Techniques for secure data extraction in a virtual or cloud environment

US 9,514,313 B2
Filed: 05/31/2013
Issued: 12/06/2016
Est. Priority Date: 03/15/2013
Status: Expired due to Fees

First Claim

Patent Images

1. A method implemented in a non-transitory machine-readable storage medium and processed by a device configured to perform the method, comprising:

acquiring, by the device, an encryption key tailored for a virtual processing environment that when executed is a virtual machine (VM), wherein acquiring further includes obtaining the encryption key from a Trusted Platform Module (TPM) on of the device;

identifying, by the device, selective data as a delta state of a virtual processing environment relative to a base state of the virtual processing environment;

extracting, by the device, the selective data from the virtual processing environment as the delta state and storing the delta state in a file separate from storage maintained for the virtual processing environment on the device; and

encrypting, by the device, the selective data with the encryption key using the delta state and a particular key unique to the device and when the virtual processing environment is to be started up sending the base state for the virtual processing environment to a host machine and then separately sending the encrypted delta state to the host machine, the host machine decrypting the encrypted delta state and inserting the decrypted delta state into to the base state before initiating the virtual processing environment on the host machine in the delta state.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for secure data extraction in a virtual or cloud environment are presented. Desired data from a Virtual Machine (VM) or an entire VM is extracted and encrypted with a key. This key is sealed to a machine or a group of machines. The encrypted data is then migrated and successfully used on startup for instances of the VM by having the ability to access the sealed key (and unsealing it) to decrypt the encrypted data.

16 Citations

View as Search Results

15 Claims

1. A method implemented in a non-transitory machine-readable storage medium and processed by a device configured to perform the method, comprising:
- acquiring, by the device, an encryption key tailored for a virtual processing environment that when executed is a virtual machine (VM), wherein acquiring further includes obtaining the encryption key from a Trusted Platform Module (TPM) on of the device;
  
  identifying, by the device, selective data as a delta state of a virtual processing environment relative to a base state of the virtual processing environment;
  
  extracting, by the device, the selective data from the virtual processing environment as the delta state and storing the delta state in a file separate from storage maintained for the virtual processing environment on the device; and
  
  encrypting, by the device, the selective data with the encryption key using the delta state and a particular key unique to the device and when the virtual processing environment is to be started up sending the base state for the virtual processing environment to a host machine and then separately sending the encrypted delta state to the host machine, the host machine decrypting the encrypted delta state and inserting the decrypted delta state into to the base state before initiating the virtual processing environment on the host machine in the delta state.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 further comprising, sealing, by the device, the encryption key.
  - 3. The method of claim 2, wherein sealing further includes tying the sealed encryption key to a defined set of devices.
  - 4. The method of claim 1, wherein acquiring further includes registering the virtual processing environment to obtain the encryption key.
  - 5. The method of claim 4, wherein registering further includes registering the virtual processing environment with a local environment of the device.
  - 6. The method of claim 4, wherein registering further includes registering the virtual processing environment with a third-party credential arbiter.
  - 7. The method of claim 1, wherein identifying further includes dynamically recognizing the selective data as the virtual processing environment processes based on one or more of:
    - a policy evaluation, a specific operation being processed within the virtual processing environment, and a type assigned to the selective data.
  - 8. The method of claim 1, wherein encrypting further includes storing the encrypted selective data in a repository.
  - 9. The method of claim 1, wherein encrypting further includes transmitting the encrypted selective data as a stream over a network to a resource.

10. A method implemented in a non-transitory machine-readable storage medium and processed by a machine configured to perform the method, comprising:
- transmitting, by the machine, a base image of a virtual processing environment to a target machine, wherein when the virtual processing environment is to be executed on the target machine, the virtual processing environment represents a virtual machine;
  
  separately communicating and transmitting, via the machine, selective encrypted data representing a given state for the base image to the target machine, the selective encrypted data stored separately from storage on the machine having the base image; and
  
  instructing, via the machine, the target machine to initiate a running image of the virtual processing environment representing the base image for validating, decrypting, and inserting the selective encrypted data into the running image creating the given state for the virtual processing environment on the target machine when initiating the virtual processing environment for execution on the target machine, wherein decrypting further includes decrypting, by the target machine, the selective encrypted data using a particular key specific to the target machine and using the given state.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10, wherein transmitting further includes identifying the target machine in response to an authorized cluster of machines that includes the target machine.
  - 12. The method of claim 10, wherein transmitting further includes deciding to transmit the base image to the target machine in response to a dynamically evaluated policy.
  - 13. The method of claim 10, wherein instructing further includes directing the running image to a third-party credential arbiter to assist in validating the selective encrypted data.
  - 14. The method of claim 10, wherein instructing further includes directing the running image to use a sealed Trusted Platform Module key to validate the selective encrypted data.

15. A system, comprising:
- a machine memory configured with a virtual data extractor that processes on one or more processors of the machine;
  
  the machine or a different machine configured with a virtual machine (VM) secure data distributor;
  
  wherein the virtual data extractor is configured to selectively identify, extract, and encrypt data associated with a given state of a VM and store the given state separately from storage for the VM, and the VM secure data distributor is configured to first deliver a base image of the VM to a target machine and then separately deliver the encrypted data to the target machine that is to run an instance of the VM and instruct the target machine to validate, decrypt, and insert the encrypted data within the instance to recreate the given state of the VM using the given state and a particular key of the target machine to decrypt the encrypted data when initiating the VM on the target machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetIQ Corporation (Open Text Corporation)
Original Assignee
NetIQ Corporation (Open Text Corporation)
Inventors
Angelo, Michael F., Burch, Lloyd Leon
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US13/906,761
Publication Number

US 20140281509A1
Time in Patent Office

1,285 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 21/57   Certifying or maintaining t...

G06F 21/602   Providing cryptographic fac...

G06F 2221/2107   File encryption

G06F 9/45558   Hypervisor-specific managem...

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 9/08   Key distribution or managem...

H04L 9/3234   involving additional secure...

Techniques for secure data extraction in a virtual or cloud environment

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for secure data extraction in a virtual or cloud environment

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links