摘要:
Disclosed herein are systems, methods, and non-transitory computer-readable storage media for erasing user data stored in a file system. The method includes destroying all key bags containing encryption keys on a device having a file system encrypted on a per file and per class basis, erasing and rebuilding at least part of the file system associated with user data, and creating a new default key bag containing encryption keys. Also disclosed herein is a method of erasing user data stored in a remote file system encrypted on a per file and per class basis. The method includes transmitting obliteration instructions to a remote device, which cause the remote device to destroy all key bags containing encryption keys on the remote device, erase and rebuild at least part of the file system associated with user data, and create on the remote device a new default key bag containing encryption keys.
摘要:
Disclosed herein are systems, methods, and non-transitory computer-readable storage media for initiating a backup, backing up encrypted data, and restoring backed up encrypted data. The method for initiating a backup includes sending a backup secret to a backup device having an encrypted file system, receiving from the backup device a backup ticket created based on the backup secret, and storing the backup ticket. The method for backing up encrypted data includes receiving a backup ticket and a backup secret, retrieving an escrow key bag containing protection class keys, decrypting the protection class keys with the backup ticket, generating a backup key bag containing new protection class keys, selecting a set of encrypted files to back up, decrypting the file encryption keys with corresponding decrypted protection class keys, re-encrypting the file encryption keys with new protection class keys, and transferring the selected encrypted files, the backup key bag, and metadata.
摘要:
Disclosed herein are systems, methods, and non-transitory computer-readable storage media for initiating data synchronization between devices. The method includes sending a host identifier and pairing record to a second device having a file system encrypted on a per file and on a per class basis for a set of classes, receiving from the second device a sync ticket containing encryption keys for the set of classes, and storing the sync ticket. Also disclosed is a method for synchronizing encrypted data between devices. This method includes receiving, at a first device having a file system encrypted on a per file and on a per class basis, a sync ticket containing encryption keys from a second device, retrieving an escrow key bag containing protection class keys, decrypting protection class keys based on the sync ticket, and synchronizing data with the second device based on the decrypted protection class keys.
摘要:
Disclosed herein are systems, methods, and non-transitory computer-readable storage media for initiating a backup, backing up encrypted data, and restoring backed up encrypted data. The method for initiating a backup includes sending a backup secret to a backup device having an encrypted file system, receiving from the backup device a backup ticket created based on the backup secret, and storing the backup ticket. The method for backing up encrypted data includes receiving a backup ticket and a backup secret, retrieving an escrow key bag containing protection class keys, decrypting the protection class keys with the backup ticket, generating a backup key bag containing new protection class keys, selecting a set of encrypted files to back up, decrypting the file encryption keys with corresponding decrypted protection class keys, re-encrypting the file encryption keys with new protection class keys, and transferring the selected encrypted files, the backup key bag, and metadata.
摘要:
Disclosed herein are systems, methods, and non-transitory computer-readable storage media for encryption and key management. The method includes encrypting each file on a computing device with a unique file encryption key, encrypting each unique file encryption key with a corresponding class encryption key, and encrypting each class encryption key with an additional encryption key. Further disclosed are systems, methods, and non-transitory computer-readable storage media for encrypting a credential key chain. The method includes encrypting each credential on a computing device with a unique credential encryption key, encrypting each unique credential encryption key with a corresponding credential class encryption key, and encrypting each class encryption key with an additional encryption key. Also disclosed is a method of verifying a password by decrypting a key bag, retrieving data from an encrypted file using an encryption key from the decrypted key bag, and verifying the password by comparing retrieved data with expected data.
摘要:
Disclosed herein are systems, methods, and non-transitory computer-readable storage media for encryption and key management. The method includes encrypting each file on a computing device with a unique file encryption key, encrypting each unique file encryption key with a corresponding class encryption key, and encrypting each class encryption key with an additional encryption key. Further disclosed are systems, methods, and non-transitory computer-readable storage media for encrypting a credential key chain. The method includes encrypting each credential on a computing device with a unique credential encryption key, encrypting each unique credential encryption key with a corresponding credential class encryption key, and encrypting each class encryption key with an additional encryption key. Also disclosed is a method of verifying a password by decrypting a key bag, retrieving data from an encrypted file using an encryption key from the decrypted key bag, and verifying the password by comparing retrieved data with expected data.
摘要:
Disclosed herein are systems, methods, and non-transitory computer-readable storage media for initiating data synchronization between devices. The method includes sending a host identifier and pairing record to a second device having a file system encrypted on a per file and on a per class basis for a set of classes, receiving from the second device a sync ticket containing encryption keys for the set of classes, and storing the sync ticket. Also disclosed is a method for synchronizing encrypted data between devices. This method includes receiving, at a first device having a file system encrypted on a per file and on a per class basis, a sync ticket containing encryption keys from a second device, retrieving an escrow key bag containing protection class keys, decrypting protection class keys based on the sync ticket, and synchronizing data with the second device based on the decrypted protection class keys.
摘要:
Disclosed herein are systems, methods, and non-transitory computer-readable storage media for erasing user data stored in a file system. The method includes destroying all key bags containing encryption keys on a device having a file system encrypted on a per file and per class basis, erasing and rebuilding at least part of the file system associated with user data, and creating a new default key bag containing encryption keys. Also disclosed herein is a method of erasing user data stored in a remote file system encrypted on a per file and per class basis. The method includes transmitting obliteration instructions to a remote device, which cause the remote device to destroy all key bags containing encryption keys on the remote device, erase and rebuild at least part of the file system associated with user data, and create on the remote device a new default key bag containing encryption keys.
摘要:
Disclosed herein are systems, methods, and non-transitory computer-readable storage media for wireless data protection utilizing cryptographic key management on a primary device and a backup device. A system encrypts a file with a file key and encrypts the file key twice, resulting in two encrypted file keys. The system encrypts each file key differently and stores a first file key on the primary device and transmits one of the encrypted file keys in addition to the encrypted file to a backup device for storage. On the backup device, the system associates the encrypted file key with a set of backup keys protected by a user password. In one embodiment, the system generates an initialization vector for use in cryptographic operations based on a file key. In another embodiment, the system manages cryptographic keys on a backup device during a user password change.