Migration of full-disk encrypted virtualized storage between blade servers
First Claim
Patent Images
1. A method comprising:
- with a chassis management module instantiating a plurality of virtual security hardware instances corresponding to a plurality of blade servers, obtaining a key from a first virtual security hardware instance of said plurality of virtual security hardware instances, the key to perform an operation on a first blade server of said plurality of blade servers, wherein the first virtual security hardware instance corresponds to said first blade server;
in response to a command directed at first security hardware of the first blade server, providing the key to the first blade server via a secure out-of-band communication channel between said chassis management module and said plurality of blade servers, wherein the secure out-of-band communication channel comprises a signal path that is inaccessible to an external network;
with said chassis management module, migrating, without decrypting, encrypted data stored on the first blade server to a second blade server of said plurality of blade servers, the encrypted data having been encrypted with the key; and
with said chassis management module, migrating said key from said first virtual security hardware instance to a second virtual security hardware instance of said plurality of virtual security hardware instances via said secure out-of-band communication channel, the second virtual security hardware instance corresponding to said second blade server.
1 Assignment
0 Petitions
Accused Products
Abstract
A method, system and computer-readable storage medium with instructions to migrate full-disk encrypted virtual storage between blade servers. A key is obtained to perform an operation on a first blade server. The key is obtained from a virtual security hardware instance and provided to the first blade server via a secure out-of-band communication channel. The key is migrated from the first blade server to a second blade server. The key is used to perform hardware encryption of data stored on the first blade server. The data are migrated to the second blade server without decrypting the data at the first blade server, and the second blade server uses the key to access the data. Other embodiments are described and claimed.
37 Citations
15 Claims
-
1. A method comprising:
-
with a chassis management module instantiating a plurality of virtual security hardware instances corresponding to a plurality of blade servers, obtaining a key from a first virtual security hardware instance of said plurality of virtual security hardware instances, the key to perform an operation on a first blade server of said plurality of blade servers, wherein the first virtual security hardware instance corresponds to said first blade server; in response to a command directed at first security hardware of the first blade server, providing the key to the first blade server via a secure out-of-band communication channel between said chassis management module and said plurality of blade servers, wherein the secure out-of-band communication channel comprises a signal path that is inaccessible to an external network; with said chassis management module, migrating, without decrypting, encrypted data stored on the first blade server to a second blade server of said plurality of blade servers, the encrypted data having been encrypted with the key; and with said chassis management module, migrating said key from said first virtual security hardware instance to a second virtual security hardware instance of said plurality of virtual security hardware instances via said secure out-of-band communication channel, the second virtual security hardware instance corresponding to said second blade server. - View Dependent Claims (2, 3, 4, 5)
-
-
6. A system comprising:
-
a plurality of blade servers, a chassis management module, and a secure out-of-band communication channel between the plurality of blade servers and the chassis management module, the secure out-of-band communication channel being inaccessible to an external network, wherein; the chassis management module is configured to; instantiate a plurality of virtual security hardware instances respectively corresponding to said plurality of blade servers; obtain a key from a first virtual security hardware instance of said plurality of virtual security hardware instances, the key to perform an operation on a first blade server of said plurality of blade servers, wherein the first virtual hardware instance corresponds to said first blade server; and in response to a command directed at first security hardware of the first blade server, provide the key to the first blade server via the security out-of-band communication channel; the first blade server comprises an interface configured to obtain the key to perform the operation on the first blade server; and the chassis management module is further configured to; migrate, without decrypting, encrypted data stored on the first blade server to a second blade server of said plurality of blade servers, the encrypted data having been encrypted with the key; and migrate the key from the first virtual security hardware instance to a second virtual security hardware instance of said plurality of virtual security hardware instances via said secure out-of-band communication channel, the second virtual security hardware instance corresponding to said second blade server. - View Dependent Claims (7, 8, 9, 10)
-
-
11. A non-transitory computer-readable storage medium comprising instructions which when executed by at least one processor cause the performance of the following operations comprising:
-
instantiating a plurality of virtual security hardware instances corresponding to a plurality of blade servers with a chassis management module; obtaining a key from a first virtual security hardware instance of said plurality of virtual security hardware instances, the key to perform an operation on a first blade server of said plurality of blade servers, wherein the first virtual security hardware instance corresponds to said first blade server; in response to a command directed at first security hardware of the first blade server, providing the key to the first blade server via a secure out-of-band communication channel between said chassis management module and said plurality of blade servers, wherein the secure out-of-band communication channel comprises a signal path that is inaccessible to an external network; migrating, without decrypting, encrypted data stored on the first blade server to a second blade server of said plurality of blade servers, the encrypted data having been encrypted with the key; and migrating said key from said first virtual security hardware instance to a second virtual security hardware instance of said plurality of virtual security hardware instances via said secure out-of-band communication channel, the second virtual security hardware instance corresponding to said second blade server. - View Dependent Claims (12, 13, 14, 15)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeIntel Corporation
-
Original AssigneeIntel Corporation
-
InventorsSakthikumar, Palsamy, Zimmer, Vincent J.
-
Primary Examiner(s)Pham, Luu
-
Assistant Examiner(s)Baum, Ronald
-
Application NumberUS12/317,945Publication NumberTime in Patent Office2,345 DaysField of Search380/278US Class Current1/1CPC Class CodesG06F 11/203 using migrationG06F 21/57 Certifying or maintaining t...G06F 21/80 in storage media based on m...G06F 2221/2107 File encryptionH04L 41/00 Arrangements for maintenanc...H04L 41/28 Restricting access to netwo...H04L 41/344 Out-of-band transfersH04L 63/061 for key exchange, e.g. in p...H04L 9/0827 involving distinctive inter...H04L 9/0877 using additional device, e....
