System for optimized key management with file groups
First Claim
1. A method of implementing a file system, comprising:
creating a plurality of file encryption groups from a plurality of files stored in the file system based on common attributes of said plurality of files, wherein at least one of the file encryption groups includes multiple files stored in the file system;
associating each file encryption group of said plurality of file encryption groups with a respective key;
accessing one of the file encryption groups by utilizing one of the respective keys that is associated with the one file encryption group;
determining a modification in at least one attribute of a plurality of attributes for a file of the plurality of files;
utilizing the plurality of attributes for the file for indexing into a file encryption group table storing attributes for each of the plurality of file encryption groups;
determining whether an existing file encryption group of the plurality of file encryption groups has attributes matching the plurality of attributes for the file based on the indexing;
in response to determining a non-existence of an existing file encryption group having attributes matching the plurality of attributes for the file, generating a new file encryption group having attributes matching the plurality of attributes for the file;
including said file in the new file encryption group;
generating a read/write key pair for the new file encryption group;
encrypting said file with the write key of the read/write key pair generated for the new file encryption group;
updating the table with said write key of the read/write key pair generated for the new file encryption group;
in response to determining an existence of an existing file encryption group having attributes matching the plurality of attributes for the file, including said file in the existing file encryption group having the attributes matching the plurality of attributes for the file;
encrypting said file with the write key of the read/write key pair for the existing file encryption group having the attributes matching the plurality of attributes for the file; and
updating the table with the modification in the at least one attribute of the plurality of attributes for the file of the plurality of files.
Abstract
A group manager module may provide the capability to segregate or associate files into file encryption groups. A file may be placed into a file encryption group based on the attributes of the file. The attributes may be characteristics/parameters that describe who has access to a file such as UNIX permission/mode bits (group-read/write/executable bit, owner-read/write/executable bits, users-read/write/executable bits) or other system for access control lists (ACLs). Once associated with a file encryption group, the file may be encrypted with the encryption (or write) key of the selected file encryption group, and thus, decrypted with the decryption (or read) key of the file encryption group. A user may have membership into multiple file encryption groups as long as the user possesses the appropriate read/write key pairs. Membership of a file in a file encryption group is determined automatically by the system based on the permission attributes assigned by the system—groups are not explicitly created by administrators or other centralized authority. It is not users that belong to groups based on their access rights, but files which belong to groups based on their permission attributes.
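The grouping procedure of claim 1 and the abstract, as an added Python sketch that is not part of the patent: a table indexed by the (owner, group, mode) tuple maps each attribute combination to a file encryption group with its own key pair, and a change to a file's mode bits re-homes it into the matching group, creating that group and its keys if none exists. The SHA-256 keystream cipher and the identical read and write keys are stand-ins chosen so the example runs on the standard library alone; the patent's read/write pair implies a real encryption scheme with distinct keys.

```python
import os
import hashlib
from dataclasses import dataclass, field

# Toy stand-in cipher (SHA-256 counter-mode keystream XOR), not for real use;
# read_key == write_key here, whereas the patent implies a distinct pair.
def _xor_stream(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

@dataclass
class FileEncryptionGroup:
    attrs: tuple                  # (owner, group, mode) shared by its files
    write_key: bytes
    read_key: bytes
    members: set = field(default_factory=set)

@dataclass
class EncryptedFile:
    name: str
    attrs: tuple                  # attributes used to index the group table
    ciphertext: bytes

class GroupManager:
    def __init__(self):
        self.table: dict[tuple, FileEncryptionGroup] = {}  # attrs -> group

    def place(self, name: str, attrs: tuple, plaintext: bytes) -> EncryptedFile:
        grp = self.table.get(attrs)
        if grp is None:                        # no matching group: create one
            k = os.urandom(32)                 # generate the group's key pair
            grp = FileEncryptionGroup(attrs, write_key=k, read_key=k)
            self.table[attrs] = grp            # record its write key in the table
        grp.members.add(name)                  # include the file in the group
        return EncryptedFile(name, attrs, _xor_stream(grp.write_key, plaintext))

    def on_attr_change(self, f: EncryptedFile, new_attrs: tuple) -> EncryptedFile:
        # A changed mode bit re-homes the file: recover it with the old group's
        # read key, drop the old membership, re-encrypt under the matching group.
        old = self.table[f.attrs]
        plaintext = _xor_stream(old.read_key, f.ciphertext)
        old.members.discard(f.name)
        return self.place(f.name, new_attrs, plaintext)

    def read(self, f: EncryptedFile, read_key: bytes) -> bytes:
        return _xor_stream(read_key, f.ciphertext)
```

Placing two files with mode 0o640 puts both in one group; changing one to 0o644 creates a second group whose read key alone recovers that file, while the first group's read key still recovers only the file that stayed behind.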
17 Claims
1. A method of implementing a file system, comprising: (claim text as set out under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 17.
9. A system for implementing a file system, comprising:
at least one processor;
a memory coupled to said at least one processor; and
a group manager module residing in said memory and executed by said at least one processor, wherein said group manager module is configured to create a plurality of file encryption groups from a plurality of files stored in the file system based on common attributes of said plurality of files, wherein at least one of the file encryption groups includes multiple files stored in the file system, is also configured to associate each file encryption group of said plurality of file encryption groups with a respective key, and is further configured to access one of the file encryption groups by utilizing one of the respective keys that is associated with the one file encryption group;
wherein said group manager module is further configured to determine a modification in at least one of the common attributes of a file of the plurality of files, wherein the at least one of the common attributes of the file was previously used by the group manager to determine which of the file encryption groups the file belongs to, is yet further configured to search for an existing file encryption group of said plurality of file encryption groups within a file encryption group table storing attributes for each of the plurality of file encryption groups using the modification in the at least one of the common attributes of said file, and determine whether an existing file encryption group of the plurality of file encryption groups has attributes matching the modification in the at least one of the common attributes of said file based on the search, and
in response to determining a non-existence of an existing file encryption group having attributes matching the modification in the at least one of the common attributes of said file, the module configured to generate a new file encryption group having attributes matching the modification in the at least one of the common attributes of said file, include said file in the new file encryption group, generate a read/write key pair for the new file encryption group, encrypt said file with the write key of the read/write key pair generated for the new file encryption group, and update the table with said write key of the read/write key pair generated for the new file encryption group; and
in response to determining an existence of an existing file encryption group having attributes matching the modification in the at least one of the common attributes of said file, the module configured to include said file in the existing file encryption group having the attributes matching the modification in the at least one of the common attributes of said file, encrypt said file with the write key of the read/write key pair for the existing file encryption group having the attributes matching the modification in the at least one of the common attributes of said file, and update the table with the modification in the at least one of the common attributes of said file.
Dependent claims: 10, 11, 12.
13. An apparatus for implementing a file system, comprising:
an interface configured to communicate with a storage device;
an encryption/decryption module; and
a manager module configured to associate multiple files of a plurality of files stored on said storage device into a file group based on common attributes of a plurality of attributes of said multiple files and to encrypt said multiple files with one encryption key of a plurality of encryption keys by utilizing said encryption/decryption module to create a file encryption group, and wherein the manager module is further configured to:
determine a modification in at least one attribute of the plurality of attributes for a file of the plurality of files;
utilize the plurality of attributes for the file for indexing into a file encryption group table storing attributes for each of the plurality of file encryption groups;
determine whether an existing file encryption group of the plurality of file encryption groups has attributes matching the plurality of attributes for the file based on the indexing; and
in response to determining a non-existence of an existing file encryption group having attributes matching the plurality of attributes for the file, the module configured to generate a new file encryption group having attributes matching the plurality of attributes for the file; include said file in the new file encryption group; generate a read/write key pair for the new file encryption group; encrypt said file with the write key of the read/write key pair generated for the new file encryption group; and update the table with said write key of the read/write key pair generated for the new file encryption group; and
in response to determining an existence of an existing file encryption group having attributes matching the plurality of attributes for the file, the module configured to include said file in the existing file encryption group having the attributes matching the plurality of attributes for the file; encrypt said file with the write key of the read/write key pair for the existing file encryption group having the attributes matching the plurality of attributes for the file; and update the table with the modification in the at least one attribute of the plurality of attributes for the file of the plurality of files.
Dependent claims: 14, 15, 16.
Specification