Systems and methods for selective encryption of operating system metadata for host-based encryption of data at rest on a logical unit
First Claim
1. A method for establishing and controlling read/write access to at least one encrypted logical unit in operable communication with a host, the method comprising:
providing an I/O filter driver to an I/O stack for a host in communication with a logical unit (LUN), the host disposed above the I/O filter driver in the I/O stack and the LUN being disposed below the I/O filter driver in the I/O stack;
virtualizing the LUN into two logical entities, the first logical entity comprising an encrypted VLU (eVLU), the eVLU comprising an encrypted region, a plaintext data region, and a plaintext metadata region, the second logical entity comprising a virtual logical unit (VLU), the VLU comprising a logical representation of a portion of the eVLU as seen by entities disposed above the I/O filter driver in the I/O stack, the VLU comprising a plaintext version of information stored in the encrypted region and in the plaintext data region;
configuring the encrypted region to store only encrypted data, such that write commands to the VLU go through the I/O filter driver, are encrypted using an encryption key, and are stored in the encrypted region of the eVLU as encrypted data, and wherein read commands to the VLU go through the I/O filter driver to be read from the encrypted region of the eVLU and are decrypted using the encryption key;
configuring the plaintext data region to store only plaintext data, such that read/write commands to the plaintext region are permitted whether or not the I/O filter driver is available, wherein the plaintext data region of the eVLU corresponds to a predetermined region of the VLU, the predetermined region corresponding to a location that is accessed either by a process running on the system before the I/O filter driver is loaded to the system or by a process running below the I/O filter driver in the I/O stack, and wherein the I/O filter driver is configured to prevent any encrypted writes to the plaintext data region; and
configuring the plaintext metadata region to store only plaintext metadata, the plaintext metadata comprising information relating to access to the encryption key, wherein the I/O filter driver is configured to prevent encrypted data from being written to the plaintext metadata region and is further configured to prevent read/write access to the metadata region by any entity except the I/O filter driver.
Abstract
A method is provided for providing an operating system (OS) independent input/output (I/O) filter driver capable of encrypting at least a portion of a logical unit (LUN), the method comprising the unordered steps of: providing an I/O filter driver component to an I/O stack for a host in communication with the LUN; determining, based at least in part on at least one of OS requirements and an arrangement of data on the LUN, at least one region in the LUN that contains data that is used below the I/O filter driver in an I/O stack on the host; and performing at least one of a read and a write of the one or more regions while keeping the one or more regions in plaintext, while permitting other regions of the LUN to be at least one of encrypted and decrypted.
20 Claims
17. A system for controlling read/write access to an encrypted virtual logical unit (eVLU), the system comprising:
an input/output (I/O) filter driver disposed within an I/O stack of the system, wherein the I/O filter driver is disposed on the I/O stack between a host and a logical unit (LUN);
a first logical entity configured as a first virtualization of the LUN, the first logical entity comprising an encrypted VLU (eVLU), the eVLU comprising an encrypted region, a plaintext data region, and a plaintext metadata region;
a second logical entity configured as a second virtualization of the LUN, wherein the second logical entity comprising a virtual logical unit (VLU), the VLU comprising a logical representation of a portion of the eVLU as seen by entities disposed above the I/O filter driver in the I/O stack, the VLU comprising a plaintext version of information stored in the encrypted region and in the plaintext data region;
wherein the encrypted region is configured to store only encrypted data, such that write commands to the VLU go through the I/O filter driver, are encrypted using an encryption key, and are stored in the encrypted region of the eVLU as encrypted data, and wherein read commands to the VLU go through the I/O filter driver to be read from the encrypted region of the eVLU and are decrypted using the encryption key;
wherein the plaintext data region is configured to store only plaintext data, such that read/write commands to the plaintext region are permitted whether or not the I/O filter driver is available, wherein the plaintext data region of the eVLU corresponds to a predetermined region of the VLU, the predetermined region corresponding to a location that is accessed either by a process running on the system before the I/O filter driver is loaded to the system or by a process running below the I/O filter driver in the I/O stack, and wherein the I/O filter driver is configured to prevent any encrypted writes to the plaintext data region; and
wherein the plaintext metadata region is configured to store only plaintext metadata, the plaintext metadata comprising information relating to access to the encryption key, wherein the I/O filter driver is configured to prevent encrypted data from being written to the plaintext metadata region and is further configured to prevent read/write access to the metadata region by any entity except the I/O filter driver.
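A user-space model of the region handling recited in claims 1 and 17, added here as an illustration and not taken from the patent: it splits a request at region boundaries and decides, per piece, whether the blocks would be encrypted, decrypted, passed through in plaintext, or refused. The LBA ranges, the type names and the `plan_io` function are assumptions, and no cipher is included.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed eVLU layout; the LBA ranges are illustrative, not from the patent. */
enum region { R_PLAIN_DATA, R_ENCRYPTED, R_PLAIN_META };
enum action { A_PASSTHROUGH, A_ENCRYPT, A_DECRYPT, A_META_PLAINTEXT };
enum origin { O_ABOVE_DRIVER, O_FILTER_DRIVER };
struct extent  { uint64_t first, last; enum region kind; };
struct segment { uint64_t lba, count; enum action act; };

static const struct extent layout[] = {
    {     0,    63, R_PLAIN_DATA },  /* e.g. blocks read before the driver loads */
    {    64,  9999, R_ENCRYPTED  },
    { 10000, 10063, R_PLAIN_META },  /* key-access metadata, filter driver only */
};
#define N_EXT (sizeof layout / sizeof layout[0])

/* Split one request at region boundaries and choose an action per piece.
   Returns the segment count, or -1 if the whole request is refused
   (the caller must then ignore anything already written to out[]). */
int plan_io(uint64_t lba, uint64_t count, int is_write, enum origin who,
            struct segment *out, int max_out) {
    int n = 0;
    if (count == 0) return -1;
    while (count > 0) {
        const struct extent *e = NULL;
        for (size_t i = 0; i < N_EXT && e == NULL; i++)
            if (lba >= layout[i].first && lba <= layout[i].last) e = &layout[i];
        if (e == NULL || n == max_out) return -1;   /* off the LUN or too fragmented */
        if (e->kind == R_PLAIN_META && who != O_FILTER_DRIVER) return -1;
        uint64_t room = e->last - lba + 1;
        uint64_t len = count < room ? count : room;
        out[n].lba = lba; out[n].count = len;
        out[n].act = e->kind == R_ENCRYPTED ? (is_write ? A_ENCRYPT : A_DECRYPT)
                   : e->kind == R_PLAIN_META ? A_META_PLAINTEXT
                   : A_PASSTHROUGH;                 /* this region is never encrypted */
        n++; lba += len; count -= len;
    }
    return n;
}

int main(void) {
    struct segment s[4];
    int n = plan_io(60, 8, 1, O_ABOVE_DRIVER, s, 4);  /* write straddling a boundary */
    for (int i = 0; i < n; i++)
        printf("lba=%llu count=%llu action=%d\n", (unsigned long long)s[i].lba,
               (unsigned long long)s[i].count, (int)s[i].act);
    return 0;
}
```

A request that merely overlaps the metadata region is refused as a whole rather than truncated, so a caller above the driver never receives a partial result that reveals where the metadata begins.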