Encrypting file system and method

US 6,249,866 B1
Filed: 09/16/1997
Issued: 06/19/2001
Est. Priority Date: 09/16/1997
Status: Expired due to Term

First Claim

Patent Images

1. In a computer system having a file system, a method of encrypting or decrypting data in a file stored in a non-volatile storage, comprising:

receiving information at the file system indicating that the file is designated as encrypted;

receiving an encryption key associated with the file;

receiving a request to write file data to non-volatile storage and receiving the file data, and in response, encrypting the file data into encrypted file data at file system level software using the encryption key, writing the encrypted file data to non-volatile storage and writing encryption key information in association with the file to the same non-volatile storage as the encrypted file data; and

receiving a request to read file data from non-volatile storage, and in response, reading the encrypted file data from the non-volatile storage, decrypting the encrypted file data into decrypted file data at the file system level software using the encryption key, and returning the decrypted file data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for encryption and decryption of files. The system and method operate in conjunction with the file system to transparently encrypt and decrypt files in using a public key-private key pair encryption scheme. When a user puts a file in an encrypted directory or encrypts a file, all data writes to the disk for that file are encrypted with a random file encryption key generated from a random number and encrypted with the public key of a user and the public key of at least one recovery agent. The encrypted key information is stored with the file, whereby the user or a recovery agent can decrypt the file data using the private key thereof. When a proper private key is used, encrypted reads from the disk are decrypted transparently by the file system and returned to the user.

391 Citations

58 Claims

1. In a computer system having a file system, a method of encrypting or decrypting data in a file stored in a non-volatile storage, comprising:
- receiving information at the file system indicating that the file is designated as encrypted;
  
  receiving an encryption key associated with the file;
  
  receiving a request to write file data to non-volatile storage and receiving the file data, and in response, encrypting the file data into encrypted file data at file system level software using the encryption key, writing the encrypted file data to non-volatile storage and writing encryption key information in association with the file to the same non-volatile storage as the encrypted file data; and
  
  receiving a request to read file data from non-volatile storage, and in response, reading the encrypted file data from the non-volatile storage, decrypting the encrypted file data into decrypted file data at the file system level software using the encryption key, and returning the decrypted file data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 41, 42, 43)
- - 2. The method of claim 1 wherein the encryption key is encrypted with at least one public key before writing the encryption key information to the non-volatile storage in association with the file.
  - 3. The method of claim 2 further comprising obtaining the encryption key via a private key.
  - 4. The method of claim 2 wherein the encryption key is encrypted with a plurality of public keys into a plurality of encrypted keys and each of the encrypted keys are stored with the file.
  - 5. The method of claim 4 wherein at least one encrypted key is encrypted with the public key of a user and at least one other encrypted key is encrypted with the public key of a recovery agent.
  - 6. The method of claim 5 wherein the file encryption keys encrypted with the public key of each user is stored in a separate field from the file encryption keys encrypted with the public key of each recovery agent.
  - 7. The method of claim 6 further comprising verifying the integrity of the encryption key information stored with the file.
  - 8. The method of claim 7 wherein verifying the file encryption key includes hashing the file encryption key with the public key of a user, encrypting the hashed file encryption key and the file encryption key with the public key of the user, and storing the hashed file encryption key and the file encryption key with the file.
  - 9. The method of claim 5 further comprising receiving a private key of either a user or a recovery agent, and scanning the encrypted file encryption keys stored with the file by using the private key until a match is detected.
  - 10. The method of claim 1 wherein a recovery policy is stored in association with the file, and further comprising verifying the integrity of the recovery policy.
  - 11. The method of claim 10 wherein the recovery policy is stored in a field of the file having recovery agent information therein, and wherein verifying the integrity of the recovery policy includes hashing at least part of said field, encrypting the hashed part with the file encryption key and storing the encrypted hashed part as information with said field, retrieving the information and comparing the information with current information.
  - 12. The method of claim 1 further comprising generating a random number and basing the file encryption key thereon, and wherein the file encryption key is encrypted with at least one public key and stored in association with the file.
  - 13. The method of claim 1 wherein encrypting and decrypting data each include placing a callout to a run-time library of software functions.
  - 41. The method of claim 1 wherein writing encryption key information in association with the file includes writing file metadata.
  - 42. The method of claim 1 wherein writing encryption key information in association with the file includes writing information about an encryption algorithm.
  - 43. A computer-readable medium having computer-executable instructions for performing the method of claim 1.

