Systems and methods for selective encryption of operating system metadata for host-based encryption of data at rest on a logical unit

US 8,261,068 B1
Filed: 09/30/2008
Issued: 09/04/2012
Est. Priority Date: 09/30/2008
Status: Active Grant

First Claim

Patent Images

1. A method for establishing and controlling read/write access to at least one encrypted logical unit in operable communication with a host, the method comprising:

providing an I/O filter driver to an I/O stack for a host in communication with a logical unit (LUN), the host disposed above the I/O filter driver in the I/O stack and the LUN being disposed below the I/O filter driver in the I/O stack;

virtualizing the LUN into two logical entities, the first logical entity comprising an encrypted VLU (eVLU), the eVLU comprising an encrypted region, a plaintext data region, and a plaintext metadata region, the second logical entity comprising a virtual logical unit (VLU), the VLU comprising a logical representation of a portion of the eVLU as seen by entities disposed above the I/O filter driver in the I/O stack, the VLU comprising a plaintext version of information stored in the encrypted region and in the plaintext data region;

configuring the encrypted region to store only encrypted data, such that write commands to the VLU go through the I/O filter driver, are encrypted using an encryption key, and are stored in the encrypted region of the eVLU as encrypted data, and wherein read commands to the VLU go through the I/O filter driver to be read from the encrypted region of the eVLU and are decrypted using the encryption key;

configuring the plaintext data region to store only plaintext data, such that read/write commands to the plaintext region are permitted whether or not the I/O filter driver is available, wherein the plaintext data region of the eVLU corresponds to a predetermined region of the VLU, the predetermined region corresponding to a location that is accessed either by a process running on the system before the I/O filter driver is loaded to the system or by a process running below the I/O filter driver in the I/O stack, and wherein the I/O filter driver is configured to prevent any encrypted writes to the plaintext data region; and

configuring the plaintext metadata region to store only plaintext metadata, the plaintext metadata comprising information relating to access to the encryption key, wherein the I/O filter driver is configured to prevent encrypted data from being written to the plaintext metadata region and is further configured to prevent read/write access to the metadata region by any entity except the I/O filter driver.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided for providing an operating system (OS) independent input/output (I/O) filter driver capable of encrypting at least a portion of a logical unit (LUN), the method comprising the unordered steps of: providing an I/O filter driver component to an I/O stack for a host in communication with the LUN; determining, based at least in part on at least one of OS requirements and an arrangement of data on the LUN, at least one region in the LUN that contains data that is used below the I/O filter driver in an I/O stack on the host; and performing at least one of a read and a write of the one or more regions while keeping the one or more regions in plaintext, while permitting other regions of the LUN to be at least one of encrypted and decrypted.

169 Citations

20 Claims

1. A method for establishing and controlling read/write access to at least one encrypted logical unit in operable communication with a host, the method comprising:
- providing an I/O filter driver to an I/O stack for a host in communication with a logical unit (LUN), the host disposed above the I/O filter driver in the I/O stack and the LUN being disposed below the I/O filter driver in the I/O stack;
  
  virtualizing the LUN into two logical entities, the first logical entity comprising an encrypted VLU (eVLU), the eVLU comprising an encrypted region, a plaintext data region, and a plaintext metadata region, the second logical entity comprising a virtual logical unit (VLU), the VLU comprising a logical representation of a portion of the eVLU as seen by entities disposed above the I/O filter driver in the I/O stack, the VLU comprising a plaintext version of information stored in the encrypted region and in the plaintext data region;
  
  configuring the encrypted region to store only encrypted data, such that write commands to the VLU go through the I/O filter driver, are encrypted using an encryption key, and are stored in the encrypted region of the eVLU as encrypted data, and wherein read commands to the VLU go through the I/O filter driver to be read from the encrypted region of the eVLU and are decrypted using the encryption key;
  
  configuring the plaintext data region to store only plaintext data, such that read/write commands to the plaintext region are permitted whether or not the I/O filter driver is available, wherein the plaintext data region of the eVLU corresponds to a predetermined region of the VLU, the predetermined region corresponding to a location that is accessed either by a process running on the system before the I/O filter driver is loaded to the system or by a process running below the I/O filter driver in the I/O stack, and wherein the I/O filter driver is configured to prevent any encrypted writes to the plaintext data region; and
  
  configuring the plaintext metadata region to store only plaintext metadata, the plaintext metadata comprising information relating to access to the encryption key, wherein the I/O filter driver is configured to prevent encrypted data from being written to the plaintext metadata region and is further configured to prevent read/write access to the metadata region by any entity except the I/O filter driver.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, further comprising storing in the plaintext metadata region information defining the encrypted region, the plaintext data region, and the size of the plaintext metadata region.
  - 3. The method of claim 1, further comprising storing in the I/O filter driver information defining the first encrypted region, the first plaintext data region, and the size of the first plaintext metadata region.
  - 4. The method of claim 1, wherein:
    - the first plaintext data region is further configured to store data that further comprises information available for read/write access to an operating system (OS) at the host even if the I/O filter driver is not loaded to the I/O stack.
  - 5. The method of claim 1, further comprising:
    - receiving a read/write request directed to the VLU prior to the I/O filter driver component being loaded to the I/O stack;
      
      permitting the read/write request if the read/write request is directed to a region of the VLU corresponding to the plaintext data region of the eVLU; and
      
