Systems and methods for data encryption using plugins within virtual systems and subsystems

US 7,987,497 B1
Filed: 03/05/2004
Issued: 07/26/2011
Est. Priority Date: 03/05/2004
Status: Active Grant

First Claim

Patent Images

1. A method executed by a computer system, the method comprising:

executing, by a host operating system running on the computer system, an encryption program, a virtual machine monitor, an encryption plug-in, and a file system, wherein the encryption plug-in is configured to interface with the encryption program;

interfacing, via an encryption-application program interface, the virtual machine monitor with the encryption plug-in, wherein the encryption plug-in enables the virtual machine monitor to interface with the encryption program;

executing, by the computer system, a virtual machine, the virtual machine including a virtual hard drive, wherein the virtual machine monitor is configured to store the virtual hard drive within a file in the file system;

providing sector-level encryption by encrypting, by the virtual machine monitor using the encryption program, the file including the virtual hard drive; and

storing, by the host operating system, the file in the file system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Several embodiments of the present invention provide a means for improving data access security in computer systems to support high-security applications, and certain of these embodiments are specifically directed to providing sector-level encryption of a virtual hard disk in a virtual machine environment. More specifically, certain embodiments are directed to providing sector-level encryption by using plug-ins in a virtual machine environment, thereby providing improved data access security in a computer system that supports high-security applications. Certain embodiments also use encryption plug-ins associated with standard encryption software for exchanging data between a virtual machine (VM) and its associated virtual hard drive(s) (VHDs). Moreover, several embodiments of the present invention are directed to the use of plug-in encryption services that interface with, and provide services for, a VM via a VM Encryption API (or its equivalent).

77 Citations

View as Search Results

22 Claims

1. A method executed by a computer system, the method comprising:
- executing, by a host operating system running on the computer system, an encryption program, a virtual machine monitor, an encryption plug-in, and a file system, wherein the encryption plug-in is configured to interface with the encryption program;
  
  interfacing, via an encryption-application program interface, the virtual machine monitor with the encryption plug-in, wherein the encryption plug-in enables the virtual machine monitor to interface with the encryption program;
  
  executing, by the computer system, a virtual machine, the virtual machine including a virtual hard drive, wherein the virtual machine monitor is configured to store the virtual hard drive within a file in the file system;
  
  providing sector-level encryption by encrypting, by the virtual machine monitor using the encryption program, the file including the virtual hard drive; and
  
  storing, by the host operating system, the file in the file system.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - executing, by the virtual machine, a guest operating system, the guest operating system including a guest file system.
  - 3. The method of claim 2, wherein encrypting the file includes encrypting metadata associated with the guest file system.
  - 4. The method of claim 1, further comprising:
    - interfacing, via the encryption-application program interface, the virtual machine monitor with a second encryption plug-in, wherein the second encryption plug-in enables the virtual machine monitor to interface with a second encryption program, wherein the second encryption program implements a different encryption technique than an encryption technique implemented by the encryption program.
  - 5. The method of claim 4, further comprising:
    - executing a second virtual machine, the second virtual machine including a second virtual hard drive, wherein the virtual machine monitor is configured to store the second virtual hard drive within a second file;
      
      encrypting, by the second virtual machine monitor using the second encryption program via the second plug-in, the second file including the second virtual hard drive; and
      
      storing, by the host operating system, the second file in the file system.
  - 6. The method of claim 1, further comprising:
    - reading metadata in the file, the metadata indicating that the encryption program was used to encrypt the file;
      
      selecting the encryption program from a group of different encryption programs;
      
      decrypting, by the virtual machine monitor using the encryption program, the file including the virtual hard drive; and
      
      executing, by the virtual machine, a guest operating system, the guest operating system stored in the virtual hard drive.
  - 7. The method of claim 1, wherein the file includes a plurality of files.

8. A computer system, comprising:
- a processor;
  
  a hard drive;
  
  a computer readable storage medium operatively coupled to the processor and the hard drive, the computer readable storage medium including instructions that upon execution by the processor cause the computer system to;
  
  execute a host operating system, wherein the host operating system is configured to execute a virtual machine monitor, a plurality of encryption programs, a plurality of encryption plug-ins, and a host file system,wherein the virtual machine monitor includes an encryption-application program interface,wherein the encryption plug-ins are configured to interface the virtual machine monitor with the plurality of encryption programs via the encryption-application program interface;
  
  execute the virtual machine monitor, the virtual machine monitor configured to execute a virtual machine including a virtual hard drive, the virtual machine configured to execute a guest operating system, the guest operating system including a guest file system that includes metadata;
  
  wherein the virtual machine monitor is configured to interface with a first encryption plug-in selected from the plurality of encryption plug-ins;
  
