System and method for robust full-drive encryption

US 8,990,589 B1
Filed: 09/18/2014
Issued: 03/24/2015
Est. Priority Date: 09/18/2014
Status: Active Grant

First Claim

Patent Images

1. An automated method for performing fault-recoverable full-drive encryption in a computer system having computing hardware including a data storage drive containing content to be encrypted, the method comprising:

establishing, by the computer system, a plurality of segments in which the content to be encrypted is contained, each segment of the plurality of segments having a corresponding location on the data storage drive;

allocating, by the computer system, a buffer in non-volatile storage that is configured to temporarily retain different subsets of the plurality of segments at various times;

storing, by the computer system, an encrypted space mask in non-volatile storage that is configured to represent an encryption state of each segment of the plurality of segments;

sequentially encrypting, by the computer system, each segment of the plurality of segments to produce a corresponding encrypted segment;

in response to the encrypting of each segment, and prior to encrypting a subsequent segment, storing, by the computer system, a first copy of the encrypted segment in the buffer, and a second copy of the encrypted segment in a defined location on the data storage drive;

updating, by the computer system, the encrypted space mask to represent a current encryption state of the plurality of segments;

in response to an interruption of the sequential encrypting of the plurality of data segments, identifying, by the computer system, a second segment, of which a first encrypted copy is stored in the buffer, but wherein the encrypted space mask indicates the second segment as not being encrypted, the second segment being subsequent to a first segment indicated as being encrypted in the encrypted space mask;

in response to the identifying of the second segment, determining, by the computer system, based on the first encrypted copy of the second segment stored in the buffer, a current encryption state of the second segment; and

in response to the determining of the current encryption state of the second segment, correcting the encrypted space mask, by the computer system, to indicate the current encryption state of the second segment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System and method for fault-recoverable full-drive encryption. A buffer is allocated to temporarily retain different subsets of the plurality of segments at various times. An encrypted space mask represents an encryption state of each segment. Prior to encrypting each subsequent segment, a first copy of the encrypted segment is stored in the buffer, and a second copy of the encrypted segment is stored on the data storage drive. The encrypted space mask is updated to represent a current encryption state of the plurality of segments. In response to an interruption of the encrypting process, the encrypted space mask and, in some embodiments, the buffer, are used to identify a correct encryption state of the drive, permitting recovery and resumption of the encryption process.

Citations

24 Claims

1. An automated method for performing fault-recoverable full-drive encryption in a computer system having computing hardware including a data storage drive containing content to be encrypted, the method comprising:
- establishing, by the computer system, a plurality of segments in which the content to be encrypted is contained, each segment of the plurality of segments having a corresponding location on the data storage drive;
  
  allocating, by the computer system, a buffer in non-volatile storage that is configured to temporarily retain different subsets of the plurality of segments at various times;
  
  storing, by the computer system, an encrypted space mask in non-volatile storage that is configured to represent an encryption state of each segment of the plurality of segments;
  
  sequentially encrypting, by the computer system, each segment of the plurality of segments to produce a corresponding encrypted segment;
  
  in response to the encrypting of each segment, and prior to encrypting a subsequent segment, storing, by the computer system, a first copy of the encrypted segment in the buffer, and a second copy of the encrypted segment in a defined location on the data storage drive;
  
  updating, by the computer system, the encrypted space mask to represent a current encryption state of the plurality of segments;
  
  in response to an interruption of the sequential encrypting of the plurality of data segments, identifying, by the computer system, a second segment, of which a first encrypted copy is stored in the buffer, but wherein the encrypted space mask indicates the second segment as not being encrypted, the second segment being subsequent to a first segment indicated as being encrypted in the encrypted space mask;
  
  in response to the identifying of the second segment, determining, by the computer system, based on the first encrypted copy of the second segment stored in the buffer, a current encryption state of the second segment; and
  
  in response to the determining of the current encryption state of the second segment, correcting the encrypted space mask, by the computer system, to indicate the current encryption state of the second segment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - identifying, by the computer system, the content to be encrypted; and
      
      determining, by the computer system, a data segment size by which the content is to be encrypted, such that all of the content is divided into a plurality of sequential segments, each segment having a corresponding location on the data storage drive.
  - 3. The method of claim 2, wherein the data segment size is determined based on an ascertained quantity of good sectors of a partition of the data storage drive to be encrypted.
  - 4. The method of claim 1, wherein the defined location in which the second copy of the encrypted segment is stored is the same location where that segment was stored prior to being encrypted.
  - 5. The method of claim 1, wherein the defined location in which the second copy of the encrypted segment is stored is a different location from where that segment was stored prior to being encrypted.
  - 6. The method of claim 1, wherein the encrypted space mask comprises at least one data structure selected from the group consisting of:
    - a bitmap sequence, a tree structure, an n-dimensional array, an interval graph, a multi-level bitmap, or any combination thereof.
  - 7. The method of claim 1, wherein the buffer stores a plurality of segments and is saved to the data storage drive in response to the encrypting of each segment, and wherein the encrypted space mask is saved to the data storage drive less frequently than the buffer.
  - 8. The method of claim 1, wherein the encrypted space mask is saved into the non-volatile storage only in response to a mask-saving condition having been satisfied.
  - 9. The method of claim 8, wherein the mask-saving condition is met when a predefined quantity of segments have been encrypted since a most recent saving of the encrypted space mask.
  - 10. The method of claim 1, wherein determining the current encryption state of the second segment is based on a comparative value of the first encrypted copy of the second segment stored in the buffer and the second encrypted copy of the second segment stored in the defined location on the data storage drive.
  - 11. The method of claim 1, wherein determining the current encryption state of the second segment is based on a determination of either a presence or an absence of the first encrypted copy of the second segment stored in the buffer.
  - 12. The method of claim 1, wherein determining the current encryption state of the second segment is based on a comparison between a sequential segment index value that is incremented for each encrypted segment written to the data storage drive, and a mask index value that represents a quantity of encryption state indicators of the encrypted state mask that are indicative of an encrypted segment.
  - 13. The method of claim 1, wherein determining the current encryption state of the second segment is based on a measure of informational entropy of the second encrypted copy of the second segment.

