System and method for secure data disposal
First Claim
1. A machine-implemented method comprising:
- initializing one or more expected Platform Configuration Registers (expected PCRs) in a nonvolatile data area, wherein the expected PCRs are secured by a hardware-based Trusted Platform Module (TPM), wherein the initializing is performed by:
  - generating a random number;
  - storing the generated random number in a nonvolatile memory;
  - seeding one or more of the expected PCRs with the generated random number;
  - inputting a plurality of startup code processes to a hash algorithm process resulting in a first plurality of hash values;
  - updating the expected PCRs using the first plurality of hash values; and
  - saving the expected PCRs in the nonvolatile data area that is secured by the TPM;
- storing a plurality of encrypted files, each of the encrypted files encrypted using a drive encryption key stored in an encrypted data object; and
- booting the machine one or more times after the initializing, during each of the boots:
  - retrieving, by the TPM, the previously stored random number from the nonvolatile memory;
  - seeding one or more Platform Configuration Registers (PCRs) with the retrieved random number;
  - inputting the plurality of startup code processes to the hash algorithm process resulting in a second plurality of hash values;
  - updating the PCRs using the second plurality of hash values; and
  - decrypting the encrypted data object in response to the PCRs being the same as the corresponding expected PCRs.
Abstract
A system, method, and program product is provided that initializes expected PCRs stored in a TPM by generating and storing a random number, seeding expected PCRs with the random number, inputting a set of startup code processes to a hash algorithm resulting in a set of hash values, updating the expected PCRs using the set of hash values, and saving the expected PCRs in a nonvolatile data area that is secured by the TPM. Upon reboot, the random number is retrieved from the nonvolatile data area, the PCRs are seeded with the retrieved random number, the startup code processes are input to the hash algorithm process resulting in another set of hash values, the PCRs are updated using the resulting set of hash values, and an encrypted data object is decrypted in response to the PCRs being the same as the expected PCRs.
17 Claims
1. A machine-implemented method comprising:
- initializing one or more expected Platform Configuration Registers (expected PCRs) in a nonvolatile data area, wherein the expected PCRs are secured by a hardware-based Trusted Platform Module (TPM), wherein the initializing is performed by:
  - generating a random number;
  - storing the generated random number in a nonvolatile memory;
  - seeding one or more of the expected PCRs with the generated random number;
  - inputting a plurality of startup code processes to a hash algorithm process resulting in a first plurality of hash values;
  - updating the expected PCRs using the first plurality of hash values; and
  - saving the expected PCRs in the nonvolatile data area that is secured by the TPM;
- storing a plurality of encrypted files, each of the encrypted files encrypted using a drive encryption key stored in an encrypted data object; and
- booting the machine one or more times after the initializing, during each of the boots:
  - retrieving, by the TPM, the previously stored random number from the nonvolatile memory;
  - seeding one or more Platform Configuration Registers (PCRs) with the retrieved random number;
  - inputting the plurality of startup code processes to the hash algorithm process resulting in a second plurality of hash values;
  - updating the PCRs using the second plurality of hash values; and
  - decrypting the encrypted data object in response to the PCRs being the same as the corresponding expected PCRs.
Dependent claims: 2, 3, 4, 5, 6.

7. An information handling system comprising:
- one or more processors;
- a memory accessible by at least one of the processors;
- one or more nonvolatile storage areas accessible by at least one of the processors;
- a plurality of startup code processes stored in the nonvolatile storage areas;
- a Trusted Platform Module (TPM) that secures a plurality of expected Platform Configuration Registers (PCRs) stored in a first secure nonvolatile memory;
- a random number generator included in the TPM; and
- a set of instructions stored in the memory and executed by at least one of the processors in order to perform actions of:
  - initializing a plurality of the expected PCRs by:
    - generating a random number using the TPM's random number generator;
    - storing the generated random number in the second secure nonvolatile memory;
    - seeding one or more of the expected PCRs with the generated random number;
    - inputting the startup code processes to a hash algorithm process resulting in a first plurality of hash values;
    - updating the expected PCRs using the first plurality of hash values; and
    - saving the expected PCRs in one of the nonvolatile storage areas, wherein the nonvolatile storage area used to save the expected PCRs is secured by the TPM;
  - storing a plurality of encrypted files, each of the plurality of encrypted files encrypted using a drive encryption key stored in an encrypted data object; and
  - booting the information handling system one or more times after the initializing, during each of the boots:
    - retrieving, by the TPM, the previously stored random number from the nonvolatile storage area;
    - seeding a plurality of PCRs with the retrieved random number;
    - inputting the plurality of startup code processes to the hash algorithm process resulting in a second plurality of hash values;
    - updating the PCRs using the second plurality of hash values; and
    - decrypting the encrypted data object stored on one of the nonvolatile storage areas in response to the one or more PCRs being the same as the corresponding one or more selected from the expected PCRs.
Dependent claims: 8, 9, 10, 11, 12.

13. A computer program product stored in a non-transitory computer readable medium, comprising functional descriptive material that, when executed by an information handling system, causes the information handling system to perform actions that include:
- initializing one or more expected Platform Configuration Registers (PCRs) in a nonvolatile data area, wherein the expected PCRs are secured by a hardware-based Trusted Platform Module (TPM), wherein the initializing is performed by:
  - generating a random number;
  - storing the generated random number in a nonvolatile memory;
  - seeding one or more of the expected PCRs with the generated random number;
  - inputting a plurality of startup code processes to a hash algorithm process resulting in a first plurality of hash values;
  - updating the expected PCRs using the first plurality of hash values; and
  - saving the expected PCRs in the nonvolatile data area that is secured by the TPM;
- storing a plurality of encrypted files, each of the encrypted files encrypted using a drive encryption key stored in an encrypted data object; and
- booting the machine one or more times after the initializing, during each of the boots:
  - retrieving, by the TPM, the previously stored random number from the nonvolatile memory;
  - seeding one or more Platform Configuration Registers (PCRs) with the retrieved random number;
  - inputting the plurality of startup code processes to the hash algorithm process resulting in a second plurality of hash values;
  - updating the PCRs using the second plurality of hash values; and
  - decrypting the encrypted data object in response to the PCRs being the same as the corresponding expected PCRs.
Dependent claims: 14, 15, 16, 17.
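The scheme claimed above (seed a PCR with a stored random number, extend it with hashes of the startup code, seal the drive encryption key to the expected PCR value, and release the key on a later boot only when the PCR is reproduced), as an added Python simulation that is not part of the patent. The TPM, its nonvolatile memory, the PCR extend and the sealed data object are modelled with hashlib/hmac and a plain dict, the function names are my own, and the `dispose` step (erasing the random number so the PCR can never be reproduced) is my reading of the title, not a step the claims shown here recite.

```python
import hashlib
import hmac
import os

PCR_INIT = bytes(32)  # PCR reset value before any extend (all zeros)

def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM-style extend: new_pcr = SHA-256(old_pcr || SHA-256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def compute_pcr(seed: bytes, startup_code: list) -> bytes:
    """Seed the PCR with the stored random number, then extend with each startup process."""
    pcr = pcr_extend(PCR_INIT, seed)
    for code in startup_code:
        pcr = pcr_extend(pcr, code)
    return pcr

def seal(drive_key: bytes, expected_pcr: bytes) -> dict:
    """Encrypted data object: a 32-byte drive key wrapped under a PCR-derived key."""
    wrap = hashlib.sha256(b"seal-wrap" + expected_pcr).digest()
    blob = bytes(a ^ b for a, b in zip(drive_key, wrap))
    return {"blob": blob, "tag": hmac.new(wrap, blob, hashlib.sha256).digest()}

def unseal(obj: dict, pcr: bytes):
    """Return the drive key only if the current PCR reproduces the sealing PCR."""
    wrap = hashlib.sha256(b"seal-wrap" + pcr).digest()
    expected_tag = hmac.new(wrap, obj["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, obj["tag"]):
        return None  # PCR mismatch: erased/changed seed or altered startup code
    return bytes(a ^ b for a, b in zip(obj["blob"], wrap))

def initialize(nv: dict, startup_code: list, drive_key: bytes) -> None:
    """Initialization: generate and store the random number, seal to the expected PCR."""
    nv["seed"] = os.urandom(32)  # stand-in for the TPM's random number generator
    nv["sealed_key"] = seal(drive_key, compute_pcr(nv["seed"], startup_code))

def boot(nv: dict, startup_code: list):
    """Each boot: reseed from NV, re-measure the startup code, attempt the unseal."""
    return unseal(nv["sealed_key"], compute_pcr(nv.get("seed", b""), startup_code))

def dispose(nv: dict) -> None:
    """Disposal (assumed from the title): erase the seed so the PCR is unreproducible."""
    nv.pop("seed", None)
```

Because the seed is part of the measurement chain, a verifier that only knows the startup code hashes cannot reconstruct the expected PCR; once the seed is gone, the sealed drive key is unrecoverable even with the original firmware intact.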
Specification