Intelligent file encryption and secure backup system

US 8,667,273 B1
Filed: 05/30/2007
Issued: 03/04/2014
Est. Priority Date: 05/30/2006
Status: Active Grant

First Claim

Patent Images

1. A method implemented in a computer system including a memory, the method comprising:

hashing a data block in a file comprising one or more data blocks;

encrypting the data block;

including the hash of the data block and encrypted key elements in a header associated with the encrypted data block;

storing the encrypted data block and the header including the hash and the encrypted key elements in a memory on a computer system;

using the hash of the data block in the header associated with the encrypted data block to identify redundant copies of the data block;

receiving a request to access a particular file from the operating system;

identifying the data blocks associated with the particular file, and locations of the data blocks, wherein the locations of the data blocks are on the computer system or on a remote system;

transparently to the operating system, routing a subset of the data blocks responsive to the request through an encryption driver to decrypt the subset of the data blocks using the encrypted key elements prior to providing the requested data blocks to the operating system, thereby enabling the operating system to treat the encrypted data blocks as a readable file;

providing backup system with an incremental backup, in which only those encrypted data blocks which have been changed are backed up;

keeping an older version of the encrypted data block, when a newer version of the encrypted data block is added to the backup system; and

enabling restoration of a prior version of a file from the backup system, to reverse changes made to the file, the restoration using the hash in the header of each of the encrypted data blocks to restore the prior version of the file.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for secure transparent backup and encryption of data including compression, elimination of redundant information, all working integrated whether data is stored locally or shared in networks. When data is shared in networks, several computers may access encrypted objects simultaneously with the same limitations as for non-encrypted objects. The method and apparatus can automatically and invisible take backups and can easily restore any object to the exact content as it existed for a selected point in time using a snapshot capability in combination with the user interface described that has its focus on making the use very easy for the end user. The invention offers security and performance enhancements when used with tables containing approved hashes for executables and other objects based on company policy and virus scanning. Specific objects may also be easily detected even if they are encrypted.

118 Citations

View as Search Results

20 Claims

1. A method implemented in a computer system including a memory, the method comprising:
- hashing a data block in a file comprising one or more data blocks;
  
  encrypting the data block;
  
  including the hash of the data block and encrypted key elements in a header associated with the encrypted data block;
  
  storing the encrypted data block and the header including the hash and the encrypted key elements in a memory on a computer system;
  
  using the hash of the data block in the header associated with the encrypted data block to identify redundant copies of the data block;
  
  receiving a request to access a particular file from the operating system;
  
  identifying the data blocks associated with the particular file, and locations of the data blocks, wherein the locations of the data blocks are on the computer system or on a remote system;
  
  transparently to the operating system, routing a subset of the data blocks responsive to the request through an encryption driver to decrypt the subset of the data blocks using the encrypted key elements prior to providing the requested data blocks to the operating system, thereby enabling the operating system to treat the encrypted data blocks as a readable file;
  
  providing backup system with an incremental backup, in which only those encrypted data blocks which have been changed are backed up;
  
  keeping an older version of the encrypted data block, when a newer version of the encrypted data block is added to the backup system; and
  
  enabling restoration of a prior version of a file from the backup system, to reverse changes made to the file, the restoration using the hash in the header of each of the encrypted data blocks to restore the prior version of the file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein including the encrypted key elements in the header associated with the encrypted data block enables moving the encrypted data blocks to a different storage location.
  - 3. The method of claim 1, further comprising:
    - backing up the encrypted data block into a backup system, having a separate memory; and
      
