Protecting virtual machine data in cloud environments

US 9,892,265 B1
Filed: 03/31/2015
Issued: 02/13/2018
Est. Priority Date: 03/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a request for requested data at an encryption virtual machine, wherein the requested data is encrypted,the encryption virtual machine is configured to receive the request from a plurality of application virtual machines via a plurality of loaders,the requested data comprises one or more operating system modules, andthe operating system modules are configured to be used by the plurality of application virtual machines;

accessing the requested data in a storage volume, whereinthe storage volume is communicatively coupled to the encryption virtual machine,the encryption virtual machine is coupled between the plurality of application virtual machines and the storage volume,the requested data is retrieved from the storage volume, andthe requested data is decrypted at the encryption virtual machine; and

sending the decrypted data to the plurality of loaders.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various systems, methods, and processes to protect virtual machine data in a cloud environment are disclosed. A request for requested data is received at an encryption virtual machine. The requested data is encrypted, and the encryption virtual machine is configured to receive the request from an application virtual machine via a loader. The requested data includes one or more operating system modules, and the operating system modules are configured to be used by the application virtual machine. The requested data is accessed in a storage volume, which is communicatively coupled to the encryption virtual machine. The requested data is then retrieved from the storage volume and decrypted at the encryption virtual machine. The decrypted data is then sent to the loader.

71 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving a request for requested data at an encryption virtual machine, wherein the requested data is encrypted,the encryption virtual machine is configured to receive the request from a plurality of application virtual machines via a plurality of loaders,the requested data comprises one or more operating system modules, andthe operating system modules are configured to be used by the plurality of application virtual machines;
  
  accessing the requested data in a storage volume, whereinthe storage volume is communicatively coupled to the encryption virtual machine,the encryption virtual machine is coupled between the plurality of application virtual machines and the storage volume,the requested data is retrieved from the storage volume, andthe requested data is decrypted at the encryption virtual machine; and
  
  sending the decrypted data to the plurality of loaders.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, whereinthe one or more operating system modules comprise operating system data, andthe operating system data is used by a loader of the plurality of loaders to boot an application virtual machine of the plurality of application virtual machines.
  - 3. The method of claim 1, whereinthe storage volume is not communicatively coupled to the plurality of application virtual machines.
  - 4. The method of claim 2, whereinthe loader implements a Storage Area Network (SAN) client,the encryption virtual machine implements a SAN target, andthe SAN client serves the application virtual machine with the decrypted data sent to the loader from the SAN target.
  - 5. The method of claim 2, further comprising:
    - accessing a map file in the encryption virtual machine prior to accessing the requested data in a storage volume, whereinthe map file comprises an encryption key associated with the application virtual machine,the map file maintains a mapping between the application virtual machine and the encryption key associated with the application virtual machine, andthe map file comprises a location of the requested data in the storage volume.
  - 6. The method of claim 2, whereinthe loader is communicatively coupled to both the application virtual machine and the encryption virtual machine.
  - 7. The method of claim 4, whereinthe SAN client uses Internet Small Computer System Interface (iSCSI) protocol to send the request for data to the SAN target;
    - andthe SAN target uses the iSCSI protocol to send the decrypted data to the SAN client.
  - 8. The method of claim 2, whereinthe loader is implemented in a virtual disk, the loader is a boot loader, and the virtual disk is an iPXE disk.

9. A non-transitory computer readable storage medium comprising program instructions executable to:
- receive a request for requested data at an encryption virtual machine, wherein the requested data is encrypted,the encryption virtual machine is configured to receive the request from a plurality of application virtual machines via a plurality of loaders,the requested data comprises one or more operating system modules, andthe operating system modules are configured to be used by the plurality of application virtual machines;
  
  access the requested data in a storage volume, whereinthe storage volume is communicatively coupled to the encryption virtual machine,the encryption virtual machine is coupled between the plurality of application virtual machines and the storage volume,the requested data is retrieved from the storage volume, andthe requested data is decrypted at the encryption virtual machine; and
  
