System and method for robust full-drive encryption
First Claim
1. An automated method for performing fault-recoverable full-drive encryption in a computer system having computing hardware including a data storage drive containing content to be encrypted, the method comprising:
establishing, by the computer system, a plurality of segments in which the content to be encrypted is contained, each segment of the plurality of segments having a corresponding location on the data storage drive;
allocating, by the computer system, a buffer in non-volatile storage that is configured to temporarily retain different subsets of the plurality of segments at various times;
storing, by the computer system, an encrypted space mask in non-volatile storage that is configured to represent an encryption state of each segment of the plurality of segments;
sequentially encrypting, by the computer system, each segment of the plurality of segments to produce a corresponding encrypted segment;
in response to the encrypting of each segment, and prior to encrypting a subsequent segment, storing, by the computer system, a first copy of the encrypted segment in the buffer, and a second copy of the encrypted segment in a defined location on the data storage drive;
updating, by the computer system, the encrypted space mask to represent a current encryption state of the plurality of segments;
in response to an interruption of the sequential encrypting of the plurality of data segments, identifying, by the computer system, a second segment, of which a first encrypted copy is stored in the buffer, but wherein the encrypted space mask indicates the second segment as not being encrypted, the second segment being subsequent to a first segment indicated as being encrypted in the encrypted space mask;
in response to the identifying of the second segment, determining, by the computer system, based on the first encrypted copy of the second segment stored in the buffer, a current encryption state of the second segment; and
in response to the determining of the current encryption state of the second segment, correcting the encrypted space mask, by the computer system, to indicate the current encryption state of the second segment.
Abstract
System and method for fault-recoverable full-drive encryption. A buffer is allocated to temporarily retain different subsets of the plurality of segments at various times. An encrypted space mask represents an encryption state of each segment. Prior to encrypting each subsequent segment, a first copy of the encrypted segment is stored in the buffer, and a second copy of the encrypted segment is stored on the data storage drive. The encrypted space mask is updated to represent a current encryption state of the plurality of segments. In response to an interruption of the encrypting process, the encrypted space mask and, in some embodiments, the buffer, are used to identify a correct encryption state of the drive, permitting recovery and resumption of the encryption process.
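The recovery procedure that claim 1 and the abstract describe in prose, worked through as an added example (written for this page, not code from the patent or its assignee): segments are encrypted one at a time, each ciphertext is written first to a small non-volatile buffer and then to the segment's own drive location, and an encrypted space mask is updated last. A fault injector interrupts the run at the three distinct points that leave the mask stale, and the recovery routine then does what the claim states: it finds the first segment the mask marks as not encrypted but whose encrypted copy is still in the buffer, decides that segment's real state from the buffered copy, and corrects the mask before the run resumes. Assumptions beyond the page: the per-segment cipher is a SHA-256 counter-mode keystream used only as an illustrative stand-in for a real sector cipher, the buffer capacity of two segments, the constructed 5-segment drive and key, and the torn-write branch (restoring a half-written segment from the buffered copy), which goes past what the claim text spells out.

```python
import hashlib
from collections import OrderedDict
from dataclasses import dataclass, field

SEGMENT_SIZE = 64      # bytes per segment; constructed small value for the demo
BUFFER_CAPACITY = 2    # the buffer retains only a subset of segments at any time


def keystream(key: bytes, seg_index: int, length: int) -> bytes:
    """SHA-256 in counter mode, keyed per segment. An illustrative stand-in for the
    sector cipher a real full-drive-encryption product would use; not for production."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(
            key + seg_index.to_bytes(8, "big") + counter.to_bytes(4, "big")
        ).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_segment(key: bytes, seg_index: int, data: bytes) -> bytes:
    """XOR with the per-segment keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, seg_index, len(data))))


decrypt_segment = encrypt_segment


class PowerLoss(Exception):
    """Raised by the fault injector to simulate an interruption of the run."""


@dataclass
class Drive:
    """Drive contents plus the two non-volatile recovery structures of the claim."""
    segments: list                                             # segment i lives at location i
    buffer: OrderedDict = field(default_factory=OrderedDict)   # seg_index -> encrypted copy
    mask: list = field(default_factory=list)                   # encrypted space mask, one flag per segment

    def __post_init__(self):
        if not self.mask:
            self.mask = [False] * len(self.segments)


def encrypt_drive(drive: Drive, key: bytes, crash_at: int = None, crash_point: str = None):
    """Sequential encryption: for each segment, (1) encrypt, (2) write the copy to the
    buffer, (3) write the copy to the segment's drive location, (4) update the mask.
    crash_at/crash_point raise PowerLoss at the named point while handling that segment."""
    for i, plaintext in enumerate(drive.segments):
        if drive.mask[i]:
            continue                                   # already encrypted on an earlier run
        ciphertext = encrypt_segment(key, i, plaintext)
        drive.buffer[i] = ciphertext                   # step 2: first copy, in the buffer
        if i == crash_at and crash_point == "after_buffer":
            raise PowerLoss
        if i == crash_at and crash_point == "torn_write":
            half = SEGMENT_SIZE // 2                   # only part of the segment reached the drive
            drive.segments[i] = ciphertext[:half] + plaintext[half:]
            raise PowerLoss
        drive.segments[i] = ciphertext                 # step 3: second copy, on the drive
        if i == crash_at and crash_point == "before_mask":
            raise PowerLoss
        drive.mask[i] = True                           # step 4: mask records the new state
        while len(drive.buffer) > BUFFER_CAPACITY:     # retain only a recent subset
            drive.buffer.popitem(last=False)


def recover(drive: Drive, key: bytes):
    """Fault recovery as claimed: locate the first segment the mask says is not encrypted
    but whose encrypted copy is in the buffer, determine its real state from that copy,
    and correct the mask. Returns (segment index, state) or None if nothing is pending."""
    for i, on_drive in enumerate(drive.segments):
        if drive.mask[i]:
            continue
        if i not in drive.buffer:
            return None                                # nothing past the mask was encrypted
        buffered = drive.buffer[i]
        if on_drive == buffered:
            drive.mask[i] = True                       # drive write finished; only the mask was stale
            return i, "encrypted"
        if on_drive == decrypt_segment(key, i, buffered):
            return i, "plaintext"                      # drive write never began; mask already correct
        drive.segments[i] = buffered                   # torn write: restore from the buffered copy
        drive.mask[i] = True                           # (repair step is an assumption of this example)
        return i, "repaired"
    return None


def run_demo(crash_point: str, crash_at: int = 2):
    """Encrypt a constructed 5-segment drive, inject the fault, recover, resume, and
    verify that every segment still decrypts to its original content."""
    key = hashlib.sha256(b"demo key, constructed for this example").digest()
    originals = [bytes([0x41 + i]) * SEGMENT_SIZE for i in range(5)]
    drive = Drive(segments=list(originals))
    try:
        encrypt_drive(drive, key, crash_at=crash_at, crash_point=crash_point)
    except PowerLoss:
        pass
    mask_after_fault = list(drive.mask)
    result = recover(drive, key)
    encrypt_drive(drive, key)                          # resume; the mask says where to restart
    intact = all(decrypt_segment(key, i, drive.segments[i]) == originals[i] for i in range(5))
    return mask_after_fault, result, intact, all(drive.mask)


if __name__ == "__main__":
    for point in ("after_buffer", "torn_write", "before_mask"):
        print(point, run_demo(point))
```

The ordering of the writes is what makes recovery decidable: because the buffer copy is written before the drive copy, and the mask last, any interruption leaves at most one segment whose state is ambiguous, and the buffered ciphertext is enough to classify it without re-encrypting or trusting a partially written location.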
24 Claims
1. An automated method for performing fault-recoverable full-drive encryption in a computer system having computing hardware including a data storage drive containing content to be encrypted, the method comprising:
establishing, by the computer system, a plurality of segments in which the content to be encrypted is contained, each segment of the plurality of segments having a corresponding location on the data storage drive;
allocating, by the computer system, a buffer in non-volatile storage that is configured to temporarily retain different subsets of the plurality of segments at various times;
storing, by the computer system, an encrypted space mask in non-volatile storage that is configured to represent an encryption state of each segment of the plurality of segments;
sequentially encrypting, by the computer system, each segment of the plurality of segments to produce a corresponding encrypted segment;
in response to the encrypting of each segment, and prior to encrypting a subsequent segment, storing, by the computer system, a first copy of the encrypted segment in the buffer, and a second copy of the encrypted segment in a defined location on the data storage drive;
updating, by the computer system, the encrypted space mask to represent a current encryption state of the plurality of segments;
in response to an interruption of the sequential encrypting of the plurality of data segments, identifying, by the computer system, a second segment, of which a first encrypted copy is stored in the buffer, but wherein the encrypted space mask indicates the second segment as not being encrypted, the second segment being subsequent to a first segment indicated as being encrypted in the encrypted space mask;
in response to the identifying of the second segment, determining, by the computer system, based on the first encrypted copy of the second segment stored in the buffer, a current encryption state of the second segment; and
in response to the determining of the current encryption state of the second segment, correcting the encrypted space mask, by the computer system, to indicate the current encryption state of the second segment.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
14. A system for performing fault-recoverable full-drive encryption in a computer system, the system comprising:
computing hardware, including at least one processor, a memory device electrically interfaced with the processor, and a data storage drive containing content to be encrypted, the memory device containing instructions that, when executed, cause the processor to implement:
a coordinator engine configured to establish a plurality of segments in which the content to be encrypted is contained, each segment of the plurality of segments having a corresponding location on the data storage drive;
an encryption engine configured to sequentially encrypt each segment of the plurality of segments to produce a corresponding encrypted segment; and
a fault recovery engine;
the coordinator engine being further configured to:
allocate a buffer in non-volatile storage that is configured to temporarily retain different subsets of the plurality of segments at various times;
store an encrypted space mask in non-volatile storage that represents an encryption state of each segment of the plurality of segments;
in response to the encrypting of each segment and prior to encrypting a subsequent segment, store a first copy of the encrypted segment in the buffer, and a second copy of the encrypted segment in a defined location on the data storage drive;
update the encrypted space mask to represent a current encryption state of the plurality of segments;
the fault recovery engine being configured to:
in response to an interruption of the sequential encrypting of the plurality of data segments, identify a second segment, of which a first encrypted copy is stored in the buffer, but wherein the encrypted space mask indicates the second segment as not being encrypted, the second segment being subsequent to a first segment indicated as being encrypted in the encrypted space mask;
in response to the identifying of the second segment, determine, based on the first encrypted copy of the second segment stored in the buffer, a current encryption state of the second segment; and
in response to determining the current encryption state of the second segment, correct the encrypted space mask to indicate the current encryption state of the second segment.
Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 23
24. A system for performing fault-recoverable full-drive encryption in a computer system having computing hardware including a data storage drive containing content to be encrypted, the system comprising:
means for establishing a plurality of segments in which the content to be encrypted is contained, each segment of the plurality of segments having a corresponding location on the data storage drive;
means for allocating a buffer in non-volatile storage that is configured to temporarily retain different subsets of the plurality of segments at various times;
means for storing an encrypted space mask in non-volatile storage that is configured to represent an encryption state of each segment of the plurality of segments;
means for sequentially encrypting each segment of the plurality of segments to produce a corresponding encrypted segment;
means for storing a first copy of the encrypted segment in the buffer, and a second copy of the encrypted segment in a defined location on the data storage drive, in response to the encrypting of each segment and prior to encrypting a subsequent segment;
means for updating the encrypted space mask to represent a current encryption state of the plurality of segments;
means for identifying a second segment, of which a first encrypted copy is stored in the buffer, but wherein the encrypted space mask indicates the second segment as not being encrypted, the second segment being subsequent to a first segment indicated as being encrypted in the encrypted space mask, in response to an interruption of the sequential encrypting of the plurality of data segments;
means for determining, based on the first encrypted copy of the second segment stored in the buffer, a current encryption state of the second segment, in response to the identifying of the second segment; and
means for correcting the encrypted space mask to indicate the current encryption state of the second segment, in response to the determining of the current encryption state of the second segment.
Specification