FILE SYSTEM SUPPORT FOR ROLLING KEYS

US 20160321460A1
Filed: 04/29/2015
Published: 11/03/2016
Est. Priority Date: 04/29/2015
Status: Active Grant

First Claim

Patent Images

1. A method for implementing a background process that re-encrypts a file on a computing device, the method comprising:

by a processor of the computing device;

decrypting a first portion of a file using a first key, wherein the first portion of the file and a second portion of the file are encrypted with the first key;

encrypting the first portion of the file using a second key that is different than the first key; and

updating metadata associated with the file to indicate that the first portion of the file is encrypted with the second key and the second portion of the file is encrypted with the first key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This application relates to a key rolling process for a file system of a computing device. The key rolling process allows for files to be transparently re-encrypted in a background process while still allowing applications to access files being re-encrypted. During re-encryption, a portion of the file is decrypted using a current key for the file and re-encrypted using a new key for the file. During re-encryption, the portion of the file can be relocated to another location in memory. Metadata associated with the file can be updated to include information pertaining to the location of the re-encrypted portion. The metadata can also be updated include information pertaining to how much of the file has been re-encrypted with the new key and how much of the file remains encrypted with the current key.

Citations

24 Claims

1. A method for implementing a background process that re-encrypts a file on a computing device, the method comprising:
- by a processor of the computing device;
  
  decrypting a first portion of a file using a first key, wherein the first portion of the file and a second portion of the file are encrypted with the first key;
  
  encrypting the first portion of the file using a second key that is different than the first key; and
  
  updating metadata associated with the file to indicate that the first portion of the file is encrypted with the second key and the second portion of the file is encrypted with the first key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - writing the first portion of the file encrypted with the second key to a memory location that is different than a memory location of the file.
  - 3. The method of claim 1, wherein encrypting the first portion of the file comprises locking the first portion of the file from being accessed by a component separate from the processor.
  - 4. The method of claim 1, further comprising:
    - permitting, while encrypting the first portion of the file using the second key, an application of the computing device to access the second portion of the file.
  - 5. The method of claim 1, wherein updating the metadata includes modifying an offset value that indicates a difference between the first portion of the file and the second portion of the file.
  - 6. The method of claim 1, wherein updating the metadata includes modifying a bitmap that indicates a difference between the first portion of the file and the second portion of the file.
  - 7. The method of claim 1, wherein the file is completely relocated to an auxiliary memory location when all portions of the file are encrypted using the second key.
  - 8. The method of claim 7, wherein the auxiliary memory location is reserved before encrypting the first portion of the file using the second key.

9. A computing device, comprising:
- a memory configured to store a file;
  
  a key storage configured to store keys for encrypting the file, wherein a first portion of the file is encrypted with a first key and a second portion of the file is encrypted with a second key; and
  
  a processor configured to modify metadata associated with the file to include a first location of the first portion of the file in the memory and a second location of the second portion of the file in the memory.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The computing device of claim 9, wherein the first portion of the file is re-encrypted with the second key simultaneous to an application accessing the file.
  - 11. The computing device of claim 10, wherein the first portion of the file is re-encrypted with the second key in response to the computing device being connected to an external power supply.
  - 12. The computing device of claim 9, wherein the processor is configured to modify the metadata to identify a size of each of the first portion of the file and the second portion of the file.
  - 13. The computing device of claim 9, wherein modifying the metadata includes updating a bitmap included in the metadata.
  - 14. The computing device of claim 9, wherein the file is encrypted using more than two keys.
  - 15. The computing device of claim 9, wherein the first key and the second key each have different times of origination.

16. A machine-readable non-transitory storage medium configured to store instructions that, when executed by a processor included in a computing device, cause the computing device to carry out steps that include:
- decrypting a first portion of a file using a first key, wherein each of the first portion of the file and a second portion of the file are encrypted with the first key and are stored in a first location in a memory of the computing device;
  
  encrypting the first portion of the file using a second key;
  
  storing the first portion of the file in a second location that is different than the first location; and
  
  updating metadata associated with the file to indicate that the first portion of the file is encrypted with the second key and the second portion of the file is encrypted with the first key.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The machine-readable non-transitory storage medium of claim 16, wherein the steps further include:
    - updating the metadata associated with the file to include data representative of the first location and the second location.
  - 18. The machine-readable non-transitory storage medium of claim 16, wherein updating the metadata comprises generating an offset value corresponding to a progress of re-encrypting the file using the second key.
  - 19. The machine-readable non-transitory storage medium of claim 16, wherein the steps further include:
    - permitting the first portion of the file and the second portion of the file to be accessed by an application on the computing device.
  - 20. The machine-readable non-transitory storage medium of claim 19, wherein the steps further include:
    - designating, as free space, a portion of the memory previously occupied by the first portion of the file.

21. A method for implementing a background process that re-encrypts a file on a computing device, the method comprising:
- by a processor of the computing device;
  
  decrypting a first portion of a file using a first key, wherein the first portion of the file and a second portion of the file are encrypted with the first key;
  
  encrypting the first portion of the file using a second key that is different than the first key; and
  
  permitting, while encrypting the first portion of the file using the second key, an application of the computing device to access the second portion of the file.
- View Dependent Claims (22, 23, 24)
- - 22. The method of claim 21, further comprising:
    - updating metadata associated with the file to indicate that the first portion of the file is encrypted with the second key and the second portion of the file is encrypted with the first key.
  - 23. The method of claim 21, wherein the file is associated with a group of users and encrypting the first portion of the file using the second key is in response to a user leaving the group.
  - 24. The method of claim 21, wherein the first key and the second key each have different times of origination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
SUTER, Christopher J., TAMURA, Eric B., COLLEY, George K., DAY, Mark S.

Granted Patent

US 10,032,038 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6209   to a single file or object,...

H04L 9/14   using a plurality of keys o...

FILE SYSTEM SUPPORT FOR ROLLING KEYS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

FILE SYSTEM SUPPORT FOR ROLLING KEYS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links