Encryption system in a virtualized environment
First Claim
1. An encryption system comprising:
a plurality of computing devices;
a set of computers for (i) providing to the computing devices encryption configuration data that specifies how data messages from the computing devices have to be encrypted, (ii) collecting key-usage statistics from a set of the computing devices, (iii) determining whether the set of computing devices needs to use at least one new key based on the collected key-usage statistics from the set of computing devices, and (iv) directing the computing devices to use new keys based on the determination that the set of computing devices needs to use at least one new key; and
a set of key managers for the computing devices to access to retrieve encryption keys for encrypting data messages sent by the computing devices;
wherein the set of computers does not store any encryption key used by the computing devices to encrypt data messages sent by the computing devices.
Abstract
For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the method determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts the data messages of different GVMs that execute on the host differently. When two different GVMs are part of two different logical overlay networks that are implemented on a common network fabric, the method in some embodiments encrypts the data messages exchanged between the GVMs of one logical network differently than the data messages exchanged between the GVMs of another logical network. In some embodiments, the method can also encrypt different types of data messages from the same GVM differently. Also, in some embodiments, the method can dynamically enforce encryption rules in response to dynamically detected events, such as malware infections.
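The abstract and claim 1 describe three roles: a controller that distributes rules and key identifiers and collects key-usage statistics but holds no key material, a key manager that hosts query with credentials, and a host that encrypts or forwards each GVM message according to the rules. The following is an added example that models that split in Python; it is not code from the patent. Everything in it is an assumption for illustration: the class names (Controller, KeyManager, Host, Rule), the byte-count rotation threshold, the "malware" event that forces encryption for a network, and the stand-in cipher (an HMAC-SHA256 keystream with an encrypt-then-MAC tag, used only so the example runs with the standard library). The point is the rule dispatch, the per-network keys, and the key lifecycle, not the primitive.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Stand-in cipher (stdlib only, assumption for this example): HMAC-SHA256 keystream, encrypt-then-MAC.
# Wire format: key_id (8 chars) || 12-byte nonce || ciphertext || 32-byte tag.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key_id: str, key: bytes, pt: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    header = key_id.encode() + secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, header[8:], len(pt))))
    return header + ct + hmac.new(mac_key, header + ct, hashlib.sha256).digest()

def key_id_of(blob: bytes) -> str:
    return blob[:8].decode()   # receiver uses this to decide which key to fetch

def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    header, ct, tag = blob[:20], blob[20:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, header + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, header[8:], len(ct))))

@dataclass
class Rule:
    logical_net: str               # overlay network of the sending GVM
    msg_type: Optional[str]        # e.g. "http"; None matches every type
    encrypt: bool
    key_id: Optional[str] = None   # identifier only; key bytes live in KeyManager

class KeyManager:
    """The only component that stores key material; hosts must present a credential."""
    def __init__(self, credential: str):
        self._cred = credential
        self._keys: Dict[str, bytes] = {}
    def create_key(self) -> str:
        key_id = secrets.token_hex(4)
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id
    def fetch(self, credential: str, key_id: str) -> bytes:
        if not hmac.compare_digest(credential, self._cred):
            raise PermissionError("key manager rejected credential")
        return self._keys[key_id]

class Controller:
    """Holds rules, key ids and usage counters; never key bytes (claim 1, last element)."""
    def __init__(self, km: KeyManager, rotate_after_bytes: int):
        self.km, self.limit = km, rotate_after_bytes
        self.rules: List[Rule] = []
        self.usage: Dict[str, int] = {}
    def add_rule(self, net: str, msg_type: Optional[str] = None, encrypt: bool = True) -> Rule:
        rule = Rule(net, msg_type, encrypt, self.km.create_key() if encrypt else None)
        self.rules.insert(0, rule)   # newest rule is matched first
        return rule
    def report_usage(self, stats: Dict[str, int]) -> List[Tuple[str, str]]:
        """Hosts report bytes encrypted per key id; returns (old_id, new_id) rotations ordered."""
        rotations = []
        for key_id, n in stats.items():
            self.usage[key_id] = self.usage.get(key_id, 0) + n
            if self.usage[key_id] >= self.limit:
                new_id = self.km.create_key()
                for r in self.rules:
                    if r.key_id == key_id:
                        r.key_id = new_id       # directs hosts to the new key
                rotations.append((key_id, new_id))
                self.usage.pop(key_id)
        return rotations
    def on_event(self, event: str, net: str) -> None:
        """Dynamic enforcement: a malware alert forces encryption for that network."""
        if event == "malware":
            self.add_rule(net, None, True)

class Host:
    """Applies the controller's rules to each GVM data message before forwarding it."""
    def __init__(self, ctrl: Controller, credential: str):
        self.ctrl, self.cred = ctrl, credential
        self._cache: Dict[str, bytes] = {}
        self.stats: Dict[str, int] = {}
    def _key(self, key_id: str) -> bytes:
        if key_id not in self._cache:
            self._cache[key_id] = self.ctrl.km.fetch(self.cred, key_id)
        return self._cache[key_id]
    def send(self, net: str, msg_type: str, payload: bytes) -> bytes:
        for r in self.ctrl.rules:     # rules read from the controller here; a real host gets them pushed
            if r.logical_net == net and r.msg_type in (None, msg_type):
                if not r.encrypt:
                    return payload
                self.stats[r.key_id] = self.stats.get(r.key_id, 0) + len(payload)
                return seal(r.key_id, self._key(r.key_id), payload)
        return payload                # no matching rule: forward unencrypted
    def flush_stats(self) -> List[Tuple[str, str]]:
        stats, self.stats = self.stats, {}
        return self.ctrl.report_usage(stats)
```

Two design points worth noticing: the controller's state contains only strings and integers, so compromising it yields rules and key ids but no key material, and rotation is driven by the usage statistics the hosts report rather than by a fixed schedule, which is the behaviour claim 1 elements (ii) through (iv) describe.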
72 Citations
20 Claims
1. (Independent claim; text as given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16.
17. For a system that comprises a plurality of computer devices, an encryption method comprising:
to a computing device, providing encryption configuration data that specifies how data messages from the computing device have to be encrypted;
to the computing device, providing credentials for accessing a set of key managers to access to retrieve encryption keys for encrypting data messages sent by the computing device;
collecting key-usage statistics from a set of computing devices;
determining whether the set of computing devices needs to use at least one new key based on collected key-usage statistics from the plurality of computing devices; and
directing the set of computing devices to use new keys based on the determination that the set of computing devices needs to use at least one new key,
wherein the plurality of computer devices does not store any encryption key used by the computing device to encrypt data messages sent by the computing device.
Dependent claims: 18, 19, 20.
Specification