SYSTEM AND METHOD FOR BACKING UP AND RESTORING FILES ENCRYPTED WITH FILE-LEVEL CONTENT PROTECTION
Abstract
Disclosed herein are systems, methods, and non-transitory computer-readable storage media for initiating a backup, backing up encrypted data, and restoring backed up encrypted data. The method for initiating a backup includes sending a backup secret to a backup device having an encrypted file system, receiving from the backup device a backup ticket created based on the backup secret, and storing the backup ticket. The method for backing up encrypted data includes receiving a backup ticket and a backup secret, retrieving an escrow key bag containing protection class keys, decrypting the protection class keys with the backup ticket, generating a backup key bag containing new protection class keys, selecting a set of encrypted files to back up, decrypting the file encryption keys with corresponding decrypted protection class keys, re-encrypting the file encryption keys with new protection class keys, and transferring the selected encrypted files, the backup key bag, and metadata.
26 Claims
1. A computer-implemented method of generating a backup ticket associated with a backup event, the method causing a computing device to perform steps comprising:
- sending a backup secret from a first device to a second device having a file system encrypted on a per file and on a per class basis;
- receiving at the first device from the second device a backup ticket containing encryption keys, wherein the second device creates the backup ticket based on the backup secret; and
- storing the backup ticket on the first device.
Dependent claims: 2, 3, 4

5. A system for generating a backup ticket associated with a backup event, the system comprising:
- a processor;
- a first module controlling the processor to receive at a first device having a file system encrypted on a per file and on a per class basis a backup secret from a second device;
- a second module controlling the processor to create a backup ticket containing encryption keys based on the backup secret; and
- a third module controlling the processor to send the backup ticket from the first device to the second device.
Dependent claims: 6, 7, 8, 9, 10, 11

12. A non-transitory computer-readable storage medium storing instructions which, when executed by a computing device, cause the computing device to back up a computing device, the instructions comprising:
- receiving, from a second device, a backup ticket containing encryption keys encrypted with a backup secret at a first device having a file system encrypted on a per file and on a per class basis for a plurality of classes, and the backup secret;
- retrieving an escrow key bag on the first device, wherein the escrow key bag contains protection class keys for the plurality of classes;
- decrypting the protection class keys on the first device with the backup ticket;
- generating a backup key bag containing new protection class keys on the first device;
- selecting a set of encrypted files on the first device to back up;
- decrypting file encryption keys on the first device with the corresponding decrypted protection class keys;
- re-encrypting the file encryption keys corresponding to the selected set of encrypted files with the new protection class keys on the first device; and
- transferring from the first device to the second device the selected set of encrypted files, the backup key bag and metadata associated with the selected set of encrypted files.
Dependent claims: 13, 14, 15

16. A computer-implemented method of backing up a computing device, the method causing a computing device to perform steps comprising:
- sending from a second device a backup ticket containing encryption keys encrypted with a backup secret and the backup secret to a first device having a file system encrypted on a per file and on a per class basis, wherein the first device retrieves an escrow key bag containing protection class keys, decrypts protection class keys with the backup ticket and backup secret, generates a backup key bag containing new protection class keys, selects a set of encrypted files to back up, decrypts file encryption keys on the first device with the corresponding decrypted protection class keys, and re-encrypts the file encryption keys corresponding to the selected set of encrypted files with the new protection class keys on the first device; and
- receiving at the second device the selected set of encrypted files, the backup key bag and metadata associated with the selected set of encrypted files from the first device.
Dependent claims: 17, 18, 19

20. A system for restoring backup files, the system comprising:
- a processor;
- a first module controlling the processor to send a backup ticket, a backup secret, and a host identifier to a first device having a file system encrypted on a per file and on a per class basis for a plurality of classes;
- a second module controlling the processor to send to the first device encrypted backup files, a backup key bag and associated metadata;
- a third module controlling the processor to decrypt the protection class keys in the backup key bag on the first device with a backup ticket;
- a fourth module controlling the processor to decrypt file encryption keys on the first device with the corresponding decrypted protection class keys from the backup key bag;
- a fifth module controlling the processor to retrieve an escrow key bag containing original protection class keys on the first device;
- a sixth module controlling the processor to re-encrypt the decrypted file encryption keys with the original protection class keys on the first device; and
- a seventh module controlling the processor to restore the re-encrypted backup files based on the encrypted file keys on the first device.
Dependent claims: 21, 22

23. A computer-implemented method of restoring backup files, the method causing a computing device to perform steps comprising:
- receiving, at a first device having a file system encrypted on a per file and on a per class basis, a backup ticket, a backup secret, and a host identifier from a second device;
- receiving from the second device encrypted backup files, a backup key bag and associated metadata comprising encrypted file keys;
- decrypting the protection class keys in the backup key bag on the first device with a backup ticket;
- decrypting file encryption keys on the first device with the corresponding decrypted protection class keys from the backup key bag;
- retrieving an escrow key bag containing original protection class keys on the first device;
- re-encrypting the file encryption keys with the original protection class keys on the first device; and
- restoring the re-encrypted backup files based on the encrypted file keys on the first device.
Dependent claims: 24, 25

26. A computer-implemented method of generating a backup ticket associated with a backup event, the method causing a computing device to perform steps comprising:
- sending a backup secret from a first device to a second device having a credential keychain system encrypted on a per credential and on a per class basis;
- receiving at the first device from the second device a backup ticket containing encryption keys, wherein the second device creates the backup ticket based on the backup secret; and
- storing the backup ticket on the first device.

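The key re-wrapping in the backup steps of claim 12 and the restore steps of claim 23 can be sketched as follows. This is an added example, not code from the patent: `wrap`/`unwrap` are a toy encrypt-then-MAC stand-in for a real key-wrap algorithm, and the ticket layout (one key wrapped under a key derived from the backup secret, which in turn protects both key bags) is an assumption, as are all names and sample values.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):            # HMAC-SHA256 counter keystream (toy)
    blocks = (hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _tag(kek, nonce, ct):
    return hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()

def wrap(kek, key):                    # stand-in for a real key-wrap algorithm
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(key, _stream(kek, nonce, len(key))))
    return nonce + ct + _tag(kek, nonce, ct)

def unwrap(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(kek, nonce, ct)):
        raise ValueError("unwrap failed: wrong key or modified blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(kek, nonce, len(ct))))

def kdf(secret):                       # backup secret -> key protecting the ticket
    return hashlib.pbkdf2_hmac("sha256", secret, b"constructed-salt", 100_000)

def backup(ticket, secret, escrow_bag, files):
    tk = unwrap(kdf(secret), ticket)
    old = {c: unwrap(tk, w) for c, w in escrow_bag.items()}
    new = {c: os.urandom(32) for c in old}          # fresh class keys per backup
    bag = {c: wrap(tk, k) for c, k in new.items()}  # backup key bag
    out = {f: (c, wrap(new[c], unwrap(old[c], wfk)), ct)  # file data untouched
           for f, (c, wfk, ct) in files.items()}
    return out, bag

def restore(ticket, secret, escrow_bag, bag, backed_up):
    tk = unwrap(kdf(secret), ticket)
    new = {c: unwrap(tk, w) for c, w in bag.items()}
    old = {c: unwrap(tk, w) for c, w in escrow_bag.items()}
    return {f: (c, wrap(old[c], unwrap(new[c], wfk)), ct)
            for f, (c, wfk, ct) in backed_up.items()}

def demo():                            # constructed device state, not real data
    secret, tk, fk = b"host backup secret", os.urandom(32), os.urandom(32)
    classes = {"A": os.urandom(32), "C": os.urandom(32)}
    escrow_bag = {c: wrap(tk, k) for c, k in classes.items()}
    files = {"note.txt": ("A", wrap(classes["A"], fk), b"<file ciphertext>")}
    ticket = wrap(kdf(secret), tk)     # assumed ticket layout: one wrapped key
    backed, bag = backup(ticket, secret, escrow_bag, files)
    return fk, classes, files, backed, restore(ticket, secret, escrow_bag, bag, backed)
```

Only the per-file keys are unwrapped and re-wrapped; the file ciphertext passes through both directions unchanged, and a wrong backup secret fails at the first `unwrap`.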
Specification