Virtual machine image encryption

US 9,934,382 B2
Filed: 10/28/2014
Issued: 04/03/2018
Est. Priority Date: 10/28/2013
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for encrypting a virtual machine image, the method comprising:

locating an encrypted virtual machine image including an encryption boot loader;

extracting the encryption boot loader from the encrypted virtual machine image;

transmitting the extracted encryption boot loader to a designated trustee;

placing a pre-boot execution environment (PXE) on the encrypted virtual machine image; and

booting an operation system associated with the encrypted virtual machine image, wherein booting the operating system associated with encrypted virtual machine image includes;

receiving, from the PXE of the encrypted virtual machine image, a signal to initiate retrieval of the encryption boot loader from the designated trustee;

responsive to the signal from the PXE, retrieving the encryption boot loader from the designated trustee;

updating the encrypted virtual machine image to include the encryption boot loader; and

booting the operating system at the encrypted virtual machine using the encryption boot loader.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present disclosure include systems and methods for encrypting a virtual machine image and accessing an encrypted virtual machine image. According to some embodiments an encryption module can encrypt a virtual machine image and place an encryption boot loader. The encryption boot loader may be extracted from the encrypted virtual machine image, be transmitted to, and stored at a key storage system. Upon a request to boot an operating system associated with the encrypted virtual machine image, a pre-boot execution environment may communicate with an image service to retrieve the encryption boot loader from the remote key storage system. The virtual machine image may therefore be decrypted suing the encryption boot loader, which may allow booting of the operating system.

161 Citations

14 Claims

1. A computer implemented method for encrypting a virtual machine image, the method comprising:
- locating an encrypted virtual machine image including an encryption boot loader;
  
  extracting the encryption boot loader from the encrypted virtual machine image;
  
  transmitting the extracted encryption boot loader to a designated trustee;
  
  placing a pre-boot execution environment (PXE) on the encrypted virtual machine image; and
  
  booting an operation system associated with the encrypted virtual machine image, wherein booting the operating system associated with encrypted virtual machine image includes;
  
  receiving, from the PXE of the encrypted virtual machine image, a signal to initiate retrieval of the encryption boot loader from the designated trustee;
  
  responsive to the signal from the PXE, retrieving the encryption boot loader from the designated trustee;
  
  updating the encrypted virtual machine image to include the encryption boot loader; and
  
  booting the operating system at the encrypted virtual machine using the encryption boot loader.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - transmitting a decryption key associated with the encrypted virtual machine image to the designated trustee.
  - 3. The method of claim 1, further comprising:
    - encrypting the virtual machine image; and
      
      inserting the encryption boot loader into the encrypted virtual machine image.
  - 4. The method of claim 1, further comprising transmitting the encrypted virtual machine image to a public cloud computing platform.
  - 5. The method of claim 1, wherein the encrypted virtual machine image represents a virtual machine environment with one or more encrypted storage partitions.
  - 6. The method of claim 1, wherein booting the operating system associated with the encrypted virtual machine image, further comprises:
    - verifying the identity of the encrypted virtual machine image from which the signal was received;
      
      responsive to verification of the encrypted virtual machine image, retrieving a decryption key associated with the encrypted virtual machine image from the designated trustee;
      
      processing the retrieved encryption boot loader by injecting the retrieved decryption key in to the encryption boot loader; and
      
      performing a pre-boot authentication of the encrypted virtual machine image using the processed encryption boot loader.
  - 7. The method of claim 1, wherein retrieving the encryption boot loader from the designated trustee includes:
    - sending a request to a server coupled to a data repository storing the encryption boot loader;
      
      wherein the storage of encryption boot loader is associated with a plurality of trustees; and
      
      retrieving the encryption boot loader only if, the request is authorized;
      
      wherein the request is authorized based on the application at the server of a trustee policy to responses by the one or more designated trustees to the request.

8. A system comprising:
- a processor; and
  
  a memory having instructions stored thereon, which when executed by the processor, cause the system to;
  
  locate an encrypted virtual machine image including an encryption boot loader;
  
  extract the encryption boot loader from an encrypted virtual machine image;
  
  transmit the extracted encryption boot loader to a designated trustee;
  
  place a pre-boot execution environment (PXE) on the encrypted virtual machine image; and
  
  boot an operation system associated with the encrypted virtual machine image, wherein the instructions in the memory to boot the operating system include further instructions, which when executed by the processor, cause the system to;
  
  receive, from the PXE of the encrypted virtual machine image, a signal to initiate retrieval of the encryption boot loader from the designated trustee;
  
  retrieve the encryption boot loader from the designated trustee in response to the received signal from the PXE;
  
  update the encrypted virtual machine image to include the encryption boot loader; and
  
  boot the operating system at the encrypted virtual machine using the encryption boot loader.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the memory has further instructions, which when executed by the processor, cause the system to:
    - transmit a decryption key associated with the encrypted virtual machine image to the designated trustee.
  - 10. The system of claim 8, wherein the memory has further instructions, which when executed by the processor, cause the system to:
    - encrypt the virtual machine image; and
      
      insert the encryption boot loader into the encrypted virtual machine image.
  - 11. The system of claim 8, wherein the memory has further instructions, which when executed by the processor, cause the system to:
    - transmit, via a network, the encrypted virtual machine image to a public cloud computing platform.
  - 12. The system of claim 8, wherein the encrypted virtual machine image represents a virtual machine environment with one or more encrypted storage partitions.
  - 13. The system of claim 8, wherein the instructions in the memory to boot the operating system include further instructions, which when executed by the processor, cause the system to:
    - verify the identity of the encrypted virtual machine image from which the signal was received;
      
      retrieve a decryption key associated with the encrypted virtual machine image from the designated trustee, in response to verification of the encrypted virtual machine image;
      
      process the retrieved encryption boot loader by injecting the retrieved decryption key in to the encryption boot loader; and
      
      perform a pre-boot authentication of the encrypted virtual machine image using the processed encryption boot loader.
  - 14. The system of claim 8, wherein the instructions in the memory to retrieve the encryption boot loader from the designated trustee, include further instructions, which when executed by the processor, cause the system to:
    - send a request to a server coupled to a data repository storing the encryption boot loader;
      
      wherein the storage of encryption boot loader is associated with a plurality of trustees; and
      
      retrieve the encryption boot loader only if, the request is authorized;
      
      wherein the request is authorized based on the application at the server of a trustee policy to responses to the request by the one or more designated trustees.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cloudera Incorporated
Original Assignee
Cloudera Incorporated
Inventors
Garcia, Eduardo
Primary Examiner(s)
To, Baotran N

Application Number

US14/526,372
Publication Number

US 20160350535A1
Time in Patent Office

1,253 Days
Field of Search

713189, 713 2
US Class Current
CPC Class Codes

G06F 2009/45575   Starting, stopping, suspend...

G06F 21/572   Secure firmware programming...

G06F 21/575   Secure boot

G06F 2221/033   Test or assess software

G06F 2221/2107   File encryption

G06F 2221/2115   Third party

G06F 9/4406   Loading of operating system

G06F 9/45558   Hypervisor-specific managem...

Virtual machine image encryption

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

161 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual machine image encryption

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

161 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links