The present invention relates generally to Full Disk Encryption Drives (FDEs) and to methods and arrangements for managing the same.
As known, Full Disk Encryption Drives (FDEs) encrypt all data that comes into them and, once the data is authorized, decrypt all data that goes out. This “blanket” encryption process helps reassure users that everything will be encrypted. As can be expected, however, such a comprehensive process can slow down a system considerably, meaning that measures have conventionally been sought to speed the process up.
In one solution, external flash memory (or NVRAM, non-volatile random access memory) is used to provide a non-volatile cache for the hard disk (the terms “hard disk” and “hard drive” should be understood to be interchangeable herein), thus helping promote system speed (since a flash memory will not be tied up with “seek time”). However, in this context, it is possible that critical files may be cached without being written to the hard drive, thereby opening up a vulnerable attack point against such files if the machine is stolen, since an unencrypted file may well reside inside the flash.
Accordingly, a compelling need has been recognized in connection with providing full disk encryption in a manner that ensures reasonable system speed while maintaining at the same time a reasonable level of system security.
In accordance with at least one presently preferred embodiment of the present invention, there are broadly contemplated herein methods and arrangements for managing a flash drive, hard disk, or connection between the two, in a manner to ensure that sensitive data is not decrypted at any time when it would be vulnerable. Accordingly, in a first implementation, the data may preferably be encrypted as it first goes into a flash drive and decrypted when it comes out of the flash drive. In another implementation, the flash drive may be logically bound to the hard disk, so that they would both use the same encryption key. In yet another implementation, if a hard disk is moved to another system, then the flash drive may also preferably be simultaneously moved.
In summary, one aspect of the invention provides a system comprising: a main memory; a full disk encryption hard drive; a non-volatile cache memory which stores data not stored on the hard drive; an encryption module which encrypts data for the non-volatile cache memory.
Another aspect of the invention provides a method comprising: providing a full disk encryption hard drive; storing in a non-volatile cache memory data which is not stored on the hard drive; and encrypting data for the non-volatile cache memory.
Furthermore, an additional aspect of the invention provides a program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform a method comprising the steps of: providing a full disk encryption hard drive; storing in a non-volatile cache memory data which is not stored on the hard drive; and encrypting data for the non-volatile cache memory.
For a better understanding of the present invention, together with other and further features and advantages thereof, reference is made to the following description, taken in conjunction with the accompanying drawings, and the scope of the invention will be pointed out in the appended claims.
It will be readily understood that the components of the present invention, as generally described and illustrated in the Figures herein, may be arranged and designed in a wide variety of different configurations. Thus, the following more detailed description of the embodiments of the apparatus, system, and method of the present invention, as represented in
One or more functional units described in this specification may be labeled as a “module”, in order to more particularly emphasize their implementation independence. For example, a module may be implemented as a hardware circuit comprising custom VLSI circuits or gate arrays, off-the-shelf semiconductors such as logic chips, transistors, or other discrete components. A module may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices or the like.
Modules may also be implemented in software for execution by various types of processors. An identified module of executable code may, for instance, comprise one or more physical or logical blocks of computer instructions which may, for instance, be organized as an object, procedure, or function. Nevertheless, the executables of an identified module need not be physically located together, but may comprise disparate instructions stored in different locations which, when joined logically together, comprise the module and achieve the stated purpose for the module.
Indeed, a module of executable code could be a single instruction, or many instructions, and may even be distributed over several different code segments, among different programs, and across several memory devices. Similarly, operational data may be identified and illustrated herein within modules, and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations including over different storage devices, and may exist, at least partially, merely as electronic signals on a system or network.
Reference throughout this specification to “one embodiment” or “an embodiment” (or the like) means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrases “in one embodiment” or “in an embodiment” in various places throughout this specification are not necessarily all referring to the same embodiment.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided, such as examples of programming, software modules, user selections, network transactions, database queries, database structures, hardware modules, hardware circuits, hardware chips, etc., to provide a thorough understanding of embodiments of the invention. One skilled in the relevant art will recognize, however, that the invention can be practiced without one or more of the specific details, or with other methods, components, materials, etc. In other instances, well-known structures, materials, or operations are not shown or described in detail to avoid obscuring aspects of the invention.
The illustrated embodiments of the invention will be best understood by reference to the drawings, wherein like parts are designated by like numerals or other labels throughout. The following description is intended only by way of example, and simply illustrates certain selected embodiments of devices, systems, and processes that are consistent with the invention as claimed herein.
Referring now to
As shown in
PCI local bus 50 supports the attachment of a number of devices, including adapters and bridges. Among these devices is network adapter 66, which interfaces computer system 12 to a LAN, and graphics adapter 68, which interfaces computer system 12 to display 69. Communication on PCI local bus 50 is governed by local PCI controller 52, which is in turn coupled to non-volatile random access memory (NVRAM) 56 via memory bus 54. Local PCI controller 52 can be coupled to additional buses and devices via a second host bridge 60.
Computer system 12 further includes Industry Standard Architecture (ISA) bus 62, which is coupled to PCI local bus 50 by ISA bridge 64. Coupled to ISA bus 62 is an input/output (I/O) controller 70, which controls communication between computer system 12 and attached peripheral devices such as a keyboard, mouse, and disk drive. In addition, I/O controller 70 supports external communication by computer system 12 via serial and parallel ports. Of course, it should be appreciated that the system 12 may be built with different chip sets and a different bus structure, as well as with any other suitable substitute components, while providing comparable or analogous functions to those discussed above.
Reference may now continue to be made to
In accordance with at least one preferred embodiment of the present invention, an encryption module 72 may preferably be provided which carries out additional functions as described herebelow with reference to
In a preferred embodiment of the present invention, data (upon authorization) is preferably decrypted via encryption module 72 as it comes out of NVRAM (e.g., as embodied by a flash drive at 56 in
In a variant embodiment in accordance with the present invention, and with simultaneous reference to
In this embodiment, should the hard disk at 46 be moved, or should there otherwise come to be a physical and/or communicative separation between the hard disk at 46 and flash drive at 56, the flash drive at 56 now will not match a “new” hard disk (i.e., the two will not be logically connected as described above). Thus, data now entering the flash drive at 56 will likely be decrypted (i.e., needing authorization). Preferably, then, the flash drive and hard disk key may be synchronized as soon as is viable, at which point the flash drive at 56 will take over encryption/decryption functions as described just above.
Finally, in another embodiment in accordance with the present invention, if the hard disk at 46 is moved to another system, then the flash drive at 56 may also preferably be simultaneously moved. This would preserve any data not yet written to the hard drive, and permits the encryption arrangement (of any type) to continue to work.
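The following Python simulation is an added example, not code from the patent, and its class and function names are hypothetical. It models the arrangement described above: a write-back NVRAM cache in front of an FDE drive, an encryption module that encrypts data on the way into the cache and decrypts it only after authorization, and a logical binding of cache and drive through a fingerprint of the shared key. The HMAC-SHA256 keystream stands in for the drive's own AES engine so the example runs with the standard library alone; it is not a recommended cipher construction. The `encrypt=False` mode reproduces the conventional plaintext cache so the exposure the background section warns about can be checked against a raw flash image.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32


def keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream.

    Stand-in for the drive's AES engine (constructed for this example);
    no integrity protection, not a recommended cipher.
    """
    out = b""
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def key_id(key):
    """Non-secret fingerprint used to bind cache and drive to one key."""
    return hashlib.sha256(b"fde-key-id" + key).digest()[:8]


class FdeDrive:
    """Full disk encryption drive: everything on the platter is ciphertext."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(KEY_LEN)
        self.platter = {}  # lba -> (nonce, ciphertext)

    def write(self, lba, plaintext):
        nonce = secrets.token_bytes(16)
        self.platter[lba] = (nonce, keystream_xor(self.key, nonce, plaintext))

    def write_ciphertext(self, lba, nonce, ciphertext):
        # Data already encrypted under the shared key can be stored as-is.
        self.platter[lba] = (nonce, ciphertext)

    def read(self, lba):
        nonce, ct = self.platter[lba]
        return keystream_xor(self.key, nonce, ct)


class EncryptionModule:
    """Encrypts data entering the flash cache; decrypts only when authorized."""

    def __init__(self, key):
        self.key = key
        self.authorized = False

    def encrypt(self, plaintext):
        nonce = secrets.token_bytes(16)
        return nonce, keystream_xor(self.key, nonce, plaintext)

    def decrypt(self, nonce, ciphertext):
        if not self.authorized:
            raise PermissionError("decrypt refused: user not authorized")
        return keystream_xor(self.key, nonce, ciphertext)


class NvramCache:
    """Write-back flash cache in front of the FDE drive.

    encrypt=False models the conventional plaintext cache; encrypt=True
    models the arrangement in which the cache is bound to the drive's key.
    """

    def __init__(self, drive, encrypt=True):
        self.encrypt = encrypt
        self.drive = drive
        self.flash = {}       # lba -> plaintext bytes or (nonce, ciphertext)
        self.dirty = set()
        self.bound_key_id = key_id(drive.key)
        self.module = EncryptionModule(drive.key)

    def bound_to(self, drive):
        """True when this cache and `drive` share the same encryption key."""
        return hmac.compare_digest(self.bound_key_id, key_id(drive.key))

    def write(self, lba, plaintext):
        self.flash[lba] = self.module.encrypt(plaintext) if self.encrypt else plaintext
        self.dirty.add(lba)

    def read(self, lba):
        if lba in self.flash:
            entry = self.flash[lba]
            return self.module.decrypt(*entry) if self.encrypt else entry
        return self.drive.read(lba)

    def flush(self):
        """Write back dirty entries; with a shared key no decryption is needed."""
        for lba in sorted(self.dirty):
            if self.encrypt:
                self.drive.write_ciphertext(lba, *self.flash[lba])
            else:
                self.drive.write(lba, self.flash[lba])
        self.dirty.clear()

    def raw_flash_dump(self):
        """What is recovered by reading the flash chip directly."""
        return b"".join(e if isinstance(e, bytes) else e[1] for e in self.flash.values())


def plaintext_exposed(cache, secret):
    """Defender's check: does the raw flash image contain the secret?"""
    return secret in cache.raw_flash_dump()
```

Because the cache shares the drive's key, `flush()` moves ciphertext straight to the platter without an authorization step, which is the practical benefit of binding the two; `bound_to()` is the check a system would run at boot to detect that the hard disk (or the flash) has been swapped before trusting cached data.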
It is to be understood that the present invention, in accordance with at least one presently preferred embodiment, includes elements that may be implemented on at least one general-purpose computer running suitable software programs. These may also be implemented on at least one Integrated Circuit or part of at least one Integrated Circuit. Thus, it is to be understood that the invention may be implemented in hardware, software, or a combination of both.
If not otherwise stated herein, it is to be assumed that all patents, patent applications, patent publications and other publications (including web-based publications) mentioned and cited herein are hereby fully incorporated by reference herein as if set forth in their entirety herein.
Although illustrative embodiments of the present invention have been described herein with reference to the accompanying drawings, it is to be understood that the invention is not limited to those precise embodiments, and that various other changes and modifications may be effected therein by one skilled in the art without departing from the scope or spirit of the invention.
Number | Name | Date | Kind |
---|---|---|---|
20040054914 | Sullivan | Mar 2004 | A1 |
20070014403 | Loo et al. | Jan 2007 | A1 |
20080072071 | Forehand et al. | Mar 2008 | A1 |
20080077807 | Hicks | Mar 2008 | A1 |
20080080022 | Gogulapati | Apr 2008 | A1 |
20080294914 | Lee et al. | Nov 2008 | A1 |
20090076849 | Diller | Mar 2009 | A1 |
20090313416 | Nation | Dec 2009 | A1 |
Number | Date | Country |
---|---|---|
526431 | Apr 2003 | TW |
1229294 | Mar 2005 | TW |
Number | Date | Country |
---|---|---|
20090089590 A1 | Apr 2009 | US |