Encrypting operating system
Abstract
A method of and system for encrypting and decrypting data on a computer system is disclosed. In one embodiment, the system comprises an encrypting operating system (EOS), which is a modified UNIX operating system. The EOS is configured to use a symmetric encryption algorithm and an encryption key to encrypt data transferred from physical memory to secondary devices, such as disks, swap devices, network file systems, network buffers, pseudo file systems, or any other structures external to the physical memory and on which data can be stored. The EOS further uses the symmetric encryption algorithm and the encryption key to decrypt data transferred from the secondary devices back to physical memory. In other embodiments, the EOS adds an extra layer of security by also encrypting the directory structure used to locate the encrypted data. In a further embodiment, a user or process is authenticated and its credentials checked before a file can be accessed, using a key management facility that controls access to one or more keys for encrypting and decrypting data.
65 Claims
1. A computer system comprising:
- a memory portion containing an encrypted data file, wherein the memory portion comprises a first logical protected memory to store encrypted data files and a second logical protected memory to store encrypted key data;
- an operating system comprising a kernel to use a unique system-identifier to verify a user to control access to the encrypted data file, wherein the kernel comprises a virtual node (a) to decrypt an encrypted directory entry to determine a location of the encrypted data file and (b) to decrypt the encrypted data file to access data file contents contained therein; and
- an encryption key management system to control access to the encrypted data files and the encrypted key data, wherein the encryption key management system comprises a key engine, the key engine to receive a pass key and a data file name to generate an encrypted data file name key, the key engine also to use the encrypted data file name key and the data file contents to generate an encrypted data file contents key, the key engine also to encrypt the data file contents with the encrypted data file contents key to generate encrypted data file contents and to encrypt the data file name with the encrypted data file name key to generate an encrypted data file name.
Dependent claims: 2-27.
28. A computer system comprising:
a. a first device having an operating system kernel and a directory structure with directory information comprising encrypted data file names and corresponding encrypted data file locations for accessing encrypted data files within a file system, the operating system kernel to decrypt the encrypted data file names and encrypted data file locations using one or more encryption keys to recover clear data corresponding to the data file names, data file locations, and data files, the operating system kernel comprising a virtual node to encrypt the clear data using the one or more encryption keys to generate cipher data corresponding to the directory information and encrypted data files;
b. a key generator to generate the one or more encryption keys from identifiers unique to the computer system and unique to encrypted data files on the computer system; and
c. a second device coupled to the first device to exchange cipher data with the first device.
Dependent claims: 29-40.
41. A method of storing an encrypted data file in a computer file system having a directory, the method comprising:
a. receiving a clear data file having a name; and
b. executing kernel code in an operating system, the kernel code comprising a virtual node comprising drivers to encrypt the clear data file to generate an encrypted data file using a symmetric key, store the encrypted data file at a location in the computer file system, and store in the directory an entry containing an encryption of the name and an encryption of the location, wherein the symmetric key is generated in part by dividing a first key into sub-keys each corresponding to a block of the data file, modifying each of the sub-keys based on an identifier of a corresponding block to produce modified sub-keys, and combining the modified sub-keys.
Dependent claims: 42-53.
54. A computer system comprising:
a. a processor;
b. a physical memory containing an encrypted data file and a directory, wherein the directory comprises a record having a first element corresponding to an encrypted name of the data file and a second element corresponding to an encrypted location of the data file in the memory;
c. a secondary device coupled to the physical memory; and
d. an operating system comprising a kernel, the kernel comprising a virtual node integrated with drivers to directly decrypt the first and second elements to access the encrypted data file from memory when transferring the data file from the memory to the secondary device and to directly re-encrypt the first and second elements when transferring the data file from the secondary device to the memory, wherein the drivers decrypt and re-encrypt the first and second elements using one or more keys generated from identifiers of one or more of the data file, a root directory containing the data file, and a file system containing the root directory.
Dependent claims: 55-60.
61. A computer system containing an operating system, the computer system comprising:
- a kernel comprising a virtual node integrated with drivers to encrypt and decrypt data transferred between a memory and a secondary device, wherein the kernel comprises an encryption engine to encrypt clear data to generate cipher data, the encryption engine also to decrypt the cipher data to generate the clear data;
- a memory coupled to the encryption engine to store the cipher data, wherein the memory comprises a first logical protected memory to store encrypted file data and a second logical protected memory to store encrypted key data;
- an encryption key management system to control access to the encrypted file data and the encrypted key data, wherein the encryption key management system comprises a key engine to receive a pass key and the file name to generate an encrypted file name key, use the encrypted file name key and file contents to generate an encrypted file contents key, and encrypt the file contents with the encrypted file contents key to generate encrypted file contents.
62. A method of encrypting data, the method comprising:
- receiving clear data; and
- executing kernel code in an operating system, wherein the kernel code comprises a virtual node integrated with drivers to use a symmetric key to encrypt the clear data to generate cipher data and to use the symmetric key to decrypt the cipher data to generate the clear data, and further wherein executing the kernel code comprises entering a pass key and a file name into a first encryption process to produce an encrypted file name and an encrypted file name key and processing the clear data together with the encrypted file name key to generate an encrypted file contents key and encrypted file contents.
63. A computer system comprising a memory portion containing an encrypted data file and an operating system comprising a kernel, wherein the kernel comprises a virtual node to decrypt an encrypted directory entry to determine a location of the encrypted data file and to decrypt the encrypted data file to access data contained therein, the virtual node to decrypt the data file using a first key generated from an identifier of the operating system, an identifier of a file system containing the data file, an identifier of a root directory containing the encrypted data file, an identifier of the data file, and a second key.
64. A computer system comprising:
- a memory portion containing an encrypted data file, a first logical protected memory to store encrypted data files and a second logical protected memory to store encrypted key data, and an operating system comprising a kernel, wherein the kernel comprises a virtual node (a) to directly decrypt an encrypted directory entry to determine a location of the encrypted data file and (b) to directly decrypt the encrypted data file to access data file contents contained therein; and
- an encryption key management system to control access to the encrypted data files and the encrypted key data, wherein the encryption key management system comprises a key engine, the key engine to receive a pass key and a data file name to generate an encrypted data file name key, the key engine also to use the encrypted data file name key and the data file contents to generate an encrypted data file contents key, the key engine also to encrypt the data file contents with the encrypted data file contents key to generate encrypted data file contents and to encrypt the data file name with the encrypted data file name key to generate an encrypted data file name.
65. A method of storing an encrypted data file in a computer file system having a directory, the method comprising:
- receiving a clear data file having a name; and
- executing kernel code in an operating system, the kernel code comprising a virtual node comprising drivers to directly encrypt the clear data file to generate an encrypted data file using a symmetric key, store the encrypted data file at a location in the computer file system, and store in the directory an entry containing an encryption of the name and an encryption of the location, wherein executing kernel code comprises:
  - entering a pass key and a data file name into a first encryption process to produce an encrypted data file name and an encrypted data file name key; and
  - processing the clear data file together with the encrypted data file name key to generate an encrypted file contents key and an encrypted file contents.
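The key-generation step recited in claim 41 (divide a first key into per-block sub-keys, modify each sub-key by its block's identifier, combine the results), sketched here as an added example that is not code from the patent or its assignee. The claim names no primitives or sizes, so the SHAKE-256 stretching, HMAC-SHA256 modification, SHA-256 combination, 16-byte sub-keys and all function names are assumptions.

```python
import hashlib
import hmac

SUBKEY_LEN = 16  # bytes per sub-key (assumed; the claim gives no sizes)

def split_first_key(first_key: bytes, n_blocks: int) -> list[bytes]:
    """Divide the first key into one sub-key per data block.

    Assumption: the key is first stretched with SHAKE-256 so that a file
    with many blocks still gets a distinct, full-length sub-key per block.
    """
    if not first_key:
        raise ValueError("first key must not be empty")
    if n_blocks < 1:
        raise ValueError("a file needs at least one block")
    material = hashlib.shake_256(first_key).digest(n_blocks * SUBKEY_LEN)
    return [material[i:i + SUBKEY_LEN]
            for i in range(0, len(material), SUBKEY_LEN)]

def modify_sub_key(sub_key: bytes, block_id: int) -> bytes:
    """Modify one sub-key based on its block's identifier (HMAC, assumed)."""
    if block_id < 0:
        raise ValueError("block identifier must be non-negative")
    return hmac.new(sub_key, block_id.to_bytes(8, "big"),
                    hashlib.sha256).digest()

def derive_symmetric_key(first_key: bytes, block_ids: list[int]) -> bytes:
    """Combine the modified sub-keys into the file's 32-byte symmetric key."""
    sub_keys = split_first_key(first_key, len(block_ids))
    combined = hashlib.sha256()
    # Sub-key i is bound to the i-th block, so block order matters too.
    for sub_key, block_id in zip(sub_keys, block_ids):
        combined.update(modify_sub_key(sub_key, block_id))
    return combined.digest()

if __name__ == "__main__":
    first_key = bytes(range(32))     # constructed sample key
    blocks = [1040, 1041, 2200]      # constructed block identifiers
    key = derive_symmetric_key(first_key, blocks)
    moved = derive_symmetric_key(first_key, [1040, 1041, 2201])
    print(key.hex())
    print("key changes when a block identifier changes:", key != moved)
```

Under this construction the resulting key is tied to the file's block layout: the same first key yields a different symmetric key if any block identifier, or the order of the blocks, differs.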
Specification