Data encryption for virtual workspaces
First Claim
1. A computer-implemented method, comprising:
- receiving a user request to access a workspace, the user request associated with a user having access credentials under a customer account with a provider of a multi-tenant environment;
- allocating a virtual machine instance to execute the workspace, the virtual machine instance being configured using a machine image for the workspace and provided using a physical resource of the multi-tenant environment;
- allocating a first storage volume for the workspace, the first storage volume provided using a network-attached, block-based storage system of the multi-tenant environment, the first storage volume encrypted using a first data encryption key and storing data from a workspace snapshot identified by the machine image;
- creating a copy snapshot corresponding to the workspace snapshot;
- obtaining a new data encryption key using a current workspace context and the master key for the customer account;
- allocating a second storage volume for the workspace using the network-attached, block-based storage system, the second storage volume encrypted using the new data encryption key and storing data from the copy snapshot; and
- causing the second storage volume to be attached to the virtual machine instance for the workspace, wherein a storage manager for the workspace is able to encrypt transmissions of data between the virtual machine instance and the second storage volume using the new data encryption key that is specific to the current workspace context.
Abstract
Virtual workspaces can be provided using shared resources and network-attached storage. A workspace accessed under a customer account has a unique key generated from a combination of a customer master key and an encryption context. The encryption context is specific to the workspace and may include, for example, a hash of workspace-specific values. When a new instance is generated, a first data volume is created using a machine image and a data snapshot encrypted under the current encryption key. The snapshot is copied to a new snapshot, and a new encryption key is obtained from the customer master key and the current encryption context. The copied snapshot is used to create a new data volume encrypted under the new encryption key. The new volume is attached to the workspace instance so that data transmitted between the workspace and the new volume is encrypted under the volume-specific encryption key.
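The key flow the abstract describes, as an added example that is not from the patent or any provider's implementation: a per-volume data encryption key is derived from a customer master key plus a hash of a canonicalised workspace context, and a snapshot encrypted under the image's key is re-encrypted under the new volume's key. The HKDF construction, the context field names, the sample master key and the HMAC-based keystream standing in for a real block cipher are all assumptions made here.

```python
import hashlib
import hmac
import json

def hkdf_sha256(master_key: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with an empty salt: extract, then expand with info."""
    prk = hmac.new(b"\x00" * 32, master_key, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def workspace_context_hash(context: dict) -> bytes:
    """Canonicalise the workspace context (sorted, compact JSON) before hashing,
    so the same context always reproduces the same key material."""
    canonical = json.dumps(context, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).digest()

def derive_volume_dek(customer_master_key: bytes, context: dict) -> bytes:
    """Volume DEK = HKDF(customer master key, info = label || H(context))."""
    return hkdf_sha256(customer_master_key, b"workspace-volume-dek" + workspace_context_hash(context))

def keystream_xor(dek: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed stand-in for a real cipher (use AES-GCM or AES-XTS in practice):
    an HMAC counter keystream XORed over the data, so the flow runs offline."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(dek, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def rekey_snapshot(snapshot_ct: bytes, old_dek: bytes, new_dek: bytes, nonce: bytes) -> bytes:
    """Copy snapshot: decrypt under the image volume's DEK, re-encrypt under the
    DEK that is specific to the new workspace context."""
    plaintext = keystream_xor(old_dek, nonce, snapshot_ct)
    return keystream_xor(new_dek, nonce, plaintext)

# Constructed sample values; a real customer master key never leaves the KMS.
CUSTOMER_MASTER_KEY = bytes(range(32))
IMAGE_CONTEXT = {"account": "acct-123", "workspace": "ws-image", "volume": "vol-0"}
NEW_CONTEXT = {"account": "acct-123", "workspace": "ws-7", "instance": "i-42", "volume": "vol-1"}
NONCE = b"\x01" * 8
```

Because the DEK is a deterministic function of the master key and context, a detached volume can be re-opened later by re-deriving the key, while a different workspace context yields an unrelated key.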
20 Claims
1. A computer-implemented method, comprising:
- receiving a user request to access a workspace, the user request associated with a user having access credentials under a customer account with a provider of a multi-tenant environment;
- allocating a virtual machine instance to execute the workspace, the virtual machine instance being configured using a machine image for the workspace and provided using a physical resource of the multi-tenant environment;
- allocating a first storage volume for the workspace, the first storage volume provided using a network-attached, block-based storage system of the multi-tenant environment, the first storage volume encrypted using a first data encryption key and storing data from a workspace snapshot identified by the machine image;
- creating a copy snapshot corresponding to the workspace snapshot;
- obtaining a new data encryption key using a current workspace context and the master key for the customer account;
- allocating a second storage volume for the workspace using the network-attached, block-based storage system, the second storage volume encrypted using the new data encryption key and storing data from the copy snapshot; and
- causing the second storage volume to be attached to the virtual machine instance for the workspace, wherein a storage manager for the workspace is able to encrypt transmissions of data between the virtual machine instance and the second storage volume using the new data encryption key that is specific to the current workspace context.

Dependent claims: 2, 3, 4.

5. A computer-implemented method, comprising:
- receiving a request to access a virtual desktop, the virtual desktop executing on a compute instance in a multi-tenant environment, the compute instance associated with a machine image;
- allocating the compute instance, the compute instance configured according to the machine image;
- allocating a first storage volume using a network-attached storage resource of the multi-tenant environment, the first storage volume encrypted using a first encryption key and associated with data from a stored snapshot corresponding to the machine image;
- creating a copy snapshot corresponding to the stored snapshot;
- obtaining a new encryption key using information about the compute instance;
- allocating a second storage volume using the network-attached storage resource, the second storage volume encrypted using the new encryption key and storing data from the copy snapshot; and
- causing the second storage volume to be attached to the compute instance, wherein transmissions between the compute instance and the second storage volume are encrypted using the new encryption key.

Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13, 14.

15. A system, comprising:
- at least one processor; and
- memory including instructions that, when executed by the at least one processor, cause the system to:
  - receive a request to access a virtual desktop, the virtual desktop executing on a compute instance in a multi-tenant environment, the compute instance associated with a machine image;
  - allocate the compute instance, the compute instance configured according to the machine image;
  - allocate a first storage volume using a network-attached storage resource of the multi-tenant environment, the first storage volume encrypted using a first encryption key and associated with data from a stored snapshot corresponding to the machine image;
  - create a copy snapshot corresponding to the stored snapshot;
  - obtain a new encryption key using information about the compute instance;
  - allocate a second storage volume using the network-attached storage resource, the second storage volume encrypted using the new encryption key and storing data from the copy snapshot; and
  - cause the second storage volume to be attached to the compute instance, wherein transmissions between the compute instance and the second storage volume are encrypted using the new encryption key.

Dependent claims: 16, 17, 18, 19, 20.
Specification