General purpose distributed encrypted file system

US 8,751,789 B2
Filed: 09/17/2010
Issued: 06/10/2014
Est. Priority Date: 09/17/2010
Status: Expired due to Fees

First Claim

Patent Images

1. A system, which comprises:

a computer, said computer including at least one processor and memory coupled to said at least one processor, said memory storing instructions, which when executed on said at least one processor, causes said at least one processor to perform operations including;

generating an initialization vector;

generating a file key, wherein the file key is new and unique;

generating a first block key by combining said initialization vector with said file key;

encrypting a first data block with said first block key;

encrypting said first block key with a public key associated with a user;

associating said first encrypted block key with said encrypted first data block as crypto metadata;

caching said encrypted first data block and said crypto metadata in a local encryption cache;

sending said encrypted first data block and said crypto metadata to a network file system server wherein said cached encrypted data block and said crypto metadata remain on one of a client or said network file system server until receipt of a return code indicating successful writes of said encrypted first data block and said crypto metadata by said network file system server; and

,generating a second block key by combining said encrypted first data block with said file key and clearing said cached encrypted data block and said crypto metadata upon receipt of the return code indicating successful writes of said encrypted first data block and said crypto metadata by said network file system server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A general purpose distributed encrypted file system generates a block key on a client machine. The client machine encrypts a file using the block key. Then, the client encrypts the block key on the first client machine with a public key of a keystore associated with a user and associates the encrypted block key with the encrypted data block as crypto metadata. The client machine caches the encrypted data block and the crypto metadata and sends the encrypted data block and the crypto metadata to a network file system server. When the client machine receives a return code from the network file system server indicating successful writes of the encrypted data block and the crypto metadata, the client machine clears the cached encrypted data block and the crypto metadata.

33 Citations

View as Search Results

11 Claims

1. A system, which comprises:
- a computer, said computer including at least one processor and memory coupled to said at least one processor, said memory storing instructions, which when executed on said at least one processor, causes said at least one processor to perform operations including;
  
  generating an initialization vector;
  
  generating a file key, wherein the file key is new and unique;
  
  generating a first block key by combining said initialization vector with said file key;
  
  encrypting a first data block with said first block key;
  
  encrypting said first block key with a public key associated with a user;
  
  associating said first encrypted block key with said encrypted first data block as crypto metadata;
  
  caching said encrypted first data block and said crypto metadata in a local encryption cache;
  
  sending said encrypted first data block and said crypto metadata to a network file system server wherein said cached encrypted data block and said crypto metadata remain on one of a client or said network file system server until receipt of a return code indicating successful writes of said encrypted first data block and said crypto metadata by said network file system server; and
  
  ,generating a second block key by combining said encrypted first data block with said file key and clearing said cached encrypted data block and said crypto metadata upon receipt of the return code indicating successful writes of said encrypted first data block and said crypto metadata by said network file system server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system as claimed in claim 1, wherein said public key is part of a keystore associated with said user.
  - 3. The system as claimed in claim 2, wherein said keystore is stored on a remote server.
  - 4. The system as claimed in claim 3, wherein said remote server comprises a lightweight directory access protocol (LDAP) server.
  - 5. The system as claimed in claim 1, wherein said crypto metadata is associated with said encrypted first data block as extended attributes.
  - 6. The system as claimed in claim 1, wherein said memory further stores instructions, which when executed on said at least one processor, causes said at least one processor to perform operations including:
    - receiving said encrypted first data block and said crypto metadata from said network file system server;
      
      decrypting said crypto metadata using a private key to obtain said first block key; and
      
      ,decrypting said encrypted first data block with said first block key.
  - 7. The system as claimed in claim 6, wherein said private key is part of a keystore associated with said user.
  - 8. The system as claimed in claim 7, wherein said keystore is stored on a remote server.
  - 9. The system as claimed in claim 8, wherein said remote server comprises a lightweight directory access protocol (LDAP) server.

10. A computer program product having instructions stored in a computer readable storage device, for execution by a computer, said computer program product comprising:
- instructions stored in said computer readable storage device for generating an initialization vector;
  
  instructions stored in said computer readable storage device for generating a file key, wherein the file key is new and unique;
  
  instructions stored in said computer readable storage device for generating a first block key by combining said initialization vector with said file key;
  
  instructions stored in said computer readable storage device for encrypting a first data block with said first block key;
  
  instructions stored in said computer readable storage device for encrypting said first block key with a public key associated with a user;
  
  instructions stored in said computer readable storage device for associating said encrypted first block key with said encrypted first data block as crypto metadata;
  
  instructions stored in said computer readable storage device for caching said encrypted first data block and said crypto metadata in a local encryption cache;
  
  instructions stored in said computer readable storage device for sending said encrypted first data block and said crypto metadata to a network file system server wherein said cached encrypted data block and said crypto metadata remain on one of a client or said network file system server until receipt of a return code indicating successful writes of said encrypted first data block and said crypto metadata by said network file system server; and
  
  ,instructions stored in said computer readable storage device for generating a second block key by combining said encrypted first data block with said file key and clearing said cached encrypted first data block and said crypto metadata upon receipt of the return code indicating successful writes of said encrypted first data block and said crypto metadata by said network file system server.
- View Dependent Claims (11)
- - 11. The computer program product as claimed in claim 10, further comprising:
    - instructions stored in said computer readable storage device for receiving said encrypted first data block and said crypto metadata from said network file system server;
      
      instructions stored in said computer readable storage device for decrypting said crypto metadata using a private key to obtain said first block key; and
      
      ,instructions stored in said computer readable storage device for decrypting said encrypted first data block with said first block key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Mullen, Shawn Patrick, Pattanshetti, Manjunath A., Begum, Hussaina Nandyala
Primary Examiner(s)
Gee, Jason K.
Assistant Examiner(s)
SARKER, SANCHIT K

Application Number

US12/884,488
Publication Number

US 20120072713A1
Time in Patent Office

1,362 Days
Field of Search

713/156, 713/160, 713/153, 380/277, 370/331
US Class Current

713/153
CPC Class Codes

H04L 2463/062   applying encryption of the ...

H04L 63/0442   wherein the sending and rec...

H04L 9/0822   using key encryption key

H04L 9/0894   Escrow, recovery or storing...

General purpose distributed encrypted file system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

33 Citations

11 Claims

Specification

Use Cases

Quick Links

Others

General purpose distributed encrypted file system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

11 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others