  wherein the virtual machine monitor is configured to encrypt, using the first encryption program, a file including the virtual hard drive thereby encrypting the guest file system and the guest file system metadata;
  
  wherein the host operating system is configured to store, on the hard drive, the file in the host file system;
  
  wherein the virtual machine monitor is configured to determine that the first encryption program was used to encrypt the file; and
  
  wherein the virtual machine monitor is configured to decrypt using the first encryption program, the file.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The computer system of claim 8, wherein the file includes a plurality of files.
  - 10. The computer system of claim 8, wherein the file includes information that identifies the first encryption program was used to encrypt the file.
  - 11. The computer system of claim 8, wherein the computer readable storage medium further comprises instructions that upon execution cause the computer system to:
    - encrypt, by the host operating system, the host file system.
  - 12. The computer system of claim 8, wherein the computer readable storage medium further comprises instructions that upon execution cause the computer system to:
    - encrypt file names, header information, metadata, and file characteristics associated with the guest file system.

13. A computer system, comprising:
- a processor;
  
  a hard drive;
  
  a computer readable storage medium operatively coupled to the processor and the hard drive, the computer readable storage medium including instructions that upon execution by the processor cause the computer system to;
  
  run a host operating system including a virtual machine monitor, an encryption program, and an encryption plug-in, wherein the encryption plug-in is configured to interface with the encryption program;
  
  interface, via an encryption-application program interface, the virtual machine monitor with the encryption plug-in thereby interfacing the virtual machine monitor with the encryption program;
  
  execute a virtual machine that includes a virtual hard drive;
  
  encrypt, by the virtual machine using the encryption program, a file including the virtual hard drive thereby providing sector-level encryption for virtual hard drive; and
  
  store the encrypted file on the hard drive.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer system of claim 13, wherein the computer readable storage medium further comprises instructions that upon execution by the processor cause the computer system to:
    - execute, by the virtual machine, a guest operating system that includes a guest file system.
  - 15. The computer system of claim 14, wherein the instructions that upon execution by the processor cause the computer system to encrypt the file further comprise instructions that upon execution by the processor cause the computer system to:
    - encrypt the file thereby encrypting file names associated with the guest file system.
  - 16. The computer system of claim 14, wherein the instructions that upon execution by the processor cause the computer system to encrypt the file further comprise instructions that upon execution by the processor cause the computer system to:
    - encrypt the file thereby encrypting header information associated with the guest file system.
  - 17. The computer system of claim 14, wherein the instructions that upon execution by the processor cause the computer system to encrypt the file further comprise instructions that upon execution by the processor cause the computer system to:
    - encrypt the file thereby encrypting metadata associated with the guest file system.
  - 18. The computer system of claim 14, wherein the instructions that upon execution by the processor cause the computer system to encrypt the file further comprise instructions that upon execution by the processor cause the computer system to:
    - encrypt the file thereby encrypting file system characteristics associated with the guest file system.

19. A memory device including processor executable instructions, the memory device comprising instructions that upon execution by a processor cause the processor to:
- host, by a virtual machine monitor, a first partition and a second partition, wherein the first partition includes a virtual machine, the virtual machine including a virtual hard drive;
  
  execute an encryption program in a second partition;
  
  interface the virtual machine monitor to an encryption plug-in via an encryption-application program interface, wherein the encryption plug-in is configured to interface the virtual machine monitor with the encryption program;
  
  encrypt, by the virtual machine using the encryption program, a file including the virtual hard drive thereby providing sector-level encryption for the virtual hard drive; and
  
  store the encrypted file on a hard drive.
- View Dependent Claims (20, 21, 22)
- - 20. The memory device of claim 19, wherein the second partition includes a host operating system, the host operating system including a host file system.
  - 21. The memory device of claim 20, wherein the file is stored in the host file system.
  - 22. The memory device of claim 21, further comprising instructions that upon execution by the processor cause the processor to:
    - encrypt, by the host operating system, the host file system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Giles, Aaron, Traut, Eric P., Vega, Rene Antonio
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Louie; Oscar A

Application Number

US10/794,898
Time in Patent Office

2,699 Days
Field of Search

713/200, 726/2, 726/16, 726/26, 726/27
US Class Current

726/2
CPC Class Codes

G06F 13/385   for adaptation of a particu...

G06F 21/53   by executing in a restricte...

G06F 2213/0058   Bus-related hardware virtua...

G06F 2213/3802   Harddisk connected to a com...

G06F 9/45537   Provision of facilities of ...

Systems and methods for data encryption using plugins within virtual systems and subsystems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

77 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for data encryption using plugins within virtual systems and subsystems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

77 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links