Data encryption for virtual workspaces

US 10,346,618 B1
Filed: 03/24/2017
Issued: 07/09/2019
Est. Priority Date: 03/24/2017
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving a user request to access a workspace, the user request associated with a user having access credentials under a customer account with a provider of a multi-tenant environment;

allocating a virtual machine instance to execute the workspace, the virtual machine instance being configured using a machine image for the workspace and provided using a physical resource of the multi-tenant environment;

allocating a first storage volume for the workspace, the first storage volume provided using a network-attached, block-based storage system of the multi-tenant environment, the first storage volume encrypted using a first data encryption key and storing data from a workspace snapshot identified by the machine image;

creating a copy snapshot corresponding to the workspace snapshot;

obtaining a new data encryption key using a current workspace context and the master key for the customer account;

allocating a second storage volume for the workspace using the network-attached, block-based storage system, the second storage volume encrypted using the new data encryption key and storing data from the copy snapshot; and

causing the second storage volume to be attached to the virtual machine instance for the workspace, wherein a storage manager for the workspace is able to encrypt transmissions of data between the virtual machine instance and the second storage volume using the new data encryption key that is specific to the current workspace context.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Virtual workspaces can be provided using shared resources and network-attached storage. A workspace accessed under a customer account has a unique key generated using a combination of a customer master key and an encryption context. The encryption context is specific to the workspace, such as may include a hash of specific values for the workspace. When a new instance is generated, a first data volume is generated using a machine image and data snapshot encrypted under a current encryption key. The snapshot is copied to a new snapshot, and a new encryption key obtained that is based on the customer master key and the current encryption context. The snapshot is used to create a new data volume encrypted under the new encryption key. The new volume is attached to the workspace instance such that data transmitted between the workspace and the new volume is encrypted under the volume-specific encryption key.

14 Citations

View as Search Results

20 Claims

1. A computer-implemented method, comprising:
- receiving a user request to access a workspace, the user request associated with a user having access credentials under a customer account with a provider of a multi-tenant environment;
  
  allocating a virtual machine instance to execute the workspace, the virtual machine instance being configured using a machine image for the workspace and provided using a physical resource of the multi-tenant environment;
  
  allocating a first storage volume for the workspace, the first storage volume provided using a network-attached, block-based storage system of the multi-tenant environment, the first storage volume encrypted using a first data encryption key and storing data from a workspace snapshot identified by the machine image;
  
  creating a copy snapshot corresponding to the workspace snapshot;
  
  obtaining a new data encryption key using a current workspace context and the master key for the customer account;
  
  allocating a second storage volume for the workspace using the network-attached, block-based storage system, the second storage volume encrypted using the new data encryption key and storing data from the copy snapshot; and
  
  causing the second storage volume to be attached to the virtual machine instance for the workspace, wherein a storage manager for the workspace is able to encrypt transmissions of data between the virtual machine instance and the second storage volume using the new data encryption key that is specific to the current workspace context.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, further comprising:
    - determining context information for the workspace, the context information including one or more values for identified workspace parameters; and
      
      generating a hash of the context information to obtain the current workspace context.
  - 3. The computer-implemented method of claim 1, further comprising:
    - sending the current workspace context to a key management service storing the master key for the customer account, the master key unexportable from the key management service, wherein the key management service is enabled to generate the new data encryption key using the master key and the current workspace context.
  - 4. The computer-implemented method of claim 1, further comprising:
    - pausing the virtual machine instance before creating the copy snapshot; and
      
      resuming the virtual machine instance after the second storage volume is attached to the virtual machine instance.

5. A computer-implemented method, comprising:
- receiving a request to access a virtual desktop, the virtual desktop executing on a compute instance in a multi-tenant environment, the compute instance associated with a machine image;
  
  allocating the compute instance, the compute instance configured according to the machine image;
  
  allocating a first storage volume using a network-attached storage resource of the multi-tenant environment, the first storage volume encrypted using a first encryption key and associated with data from a stored snapshot corresponding to the machine image;
  
  creating a copy snapshot corresponding to the stored snapshot;
  
  obtaining a new encryption key using information about the compute instance;
  
  allocating a second storage volume using the network-attached storage resource, the second storage volume encrypted using the new encryption key and storing data from the copy snapshot; and
  
  causing the second storage volume to be attached to the compute instance, wherein transmissions between the compute instance and the second storage volume are encrypted using the new encryption key.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 6. The computer-implemented method of claim 5, further comprising:
    - determining context information for the compute instance, the context information including one or more values for identified instance parameters; and
      
