System and method for encryption and decryption of data

US 9,135,471 B2
Filed: 03/10/2010
Issued: 09/15/2015
Est. Priority Date: 03/10/2010
Status: Active Grant

First Claim

Patent Images

1. An information handling system, comprising:

a processor;

a memory communicatively coupled to the processor;

a storage resource communicatively coupled to the processor, the storage resource having a sealed encryption key that is unique to the storage resource and associated only with the storage resource; and

a computer-readable medium coupled to the processor and having stored thereon instructions for managing encryption and decryption tasks, the instructions configured to, when executed by the processor;

encrypt or decrypt data associated with an input/output operation from the storage resource based on the unique sealed encryption key and a cryptographic function, the unique sealed encryption key is read access disabled, the cryptographic function is selected based on one or more characteristics associated with the data to be encrypted or decrypted;

determine an encryption status of a volume of the storage resource;

store a variable indicating whether the volume is partially encrypted or decrypted; and

boot from the volume of the storage resource and continue encryption or decryption of the data in response to a determination that the variable indicates that the volume is partially encrypted or decrypted, wherein completion of the encryption or decryption of the data results in full volume encryption (FVE) or full disk encryption (FDE).

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for reducing problems and disadvantages associated with traditional approaches to encryption and decryption of data are provided. A method for encryption and decryption of data, may include encrypting or decrypting data associated with an input/output operation based on at least one of an encryption key and a cryptographic function, wherein at least one of the encryption key and the cryptographic function are selected based on one or more characteristics associated with the data to be encrypted or decrypted. Another method may include encrypting an item of data based on at least one of a first-layer encryption key and a first-layer cryptographic function to produce first-layer encrypted data and encrypting the first-layer encrypted data based on at least one of a second-layer encryption key and a second-layer cryptographic function to produce second-layer encrypted data.

49 Citations

View as Search Results

20 Claims

1. An information handling system, comprising:
- a processor;
  
  a memory communicatively coupled to the processor;
  
  a storage resource communicatively coupled to the processor, the storage resource having a sealed encryption key that is unique to the storage resource and associated only with the storage resource; and
  
  a computer-readable medium coupled to the processor and having stored thereon instructions for managing encryption and decryption tasks, the instructions configured to, when executed by the processor;
  
  encrypt or decrypt data associated with an input/output operation from the storage resource based on the unique sealed encryption key and a cryptographic function, the unique sealed encryption key is read access disabled, the cryptographic function is selected based on one or more characteristics associated with the data to be encrypted or decrypted;
  
  determine an encryption status of a volume of the storage resource;
  
  store a variable indicating whether the volume is partially encrypted or decrypted; and
  
  boot from the volume of the storage resource and continue encryption or decryption of the data in response to a determination that the variable indicates that the volume is partially encrypted or decrypted, wherein completion of the encryption or decryption of the data results in full volume encryption (FVE) or full disk encryption (FDE).
- View Dependent Claims (2, 3, 4, 5)
- - 2. The information handling system according to claim 1, the one or more characteristics comprising:
    - a user associated with the information handling system, a port to which the storage resource associated with the input/output operation is coupled, a type of the storage resource associated with the input/output operation, a manufacturer of the storage resource associated with the input/output operation, a model of the storage resource associated with the input/output operation, a serial number of the storage resource associated with the input/output operation, a logical path of the storage resource associated with the input/output operation, and any other characteristic of the storage resource associated with the input/output operation.
  - 3. The information handling system according to claim 1, wherein the cryptographic function includes at least one of an encryption algorithm, an algorithm mode, a cryptographic hash, and a sign function.
  - 4. The information handling system according to claim 1, wherein the one or more characteristics are determined based on a security policy.
  - 5. The information handling system according to claim 4, wherein the security policy is established by an administrator at a management console remote from the information handling system and communicated to the information handling system.

6. A method for encryption and decryption of data, comprising:
- encrypting or decrypting data associated with an input/output operation from a storage resource based on a unique sealed encryption key and a cryptographic function, the unique sealed encryption key is unique to the storage resource and associated only with the storage resource, the unique sealed encryption key is read access disabled, the cryptographic function is selected based on one or more characteristics associated with the data to be encrypted or decrypted;
  
  determining an encryption status of a volume of a storage resource;
  
  storing a variable indicating whether the volume is partially encrypted or decrypted; and
  
  booting from the volume of the storage resource and continuing encrypting or decrypting the data in response to a determination that the variable indicates that the volume is partially encrypted or decrypted, wherein completion of the encrypting or decrypting of the data results in full volume encryption (FVE) or full disk encryption (FDE).
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method according to claim 6, the one or more characteristics comprising:
    - a user associated with an information handling system, a port to which the storage resource associated with the input/output operation is coupled, a type of the storage resource associated with the input/output operation, a manufacturer of the storage resource associated with the input/output operation, a model of the storage resource associated with the input/output operation, a serial number of the storage resource associated with the input/output operation, a logical path of the storage resource associated with the input/output operation, and a file type of the data to be encrypted or decrypted.
  - 8. The method according to claim 6, wherein the cryptographic function includes at least one of an encryption algorithm, an algorithm mode, a cryptographic hash, and a sign function.
  - 9. The method according to claim 6, wherein the one or more characteristics are determined based on a security policy.
  - 10. The method according to claim 9, further comprising:
    - establishing the security policy by an administrator at a management console remote from an information handling system; and
      
      communicating the security policy to the information handling system.