  send the decrypted data to the plurality of loaders.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The non-transitory computer readable storage medium of claim 9, whereinthe one or more operating system modules comprise operating system data, andthe operating system data is used by a loader of the plurality of loaders to boot an application virtual machine of the plurality of application virtual machines, andthe storage volume is not communicatively coupled to the application virtual machine.
  - 11. The non-transitory computer readable storage medium of claim 10, whereinthe loader implements a Storage Area Network (SAN) client,the encryption virtual machine implements a SAN target,the SAN client serves the application virtual machine with the decrypted data sent to the loader from the SAN target,the SAN client uses Internet Small Computer System Interface (iSCSI) protocol to send the request for data to the SAN target;
    - andthe SAN target uses the iSCSI protocol to send the decrypted data to the SAN client.
  - 12. The non-transitory computer readable storage medium of claim 10, further comprising:
    - accessing a map file in the encryption virtual machine prior to accessing the requested data in a storage volume, whereinthe map file comprises an encryption key associated with the application virtual machine,the map file maintains a mapping between the application virtual machine and the encryption key associated with the application virtual machine, andthe map file comprises a location of the requested data in the storage volume.
  - 13. The non-transitory computer readable storage medium of claim 10, whereinthe loader is communicatively coupled to both the application virtual machine and the encryption virtual machine.
  - 14. The non-transitory computer readable storage medium of claim 10, whereinthe loader is implemented in a virtual disk,the loader is a boot loader, andthe virtual disk is an iPXE disk.

15. A system comprising:
- one or more hardware processors; and
  
  a memory coupled to the one or more hardware processors, wherein the memory stores program instructions executable by the one or more hardware processors to;
  
  receive a request for requested data at an encryption virtual machine, wherein the requested data is encrypted,the encryption virtual machine is configured to receive the request from a plurality of application virtual machines via a plurality of loaders,the requested data comprises one or more operating system modules, andthe operating system modules are configured to be used by the plurality of application virtual machines;
  
  access the requested data in a storage volume, whereinthe storage volume is communicatively coupled to the encryption virtual machine,the encryption virtual machine is coupled between the plurality of application virtual machines and the storage volume,the requested data is retrieved from the storage volume, andthe requested data is decrypted at the encryption virtual machine; and
  
  send the decrypted data to the plurality of loaders.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, whereinthe one or more operating system modules comprise operating system data, andthe operating system data is used by a loader of the plurality of loaders to boot an application virtual machine of the plurality of application virtual machines, andthe storage volume is not communicatively coupled to the application virtual machine.
  - 17. The system of claim 16, whereinthe loader implements a Storage Area Network (SAN) client,the encryption virtual machine implements a SAN target,the SAN client serves the application virtual machine with the decrypted data sent to the loader from the SAN target,the SAN client uses Internet Small Computer System Interface (iSCSI) protocol to send the request for data to the SAN target;
    - andthe SAN target uses the iSCSI protocol to send the decrypted data to the SAN client.
  - 18. The system of claim 16, further comprising:
    - accessing a map file in the encryption virtual machine prior to accessing the requested data in a storage volume, whereinthe map file comprises an encryption key associated with the application virtual machine,the map file maintains a mapping between the application virtual machine and the encryption key associated with the application virtual machine, andthe map file comprises a location of the requested data in the storage volume.
  - 19. The system of claim 16, whereinthe loader is communicatively coupled to both the application virtual machine and the encryption virtual machine.
  - 20. The system of claim 16, whereinthe loader is implemented in a virtual disk,the loader is a boot loader, andthe virtual disk is an iPXE disk.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Veritas Technologies, LLC (Whitehouse Group Ltd.)
Original Assignee
Veritas Technologies, LLC (Whitehouse Group Ltd.)
Inventors
Tripathy, Soumya, Ghosh, Subhadeep
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
Savenkov, Vadim

Application Number

US14/674,205
Time in Patent Office

1,050 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/602   Providing cryptographic fac...

G06F 9/4406   Loading of operating system

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

Protecting virtual machine data in cloud environments

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

71 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting virtual machine data in cloud environments

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

71 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links