Log structured volume encryption for virtual machines

US 8,996,887 B2
Filed: 02/24/2012
Issued: 03/31/2015
Est. Priority Date: 02/24/2012
Status: Active Grant

First Claim

Patent Images

1. A method implemented by one or more data processing apparatuses, the method comprising:

receiving a first request from a first virtual machine to store data in a log structured volume and based on the first request;

obtaining the data and an access control list of one or more users authorized to access the data;

obtaining a data key that has a data key identifier that identifies the data key, the data key identifier being different from the data key;

encrypting, using the one or more data processing apparatuses, the data key and the access control list using a wrapping key to generate a wrapped blob;

encrypting, using the one or more data processing apparatuses, the data using the data key to generate encrypted data;

storing the wrapped blob and the encrypted data in the log structured volume; and

providing the data key identifier to one or more users on the access control list;

receiving, from a second virtual machine, a second request that identifies the data key identifier, the second request being a request to obtain a snapshot of the data; and

based on the second request;

obtaining, based on the data key identifier, an unwrapped blob containing the data key and the access control list;

obtaining the data key and the access control list from the unwrapped blob; and

authenticating a user associated with the second request and authorizing the user against the access control list and, upon a determination that the user is authenticated and authorized;

decrypting, using the one or more data processing apparatuses, the data using the data key; and

providing a snapshot of the data to the second virtual machine;

determining that a threshold condition associated with storage of the data on the log structured volume has occurred and in response;

obtaining a new data key identified by a new data key identifier;

decrypting the data using the data key;

encrypting the new data key and the access control list using the wrapping key to generate a new wrapped blob;

encrypting the data using the new data key to generate encrypted data;

storing the new wrapped blob and the encrypted data in the log structured volume;

providing the new data key identifier to the one or more users on the access control list; and

preventing subsequent use of the data key.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including a method for providing data. The method comprises receiving a first request from a first virtual machine (VM) to store data, obtaining the data and an access control list (ACL) of authorized users, obtaining a data key that has a data key identifier, encrypting the data key and the ACL using a wrapping key to generate a wrapped blob, encrypting the data, storing the wrapped blob and the encrypted data, and providing the data key identifier to users on the ACL. The method further comprises receiving a second request from a second VM to obtain a data snapshot, obtaining an unwrapped blob, obtaining the data key and the ACL from the unwrapped blob, authenticating a user associated with the second request, authorizing the user against the ACL, decrypting the data using the data key, and providing a snapshot of the data to the second VM.

128 Citations

21 Claims

1. A method implemented by one or more data processing apparatuses, the method comprising:
- receiving a first request from a first virtual machine to store data in a log structured volume and based on the first request;
  
  obtaining the data and an access control list of one or more users authorized to access the data;
  
  obtaining a data key that has a data key identifier that identifies the data key, the data key identifier being different from the data key;
  
  encrypting, using the one or more data processing apparatuses, the data key and the access control list using a wrapping key to generate a wrapped blob;
  
  encrypting, using the one or more data processing apparatuses, the data using the data key to generate encrypted data;
  
  storing the wrapped blob and the encrypted data in the log structured volume; and
  
  providing the data key identifier to one or more users on the access control list;
  
  receiving, from a second virtual machine, a second request that identifies the data key identifier, the second request being a request to obtain a snapshot of the data; and
  
  based on the second request;
  
  obtaining, based on the data key identifier, an unwrapped blob containing the data key and the access control list;
  
  obtaining the data key and the access control list from the unwrapped blob; and
  
  authenticating a user associated with the second request and authorizing the user against the access control list and, upon a determination that the user is authenticated and authorized;
  
  decrypting, using the one or more data processing apparatuses, the data using the data key; and
  
  providing a snapshot of the data to the second virtual machine;
  
  determining that a threshold condition associated with storage of the data on the log structured volume has occurred and in response;
  
  obtaining a new data key identified by a new data key identifier;
  
  decrypting the data using the data key;
  
  encrypting the new data key and the access control list using the wrapping key to generate a new wrapped blob;
  
  encrypting the data using the new data key to generate encrypted data;
  
  storing the new wrapped blob and the encrypted data in the log structured volume;
  
  providing the new data key identifier to the one or more users on the access control list; and
  
  preventing subsequent use of the data key.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the threshold condition includes an amount of data protected by the data key.
  - 3. The method of claim 2, wherein the amount of data protected by the data key is a cumulative amount.
  - 4. The method of claim 2, wherein the amount of data protected by the data key is a current amount.
  - 5. The method of claim 1, wherein the threshold condition includes a time duration that the data key has been in use.
  - 6. The method of claim 1, wherein storing the encrypted data includes compacting the encrypted data.