14. In a computer system having a file system, a method of reading unencrypted file data or encrypted file data and returning the data read as unencrypted file data, comprising, receiving at the file system from a requesting program a request to read file data from a non-volatile storage, reading the file data, determining at file system software if the file data is encrypted, and if the file data is not encrypted, returning the file data to the requesting program, and if the file data is encrypted, obtaining a file encryption key for that file by applying a private key to the file encryption key data, the file encryption key data including the file encryption key encrypted with a public key and stored on the same non-volatile storage and in association with the file, providing the file encryption key and the file data to a file system level decryption mechanism, decrypting the file data into unencrypted file data, and returning the unencrypted file data to the requesting program.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 44, 45, 46)
- - 15. The method of claim 14 wherein determining if the file data is encrypted includes checking an encryption bit stored in association with the file data.
  - 16. The method of claim 14 wherein receiving a request to read file data from the non-volatile storage includes notifying the file system of a raw data read, wherein encrypted data is read from the non-volatile storage and returned without providing said data to the decryption mechanism.
  - 17. The method of claim 14 further comprising verifying the file encryption key.
  - 18. The method of claim 17 wherein verifying the file encryption key includes decrypting encrypted file encryption key information stored with the file.
  - 19. The method of claim 14 wherein the file encryption key is separately encrypted with a plurality of public keys into a plurality of sets of file encryption key data, at least one public key being of a user and another being of a recovery agent, and wherein each set of encrypted file encryption key data is stored in association with the file.
  - 20. The method of claim 19 further comprising receiving a private key of either a user or a recovery agent, and scanning the encrypted file encryption key data stored with the file by applying a private key to the encrypted file encryption key data until known information stored with the file encryption key data is detected.
  - 21. The method of claim 19 further comprising verifying the integrity of information stored with respect to at least one recovery agent.
  - 44. The method of claim 14 wherein obtaining a file encryption key includes reading file metadata.
  - 45. The method of claim 14 further comprising reading information about an encryption algorithm from the file encryption key data.
  - 46. A computer-readable medium having computer-executable instructions for performing the method of claim 14.

22. In a computer system having a file system, a method of storing selected file data as encrypted file data, including receiving at the file system a request to write the file data and the file data to be written as encrypted, encrypting the file data via file system level software into encrypted file data by using a file encryption key, encrypting the file encryption key with a public key, writing the encrypted file data to a non-volatile storage, and writing the encrypted file encryption key to the same non-volatile storage as the encrypted file data and in association therewith.
- View Dependent Claims (23, 47, 48, 49)
- - 23. The method of claim 22 wherein receiving a request to write file data to the non-volatile storage includes notifying the file system of a raw data write, wherein data is written to the non-volatile storage without further encrypting said data.
  - 47. The method of claim 22 wherein writing the encrypted file encryption key to the same non-volatile storage as the encrypted file data and in association therewith includes writing file metadata.
  - 48. The method of claim 22 further comprising writing information about an encryption algorithm to the same non-volatile storage as the encrypted file data and in association therewith.
  - 49. A computer-readable medium having computer-executable instructions for performing the method of claim 22.

24. In a computer system having a file system, a system for encrypting data written by the file system to a non-volatile storage, comprising, means for obtaining a file encryption key, a software encryption mechanism at a file system software level for converting unencrypted data to encrypted data based on the file encryption key, the file system writing at least some of the data as encrypted data to a file in the non-volatile storage, and means for encrypting the file encryption key, the file system writing the encrypted file encryption key to the same nonvolatile storage as the encrypted data and in association therewith.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 25. The system of claim 24 further comprising means for retrieving the file encryption key stored in association with the file, including means for decrypting the encrypted file encryption key, and a software decryption mechanism at the file system software level for converting encrypted data to decrypted data based on the file encryption key.
  - 26. The system of claim 24 wherein the means for obtaining a file encryption key includes a random number generator.
  - 27. The system of claim 24 wherein the means for obtaining a file encryption key includes an interface to a cryptography service.
  - 28. The system of claim 25 wherein the means for encrypting the file encryption key includes means for accessing a public key of at least one user.
  - 29. The system of claim 28 wherein the means for decrypting the file encryption key includes means for receiving a private key corresponding to the public key of at least one user.
  - 30. The system of claim 25 wherein the means for encrypting the file encryption key includes means for accessing a public key of at least one recovery agent.
  - 31. The system of claim 28 wherein the means for decrypting the file encryption key includes means for receiving a private key corresponding to the public key of at least one recovery agent.
  - 32. The system of claim 24 wherein the encryption mechanism includes an installable software encryption driver.
  - 33. The system of claim 32 wherein the encryption mechanism further includes a library of functions called by the encryption driver through the file system.
  - 34. The system of claim 33 further comprising a generic data transformation mechanism for communicating between the encryption driver and the library of functions.
  - 35. The system of claim 25 wherein the encryption mechanism and the decryption mechanism include a common installable software encryption driver.
  - 36. The system of claim 25 further comprising means for verifying the integrity of the retrieved file encryption key.
  - 37. The system of claim 36 wherein the means for verifying includes means for storing with the file encrypted information based on the file encryption key.
  - 38. The system of claim 25 wherein the encryption mechanism includes an installable software encryption driver and the means for obtaining a file encryption key includes an interface to a cryptography service, and further comprising means for encrypting communications between the service and the encryption driver.
  - 39. The system of claim 24 wherein the means for obtaining the file encryption key includes a key context buffer accessible at the file system software level for temporarily storing file encryption key information in association with the file.
  - 40. The system of claim 25 wherein the means for retrieving the file encryption key includes a key context buffer accessible at the file system software level for temporarily storing file encryption key information in association with the file.

