Virtual machine images encryption using trusted computing group sealing
First Claim
1. A method for storing a customized virtual machine, the method comprising:
configuring a host machine to a desired state, wherein the host machine has a trusted platform module;
recording a platform configuration register state based on the desired state;
forming a sealed blob from a private key and a platform configuration register state to verify whether the virtual machine can be executed;
receiving a customer's symmetric key at a data center;
encrypting the customer's symmetric key with a public key of the data center to form a wrapped customer's symmetric key;
storing the wrapped customer's symmetric key;
provisioning a virtual machine on the host machine, wherein the virtual machine is selected from a catalog of stock virtual machines;
instantiating the virtual machine on the host machine;
configuring the virtual machine, based on customer inputs, to form a customer's configured virtual machine;
creating an image from the customer's configured virtual machine;
unwrapping the wrapped customer's symmetric key to form a copy of the customer's symmetric key;
encrypting the customer's configured virtual machine with the copy of the customer's symmetric key to form an encrypted configured virtual machine; and
storing the encrypted configured virtual machine to non-volatile storage.
Abstract
A host machine provisions a virtual machine from a catalog of stock virtual machines. The host machine instantiates the virtual machine. The host machine configures the virtual machine, based on customer inputs, to form a customer's configured virtual machine. The host machine creates an image from the customer's configured virtual machine. The host machine unwraps a sealed customer's symmetric key to form a customer's symmetric key. The host machine encrypts the customer's configured virtual machine with the customer's symmetric key to form an encrypted configured virtual machine. The host machine stores the encrypted configured virtual machine to non-volatile storage.
13 Claims
4. A method for executing a customer's configured virtual machine, the method comprising:
configuring a host machine to a desired state, wherein the host machine has a trusted platform module;
recording a platform configuration register state based on the desired state;
forming a sealed blob from a private key and a platform configuration register state;
receiving a customer selection of an encrypted configured virtual machine image;
obtaining the sealed blob from a data structure controlled by a data center;
unsealing the sealed blob to form a data center private key, wherein unsealing further comprises:
determining whether the host machine has the current trusted platform state to match a first trusted platform state of the host machine, and in response, decrypting a customer's symmetric key with the data center private key, wherein the first trusted platform state of the host machine corresponds to a time during which the sealed blob was created;
decrypting the customer's configured virtual machine from the encrypted configured virtual machine; and
executing the customer's configured virtual machine on a host processor of the host machine.
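The PCR-bound seal and unseal gate that claims 1 and 4 rest on, as an added example that is not taken from the patent: a simulated TPM in standard-library Python with PCR extend semantics, a policy digest over the chosen PCRs, and a sealed blob that unseals only while the host is still in the state recorded at sealing time. The SHA-256 counter-mode keystream, the HMAC tag and the measurement strings are constructions for the simulation, not a real TPM interface.

```python
import hashlib, hmac, os

class SimulatedTPM:
    """Minimal TPM model: PCRs with extend-only semantics and a storage root key that never leaves the chip."""
    def __init__(self, num_pcrs=24):
        self._srk = os.urandom(32)                 # chip-internal; no method returns it
        self.pcrs = [b"\x00" * 32] * num_pcrs
    def extend(self, index, measurement):
        # PCR_new = SHA-256(PCR_old || SHA-256(measurement)): a PCR can be extended, never set
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + hashlib.sha256(measurement).digest()).digest()
    def policy_digest(self, pcr_indices):
        # The "platform configuration register state" a sealed blob is bound to
        return hashlib.sha256(b"".join(self.pcrs[i] for i in pcr_indices)).digest()
    def _keystream(self, policy, nonce, n):
        # Simulation only: SHA-256 in counter mode keyed by the SRK, the policy and a nonce
        out, ctr = b"", 0
        while len(out) < n:
            out += hashlib.sha256(self._srk + policy + nonce + ctr.to_bytes(4, "big")).digest()
            ctr += 1
        return out[:n]
    def seal(self, secret, pcr_indices):
        policy, nonce = self.policy_digest(pcr_indices), os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(secret, self._keystream(policy, nonce, len(secret))))
        tag = hmac.new(self._srk, policy + nonce + ct, hashlib.sha256).digest()
        return {"pcrs": list(pcr_indices), "policy": policy, "nonce": nonce, "ct": ct, "tag": tag}
    def unseal(self, blob):
        # Gate 1: the current PCR state must equal the state recorded when the blob was sealed
        if not hmac.compare_digest(self.policy_digest(blob["pcrs"]), blob["policy"]):
            raise PermissionError("PCR state differs from the state at sealing time")
        # Gate 2: blob integrity, so neither the stored policy nor the ciphertext can be swapped
        tag = hmac.new(self._srk, blob["policy"] + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            raise ValueError("sealed blob has been tampered with")
        return bytes(a ^ b for a, b in zip(blob["ct"], self._keystream(blob["policy"], blob["nonce"], len(blob["ct"]))))

def demo_pcr_gate():
    """Seal the data center private key at the desired host state, then show the gate open and then closed."""
    tpm = SimulatedTPM()
    tpm.extend(0, b"constructed measurement: approved hypervisor build")  # host reaches the desired state
    dc_private_key = os.urandom(32)        # stand-in for the data center private key of claims 1 and 4
    blob = tpm.seal(dc_private_key, [0])   # unsealing this later is what releases the customer's symmetric key
    opened_in_place = tpm.unseal(blob) == dc_private_key
    tpm.extend(0, b"constructed measurement: unapproved kernel module")   # host drifts from that state
    try:
        tpm.unseal(blob)
        refused_after_drift = False
    except PermissionError:
        refused_after_drift = True
    return opened_in_place, refused_after_drift
```

Because the policy digest is recomputed from live PCRs at unseal time, a host whose measured state changed after sealing gets no key, which is the check claim 4 describes.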