Systems and methods for implementing transparent encryption
First Claim
1. A method of providing transparent encryption for a web resource, the method comprising:
- receiving, at a key manager operating on a first server, an encryption key policy;
receiving, at the key manager, from the web resource, one or more user identifiers and one or more resource locators, wherein the web resource comprises a file store accessible to a plurality of users and is operated by a resource administrator;
defining, at the key manager, an access control list based on a selection of user identifiers;
associating, at the key manager, the access control list and the encryption key policy with a first resource locator from the one or more resource locators;
generating, at the key manager, an encryption key and a key identifier for the first resource locator;
establishing a secure communication channel between the first server and a second server;
sending, from the first server, to the second server, encryption information using the secure communication channel, wherein the encryption information comprises;
the encryption key, the key identifier, and the access control list;
storing, at a transparent encryption module on the second server, the encryption key and the access control list in protected memory;
receiving, at the transparent encryption module, from a client device, an input comprising a request to access a first resource stored in the web resource and a user identifier;
determining, at the transparent encryption module, that the user identifier is included in the access control list for the first resource;
encrypting, at the transparent encryption module, using the encryption key, data that is passed from the client device to the first resource; and
decrypting, at the transparent encryption module, using the encryption key, data that is passed from the first resource to the client device.
1 Assignment
0 Petitions
Accused Products
Abstract
A method of providing transparent encryption for a web resource includes a key manager receiving an encryption key policy; receiving user identifiers and resource locators; defining an access control list based the user identifiers; generating an encryption key and a key identifier for a first resource locator; and establishing a secure communication channel between first and second watchdog modules. The method also includes the watchdog sending encryption information using the secure communication channel. The method also includes a transparent encryption module storing the encryption key and the access control list in protected memory; receiving an input comprising a request to access the first resource stored in the web resource; determining that the user identifier is included in the access control list; encrypting data using the encryption key; and decrypting data using the encryption key.
-
Citations
15 Claims
-
1. A method of providing transparent encryption for a web resource, the method comprising:
-
receiving, at a key manager operating on a first server, an encryption key policy; receiving, at the key manager, from the web resource, one or more user identifiers and one or more resource locators, wherein the web resource comprises a file store accessible to a plurality of users and is operated by a resource administrator; defining, at the key manager, an access control list based on a selection of user identifiers; associating, at the key manager, the access control list and the encryption key policy with a first resource locator from the one or more resource locators; generating, at the key manager, an encryption key and a key identifier for the first resource locator; establishing a secure communication channel between the first server and a second server; sending, from the first server, to the second server, encryption information using the secure communication channel, wherein the encryption information comprises;
the encryption key, the key identifier, and the access control list;storing, at a transparent encryption module on the second server, the encryption key and the access control list in protected memory; receiving, at the transparent encryption module, from a client device, an input comprising a request to access a first resource stored in the web resource and a user identifier; determining, at the transparent encryption module, that the user identifier is included in the access control list for the first resource; encrypting, at the transparent encryption module, using the encryption key, data that is passed from the client device to the first resource; and decrypting, at the transparent encryption module, using the encryption key, data that is passed from the first resource to the client device. - View Dependent Claims (2, 3, 4, 5)
-
-
6. A system comprising:
-
a first server comprising a key manager, wherein the first server is configured to; receive, at the key manager, an encryption key policy; receive, at the key manager, from a web resource, one or more user identifiers and one or more resource locators, wherein the web resource comprises a file store accessible to a plurality of users and is operated by a resource administrator; define, at the key manager, an access control list based on a selection of user identifiers; associate, at the key manager, the access control list and the encryption key policy with a first resource locator from the one or more resource locators; generate, at the key manager, an encryption key and a key identifier for the first resource locator; establish a secure communication channel between the first server and a second server; and send, from the first server, to the second server, encryption information using the secure communication channel, wherein the encryption information comprises;
the encryption key, the key identifier, and the access control list; andthe second server comprising a transparent encryption module, wherein the second server is configured to; store, at the transparent encryption module, the encryption key and the access control list in protected memory; receive, at the transparent encryption module, from a client device, an input comprising a request to access a first resource stored in the web resource and a user identifier; determine, at the transparent encryption module, that the user identifier is included in the access control list for the first resource; encrypt, at the transparent encryption module, using the encryption key, data that is passed from the client device to the first resource; and decrypt, at the transparent encryption module, using the encryption key, data that is passed from the first resource to the client device. - View Dependent Claims (7, 8, 9, 10)
-
-
11. A plurality non-transitory computer-readable media, comprising:
-
a first non-transitory computer-readable medium comprising first instructions which, when executed by a first server, causes the first server to; receive an encryption key policy; receive from a web resource, one or more user identifiers and one or more resource locators, wherein the web resource comprises a file store accessible to a plurality of users and is operated by a resource administrator; define an access control list based on a selection of user identifiers; associate the access control list and the encryption key policy with a first resource locator from the one or more resource locators; generate an encryption key and a key identifier for the first resource locator; establish a secure communication channel between the first server and a second server; and send, from the first server, to the second server, encryption information using the secure communication channel, wherein the encryption information comprises;
the encryption key, the key identifier, and the access control list; anda second non-transitory computer-readable medium comprising second instructions which, when executed by a second server, causes the second server to; store the encryption key and the access control list in protected memory; receive from a client device, an input comprising a request to access a first resource stored in the web resource and a user identifier; determine that the user identifier is included in the access control list for the first resource; encrypt, using the encryption key, data that is passed from the client device to the first resource; and decrypt, using the encryption key, data that is passed from the first resource to the client device. - View Dependent Claims (12, 13, 14, 15)
-
Specification