Clustered virtual trusted platform module domain services system
US-2023344646-A1 · Oct 26, 2023 · US
US12158980B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12158980-B2 |
| Application number | US-202117459445-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 27, 2021 |
| Priority date | Aug 27, 2021 |
| Publication date | Dec 3, 2024 |
| Grant date | Dec 3, 2024 |
Official abstract text for this publication.
Distributed security key management for protecting roaming data via a trusted platform module is performed by systems that include first and second processors, and first and second respective hardware security modules. The first security module encrypts a security key using a public key from the second security module, and the encrypted security key is provided to the second security module. A virtual machine (VM) executed by the first processor has a first virtual security module instance having state data that includes a storage key encrypting VM virtual disk data and that is encrypted with the security key. When a transfer condition is determined, the VM is transferred and executed by the second processor, using a second virtual security module instance, based on decrypting the security key by the second security module using a private key and decrypting the state data for the second virtual security module using the security key.
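The key hand-off described in the abstract, modelled in software as an added example; it is not code from the patent or its assignee. The `SecurityModule` class, RSA-OAEP for wrapping the security key, AES-256-GCM for the state data, the VM id as associated data and the blob layout are all assumptions of this example, since the abstract names no algorithms.

```ruby
require 'openssl'

# Software stand-in for one node's hardware security module (hypothetical class).
class SecurityModule
  def initialize(generate_security_key: false)
    @transfer = OpenSSL::PKey::RSA.new(2048) # private transfer key stays inside the module
    @security_key = OpenSSL::Random.random_bytes(32) if generate_security_key
  end

  # Handed to the other modules when this node joins the cluster.
  def public_transfer_key
    @transfer.public_key
  end

  # Source side: encrypt the security key under a peer's public transfer key.
  def wrap_security_key_for(peer_public_key)
    peer_public_key.public_encrypt(@security_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  end

  # Target side: recover the security key with the private transfer key.
  def import_security_key(wrapped)
    @security_key = @transfer.private_decrypt(wrapped, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  end

  # Encrypt vTPM state under the security key; the VM id is authenticated, not encrypted.
  def seal_state(vm_id, state)
    c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    c.key = @security_key
    nonce = c.random_iv
    c.auth_data = vm_id
    body = c.update(state) + c.final
    nonce + c.auth_tag + body # layout (assumed): 12-byte nonce, 16-byte tag, ciphertext
  end

  # Decrypt and authenticate migrated state; raises OpenSSL::Cipher::CipherError on mismatch.
  def open_state(vm_id, blob)
    raise ArgumentError, 'state blob too short' if blob.bytesize <= 28
    d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    d.key = @security_key
    d.iv, d.auth_tag = blob.byteslice(0, 12), blob.byteslice(12, 16)
    d.auth_data = vm_id
    d.update(blob.byteslice(28, blob.bytesize)) + d.final
  end
end

# Constructed run: node A owns the security key, node B joins, the VM moves from A to B.
node_a, node_b = SecurityModule.new(generate_security_key: true), SecurityModule.new
node_b.import_security_key(node_a.wrap_security_key_for(node_b.public_transfer_key))
sealed = node_a.seal_state('vm-01', 'constructed vTPM state')
puts node_b.open_state('vm-01', sealed)
```

A module that was never sent a copy of the security key wrapped under its own public transfer key cannot import it, so it cannot open the migrated state.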
Opening claim text (preview).
What is claimed is:

1. A method, performed by a computing system that includes first processing circuitry, a first hardware security module corresponding to the first processing circuitry, second processing circuitry, and a second hardware security module corresponding to the second processing circuitry, the method comprising: encrypting, by the first hardware security module using a public transfer key received from the second hardware security module, a cryptographic security key stored by the first hardware security module, wherein a private transfer key corresponding to the public transfer key is stored by the second hardware security module; providing the encrypted cryptographic security key to the second hardware security module; determining that a transfer condition has been met for transferring a virtual machine (VM) to be executed by the second processing circuitry, wherein the VM is associated with a first virtual security module that is an instance of the first hardware security module, the first virtual security module having state data associated with the VM that includes a cryptographic storage key that encrypts data of a virtual disk of the VM, the state data describing a current execution of the first virtual security module and being encrypted with the cryptographic security key; decrypting, by the second hardware security module and using the private transfer key, the encrypted cryptographic security key; decrypting the state data for the second virtual security module using the cryptographic security key; and executing the VM at the second processing circuitry using a second virtual security module that is an instance of the second hardware security module.

2. The method of claim 1, wherein the computing system comprises a processing cluster; the method further comprising: prior to said encrypting the cryptographic security key and responsive to the second processing circuitry and the second hardware security module being added to the processing cluster, providing the public transfer key from the second hardware security module to the first hardware security module; and receiving, by the second hardware security module, the encrypted cryptographic security key.

3. The method of claim 1, wherein the computing system comprises a processing cluster; the method further comprising: receiving, by the first hardware security module, the public transfer key from the second hardware security module and at least one other public transfer key from at least one other hardware security module included in the processing cluster, respectively; wherein said encrypting the cryptographic security key also includes separately encrypting the cryptographic security key by the first hardware security module using the at least one other public transfer key for each of the at least one other hardware security module, respectively, and wherein said providing the encrypted cryptographic security key to the second hardware security module also includes providing each of the separately encrypted cryptographic security key for each of the at least one other hardware security module to corresponding ones of the at least one other hardware security module.

4. The method of claim 3, wherein each of the public transfer key and the at least one other public transfer key are associated with a respective registered certificate, and wherein said providing is based at least on respective validation conditions; the method further comprising: receiving each respective registered certificate; and determining the respective validation conditions based at least on each respective registered certificate being valid or invalid.

5. The method of claim 3, wherein the cryptographic security key is the only security key for the first hardware security module utilized in the computing system for encrypting and decrypting the state data; or wherein the method comprises executing the VM by the first processing circuitry prior to said determining.

6. The method of claim 1, further comprising: generating the cryptographic security key by the first hardware security module prior to said encrypting the cryptographic security key; wherein the first hardware security module and the second hardware security module comprise respective trusted platform modules (TPMs); or the method further comprises generating the cryptographic storage key, via a hypervisor of the computing system, based at least on the cryptographic security key.

7. The method of claim 1, wherein the transfer condition is associated with a migration of the VM to the second processing circuitry based at least on one or more of: a balancing of processing resources, a balancing of memory resources, or a servicing associated with the first processing circuitry; or wherein the transfer condition is based at least on a fail-over process associated with the first processing circuitry executing the VM.

8. A system, comprising first processing circuitry, a first hardware security module corresponding to the first processing circuitry, second processing circuitry, and a second hardware security module corresponding to the second processing circuitry; the first processing circuitry configured to execute a virtual machine (VM) with a first virtual security module that is associated therewith and that is an instance of the first hardware security module, the first virtual security module having state data associated with the VM that includes a cryptographic storage key that encrypts data of a virtual disk of the VM, the state data describing a current execution of the first virtual security module and being encrypted with the cryptographic security key; the first hardware security module storing a cryptographic security key; the second hardware security module storing: a public transfer key and a private transfer key linked thereto; the first hardware security module configured to: encrypt the cryptographic security key using the public transfer key received from the second hardware security module, wherein a private transfer key corresponding to the public transfer key is stored by the second hardware security module; and provide the encrypted cryptographic security key to the second hardware security module; the second hardware security module configured to: decrypt, using the private transfer key, the encrypted cryptographic security key; and the second processing circuitry configured to: execute the VM, subsequent to a transfer thereof from the first processing circuitry, with a second virtual security module that is an instance of the second hardware security module and based at least on the state data being decrypted for the second virtual security module using the cryptographic security key.

9. The system of claim 8, wherein the system comprises a processing cluster; the second hardware security module being configured to: provide the public transfer key to the first hardware security module prior to said encrypting the cryptographic security key and responsive to the second processing circuitry and the second hardware security module being added to the processing cluster; and receive the encrypted cryptographic security key.

10. The system of claim 8, wherein the system comprises a processing cluster; the first hardware security module being configured to: receive the public transfer key from the second hardware security module and at least one other public transfer key from at least one other hardware security module included in the processing cluster, respectively; separately encrypt the cryptographic security key using the at least one other public transfer key for each of the at least one other
involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements (network architectures or network communication protocols for supporting authentication of entities using certificates in a packet data network H04L63/0823) · CPC title
involving distinctive intermediate devices or communication paths (network architectures or network communication protocols using different networks H04L63/18) · CPC title
Isolation or security of virtual machine instances · CPC title
Distribution of virtual machine instances; Migration and load balancing · CPC title
Hypervisor-specific management and integration aspects · CPC title