Key protector for a storage volume using multiple keys

US 8,509,449 B2
Filed: 07/24/2009
Issued: 08/13/2013
Est. Priority Date: 07/24/2009
Status: Active Grant

First Claim

Patent Images

1. A method of creating a key protector for a storage volume, the method comprising:

generating an intermediate key with a computing device;

protecting, based at least in part on a public key of a public/private key pair of an entity, the intermediate key for encrypting and decrypting a volume master key;

encrypting based at least in part on the intermediate key, the volume master key for encrypting and decrypting one or more volume encryption keys that are used to encrypt the storage volume; and

storing a key protector for the storage volume, the key protector being associated with the entity and including both the encrypted volume master key and the intermediate key.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A key protector for a storage volume is created by generating an intermediate key and protecting, based at least in part on a public/private key pair, the intermediate key. A volume master key for encrypting and decrypting one or more volume encryption keys that are used to encrypt the storage volume can be encrypted in different manners, including being encrypted based at least in part on the intermediate key. A key protector for the storage volume is stored that includes both the encrypted volume master key and information indicating how to obtain the intermediate key. Subsequently, the key protector can be accessed and, based at least in part on a private key of the entity associated with the key protector, the intermediate key can be decrypted. The intermediate key can then be used to decrypt the volume master key.

37 Citations

View as Search Results

18 Claims

1. A method of creating a key protector for a storage volume, the method comprising:
- generating an intermediate key with a computing device;
  
  protecting, based at least in part on a public key of a public/private key pair of an entity, the intermediate key for encrypting and decrypting a volume master key;
  
  encrypting based at least in part on the intermediate key, the volume master key for encrypting and decrypting one or more volume encryption keys that are used to encrypt the storage volume; and
  
  storing a key protector for the storage volume, the key protector being associated with the entity and including both the encrypted volume master key and the intermediate key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method as recited in claim 1, further comprising storing the key protector on the storage volume.
  - 3. A method as recited in claim 1, further comprising:
    - generating an encrypted intermediate key by encrypting the intermediate key based at least in part on the volume master key, and storing the encrypted intermediate key in the key protector;
      
      obtaining a new volume master key;
      
      obtaining the intermediate key by decrypting the encrypted intermediate key using the volume master key;
      
      generating a new encrypted volume master key by encrypting, based at least in part on the intermediate key, the new volume master key;
      
      replacing the encrypted volume master key in the key protector with the new encrypted volume master key;
      
      generating a new encrypted intermediate key by encrypting, based at least in part on the new volume master key, the intermediate key; and
      
      replacing the encrypted intermediate key in the key protector with the new encrypted intermediate key.
  - 4. A method as recited in claim 1, the storing further comprising storing, in the key protector, both information identifying a private key of the public/private key pair and a protector type identifier that identifies the key protector as being a key protector based on a public key.
  - 5. A method as recited in claim 1, wherein the storage volume comprises a removable flash memory device.
  - 6. A method as recited in claim 1, wherein the entity comprises a user and wherein protecting the intermediate key is based at least in part on a digital certificate of the user obtained when the user is authenticated to the computing device.
  - 7. A method as recited in claim 6, the storing further comprising storing, in the key protector, a certificate identifier that identifies the digital certificate.
  - 8. A method as recited in claim 1, further comprising, in response to receiving a request to access the storage volume:
    - obtaining a private key of the entity;
      
      obtaining, based at least in part on the private key, the intermediate key; and
      
      using the intermediate key to decrypt the encrypted volume master key for decrypting the one or more volume encryption keys.
  - 9. A method as recited in claim 1, further comprising repeating the generating, the protecting, the encrypting, and the storing for one or more additional key protectors.

10. A method of accessing an encrypted storage volume, the method comprising:
- obtaining a private key of an entity associated with a key protector stored on the encrypted storage volume, the private key being of a public/private key pair;
  
  obtaining, based at least in part on the private key, an intermediate key for encrypting and decrypting a volume master key; and
  
  using the intermediate key by a computing device to decrypt the volume master key from the key protector for decrypting one or more volume encryption keys that are used to decrypt the storage volume.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. A method as recited in claim 10, wherein the key protector includes an encrypted intermediate key, and wherein obtaining the intermediate key comprises decrypting, based at least in part on the private key, the encrypted intermediate key.
  - 12. A method as recited in claim 10, wherein the key protector is stored in an unencrypted portion of the encrypted storage volume.
  - 13. A method as recited in claim 10, wherein the encrypted storage volume comprises a removable flash memory device.
  - 14. A method as recited in claim 10, wherein the key protector includes an encrypted intermediate key that is encrypted based on the volume master key, the method further comprising:
    - receiving a new volume master key;
      
      decrypting, based at least in part on the volume master key, the intermediate key from the key protector;
      
      generating a new encrypted intermediate key by encrypting, based at least in part on the new volume master key, the intermediate key;
      
      storing the new encrypted intermediate key in the key protector;
      
      generating a new encrypted volume master key by encrypting, based at least in part on the intermediate key, the new volume master key; and
      
      storing the new encrypted volume master key in the key protector.
  - 15. A method as recited in claim 10, the key protector further including both information identifying the private key of the public/private key pair that includes the private key and a protector type identifier that identifies the key protector as being a key protector based on the public key.
  - 16. A method as recited in claim 10, wherein the private key is identified based on a digital certificate, the key protector further including a certificate identifier that identifies the digital certificate.
  - 17. A method as recited in claim 10, the key protector further including a data portion storing a public key of a secondary public/private key pair generated in encrypting the intermediate key.

18. A computer-readable storage device that includes computer-executable instructions, which when executed by a computing device, cause the computing device to:
- generate an intermediate key with a computing device;
  
  protect, based at least in part on a public key of a public/private key pair of an entity, the intermediate key for encrypting and decrypting a volume master key;
  
  encrypt based at least in part on the intermediate key, the volume master key for encrypting and decrypting one or more volume encryption keys that are used to encrypt the storage volume; and
  
  store a key protector for the storage volume, the key protector being associated with the entity and including both the encrypted volume master key and the intermediate key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Ureche, Octavian T., Sinha, Gaurav, Dussart, Nils, Liu, Yi, Bharadwaj, Vijay G., Ferguson, Niels T.
Primary Examiner(s)
PERUNGAVOOR, VENKATANARAY

Application Number

US12/509,255
Publication Number

US 20110022856A1
Time in Patent Office

1,481 Days
Field of Search

None
US Class Current

380/284
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/62   Protecting access to data v...

G06F 21/78   to assure secure storage of...

H04L 2463/062   applying encryption of the ...

H04L 9/0822   using key encryption key

H04L 9/0844   with user authentication or...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

Key protector for a storage volume using multiple keys

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Key protector for a storage volume using multiple keys

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links