Methods and systems for attaching an encrypted data partition during the startup of an operating system

US 9,817,675 B1
Filed: 01/31/2017
Issued: 11/14/2017
Est. Priority Date: 01/31/2017
Status: Active Grant

First Claim

Patent Images

1. A method for attaching one or more encrypted data partitions of a data storage device during a startup of an operating system of a computing system, the computing system comprising a processor, a memory and the data storage device, the method comprising:

monitoring the startup of the operating system;

after execution of a windows initialization process (wininit.exe) but prior to execution of a service control manager process (services.exe), pausing the startup of the operating system, and attaching the one or more encrypted data partitions to the operating system by (i) retrieving one or more decryption keys corresponding to the one or more encrypted data partitions from a key management server communicatively coupled to the computing system, and (ii) transmitting the one or more retrieved decryption keys to a disk filter driver of the operating system, the disk filter driver providing the operating system with access to the one or more encrypted data partitions; and

resuming the startup of the operating system with the one or more encrypted data partitions attached to the operating system.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

During the startup of an operating system of a computing system, a monitoring process of the operating system is used to detect an entry point of a daemon manager process. In response to detecting the entry point, the startup process is paused, and an early attach process is launched so as to attach one or more encrypted data partitions to the operating system. As part of the early attach process, the network stack of the computing system may be initialized, which allows the early attach process to retrieve one or more decryption keys corresponding to the one or more encrypted data partitions from an external key management server. The one or more decryption keys may be transmitted to a disk filter driver of the operating system, which provides the operating system with access to the one or more encrypted data partitions. Upon the conclusion of the early attach process, the operating system startup process resumes with the one or more encrypted data partitions now accessible to the operating system.

17 Citations

View as Search Results

13 Claims

1. A method for attaching one or more encrypted data partitions of a data storage device during a startup of an operating system of a computing system, the computing system comprising a processor, a memory and the data storage device, the method comprising:
- monitoring the startup of the operating system;
  
  after execution of a windows initialization process (wininit.exe) but prior to execution of a service control manager process (services.exe), pausing the startup of the operating system, and attaching the one or more encrypted data partitions to the operating system by (i) retrieving one or more decryption keys corresponding to the one or more encrypted data partitions from a key management server communicatively coupled to the computing system, and (ii) transmitting the one or more retrieved decryption keys to a disk filter driver of the operating system, the disk filter driver providing the operating system with access to the one or more encrypted data partitions; and
  
  resuming the startup of the operating system with the one or more encrypted data partitions attached to the operating system.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein monitoring the startup of the operating system comprises monitoring execution of a session manager process (smss.exe), a client/server runtime subsystem process (csrss.exe) and the windows initialization process (wininit.exe).
  - 3. The method of claim 1, wherein the pausing of the startup of the operating system comprises delaying execution of the service control manager process (services.exe), a local security authority subsystem server process (lsass.exe) and a windows logon process (winlogon.exe) until the one or more encrypted data partitions have been attached to the operating system.
  - 4. The method of claim 1, wherein retrieving the one or more decryption keys from the key management server comprises:
    - gaining access to a network that communicatively couples the computing system to the key management server;
      
      converting a domain name of the key management server into an Internet protocol (IP) address of the key management server;
      
      transmitting a request from the computing system to the IP address of the key management server, the request requesting the one or more decryption keys from the key management server; and
      
      receiving by the computing system the one or more decryption keys from the key management server.
  - 5. The method of claim 4, wherein gaining access to the network comprises:
    - requesting a dynamic IP address of a network interface of the computing system from a dynamic host configuration protocol (DHCP) server; and
      
      initializing a transmission control protocol (TCP)/IP network stack using the dynamic IP address of the network interface of the computing system.
  - 6. The method of claim 4, wherein gaining access to the network comprises:
    - determining a static IP address of a network interface of the computing system from the operating system; and
      
      initializing a transmission control protocol (TCP)/IP network stack using the static IP address of the network interface of the computing system.
  - 7. The method of claim 1, wherein the disk filter driver communicatively couples a file system driver of the operating system with a disk driver of the operating system.

8. A computing system comprising a processor, a memory and a data storage device, the data storage device comprising instructions that, when executed by the processor, cause the processor to:
- monitor a startup of the operating system;
  
  after execution of a windows initialization process (wininit.exe) but prior to execution of a service control manager process (services.exe), pause the startup of the operating system, and attach one or more encrypted data partitions of the data storage device to the operating system by (i) retrieving one or more decryption keys corresponding to the one or more encrypted data partitions from a key management server communicatively coupled to the computing system, and (ii) transmitting the one or more retrieved decryption keys to a disk filter driver of the operating system, the disk filter driver providing the operating system with access to the one or more encrypted data partitions; and
  
  resume the startup of the operating system with the one or more encrypted data partitions attached to the operating system.
- View Dependent Claims (9, 10)
- - 9. The computing system of claim 8, wherein monitoring the startup of the operating system comprises monitoring execution of a session manager process (smss.exe), a client/server runtime subsystem process (csrss.exe) and the windows initialization process (wininit.exe).
  - 10. The computing system of claim 8, wherein the pausing of the startup of the operating system comprises delaying execution of the service control manager process (services.exe), a local security authority subsystem server process (lsass.exe) and a windows logon process (winlogon.exe) until the one or more encrypted data partitions have been attached to the operating system.

11. A non-transitory machine-readable storage medium comprising software instructions that, when executed by a processor of a computing system, cause the processor to:
- monitor a startup of the operating system;
  
  after execution of a windows initialization process (wininit.exe) but prior to execution of a service control manager process (services.exe), pause the startup of the operating system, and attach one or more encrypted data partitions of a data storage device of the computing system to the operating system by (i) retrieving one or more decryption keys corresponding to the one or more encrypted data partitions from a key management server communicatively coupled to the computing system, and (ii) transmitting the retrieved one or more decryption keys to a disk filter driver of the operating system, the disk filter driver providing the operating system with access to the one or more encrypted data partitions; and
  
  resume the startup of the operating system with the one or more encrypted data partitions attached to the operating system.
- View Dependent Claims (12, 13)
- - 12. The non-transitory machine-readable storage medium of claim 11, wherein monitoring the startup of the operating system comprises monitoring execution of a session manager process (smss.exe), a client/server runtime subsystem process (csrss.exe) and the windows initialization process (wininit.exe).
  - 13. The non-transitory machine-readable storage medium of claim 11, wherein the pausing of the startup of the operating system comprises delaying execution of the service control manager process (services.exe), a local security authority subsystem server process (lsass.exe) and a windows logon process (winlogon.exe) until the one or more encrypted data partitions have been attached to the operating system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Entrust Corp.
Original Assignee
HyTrust, Inc. (Entrust Corp.)
Inventors
Katchapalayam, Babu, Pate, Stephen D.
Primary Examiner(s)
Abbaszadeh, Jaweed A
Assistant Examiner(s)
Pandey, Keshab

Application Number

US15/421,291
Time in Patent Office

287 Days
Field of Search

713300, 713310, 713320, 713321, 713322, 713323, 713324, 713330, 713345, 713370
US Class Current
CPC Class Codes

G06F 1/32   Means for saving power

G06F 21/575   Secure boot

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 9/44   Arrangements for executing ...

G06F 9/4406   Loading of operating system

G06F 9/4411   Configuring for operating w...

G06F 9/4418   Suspend and resume; Hiberna...

H04L 9/083   involving central third par...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

Methods and systems for attaching an encrypted data partition during the startup of an operating system

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for attaching an encrypted data partition during the startup of an operating system

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links