7. A method implemented by one or more data processing apparatuses, the method comprising:
- receiving a first request from a first virtual machine to store data in a log structured volume and based on the first request;
  
  obtaining the data and an access control list of one or more users authorized to access the data;
  
  obtaining a data key that has a data key identifier that identifies the data key, the data key identifier being different from the data key;
  
  encrypting, using the one or more data processing apparatuses, the data key and the access control list using a wrapping key to generate a wrapped blob;
  
  encrypting, using the one or more data processing apparatuses, the data using the data key to generate encrypted data;
  
  storing the wrapped blob and the encrypted data in the log structured volume; and
  
  providing the data key identifier to one or more users on the access control list;
  
  receiving, from a second virtual machine, a second request that identifies the data key identifier, the second request being a request to obtain a snapshot of the data; and
  
  based on the second request;
  
  obtaining, based on the data key identifier, an unwrapped blob containing the data key and the access control list;
  
  obtaining the data key and the access control list from the unwrapped blob; and
  
  authenticating a user associated with the second request and authorizing the user against the access control list and, upon a determination that the user is authenticated and authorized;
  
  decrypting, using the one or more data processing apparatuses, the data using the data key; and
  
  providing a snapshot of the data to the second virtual machine;
  
  auditing access of the data;
  
  determining that the data has been accessed by a user that is not on the access control list and that the data key has been compromised, and in response;
  
  obtaining a new data key identified by a new data key identifier;
  
  decrypting the data using the data key;
  
  encrypting the new data key and the access control list using the wrapping key to generate a new wrapped blob;
  
  encrypting the data using the new data key to generate encrypted data;
  
  storing the new wrapped blob and the encrypted data in the log structured volume;
  
  providing the new data key identifier to the one or more users on the access control list; and
  
  preventing subsequent use of the data key.

8. A system comprising:
- one or more data processing apparatuses programmed to perform operations comprising;
  
  receiving a first request from a first virtual machine to store data in a log structured volume and based on the first request;
  
  obtaining the data and an access control list of one or more users authorized to access the data;
  
  obtaining a data key that has a data key identifier that identifies the data key, the data key identifier being different from the data key;
  
  encrypting the data key and the access control list using a wrapping key to generate a wrapped blob;
  
  encrypting the data using the data key to generate encrypted data;
  
  storing the wrapped blob and the encrypted data in the log structured volume; and
  
  providing the data key identifier to one or more users on the access control list; and
  
  receiving, from a second virtual machine, a second request that identifies the data key identifier, the second request being a request to obtain a snapshot of the data and based on the second request;
  
  obtaining, based on the data key identifier, an unwrapped blob containing the data key and the access control list;
  
  obtaining the data key and the access control list from the unwrapped blob;
  
  authenticating a user associated with the second request and authorizing the user against the access control list and, upon a determination that the user is authenticated and authorized;
  
  decrypting the data using the data key; and
  
  providing a snapshot of the data to the second virtual machine;
  
  determining that a threshold condition associated with storage of the data on the log structured volume has occurred and in response;
  
  obtaining a new data key identified by a new data key identifier;
  
  decrypting the data using the data key;
  
  encrypting the new data key and the access control list using the wrapping key to generate a new wrapped blob;
  
  encrypting the data using the new data key to generate encrypted data;
  
  storing the new wrapped blob and the encrypted data in the log structured volume;
  
  providing the new data key identifier to the one or more users on the access control list; and
  
  preventing subsequent use of the data key.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The system of claim 8, wherein the threshold condition includes an amount of data protected by the data key.
  - 10. The system of claim 9, wherein the amount of data protected by the data key is a cumulative amount.
  - 11. The system of claim 9, wherein the amount of data protected by the data key is a current amount.
  - 12. The system of claim 8, wherein the threshold condition includes a time duration that the data key has been in use.
  - 13. The system of claim 8, wherein storing the encrypted data includes compacting the encrypted data.

14. A system comprising:
- one or more data processing apparatuses programmed to perform operations comprising;
  
  receiving a first request from a first virtual machine to store data in a log structured volume and based on the first request;
  
  obtaining the data and an access control list of one or more users authorized to access the data;
  
  obtaining a data key that has a data key identifier that identifies the data key, the data key identifier being different from the data key;
  
  encrypting the data key and the access control list using a wrapping key to generate a wrapped blob;
  
  encrypting the data using the data key to generate encrypted data;
  
  storing the wrapped blob and the encrypted data in the log structured volume; and
  
  providing the data key identifier to one or more users on the access control list; and
  
  receiving, from a second virtual machine, a second request that identifies the data key identifier, the second request being a request to obtain a snapshot of the data and based on the second request;
  
  obtaining, based on the data key identifier, an unwrapped blob containing the data key and the access control list;
  
  obtaining the data key and the access control list from the unwrapped blob;
  
  authenticating a user associated with the second request and authorizing the user against the access control list and, upon a determination that the user is authenticated and authorized;
  
  decrypting the data using the data key; and
  
  providing a snapshot of the data to the second virtual machine;
  
  auditing access of the data;
  
  determining that the data has been accessed by a user that is not on the access control list and that the data key has been compromised, and in response;
  
  obtaining a new data key identified by a new data key identifier;
  
  decrypting the data using the data key;
  
  encrypting the new data key and the access control list using the wrapping key to generate a new wrapped blob;
  
  encrypting the data using the new data key to generate encrypted data;
  
  storing the new wrapped blob and the encrypted data in the log structured volume;
  
  providing the new data key identifier to the one or more users on the access control list; and
  
  preventing subsequent use of the data key.

