Secure Transport of Encrypted Virtual Machines with Continuous Owner Access
US-2015318986-A1 · Nov 5, 2015 · US
US9652634B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9652634-B2 |
| Application number | US-201514716768-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 19, 2015 |
| Priority date | May 19, 2015 |
| Publication date | May 16, 2017 |
| Grant date | May 16, 2017 |
Official abstract text for this publication.
Exemplary methods, apparatuses, and systems generate an encryption key based upon data content of a portion of data to be encrypted by the encryption key. The encryption key is stored as one of a plurality of encryption keys within a subset of storage. Each of the plurality of encryption keys is generated based upon corresponding data content. A checksum representing the plurality of encryption keys is calculated. In response to receiving an input/output (I/O) request for data encrypted by the encryption key, a verification checksum representing the plurality of encryption keys is calculated. The requested data is decrypted using the encryption key in response to verifying the checksum and verification checksum match.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method, comprising: generating an encryption key based upon data content of a portion of data to be encrypted by the encryption key; storing the encryption key as one of a plurality of encryption keys within a subset of storage, each of the plurality of encryption keys generated based upon corresponding data content; calculating a checksum representing the plurality of encryption keys; calculating, in response to receiving an input/output (I/O) request for data encrypted by the encryption key, a verification checksum representing the plurality of encryption keys; modifying the checksum to a reserved value in response to determining the checksum and the verification checksum do not match due to a corruption of the plurality of encryption keys; repairing the plurality of encryption keys; and recalculating the checksum in response to the repairing of the plurality of encryption keys.

2. The computer-implemented method of claim 1, further comprising: determining, when calculating the checksum, that the checksum equals a reserved value; and modifying the checksum to no longer equal the reserved value.

3. The computer-implemented method of claim 1, further comprising: determining the verification checksum equals a reserved value; and modifying the verification checksum to no longer equal the reserved value.

4. The computer-implemented method of claim 1, wherein generating the encryption key is based upon a secret key and the data content.

5. The computer-implemented method of claim 1, wherein the plurality of stored encryption keys are wrapped using a secret key.

6. The computer-implemented method of claim 5, wherein the portion of data is stored within a datacenter on behalf of one of a plurality of tenant groups of the datacenter, and wherein the secret key is used to wrap a plurality of encryption keys for a plurality of users within the tenant group.

7. A non-transitory computer-readable medium storing instructions, which when executed by a processing device, cause the processing device to perform a method comprising: generating an encryption key based upon data content of a portion of data to be encrypted by the encryption key; storing the encryption key as one of a plurality of encryption keys within a subset of storage, each of the plurality of encryption keys generated based upon corresponding data content; calculating a checksum representing the plurality of encryption keys; calculating, in response to receiving an input/output (I/O) request for data encrypted by the encryption key, a verification checksum representing the plurality of encryption keys; modifying the checksum to a reserved value in response to determining the checksum and the verification checksum do not match due to a corruption of the plurality of encryption keys; repairing the plurality of encryption keys; and recalculating the checksum in response to the repairing of the plurality of encryption keys.

8. The non-transitory computer-readable medium of claim 7, the method further comprising: determining, when calculating the checksum, that the checksum equals a reserved value; and modifying the checksum to no longer equal the reserved value.

9. The non-transitory computer-readable medium of claim 7, the method further comprising: determining the verification checksum equals a reserved value; and modifying the verification checksum to no longer equal the reserved value.

10. The non-transitory computer-readable medium of claim 7, wherein generating the encryption key is based upon a secret key and the data content.

11. The non-transitory computer-readable medium of claim 7, wherein the plurality of stored encryption keys are wrapped using a secret key.

12. The non-transitory computer-readable medium of claim 11, wherein the portion of data is stored within a datacenter on behalf of one of a plurality of tenant groups of the datacenter, and wherein the secret key is used to wrap a plurality of encryption keys for a plurality of users within the tenant group.

13. An apparatus comprising: a processing device; and a memory coupled to the processing device, the memory storing instructions which, when executed by the processing device, cause the apparatus to: generate an encryption key based upon data content of a portion of data to be encrypted by the encryption key; store the encryption key as one of a plurality of encryption keys within a subset of storage, each of the plurality of encryption keys generated based upon corresponding data content; calculate a checksum representing the plurality of encryption keys; calculate, in response to receiving an input/output (I/O) request for data encrypted by the encryption key, a verification checksum representing the plurality of encryption keys; modify the checksum to a reserved value in response to determining the checksum and the verification checksum do not match due to a corruption of the plurality of encryption keys; repair the plurality of encryption keys; and recalculate the checksum in response to the repairing of the plurality of encryption keys.

14. The apparatus of claim 13, wherein the instructions further cause the host computer to: determine, when calculating the checksum, that the checksum equals a reserved value; and modify the checksum to no longer equal the reserved value.

15. The apparatus of claim 13, wherein the instructions further cause the host computer to: determine the verification checksum equals a reserved value; and modify the verification checksum to no longer equal the reserved value.

16. The apparatus of claim 13, wherein generating the encryption key is based upon a secret key and the data content.

17. The apparatus of claim 13, wherein the plurality of stored encryption keys are wrapped using a secret key, wherein the portion of data is stored within a datacenter on behalf of one of a plurality of tenant groups of the datacenter, and wherein the secret key is used to wrap a plurality of encryption keys for a plurality of users within the tenant group.
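The checksum lifecycle in claims 1 to 4, sketched as an added example that is not taken from the patent. HMAC-SHA256 for key derivation, CRC32 as the checksum, `0` as the reserved value, a replica as the repair source, and all names (`KeySet`, `derive_key`, `key_for_io`) are assumptions made for illustration; the cipher itself and key wrapping (claim 5) are left out.

```python
import hashlib
import hmac
import zlib

RESERVED = 0  # assumed reserved checksum value: "key set is known to be corrupt"

def derive_key(secret: bytes, content: bytes) -> bytes:
    """Key generated from a secret key and the data content (claim 4)."""
    return hmac.new(secret, content, hashlib.sha256).digest()

def keyset_checksum(keys) -> int:
    """Checksum over the whole key set, moved off RESERVED on collision (claims 2-3)."""
    crc = zlib.crc32(b"".join(keys))
    return 1 if crc == RESERVED else crc

class KeySet:
    def __init__(self, secret: bytes, blocks):
        self.keys = [derive_key(secret, b) for b in blocks]
        self.checksum = keyset_checksum(self.keys)

    def key_for_io(self, index: int) -> bytes:
        """Release a key for decryption only if the verification checksum matches."""
        if self.checksum == RESERVED or keyset_checksum(self.keys) != self.checksum:
            self.checksum = RESERVED  # mark corrupt so later I/O fails fast
            raise ValueError("key set corrupt: repair before decrypting")
        return self.keys[index]

    def repair(self, replica_keys) -> None:
        """Restore keys from a replica (assumed repair source), then recalculate."""
        self.keys = list(replica_keys)
        self.checksum = keyset_checksum(self.keys)

def demo():
    secret = b"constructed-tenant-secret"          # constructed sample values
    blocks = [b"constructed block A", b"constructed block B"]
    ks = KeySet(secret, blocks)
    replica = list(ks.keys)
    ok_before = ks.key_for_io(0) == derive_key(secret, blocks[0])
    ks.keys[1] = bytes(32)  # simulate corruption of one stored key
    try:
        ks.key_for_io(0)
        refused = False
    except ValueError:
        refused = True
    flagged = ks.checksum == RESERVED
    ks.repair(replica)
    return ok_before, refused, flagged, ks.key_for_io(1) == replica[1]

if __name__ == "__main__":
    print(demo())
```

Because the checksum covers the whole key set, corruption of any one key blocks I/O against every key in the set until the repair completes.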
Generation of secret information including derivation or calculation of cryptographic keys or passwords · CPC title
Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title
involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD · CPC title
Error detection; Error correction; Monitoring (error detection, correction or monitoring in information storage based on relative movement between record carrier and transducer G11B20/18; monitoring, i.e. supervising the progress of recording or reproducing G11B27/36; in static stores G11C29/00) · CPC title
Protecting data integrity, e.g. using checksums, certificates or signatures · CPC title