Method and apparatus for centrally managed encrypted partition

US 8,396,214 B2
Filed: 11/02/2006
Issued: 03/12/2013
Est. Priority Date: 11/02/2006
Status: Active Grant

First Claim

Patent Images

1. In a computer network comprising a main computer comprising a first persistent storage device and a remote computer comprising a memory unit and a second persistent storage device, a method for protecting data stored on the second storage device of the remote computer, the method comprising the steps of:

automatically creating a first computer generated cryptokey at the main computer;

storing the first computer generated cryptokey on the first persistent storage device of the main computer;

authenticating the remote computer to the main computer;

providing the first computer generated cryptokey from the main computer to the remote computer;

storing the first computer generated cryptokey in the memory unit of the remote computer without storing the first computer generated cryptokey in the second persistent storage device; and

mounting an operative partition encrypted with the first computer generated cryptokey to the remote computer, said operative partition mapped to the second persistent storage device, wherein said data stored on said second persistent storage device is accessible only if while said one remote computer is in communication with said one main computer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for protecting a remote computer connected through a network to a main computer, by creating a cryptokey on the main computer, supplying the cryptokey to the remote computer and mounting a partition on the remote computer using the cryptokey. The cryptokey is not persistently stored on the remote computer but rather saved in its memory, and the connection of the remote computer to the main computer is periodically tested. Once the remote computer is disconnected, the encrypted partition is unmounted and the cryptokey is erased form the memory, thus disabling access of an attacker to data stored in the encrypted partition. The method incorporates swap partition encryption using a cryptokey created each time during the boot of the remote computer.

17 Citations

View as Search Results

8 Claims

1. In a computer network comprising a main computer comprising a first persistent storage device and a remote computer comprising a memory unit and a second persistent storage device, a method for protecting data stored on the second storage device of the remote computer, the method comprising the steps of:
- automatically creating a first computer generated cryptokey at the main computer;
  
  storing the first computer generated cryptokey on the first persistent storage device of the main computer;
  
  authenticating the remote computer to the main computer;
  
  providing the first computer generated cryptokey from the main computer to the remote computer;
  
  storing the first computer generated cryptokey in the memory unit of the remote computer without storing the first computer generated cryptokey in the second persistent storage device; and
  
  mounting an operative partition encrypted with the first computer generated cryptokey to the remote computer, said operative partition mapped to the second persistent storage device, wherein said data stored on said second persistent storage device is accessible only if while said one remote computer is in communication with said one main computer.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 further comprising the steps of:
    - automatically creating a second computer generated cryptokey at the remote computer;
      
      storing the second computer generated cryptokey in the memory unit of the remote computer without storing the second computer generated cryptokey in the second persistent storage device the main computer;
      
      creating a swap partition encrypted with the second computer generated cryptokey on a hard disk of the remote computer; and
      
      mounting the swap partition on the remote computer.
  - 3. The method of claim 1 further comprising the steps of:
    - testing whether the remote computer is connected to the main computer; and
      
      unmounting the operative partition and erasing the first computer generated cryptokey from the memory unit of the remote computer, if the remote computer is not connected to the main computer.
  - 4. The method of claim 1 wherein the authentication step comprises considering an at least one rule.
  - 5. The method of claim 4 wherein the at least one rule relates to one or more or the group consisting of:
    - when was the remote computer disconnected from the network;
      
      a user of the remote computer;
      
      or an intended use of the one remote computer.
  - 6. The method of claim 2 wherein the swap partition is created and mounted during each boot sequence of the remote computer.

7. An apparatus for protecting data stored on a persistent storage device associated with a remote computer connected through a network to a main computer, the apparatus comprising:
- a connection port to receive a first computer generated cryptokey from the main computer;
  
  a computer generated cryptokey generator for automatically and locally generating a second computer generated cryptokey;
  
  a memory device for storing the first and second computer generated cryptokeys, wherein the first and second computer generated cryptokeys are not stored in a persistent storage device;
  
  a first partition generating component for generating a first encrypted partition using the first computer generated cryptokey;
  
  a first mount/unmount device for mounting or unmounting the first encrypted partition to the remote computer using the first computer generated cryptokey, said first encrypted partition mapped to the persistent storage device;
  
  a second partition generating component for generating encrypted swap partition using the second computer generated cryptokey;
  
  a second mount/unmount device for mounting or unmounting the encrypted swap partition to the remote computer using the second computer generated cryptokey, said encrypted swap partition mapped to the persistent storage device;
  
  a connection testing component for testing whether the remote computer is connected to the main computer through the network; and
  
  an authentication component for determining whether the remote computer is authenticated to be connected to the main computer.

8. A non-transitory computer readable storage medium storing a set of instructions adapted to be executed by a general purpose computer to perform a method, the method comprising:
- automatically creating a first computer generated cryptokey at a main computer, wherein the main computer includes a first persistent storage device and communicates with a remote computer having a memory unit and a second persistent storage device;
  
  storing the first computer generated cryptokey on the first persistent storage device;
  
  authenticating an at least one remote computer to the at least one main computer;
  
  providing the first computer generated cryptokey from the main computer to the remote computer;
  
  storing the first computer generated cryptokey in a memory unit of the remote computer without storing the first computer generated cryptokey in the second persistent storage device; and
  
  meansmounting an operative partition encrypted with the first computer generated cryptokey to the remote computer, said operative partition mapped to the second persistent storage device storing data wherein said data is accessible only if said remote computer is by is in communication with said main computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sap Portals Israel Ltd (SAP SE)
Original Assignee
Sap Portals Israel Ltd (SAP SE)
Inventors
Helfman, Nadav Binyamin, Shribman, Aidan
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Woldemariam, Nega

Application Number

US11/592,280
Publication Number

US 20080107262A1
Time in Patent Office

2,322 Days
Field of Search

713/185, 713/189, 726/34
US Class Current

380/44
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06F 21/78   to assure secure storage of...

G06F 21/88   Detecting or preventing the...

Method and apparatus for centrally managed encrypted partition

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for centrally managed encrypted partition

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links