Migration of full-disk encrypted virtualized storage between blade servers
Abstract
A method, system and computer-readable storage medium with instructions to migrate full-disk encrypted virtual storage between blade servers. A key is obtained to perform an operation on a first blade server. The key is obtained from a virtual security hardware instance and provided to the first blade server via a secure out-of-band communication channel. The key is migrated from the first blade server to a second blade server. The key is used to perform hardware encryption of data stored on the first blade server. The data are migrated to the second blade server without decrypting the data at the first blade server, and the second blade server uses the key to access the data. Other embodiments are described and claimed.
15 Claims
1. A method comprising:
- with a chassis management module instantiating a plurality of virtual security hardware instances corresponding to a plurality of blade servers, obtaining a key from a first virtual security hardware instance of said plurality of virtual security hardware instances, the key to perform an operation on a first blade server of said plurality of blade servers, wherein the first virtual security hardware instance corresponds to said first blade server;
- in response to a command directed at first security hardware of the first blade server, providing the key to the first blade server via a secure out-of-band communication channel between said chassis management module and said plurality of blade servers, wherein the secure out-of-band communication channel comprises a signal path that is inaccessible to an external network;
- with said chassis management module, migrating, without decrypting, encrypted data stored on the first blade server to a second blade server of said plurality of blade servers, the encrypted data having been encrypted with the key; and
- with said chassis management module, migrating said key from said first virtual security hardware instance to a second virtual security hardware instance of said plurality of virtual security hardware instances via said secure out-of-band communication channel, the second virtual security hardware instance corresponding to said second blade server.
Dependent claims: 2, 3, 4, 5.

6. A system comprising:
- a plurality of blade servers, a chassis management module, and a secure out-of-band communication channel between the plurality of blade servers and the chassis management module, the secure out-of-band communication channel being inaccessible to an external network, wherein:
- the chassis management module is configured to: instantiate a plurality of virtual security hardware instances respectively corresponding to said plurality of blade servers; obtain a key from a first virtual security hardware instance of said plurality of virtual security hardware instances, the key to perform an operation on a first blade server of said plurality of blade servers, wherein the first virtual security hardware instance corresponds to said first blade server; and in response to a command directed at first security hardware of the first blade server, provide the key to the first blade server via the secure out-of-band communication channel;
- the first blade server comprises an interface configured to obtain the key to perform the operation on the first blade server; and
- the chassis management module is further configured to: migrate, without decrypting, encrypted data stored on the first blade server to a second blade server of said plurality of blade servers, the encrypted data having been encrypted with the key; and migrate the key from the first virtual security hardware instance to a second virtual security hardware instance of said plurality of virtual security hardware instances via said secure out-of-band communication channel, the second virtual security hardware instance corresponding to said second blade server.
Dependent claims: 7, 8, 9, 10.

11. A non-transitory computer-readable storage medium comprising instructions which when executed by at least one processor cause the performance of the following operations comprising:
- instantiating a plurality of virtual security hardware instances corresponding to a plurality of blade servers with a chassis management module;
- obtaining a key from a first virtual security hardware instance of said plurality of virtual security hardware instances, the key to perform an operation on a first blade server of said plurality of blade servers, wherein the first virtual security hardware instance corresponds to said first blade server;
- in response to a command directed at first security hardware of the first blade server, providing the key to the first blade server via a secure out-of-band communication channel between said chassis management module and said plurality of blade servers, wherein the secure out-of-band communication channel comprises a signal path that is inaccessible to an external network;
- migrating, without decrypting, encrypted data stored on the first blade server to a second blade server of said plurality of blade servers, the encrypted data having been encrypted with the key; and
- migrating said key from said first virtual security hardware instance to a second virtual security hardware instance of said plurality of virtual security hardware instances via said secure out-of-band communication channel, the second virtual security hardware instance corresponding to said second blade server.
Dependent claims: 12, 13, 14, 15.
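The flow the claims describe, as an added Python model that is not from the patent: a ChassisManagementModule object stands in for the chassis management module and its per-blade virtual security hardware instances, an HMAC-based keystream stands in for the blade's hardware full-disk encryption engine, and two logs record what crosses the out-of-band signal path versus the external network. Blade names, method names and the sample volume contents are assumptions of this model.

```python
import hmac
import os

def fde_xor(key, nonce, data):
    """Stand-in for the blade's hardware FDE engine: HMAC-SHA256 keystream, counter mode."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(8, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

class ChassisManagementModule:
    def __init__(self, blade_ids):
        self.vsh = {b: None for b in blade_ids}         # vsh instance -> its key
        self.blade_key = {b: None for b in blade_ids}   # key as delivered to the blade
        self.blade_disk = {b: None for b in blade_ids}  # (nonce, ciphertext) per blade
        self.oob_log, self.network_log = [], []         # what each path carried

    def provide_key(self, blade):
        """Answer the blade's key request over the OOB signal path, never the network."""
        self.vsh[blade] = self.vsh[blade] or os.urandom(32)   # provision on first use
        self.oob_log.append(("key", blade, self.vsh[blade]))
        self.blade_key[blade] = self.vsh[blade]

    def blade_write(self, blade, plaintext):
        nonce = os.urandom(16)
        self.blade_disk[blade] = (nonce, fde_xor(self.blade_key[blade], nonce, plaintext))

    def blade_read(self, blade):
        nonce, ciphertext = self.blade_disk[blade]
        return fde_xor(self.blade_key[blade], nonce, ciphertext)

    def migrate(self, src, dst):
        nonce, ciphertext = self.blade_disk[src]
        self.network_log.append(ciphertext)             # data crosses as ciphertext only
        self.blade_disk[dst] = (nonce, ciphertext)
        self.vsh[dst] = self.vsh[src]                    # key moves vsh -> vsh over OOB
        self.oob_log.append(("migrate", src, dst, self.vsh[dst]))
        self.vsh[src] = self.blade_key[src] = None       # source keeps nothing usable
        self.provide_key(dst)                            # dst blade gets it over OOB

def run_migration(secret=b"constructed sample volume contents"):
    cmm = ChassisManagementModule(["blade1", "blade2"])
    cmm.provide_key("blade1")
    cmm.blade_write("blade1", secret)
    cmm.migrate("blade1", "blade2")
    return {"recovered": cmm.blade_read("blade2"),
            "key_on_network": any(cmm.vsh["blade2"] in m for m in cmm.network_log),
            "plaintext_on_network": any(secret in m for m in cmm.network_log),
            "source_cleared": cmm.vsh["blade1"] is None and cmm.blade_key["blade1"] is None}
```

The returned dictionary shows the second blade reading the volume with the migrated key while neither the key nor the plaintext ever appeared on the network path.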