Map-based rapid data encryption policy compliance
First Claim
1. A method implemented in a computing device, the method comprising:
- accessing an encrypted chunks map of a storage volume to comply with a policy for the computing device, the encrypted chunks map grouping sectors of the storage volume into one or more chunks and indicating for each chunk whether sectors in the chunk are unencrypted or encrypted, the policy indicating that data written by the computing device to the storage volume after activation of the policy be encrypted;
in response to a request to write data to a sector of the storage volume;
identifying a chunk that includes the sector of the storage volume to which the data is requested to be written; and
determining, using the encrypted chunks map, whether the identified chunk is unencrypted;
in response to determining the identified chunk is not unencrypted;
encrypting the data to be written; and
writing the encrypted data to the sector of the storage volume to which the data is requested to be written; and
in response to determining the identified chunk is unencrypted;
encrypting sectors included in the identified chunk;
updating the encrypted chunks map;
encrypting the data to be written; and
writing the encrypted data to the sector of the storage volume to which the data is requested to be written.
2 Assignments
0 Petitions
Accused Products
Abstract
To comply with a policy for a computing device indicating that data written by the computing device to the storage volume after activation of the policy be encrypted, a sector map is accessed. The sector map identifies one or more sectors of a storage volume and also identifies, for each of the one or more sectors of the storage volume, a signature of the content of the sector. In response to a request to read the content of a sector, the content of the sector is returned without decrypting the content if the sector is one of the one or more sectors and the signature of the content of the sector matches the signature of the sector identified in the sector map. Otherwise, the content of the sector is decrypted and the decrypted content is returned.
-
Citations
20 Claims
-
1. A method implemented in a computing device, the method comprising:
-
accessing an encrypted chunks map of a storage volume to comply with a policy for the computing device, the encrypted chunks map grouping sectors of the storage volume into one or more chunks and indicating for each chunk whether sectors in the chunk are unencrypted or encrypted, the policy indicating that data written by the computing device to the storage volume after activation of the policy be encrypted; in response to a request to write data to a sector of the storage volume; identifying a chunk that includes the sector of the storage volume to which the data is requested to be written; and determining, using the encrypted chunks map, whether the identified chunk is unencrypted; in response to determining the identified chunk is not unencrypted; encrypting the data to be written; and writing the encrypted data to the sector of the storage volume to which the data is requested to be written; and in response to determining the identified chunk is unencrypted; encrypting sectors included in the identified chunk; updating the encrypted chunks map; encrypting the data to be written; and writing the encrypted data to the sector of the storage volume to which the data is requested to be written. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. A computing device comprising:
-
one or more hardware processors; and one or more computer storage media devices having stored thereon multiple instructions that, when executed by the one or more processors to, cause the one or more processors to; access an encrypted chunks map of a storage volume to comply with a policy for the computing device, the encrypted chunks map grouping sectors of the storage volume into one or more chunks and indicating for each chunk whether sectors in the chunk are unencrypted or encrypted, the policy indicating that data written by the computing device to the storage volume after activation of the policy be encrypted; in response to a request to write data to a sector of the storage volume; identify a chunk that includes the sector of the storage volume to which the data is requested to be written; and determine, using the encrypted chunks map, whether the identified chunk is unencrypted; in response to determining the identified chunk is not unencrypted; encrypt the data to be written; and write the encrypted data to the sector of the storage volume to which the data is requested to be written; and in response to determining the identified chunk is unencrypted; read the sectors included in the identified chunk; replace, from the read sectors, the content of the sector being written to with the data begin written to the sector; encrypt the sectors included in the identified chunk, including the replaced sector; write the encrypted content of the sectors included in the identified chunk to the storage volume. - View Dependent Claims (12, 13, 14)
-
-
15. A method comprising:
-
receiving, by a computing device, a request to activate a policy for the computing device, the policy indicating that data written by the computing device to a storage volume after activation of the policy be encrypted; activating, in response to the request, the policy for the computing device, including; encrypting data written to the storage volume after returning an indication of compliance with the policy, using a map to identify one or more collections of content on the storage volume that are not encrypted, the map identifying one or more collections of content written to prior to the map being locked to prohibit changes to the map and the map including signatures of collections of content that were written to the storage volume prior to the map being locked, data written to the storage volume after the map is locked being encrypted but at least some data written to the storage volume before the map is locked not being encrypted, and using the map to determine whether to decrypt a collection of content in response to a request to read the collection of content; and returning, in response to the request to activate the policy, the indication of compliance with the policy despite at least part of the storage volume being unencrypted. - View Dependent Claims (16, 17, 18, 19, 20)
-
Specification