14. A system for performing fault-recoverable full-drive encryption in a computer system, the system comprising:
- computing hardware, including at least one processor, a memory device electrically interfaced with the processor, and a data storage drive containing content to be encrypted, the memory device containing instructions that, when executed, cause the processor to implement;
  
  a coordinator engine configured to establish a plurality of segments in which the content to be encrypted is contained, each segment of the plurality of segments having a corresponding location on the data storage drive;
  
  an encryption engine configured to sequentially encrypt each segment of the plurality of segments to produce a corresponding encrypted segment; and
  
  a fault recovery engine;
  
  the coordinator engine being further configured to;
  
  allocate a buffer in non-volatile storage that is configured to temporarily retain different subsets of the plurality of segments at various times;
  
  store an encrypted space mask in non-volatile storage that represents an encryption state of each segment of the plurality of segments;
  
  in response to the encrypting of each segment and prior to encrypting a subsequent segment, store a first copy of the encrypted segment in the buffer, and a second copy of the encrypted segment in a defined location on the data storage drive;
  
  update the encrypted space mask to represent a current encryption state of the plurality of segments;
  
  the fault recovery engine being configured to;
  
  in response to an interruption of the sequential encrypting of the plurality of data segments, identify a second segment, of which a first encrypted copy is stored in the buffer, but wherein the encrypted space mask indicates the second segment as not being encrypted, the second segment being subsequent to a first segment indicated as being encrypted in the encrypted space mask;
  
  determine, in response to the identifying of the second segment, determine, based on the first encrypted copy of the second segment stored in the buffer, a current encryption state of the second segment; and
  
  in response to determining the current encryption state of the second segment, correct the encrypted space mask to indicate the current encryption state of the second segment.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The system of claim 14, further comprising:
    - a drive parameter analysis engine configured to;
      
      identify the content to be encrypted; and
      
      determine a data segment size by which the content is to be encrypted, such that all of the content is divided into a plurality of sequential segments, each segment having a corresponding location on the data storage drive.
  - 16. The system of claim 15, wherein the data segment size is determined based on an ascertained quantity of good sectors of a partition of the data storage drive to be encrypted.
  - 17. The system of claim 14, wherein the buffer stores a plurality of segments and is saved to the data storage drive in response to the encrypting of each segment, and wherein the encrypted space mask is saved to the data storage drive less frequently than the buffer.
  - 18. The system of claim 14, wherein the encrypted space mask is saved into the non-volatile storage only in response to a mask-saving condition having been satisfied.
  - 19. The system of claim 18, wherein the mask-saving condition is met when a predefined quantity of segments have been encrypted since a most recent saving of the encrypted space mask.
  - 20. The system of claim 14, wherein the current encryption state of the second segment is determined based on a comparative value of the first encrypted copy of the second segment stored in the buffer and the second encrypted copy of the second segment stored in the defined location on the data storage drive.
  - 21. The system of claim 14, wherein the current encryption state of the second segment is determined based on a determination of either a presence or an absence of the first encrypted copy of the second segment stored in the buffer.
  - 22. The system of claim 14, wherein the current encryption state of the second segment is determined based on a comparison between a sequential segment index value that is incremented for each encrypted segment written to the data storage drive, and a mask index value that represents a quantity of encryption state indicators of the encrypted state mask that are indicative of an encrypted segment.
  - 23. The system of claim 14, wherein the current encryption state of the second segment is determined based on a measure of informational entropy of the second encrypted copy of the second segment.

24. A system for performing fault-recoverable full-drive encryption in a computer system having computing hardware including a data storage drive containing content to be encrypted, the system comprising:
- means for establishing a plurality of segments in which the content to be encrypted is contained, each segment of the plurality of segments having a corresponding location on the data storage drive;
  
  means for allocating a buffer in non-volatile storage that is configured to temporarily retain different subsets of the plurality of segments at various times;
  
  means for storing an encrypted space mask in non-volatile storage that is configured to represent an encryption state of each segment of the plurality of segments;
  
  means for sequentially encrypting each segment of the plurality of segments to produce a corresponding encrypted segment;
  
  means for storing a first copy of the encrypted segment in the buffer, and a second copy of the encrypted segment in a defined location on the data storage drive in response to the encrypting of each segment, and prior to encrypting a subsequent segment;
  
  means for updating the encrypted space mask to represent a current encryption state of the plurality of segments;
  
  means for identifying a second segment, of which a first encrypted copy is stored in the buffer, but wherein the encrypted space mask indicates the second segment as not being encrypted, the second segment being subsequent to a first segment indicated as being encrypted in the encrypted space mask, in response to an interruption of the sequential encrypting of the plurality of data segments;
  
  means for determining based on the first encrypted copy of the second segment stored in the buffer, a current encryption state of the second segment in response to the identifying of the second segment; and
  
  means for correcting the encrypted space mask to indicate the current encryption state of the second segment, in response to the determining of the current encryption state of the second segment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lab A.O. Kaspersky
Original Assignee
Kaspersky Lab ZAO
Inventors
Kazarkin, Lev A.
Primary Examiner(s)
Paliwal, Yogesh

Application Number

US14/490,185
Time in Patent Office

187 Days
Field of Search

713/193
US Class Current

713/193
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06F 2212/1052   Security improvement

G06F 3/0674   Disk device

System and method for robust full-drive encryption

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for robust full-drive encryption

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links