Encrypting file system and method
First Claim
1. In a computing device, a system comprising:
an interchangeable cryptographic module including at least one algorithm for converting unencrypted data into encrypted data and converting encrypted data into unencrypted data; and
file system level software that maintains files on a non-volatile storage including reading and writing file data to the files on the non-volatile storage, the file system level software configured to;
1) identify a file maintained on the non-volatile storage as an encrypted file;
2) receive a request to write presently unencrypted file data to the encrypted file, and in response;
a) to communicate with the interchangeable cryptographic module including providing key data to convert the unencrypted file data into encrypted file data, and
b) to write the encrypted file data to the encrypted file on the non-volatile storage; and
3) receive a request to read file data from the encrypted file, and in response;
a) to read the encrypted file on the non-volatile storage to obtain encrypted data corresponding to the request,
b) to communicate with the interchangeable cryptographic module including providing key data to convert the encrypted data into unencrypted data, and
c) to return the unencrypted data.
Abstract
A system and method for encryption and decryption of files. The system and method operate in conjunction with the file system to transparently encrypt and decrypt files using a public key-private key pair encryption scheme. When a user puts a file in an encrypted directory or encrypts a file, data writes to the disk for that file are encrypted with a random file encryption key generated from a random number and encrypted with the public key of a user and the public key of at least one recovery agent. The encrypted key information is stored with the file, whereby the user or a recovery agent can decrypt the file data using a private key. With a correct private key, encrypted reads are decrypted transparently by the file system and returned to the user. One or more selectable encryption and decryption algorithms may be provided via interchangeable cryptographic modules.
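The key hierarchy the abstract describes, as an added example that is not taken from the patent: a random per-file key encrypts the data, and a copy of that key is wrapped under the public key of the user and of a recovery agent and stored with the file. The choice of AES-GCM, RSA-OAEP, the Python `cryptography` package, whole-buffer encryption, and all names are assumptions made for illustration.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Padding used to wrap the file encryption key (FEK) under each public key (assumed choice).
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def encrypt_file(plaintext, recipients):
    """recipients: {name: RSA public key}. Returns the record stored for the file."""
    fek = AESGCM.generate_key(bit_length=256)  # random per-file key
    nonce = os.urandom(12)
    return {
        # One wrapped copy of the FEK per user / recovery agent, kept with the file.
        "key_info": {name: pub.encrypt(fek, OAEP) for name, pub in recipients.items()},
        "nonce": nonce,
        "data": AESGCM(fek).encrypt(nonce, plaintext, None),
    }


def decrypt_file(record, name, private_key):
    """Unwrap the FEK with one holder's private key, then decrypt the file data."""
    wrapped = record["key_info"].get(name)
    if wrapped is None:
        raise PermissionError(f"no key entry for {name}")
    fek = private_key.decrypt(wrapped, OAEP)  # raises ValueError for a non-matching key
    return AESGCM(fek).decrypt(record["nonce"], record["data"], None)


def demo():
    # Constructed key pairs and file content for the demonstration.
    user = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    agent = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    outsider = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    record = encrypt_file(b"quarterly numbers",
                          {"user": user.public_key(), "recovery_agent": agent.public_key()})
    by_user = decrypt_file(record, "user", user)
    by_agent = decrypt_file(record, "recovery_agent", agent)
    try:
        decrypt_file(record, "user", outsider)
        outsider_ok = True
    except ValueError:
        outsider_ok = False
    return by_user, by_agent, outsider_ok, record
```
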
24 Claims
7. A computer-implemented method, comprising:
operably connecting an interchangeable cryptographic module to file system level software, the interchangeable cryptographic module including a plurality of selectable algorithms for converting unencrypted data into encrypted data and converting encrypted data into unencrypted data;
the file system level software;
1) receiving a request to read file data from an encrypted file;
2) obtaining key data that corresponds to a key to use and algorithm data corresponding to a selected algorithm of the plurality to use for data decryption;
3) reading encrypted file data corresponding to the requested data from the encrypted file; and
4) returning unencrypted file data corresponding to the request by communicating with the interchangeable cryptographic module to invoke the selected algorithm and decrypt the encrypted file data into the unencrypted file data via the key.
11. In a computer system, a method comprising:
receiving information at file system level software indicating that a file has encrypted file data stored in a non-volatile storage;
obtaining a key for decrypting the file data from key information maintained in association with the file on the same non-volatile storage as the encrypted file data; and
receiving a request to read encrypted file data of the encrypted file from the non-volatile storage, and in response, reading the encrypted file data from the non-volatile storage, decrypting the encrypted file data into decrypted file data at the file system level software using the key, and returning the decrypted file data.
19. A computer-implemented method, comprising:
operably connecting an interchangeable cryptographic module to file system level software, the interchangeable cryptographic module including a plurality of selectable algorithms for converting unencrypted data into encrypted data and converting encrypted data into unencrypted data;
the file system level software;
1) receiving a request to write presently unencrypted file data to an encrypted file;
2) obtaining key data that corresponds to a key to use and algorithm data corresponding to a selected algorithm of the plurality to use for data encryption;
3) communicating with the interchangeable cryptographic module to invoke the selected algorithm and encrypt the unencrypted file data into the encrypted file data via the key; and
4) writing the encrypted file data corresponding to the request to the encrypted file on the non-volatile storage.
23. In a computer system having a file system, a method of returning requested file data, comprising:
receiving at file system software a request to read file data of an encrypted file;
determining whether file data corresponding to the request is stored on a storage medium or has been decrypted to an access-controlled location; and
if the file data has been decrypted to the access-controlled location, returning the file data in decrypted form from the access-controlled location in response to the request; or
if the file data is stored on the storage medium, reading the file data corresponding to the request from the storage medium, calling an interchangeable cryptographic module to decrypt the file data into unencrypted file data, and returning the unencrypted file data in response to the request.
Specification