SYSTEM AND METHOD FOR BACKING UP AND RESTORING FILES ENCRYPTED WITH FILE-LEVEL CONTENT PROTECTION

US 20110252233A1
Filed: 04/07/2010
Published: 10/13/2011
Est. Priority Date: 04/07/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of generating a backup ticket associated with a backup event, the method causing a computing device to perform steps comprising:

sending a backup secret from a first device to a second device having a file system encrypted on a per file and on a per class basis;

receiving at the first device from the second device a backup ticket containing encryption keys, wherein the second device creates the backup ticket based on the backup secret; and

storing the backup ticket on the first device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein are systems, methods, and non-transitory computer-readable storage media for initiating a backup, backing up encrypted data, and restoring backed up encrypted data. The method for initiating a backup includes sending a backup secret to a backup device having an encrypted file system, receiving from the backup device a backup ticket created based on the backup secret, and storing the backup ticket. The method for backing up encrypted data includes receiving a backup ticket and a backup secret, retrieving an escrow key bag containing protection class keys, decrypting the protection class keys with the backup ticket, generating a backup key bag containing new protection class keys, selecting a set of encrypted files to back up, decrypting the file encryption keys with corresponding decrypted protection class keys, re-encrypting the file encryption keys with new protection class keys, and transferring the selected encrypted files, the backup key bag, and metadata.

64 Citations

View as Search Results

26 Claims

1. A computer-implemented method of generating a backup ticket associated with a backup event, the method causing a computing device to perform steps comprising:
- sending a backup secret from a first device to a second device having a file system encrypted on a per file and on a per class basis;
  
  receiving at the first device from the second device a backup ticket containing encryption keys, wherein the second device creates the backup ticket based on the backup secret; and
  
  storing the backup ticket on the first device.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein the backup secret is derived from a user password.
  - 3. The computer-implemented method of claim 1, wherein the backup secret is generated randomly.
  - 4. The computer-implemented method of claim 1, wherein the second device creates the backup ticket further based on a host identity.

5. A system for generating a backup ticket associated with a backup event, the system comprising:
- a processor;
  
  a first module controlling the processor to receive at a first device having a file system encrypted on a per file and on a per class basis a backup secret from a second device;
  
  a second module controlling the processor to create a backup ticket containing encryption keys based on the backup secret; and
  
  a third module controlling the processor to send the backup ticket from the first device to the second device.
- View Dependent Claims (6, 7, 8, 9, 10, 11)
- - 6. The system of claim 5, wherein the backup secret is derived from a user password.
  - 7. The system of claim 5, wherein the backup secret is generated randomly.
  - 8. The system of claim 5, wherein the second module further controls the processor to create the backup ticket further based on a host identity.
  - 9. The system of claim 8, wherein the host identity is encrypted with the backup secret and not a device UID.
  - 10. The system of claim 5, the system further comprising sending a backup key bag to the second device.
  - 11. The system of claim 5, wherein secrets in the backup bag are wrapped with a device specific secret, such that items encrypted by the device specific secret can be backed up but not migrated to another device.

12. A non-transitory computer-readable storage medium storing instructions which, when executed by a computing device, cause the computing device to back up a computing device, the instructions comprising:
- receiving, from a second device, a backup ticket containing encryption keys encrypted with a backup secret at a first device having a file system encrypted on a per file and on a per class basis for a plurality of classes, and the backup secret;
  
  retrieving an escrow key bag on the first device, wherein the escrow key bag contains protection class keys for the plurality of classes;
  
  decrypting the protection class keys on the first device with the backup ticket;
  
  generating a backup key bag containing new protection class keys on the first device;
  
  selecting a set of encrypted files on the first device to back up;
  
  decrypting file encryption keys on the first device with the corresponding decrypted protection class keys;
  
  re-encrypting the file encryption keys corresponding to the selected set of encrypted files with the new protection class keys on the first device; and
  
  transferring from the first device to the second device the selected set of encrypted files, the backup key bag and metadata associated with the selected set of encrypted files.
- View Dependent Claims (13, 14, 15)
- - 13. The non-transitory computer-readable storage medium of claim 12, wherein the metadata contains encrypted file keys.
  - 14. The non-transitory computer-readable storage medium of claim 12, wherein the escrow key bag is stored as a plurality of separate files.
  - 15. The non-transitory computer-readable storage medium of claim 12, wherein the instructions further comprise placing the first device in a lockdown state.

