Techniques for secure data extraction in a virtual or cloud environment
Abstract
Techniques for secure data extraction in a virtual or cloud environment are presented. Desired data from a Virtual Machine (VM) or an entire VM is extracted and encrypted with a key. This key is sealed to a machine or a group of machines. The encrypted data is then migrated and successfully used on startup for instances of the VM by having the ability to access the sealed key (and unsealing it) to decrypt the encrypted data.
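The flow the abstract describes, as an added Node.js example (not code from the patent): the delta state is extracted relative to a base state, encrypted under a device-bound key, then decrypted and inserted into the base on the host. The function names, AES-256-GCM, HKDF and the use of a base-state digest as associated data are assumptions made for illustration. The VM key is assumed to be already unsealed from the TPM, and a shared symmetric `hostKey` stands in for the key specific to the target machine.

```javascript
const crypto = require('node:crypto');

// Delta state: entries of cur that are new or changed relative to base.
// State is modelled as {path: content}; deletions are out of scope here.
function delta(base, cur) {
  return Object.fromEntries(
    Object.entries(cur).filter(([k, v]) => base[k] !== v));
}

// Assumption: the VM key has already been unsealed from the TPM. The data key
// mixes it with a device-unique key, so another device derives a different key.
function dataKey(vmKey, deviceKey) {
  return Buffer.from(crypto.hkdfSync('sha256', vmKey, deviceKey, 'vm-delta', 32));
}

// Digest of the base state, fed to GCM as associated data (assumption) so an
// encrypted delta only validates against the base image it was taken from.
function baseDigest(base) {
  const canon = JSON.stringify(Object.entries(base).sort());
  return crypto.createHash('sha256').update(canon).digest();
}

// Returns iv (12 bytes) || tag (16 bytes) || ciphertext.
function sealDelta(d, base, vmKey, deviceKey) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', dataKey(vmKey, deviceKey), iv);
  c.setAAD(baseDigest(base));
  const ct = Buffer.concat([c.update(JSON.stringify(d), 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Host side: validate and decrypt, then insert the delta into the base state.
// Throws if the device key, base image or ciphertext does not match.
function restore(blob, base, vmKey, deviceKey) {
  const iv = blob.subarray(0, 12), tag = blob.subarray(12, 28);
  const dc = crypto.createDecipheriv('aes-256-gcm', dataKey(vmKey, deviceKey), iv);
  dc.setAAD(baseDigest(base));
  dc.setAuthTag(tag);
  const pt = Buffer.concat([dc.update(blob.subarray(28)), dc.final()]);
  return { ...base, ...JSON.parse(pt.toString('utf8')) };
}

// Constructed sample: two-file base image and a running VM that diverged.
const base = { '/etc/app.conf': 'mode=default', '/etc/motd': 'hello' };
const running = { ...base, '/etc/app.conf': 'mode=prod', '/var/db/secret': 's3cr3t' };
const vmKey = Buffer.alloc(32, 1), hostKey = Buffer.alloc(32, 2);
const blob = sealDelta(delta(base, running), base, vmKey, hostKey);
console.log(restore(blob, base, vmKey, hostKey));
```

Only the two changed entries travel in the encrypted blob; the base image is sent separately and in the clear, and a host holding a different key or a different base image fails the GCM tag check instead of starting the VM in a wrong state.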
15 Claims
1. A method implemented in a non-transitory machine-readable storage medium and processed by a device configured to perform the method, comprising:
- acquiring, by the device, an encryption key tailored for a virtual processing environment that when executed is a virtual machine (VM), wherein acquiring further includes obtaining the encryption key from a Trusted Platform Module (TPM) on of the device;
- identifying, by the device, selective data as a delta state of a virtual processing environment relative to a base state of the virtual processing environment;
- extracting, by the device, the selective data from the virtual processing environment as the delta state and storing the delta state in a file separate from storage maintained for the virtual processing environment on the device; and
- encrypting, by the device, the selective data with the encryption key using the delta state and a particular key unique to the device and when the virtual processing environment is to be started up sending the base state for the virtual processing environment to a host machine and then separately sending the encrypted delta state to the host machine, the host machine decrypting the encrypted delta state and inserting the decrypted delta state into the base state before initiating the virtual processing environment on the host machine in the delta state.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A method implemented in a non-transitory machine-readable storage medium and processed by a machine configured to perform the method, comprising:
- transmitting, by the machine, a base image of a virtual processing environment to a target machine, wherein when the virtual processing environment is to be executed on the target machine, the virtual processing environment represents a virtual machine;
- separately communicating and transmitting, via the machine, selective encrypted data representing a given state for the base image to the target machine, the selective encrypted data stored separately from storage on the machine having the base image; and
- instructing, via the machine, the target machine to initiate a running image of the virtual processing environment representing the base image for validating, decrypting, and inserting the selective encrypted data into the running image creating the given state for the virtual processing environment on the target machine when initiating the virtual processing environment for execution on the target machine, wherein decrypting further includes decrypting, by the target machine, the selective encrypted data using a particular key specific to the target machine and using the given state.
Dependent claims: 11, 12, 13, 14
15. A system, comprising:
- a machine memory configured with a virtual data extractor that processes on one or more processors of the machine;
- the machine or a different machine configured with a virtual machine (VM) secure data distributor;
- wherein the virtual data extractor is configured to selectively identify, extract, and encrypt data associated with a given state of a VM and store the given state separately from storage for the VM, and the VM secure data distributor is configured to first deliver a base image of the VM to a target machine and then separately deliver the encrypted data to the target machine that is to run an instance of the VM and instruct the target machine to validate, decrypt, and insert the encrypted data within the instance to recreate the given state of the VM using the given state and a particular key of the target machine to decrypt the encrypted data when initiating the VM on the target machine.
Specification