50. In a computer system having a file system, a system for encrypting data written by the file system to a non-volatile storage, comprising, a file encryption key, a software encryption mechanism connected to the file system and configured to convert unencrypted data to encrypted data based on the file encryption key, the file system communicating with the encryption mechanism to write at least some of the data as encrypted data to a file in the non-volatile storage, a mechanism configured to encrypt the file encryption key into at least one set of encrypted key data, the file system writing each set of encrypted key data to the same non-volatile storage as the encrypted data and in association therewith.
- View Dependent Claims (51, 52, 53, 54, 55)
- - 51. The system of claim 50 wherein the file system writes each set of encrypted key data as metadata associated with the encrypted data.
  - 52. The system of claim 50 wherein the system further includes a mechanism configured to obtain the encryption key from one of the sets of encrypted key data, and a decryption mechanism connected to the file system and configured to convert encrypted data read from the file into unencrypted data via the file encryption key.
  - 53. The system of claim 50 wherein the mechanism configured to encrypt the file encryption key uses a plurality of public keys to encrypt the file encryption key into a plurality of sets of encrypted key data.
  - 54. The system of claim 53 wherein at least one of the public keys corresponds to a user and at least one other of the public keys corresponds to a recovery agent.
  - 55. The system of claim 50 further wherein at least one set of file encryption key data includes information about an encryption algorithm.

56. In a computer system having a file system, a method of returning requested file data, comprising:
- receiving at file system software a request to read file data of an encrypted file;
  
  determining whether file data corresponding to the request is stored on a storage medium or has been decrypted to an access-controlled location; and
  
  if the file data has been decrypted to the access-controlled location, returning the file data in decrypted form from the access-controlled location in response to the request;
  
  or if the file data is stored on the storage medium, reading the file data corresponding to the request from the storage medium, decrypting the file data at the file system software into unencrypted file data, and returning the unencrypted file data in response to the request.
- View Dependent Claims (57, 58)
- - 57. The method of claim 56 wherein the access-controlled location comprises a cache.
  - 58. The method of claim 56 wherein determining whether file data corresponding to the request is stored on the storage medium or has been decrypted to the access-controlled location comprises evaluating caching status data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Garg, Praerit, Andrew, Brian, Gu, Jianrong, Brundrett, Peter, Reichel, Robert P., Miller, Thomas J., Kaplan, Keith S., Kelly, James W. Jr., Kimura, Gary D.
Primary Examiner(s)
Barron, Jr., Gilberto

Application Number

US08/931,774
Time in Patent Office

1,372 Days
Field of Search

380/21, 380/4, 380/25, 380/30, 380/286, 713/165, 713/166, 713/200-201
US Class Current

713/165
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 21/602   Providing cryptographic fac...

G06F 21/604   Tools and structures for ma...

G06F 21/6227   where protection concerns t...

G06F 2211/008   Public Key, Asymmetric Key,...

G06F 2221/2131   Lost password, e.g. recover...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

G06F 2221/2153   Using hardware token as a s...

H04L 9/0897   involving additional device...

Encrypting file system and method

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

391 Citations

58 Claims

Specification

Solutions

Use Cases

Quick Links

Encrypting file system and method

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

391 Citations

58 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links