11. An information handling system, comprising:
- a processor;
  
  a memory communicatively coupled to the processor;
  
  a storage resource communicatively coupled to the processor, the storage resource having a sealed encryption key that is unique to the storage resource and associated only with the storage resource; and
  
  a computer-readable medium coupled to the processor and having stored thereon instructions for encrypting an item of data from the storage resource, the instructions configured to, when executed by the processor;
  
  encrypt the item of data based on a first-layer encryption key and a first-layer cryptographic function to produce first-layer encrypted data, the first-layer encryption key being the unique sealed encryption key, the unique sealed encryption key is read access disabled; and
  
  encrypt the first-layer encrypted data based on at least one of a second-layer encryption key and a second-layer cryptographic function to produce second-layer encrypted data;
  
  determine an encryption status of a volume of the storage resource;
  
  store a variable indicating whether the volume is partially encrypted or decrypted; and
  
  boot from the volume of the storage resource and continue encryption of items of data from the storage resource in response to a determination that the variable indicates that the volume is partially encrypted or decrypted, wherein completion of the encryption of the items of data results in full volume encryption (FVE) or full disk encryption (FDE).
- View Dependent Claims (12, 13, 14, 15)
- - 12. The information handling system according to claim 11, the instructions further configured to encrypt the second-layer encrypted data based on at least one of a third-layer encryption key and a third-layer cryptographic function to produce third-layer encrypted data.
  - 13. The information handling system according to claim 11, wherein the first-layer encryption key and the first-layer cryptographic function are unique to a first component of the information handling system and the second-layer encryption key and the second-layer cryptographic function are unique to a second component different than the first component.
  - 14. The information handling system according to claim 13, wherein each of the first component and the second component comprises one of:
    - a user of the information handling system, the processor of the information handling system, the storage resource of the information handling system, a bus via which the storage resource of the information handling system is coupled, a cryptoprocessor of the information handling system, and an encryption accelerator of the information handling system.
  - 15. The information handling system according to claim 11, the instructions further configured to:
    - decrypt the second-layer encrypted data based on at least one of the second-layer encryption key and the second-layer cryptographic function to produce first-layer encrypted data; and
      
      decrypt the first-layer encrypted data based on at least one of the first-layer encryption key and the first-layer cryptographic function to produce the item of data.

16. A method for encrypting data, comprising:
- encrypting an item of data from a storage resource based on a first-layer encryption key and a first-layer cryptographic function to produce first-layer encrypted data, the first-layer encryption key being a unique sealed encryption key, the unique sealed encryption key is unique to the storage resource and associated only with the storage resource, the unique sealed encryption key is read access disabled;
  
  encrypting the first-layer encrypted data based on at least one of a second-layer encryption key and a second-layer cryptographic function to produce second-layer encrypted data;
  
  determining an encryption status of a volume of a storage resource;
  
  storing a variable indicating whether the volume is partially encrypted or decrypted; and
  
  booting from the volume of the storage resource and continuing encryption of items of data from the storage resource in response to a determination that the variable indicates that the volume is partially encrypted or decrypted, wherein completion of the encryption of the items of data results in full volume encryption (FVE) or full disk encryption (FDE).
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method according to claim 16, further comprising encrypting the second-layer encrypted data based on at least one of a third-layer encryption key and a third-layer cryptographic function to produce third-layer encrypted data.
  - 18. The method according to claim 16, wherein the first-layer encryption key and the first-layer cryptographic function are unique to a first component of an information handling system and the second-layer encryption key and the second-layer cryptographic function are unique to a second component different than the first component.
  - 19. The method according to claim 18, wherein each of the first component and the second component comprises one of:
    - a user of the information handling system, the processor of the information handling system, the storage resource of the information handling system, a bus via which the storage resource of the information handling system is coupled, a cryptoprocessor of the information handling system, and an encryption accelerator of the information handling system.
  - 20. The method according to claim 16, further comprising:
    - decrypting the second-layer encrypted data based on at least one of the second-layer encryption key and the second-layer cryptographic function to produce first-layer encrypted data; and
      
      decrypting the first-layer encrypted data based on at least one of the first-layer encryption key and the first-layer cryptographic function to produce the item of data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dell Products LP (Dell Technologies Inc.)
Original Assignee
Dell Products LP (Dell Technologies Inc.)
Inventors
Stufflebeam, Kenneth W. Jr., Nelson, Amy Christine
Primary Examiner(s)
CHANG, KENNETH W

Application Number

US12/721,355
Publication Number

US 20110225428A1
Time in Patent Office

2,015 Days
Field of Search

713/190
US Class Current

1/1
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06F 21/72   in cryptographic circuits

G06F 21/78   to assure secure storage of...

System and method for encryption and decryption of data

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for encryption and decryption of data

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links