the encrypted data and in association therewith.
- 50. In a computer system having a file system, a system for encrypting data written by the file system to a non-volatile storage, comprising, a file encryption key, a software encryption mechanism connected to the file system and configured to convert unencrypted data to encrypted data based on the file encryption key, the file system communicating with the encryption mechanism to write at least some of the data as encrypted data to a file in the non-volatile storage, a mechanism configured to encrypt the file encryption key into at least one set of encrypted key data, the file system writing each set of encrypted key data to the same non-volatile storage as the encrypted data and in association therewith.
-
56. In a computer system having a file system, a method of returning requested file data, comprising:
-
receiving at file system software a request to read file data of an encrypted file;
determining whether file data corresponding to the request is stored on a storage medium or has been decrypted to an access-controlled location; and
if the file data has been decrypted to the access-controlled location, returning the file data in decrypted form from the access-controlled location in response to the request;
orif the file data is stored on the storage medium, reading the file data corresponding to the request from the storage medium, decrypting the file data at the file system software into unencrypted file data, and returning the unencrypted file data in response to the request. - View Dependent Claims (57, 58)
-
Specification