      generating a hash of the context information to obtain the information about the compute instance used to obtain the new encryption key.
  - 7. The computer-implemented method of claim 6, further comprising:
    - determining the context information using values for the identified instance parameters associated with the virtual desktop.
  - 8. The computer-implemented method of claim 6, further comprising:
    - sending the information to a key management service storing a master key for customer generates the new encryption key using the master key and the information about the compute instance.
  - 9. The computer-implemented method of claim 5, further comprising:
    - determining the machine image associated with the compute instance, the machine image being a default machine image for generating compute instances associated with a customer account or a prior machine image generated using a prior compute instance associated with the customer account.
  - 10. The computer-implemented method of claim 5, wherein the stored snapshot represents a state of data for a prior version of the virtual desktop executing on the compute instance.
  - 11. The computer-implemented method of claim 5, wherein the transmissions between the compute instance and the second storage volume are encrypted, and wherein transmissions from the compute instance to the operating system are not encrypted using the new encryption key.
  - 12. The computer-implemented method of claim 5, further comprising:
    - detecting satisfaction of a termination criterion for the compute instance;
      
      capturing a final snapshot of the second storage volume;
      
      generating a new machine image corresponding to the compute instance; and
      
      terminating the compute instance, wherein the final snapshot and the new machine image are capable of being used to generate a new compute instance in the multi-tenant environment.
  - 13. The computer-implemented method of claim 5, further comprising:
    - generating a respective data encryption key for each storage volume allocated in the multi-tenant environment and associated with a customer account.
  - 14. The computer-implemented method of claim 5, further comprising:
    - pausing the compute instance before creating the copy snapshot; and
      
      resuming the compute instance after the second storage volume is attached to the compute instance.

15. A system, comprising:
- at least one processor; and
  
  memory including instructions that, when executed by the at least one processor, cause the system to;
  
  receive a request to access a virtual desktop, the virtual desktop executing on a compute instance in a multi-tenant environment, the compute instance associated with a machine image;
  
  allocate the compute instance, the compute instance configured according to the machine image;
  
  allocate a first storage volume using a network-attached storage resource of the multi-tenant environment, the first storage volume encrypted using a first encryption key and associated with data from a stored snapshot corresponding to the machine image;
  
  create a copy snapshot corresponding to the stored snapshot;
  
  obtain a new encryption key using information about the compute instance;
  
  allocate a second storage volume using the network-attached storage resource, the second storage volume encrypted using the new encryption key and storing data from the copy snapshot; and
  
  cause the second storage volume to be attached to the compute instance, wherein transmissions between the compute instance and the second storage volume are encrypted using the new encryption key.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the instructions when executed further cause the system to:
    - determine context information for the compute instance, the context information including one or more values for identified instance parameters; and
      
      generate a hash of the context information to obtain the information about the compute instance used to obtain the new encryption key.
  - 17. The system of claim 15, wherein the instructions when executed further cause the system to:
    - send the information to a key management service storing a master key for customer account associated with the request, wherein the key management service generates the new encryption key using the master key and the information about the compute instance.
  - 18. The system of claim 15, wherein the instructions when executed further cause the system to:
    - determine the machine image associated with the compute instance, the machine image being a default machine image for generating compute instances associated with a customer account or a prior machine image generated using a prior compute instance associated with the customer account.
  - 19. The system of claim 15, wherein the instructions when executed further cause the system to:
    - detect satisfaction of a termination criterion for the compute instance;
      
      capture a final snapshot of the second storage volume;
      
      generate a new machine image corresponding to the compute instance; and
      
      terminate the compute instance, wherein the final snapshot and the new machine image are capable of being used to generate a new compute instance in the multi-tenant environment.
  - 20. The system of claim 15, wherein the instructions when executed further cause the system to:
    - pause the compute instance before creating the copy snapshot; and
      
      resume the compute instance after the second storage volume is attached to the compute instance.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Ah Kun, Malcolm Russell, Chakraborty, Anshuk, Ambareesh, Gopala Krishna, Dhande, Nakul Namdeo, Thomas, Nathan Bartholomew, Sun, Zhenghong, Subash, Prasanna, Paracha, Salman Aftab
Primary Examiner(s)
Okeke, Izunna

Application Number

US15/469,367
Time in Patent Office

837 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 2212/402   Encrypted data

G06F 2221/2107   File encryption

G06F 3/062   Securing storage systems

G06F 3/0623   in relation to content

G06F 3/0631   by allocating resources to ...

G06F 3/0637   Permissions

G06F 3/065   Replication mechanisms

G06F 3/0664   at device level, e.g. emula...

G06F 3/067   Distributed or networked st...

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 9/0861   Generation of secret inform...

H04L 9/088   Usage controlling of secret...

Data encryption for virtual workspaces

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

14 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Data encryption for virtual workspaces

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links