15. A non-transitory storage medium having instructions stored thereon that, when executed, cause data processing apparatus to perform operations comprising:
- receiving a first request from a first virtual machine to store data in a log structured volume and based on the first request;
  
  obtaining the data and an access control list of one or more users authorized to access the data;
  
  obtaining a data key that has a data key identifier that identifies the data key, the data key identifier being different from the data key;
  
  encrypting the data key and the access control list using a wrapping key to generate a wrapped blob;
  
  encrypting the data using the data key to generate encrypted data;
  
  storing the wrapped blob and the encrypted data in the log structured volume; and
  
  providing the data key identifier to one or more users on the access control list;
  
  receiving, from a second virtual machine, a second request that identifies the data key identifier, the second request being a request to obtain a snapshot of the data and based on the second request;
  
  obtaining, based on the data key identifier, an unwrapped blob containing the data key and the access control list;
  
  obtaining the data key and the access control list from the unwrapped blob; and
  
  authenticating a user associated with the second request and authorizing the user against the access control list and, upon a determination that the user is authenticated and authorized;
  
  decrypting the data using the data key; and
  
  providing a snapshot of the data to the second virtual machine;
  
  determining that a threshold condition associated with storage of the data on the log structured volume has occurred and in response;
  
  obtaining a new data key identified by a new data key identifier;
  
  decrypting the data using the data key;
  
  encrypting the new data key and the access control list using the wrapping key to generate a new wrapped blob;
  
  encrypting the data using the new data key to generate encrypted data;
  
  storing the new wrapped blob and the encrypted data in the log structured volume;
  
  providing the new data key identifier to the one or more users on the access control list; and
  
  preventing subsequent use of the data key.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory storage medium of claim 15, wherein the threshold condition includes an amount of data protected by the data key.
  - 17. The non-transitory storage medium of claim 16, wherein the amount of data protected by the data key is a cumulative amount.
  - 18. The non-transitory storage medium of claim 16, wherein the amount of data protected by the data key is a current amount.
  - 19. The non-transitory storage medium of claim 15, wherein the threshold condition includes a time duration that the data key has been in use.
  - 20. The non-transitory storage medium of claim 15, wherein storing the encrypted data includes compacting the encrypted data.

21. A non-transitory storage medium having instructions stored thereon that, when executed, cause data processing apparatus to perform operations comprising:
- receiving a first request from a first virtual machine to store data in a log structured volume and based on the first request;
  
  obtaining the data and an access control list of one or more users authorized to access the data;
  
  obtaining a data key that has a data key identifier that identifies the data key, the data key identifier being different from the data key;
  
  encrypting the data key and the access control list using a wrapping key to generate a wrapped blob;
  
  encrypting the data using the data key to generate encrypted data;
  
  storing the wrapped blob and the encrypted data in the log structured volume; and
  
  providing the data key identifier to one or more users on the access control list;
  
  receiving, from a second virtual machine, a second request that identifies the data key identifier, the second request being a request to obtain a snapshot of the data and based on the second request;
  
  obtaining, based on the data key identifier, an unwrapped blob containing the data key and the access control list;
  
  obtaining the data key and the access control list from the unwrapped blob; and
  
  authenticating a user associated with the second request and authorizing the user against the access control list and, upon a determination that the user is authenticated and authorized;
  
  decrypting the data using the data key; and
  
  providing a snapshot of the data to the second virtual machine;
  
  auditing access of the data;
  
  determining that the data has been accessed by a user that is not on the access control list and that the data key has been compromised, and in response;
  
  obtaining a new data key identified by a new data key identifier;
  
  decrypting the data using the data key;
  
  encrypting the new data key and the access control list using the wrapping key to generate a new wrapped blob;
  
  encrypting the data using the new data key to generate encrypted data;
  
  storing the new wrapped blob and the encrypted data in the log structured volume;
  
  providing the new data key identifier to the one or more users on the access control list; and
  
  preventing subsequent use of the data key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Kadatch, Andrew, Halcrow, Michael A.
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
SONG, HEE K

Application Number

US13/405,036
Publication Number

US 20130227303A1
Time in Patent Office

1,131 Days
Field of Search

726 2- 6, 726/7, 726/26, 726/27, 713/2, 713/168, 713/193, 713/181, 380/44, 380/45, 380/277, 380/278, 380/287
US Class Current

713/193
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2107   File encryption

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/0435   wherein the sending and rec...

H04L 63/0478   applying multiple layers of...

H04L 63/0823   using certificates cryptogr...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

Log structured volume encryption for virtual machines

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

128 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Log structured volume encryption for virtual machines

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

128 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others