      identifying duplicate encrypted data blocks encrypted with different encryption keys, based on the hash of the data block in the header of the encrypted data block.
  - 4. The method of claim 3, further comprising:
    - storing only a single copy of the encrypted data block in the backup system.
  - 5. The method of claim 4, wherein if multiple copies of the encrypted data block are found in separate locations, the single copy of the encrypted data block is stored, and the multiple locations are added to the header.
  - 6. The method of claim 4, further comprising:
    - generating an index block on the backup system, the index block containing information of file names and hashes of unencrypted and encrypted data blocks, used to identify the data portion of the files.
  - 7. The method of claim 6, wherein the data portions of the encrypted data blocks are stored in a separate location from the hash, the separate location identified in the header.
  - 8. The method of claim 1, wherein when subportion of a particular data block is altered, the incremental backup only backs up the subportion of the particular data block.
  - 9. The method of claim 1, further comprising:
    - enabling a restoration of a system at a selected time, where the restoration restores versions of each encrypted data block from the selected time.
  - 10. The method of claim 1, further comprising:
    - hashing the encrypted data block;
      
      adding the hash of the encrypted data block to the header;
      
      using the hash of the data block and the hash of the encrypted data block to verify the validity of the encrypted data block, without accessing the data block.
  - 11. The method of claim 1, further comprising:
    - utilizing a plurality of encryption keys for encrypting various data blocks, the encryption key selected for a particular data block based on an intended use of the particular data block.
  - 12. The method of claim 11, wherein a lower level key is used for less secure data blocks, and a higher level security is used for more valuable data blocks.
  - 13. The method of claim 1, further comprising:
    - using the hash as a file name for the encrypted data block, and using header to connect a logical name of the encrypted data block with the file name.
  - 14. The method of claim 13, further comprising:
    - building a tree directory structure of the file names using one or more characters for each directory node, and one or more levels, to speed up search.

15. An apparatus comprising:
- a processor to create one or more blocks from a file, and to hash each data block;
  
  the processor to encrypt the one or more data blocks;
  
  the processor to insert the hash and encrypted key element into a header associated with the encrypted data block, the hash in the header used to identify redundant copies of the data block and the encrypted key elements used in decrypting the data block;
  
  a memory to store the one or more encrypted data blocks and the associated header;
  
  an operating system to request the data blocks associated with the file; and
  
  an encryption driver to intercept the encrypted data blocks requested by the operating system, and decrypt the encrypted data blocks, using the encrypted key element, transparently to the operating system, allowing the operating system to treat the encrypted data blocks as a readable file;
  
  a backup system to provide incremental backup, the backup system to maintain a prior version of an encrypted data block, when an updated version of the data block is received;
  
  the processor using the one or more encrypted data blocks in the backup system to restore of a prior version of a file, the file having been divided into the one or more encrypted data blocks, the processor using the hash in the header of each of the plurality of data blocks to restore the prior version of the file.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, further comprising:
    - the processor to name each of the encrypted data block based on the hash associated with the encrypted data block to uniquely identify the data block.
  - 17. The system of claim 15, further comprising:
    - a backup system in which the hashes are used as identifiers to quickly find objects and further to prevent redundant storing of objects.
  - 18. The system of claim 17, further comprising:
    - the processor to receive at least one new encrypted data block for a new file, compare the new encrypted data block'"'"'s hash with hashes of already backed up objects; and
      
      the processor to send the at least one new encrypted data block to the backup system only when no identical instances of the new encrypted data block are identified on the backup system based on the comparison.
  - 19. The system of claim 17, further comprising:
    - the processor to restore one or more data blocks from the backup system, the restore decision function to use hashes to find the data blocks to restore.
  - 20. The system of claim 15, further comprising:
    - a system driver to perform the encryption and decryption of the data blocks such that the encryption and the decryption are transparent to an operating system and to a user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Data Locker Incorporated
Original Assignee
Kurt Uno Lennartsson, Leif Olov Billstrom
Inventors
Lennartsson, Kurt Uno, Billstrom, Leif Olov
Primary Examiner(s)
ABYANEH, ALI S

Application Number

US11/807,726
Time in Patent Office

2,470 Days
Field of Search

713/165, 713/167, 713/181, 707/640, 380/200
US Class Current

713/165
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6209   to a single file or object,...

H04L 63/0428   wherein the data content is...

Intelligent file encryption and secure backup system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

118 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Intelligent file encryption and secure backup system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

118 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others