16. A computer-implemented method of backing up a computing device, the method causing a computing device to perform steps comprising:
- sending from a second device a backup ticket containing encryption keys encrypted with a backup secret and the backup secret to a first device having a file system encrypted on a per file and on a per class basis, wherein the first device retrieves an escrow key bag containing protection class keys, decrypts protection class keys with the backup ticket and backup secret, generates a backup key bag containing new protection class keys, selects a set of encrypted files to back up, decrypts file encryption keys on the first device with the corresponding decrypted protection class keys, and re-encrypts the file encryption keys corresponding to the selected set of encrypted files with the new protection class keys on the first device; and
  
  receiving at the second device the selected set of encrypted files, the backup key bag and metadata associated with the selected set of encrypted files from the first device.
- View Dependent Claims (17, 18, 19)
- - 17. The computer-implemented method of claim 16, wherein the metadata contains encrypted file keys.
  - 18. The computer-implemented method of claim 17, wherein the backup key bag is stored as a plurality of separate files.
  - 19. The computer-implemented method of claim 16, wherein encrypted data is accessed directly from the filesystem.

20. A system for restoring backup files, the system comprising:
- a processor;
  
  a first module controlling the processor to send a backup ticket, a backup secret, and a host identifier to a first device having a file system encrypted on a per file and on a per class basis for a plurality of classes;
  
  a second module controlling the processor to send to the first device encrypted backup files, a backup key bag and associated metadata;
  
  a third module controlling the processor to decrypt the protection class keys in the backup key bag on the first device with a backup ticket;
  
  a fourth module controlling the processor to decrypt file encryption keys on the first device with the corresponding decrypted protection class keys from the backup key bag;
  
  a fifth module controlling the processor to retrieve an escrow key bag containing original protection class keys on the first device;
  
  a sixth module controlling the processor to re-encrypt the decrypted file encryption keys with the original protection class keys on the first device; and
  
  a seventh module controlling the processor to restore the re-encrypted backup files based on the encrypted file keys on the first device.
- View Dependent Claims (21, 22)
- - 21. The system of claim 20, wherein the metadata contains encrypted file keys.
  - 22. The system of claim 20, wherein the first device is different from a source device for the encrypted backup files.

23. A computer-implemented method of restoring backup files, the method causing a computing device to perform steps comprising:
- receiving, at a first device having a file system encrypted on a per file and on a per class basis, a backup ticket, a backup secret, and a host identifier from a second device;
  
  receiving from the second device encrypted backup files, a backup key bag and associated metadata comprising encrypted file keys;
  
  decrypting the protection class keys in the backup key bag on the first device with a backup ticket;
  
  decrypting file encryption keys on the first device with the corresponding decrypted protection class keys from the backup key bag;
  
  retrieving an escrow key bag containing original protection class keys on the first device;
  
  re-encrypting the file encryption keys with the original protection class keys on the first device; and
  
  restoring the re-encrypted backup files based on the encrypted file keys on the first device.
- View Dependent Claims (24, 25)
- - 24. The computer-implemented method of claim 23, wherein the metadata encrypted file keys.
  - 25. The computer-implemented method of claim 24, wherein the first device is different from a source device for the encrypted backup files.

26. A computer-implemented method of generating a backup ticket associated with a backup event, the method causing a computing device to perform steps comprising:
- sending a backup secret from a first device to a second device having a credential keychain system encrypted on a per credential and on a per class basis;
  
  receiving at the first device from the second device a backup ticket containing encryption keys, wherein the second device creates the backup ticket based on the backup secret; and
  
  storing the backup ticket on the first device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
McNeil, Kenneth Buffalo, Freedman, Gordon, De Atley, Dallas Blake, Duffy, Thomas Brogan JR., Rahardja, David

Granted Patent

US 8,412,934 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/165
CPC Class Codes

G06F 11/1458   Management of the backup or...

G06F 11/1469   Backup restoration techniques

G06F 21/6218   to a system of files or obj...

H04L 9/0822   using key encryption key

H04L 9/0894   Escrow, recovery or storing...

SYSTEM AND METHOD FOR BACKING UP AND RESTORING FILES ENCRYPTED WITH FILE-LEVEL CONTENT PROTECTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

64 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

SYSTEM AND METHOD FOR BACKING UP AND RESTORING FILES ENCRYPTED WITH FILE-LEVEL CONTENT PROTECTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others