      failing the read/write request if the read/write request is directed to a region of the VLU corresponding to the encrypted region of the eVLU.
  - 6. The method of claim 1, further comprising:
    - defining the first plaintext data region based at least in part on one of the operating system (OS), the type of LUN, and an arrangement of data on the LUN.
  - 7. The method of claim 1, wherein the I/O filter driver is further configured to include encryption manager functions that enable the I/O filter driver to facilitate encryption of data written to the encrypted region and decryption of data read from the encrypted region.
  - 8. The method of claim 1, wherein if the I/O filter driver has not yet been provided to the I/O stack of the system, permitting read/write access to the plaintext data region and to regions of the VLU corresponding to the plaintext data region and preventing all write access to the regions of the VLU corresponding to first encrypted region.
  - 9. The method of claim 1, further comprising permitting an entity disposed below the I/O filter driver in the I/O stack to have read/write access to the first plaintext data region even if the I/O filter driver is not available.
  - 10. The method of claim 1, further comprising setting a state of the eVLU, to be encrypted, such that the system stores in persistent memory that the state of the LUN is encrypted.
  - 11. The method of claim 10, wherein if the I/O filter driver has been loaded to the I/O stack of the system and the encryption key is available, enabling the I/O filter driver to control all read/write access to the encrypted region.
  - 12. The method of claim 10, wherein if the I/O filter driver has been loaded to the I/O stack of the system, the encryption key is not available, and a predetermined time limit has not expired, permitting read/write access only to the plaintext data region of the eVLU and to regions of the VLU corresponding to the plaintext data region of the eVLU, and pending all read/write access to the encrypted region of the VLU until the encryption key is available.
  - 13. The method of claim 10, wherein if the I/O filter driver has been loaded to the I/O stack of the system, the encryption key is not available and a predetermined time limit has expired, permitting read/write access only to the plaintext data region of the eVLU and to regions of the VLU corresponding to the plaintext data region of the eVLU, and failing all read/write access to the encrypted region of the VLU.
  - 14. The method of claim 1, wherein if the I/O filter driver has been loaded to the I/O stack of the system, and wherein a state of the VLU cannot be determined, permitting read/write access only to the region of the VLU corresponding to the plaintext data region of the eVLU and failing all read/write access to the encrypted region of the VLU.
  - 15. The method of claim 1, wherein the plaintext data region is configured to store data that comprises at least one of the following:
    - (a) information used by a predetermined entity disposed in the I/O stack below the I/O filter driver;
      
      (b) information used by a predetermined entity prior to the I/O filter driver being loaded to the I/O stack; and
      
      (c) information used by an operating system running on the host;
  - 16. The method of claim 1, further comprising storing the state of at least one of the VLU and eVLU in a persistent memory location.

17. A system for controlling read/write access to an encrypted virtual logical unit (eVLU), the system comprising:
- an input/output (I/O) filter driver disposed within an I/O stack of the system, wherein the I/O filter driver is disposed on the I/O stack between a host and a logical unit (LUN);
  
  a first logical entity configured as a first virtualization of the LUN, the first logical entity comprising an encrypted VLU (eVLU), the eVLU comprising an encrypted region, a plaintext data region, and a plaintext metadata region;
  
  a second logical entity configured as a second virtualization of the LUN, wherein the second logical entity comprising a virtual logical unit (VLU), the VLU comprising a logical representation of a portion of the eVLU as seen by entities disposed above the I/O filter driver in the I/O stack, the VLU comprising a plaintext version of information stored in the encrypted region and in the plaintext data region;
  
  wherein the encrypted region is configured to store only encrypted data, such that write commands to the VLU go through the I/O filter driver, are encrypted using an encryption key, and are stored in the encrypted region of the eVLU as encrypted data, and wherein read commands to the VLU go through the I/O filter driver to be read from the encrypted region of the eVLU and are decrypted using the encryption key;
  
  wherein the plaintext data region is configured to store only plaintext data, such that read/write commands to the plaintext region are permitted whether or not the I/O filter driver is available, wherein the plaintext data region of the eVLU corresponds to a predetermined region of the VLU, the predetermined region corresponding to a location that is accessed either by a process running on the system before the I/O filter driver is loaded to the system or by a process running below the I/O filter driver in the I/O stack, and wherein the I/O filter driver is configured to prevent any encrypted writes to the plaintext data region; and
  
  wherein the plaintext metadata region is configured to store only plaintext metadata, the plaintext metadata comprising information relating to access to the encryption key, wherein the I/O filter driver is configured to prevent encrypted data from being written to the plaintext metadata region and is further configured to prevent read/write access to the metadata region by any entity except the I/O filter driver.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the I/O filter driver is further comprises an encryption manager that enables the I/O filter driver to facilitate encryption of data written to the encrypted region and decryption of data read from the encrypted region.
  - 19. The system of claim 17, wherein the I/O filter driver is configured to the system in a way such that access requests to the VLU can be received before the I/O filter driver is loaded to the I/O stack of the system, and wherein the persistent storage device stores information indicating that, if the state of the VLU is set to encrypted and the I/O filter driver has not been loaded to the I/O stack of the system, read/write access is permitted only to the plaintext data region of the VLU and write access to the encrypted region of the VLU is prohibited.
  - 20. The system of claim 17, wherein the plaintext data region is configured to store data that comprises at least one of the following:
    - (a) information used by a predetermined entity disposed in the I/O stack below the I/O filter driver,(b) information used by a predetermined entity prior to the I/O filter driver being loaded to the I/O stack; and
      
      (c) information used by an operating system running on the host.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Raizen, Helen S., Harwood, John, Bappe, Michael E., Epstein, Edith, Kothandan, Sathiyamoorthy
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
Vaughan, Michael R

Application Number

US12/242,638
Time in Patent Office

1,435 Days
Field of Search

None
US Class Current

713/165
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Systems and methods for selective encryption of operating system metadata for host-based encryption of data at rest on a logical unit

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

169 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for selective encryption of operating system metadata for host-based encryption of data at rest on a logical unit

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

169 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links