WO2015116204A1 - Encrypted in-place operating system migration - Google Patents


Info

Publication number
WO2015116204A1
Authority
WO
WIPO (PCT)
Prior art keywords
operating system
encrypted
target operating
encrypted partition
drivers
Prior art date
Application number
PCT/US2014/014275
Other languages
French (fr)
Inventor
Bill R MCWHORTER
Original Assignee
Hewlett-Packard Development Company, L.P.
Priority date
Filing date
Publication date
Application filed by Hewlett-Packard Development Company, L.P.
Priority to PCT/US2014/014275
Publication of WO2015116204A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • Full Disk Encryption provides excellent security but has historically required time-consuming decryption when an upgraded or new operating system is to be installed.
  • hard-linking can be used to maintain data in-place on a disk and protected from a disk wipe operation.
  • duplicate symbolic links to every file and directory may be created and placed in a protected area on the disk to preserve the data.
  • traditional unattended, automated migrations cannot be used with hard drives that are encrypted with FDE.
  • FIG. 1 is a block diagram of an example computing device for providing encrypted in-place operating system migration
  • FIG. 2 is a block diagram of an example computing device for providing encrypted in-place operating system migration that provides additional details for the example shown in FIG. 1 ;
  • FIG. 3 is a flowchart of an example method for execution by a computing device for providing encrypted in-place operating system migration
  • FIG. 4 is a flowchart of an example method for execution by a computing device for using a pre-installation environment to provide an automated encrypted in-place operating system migration.
  • Disk encryption protects information by converting the disk into unreadable code that cannot be interpreted without proper authorization. Disk encryption may be achieved by using software or hardware to encrypt the data stored on a disk.
  • FDE corresponds to encryption that applies to an entire disk or partition, which also includes applications for booting encrypted operating system partitions on the disk.
  • Example embodiments disclosed herein provide encrypted in-place operating system migration.
  • an encrypted storage device can be made accessible from the pre-installation environment by storing authentication keys in an authentication area of the storage device. In this example, data recovery drivers may then be loaded in the pre-installation environment with the authentication keys so that an installation image may be installed to the encrypted storage device. Further, data recovery drivers may be dynamically added to and then configured in the installation image so that the operating system installed from the image can access the encrypted storage device.
  • authentication keys are stored to an authentication area of a storage device, where the authentication area is designated for protection from data wipes.
  • a pre-installation environment that is configured to install an image of a target operating system is booted, where the pre-installation environment includes data recovery drivers for accessing an encrypted partition of the storage device.
  • the authentication keys are used to authenticate access by the data recovery drivers to the encrypted partition.
  • the image of the target operating system is installed to the encrypted partition by using the data recovery drivers.
  • example embodiments disclosed herein allow encrypted in-place operating system migration. Specifically, by providing a pre-installation environment with access to data recovery drivers and authentication keys, installation images may be deployed to encrypted partitions without decrypting or copying user data stored in the encrypted partitions.
  • FIG. 1 is a block diagram of an example computing device 100 for providing encrypted in-place operating system migration.
  • the example computing device 100 may be implemented as a server, a notebook computer, a desktop computer, an all-in-one system, a tablet computing device, or any other electronic device suitable for encrypted in-place operating system migration.
  • computing device 100 includes a processor 102, storage device 110, and pre-installation environment 120.
  • Processor 102 may be one or more central processing units (CPUs), microprocessors, and/or other hardware devices suitable for retrieval and execution of instructions. For example, processor 102 may fetch, decode, and execute instructions stored on a machine-readable storage medium to enable encrypted in-place operating system migration. As an alternative or in addition to retrieving and executing instructions, processor 102 may include one or more electronic circuits comprising a number of electronic components for performing the functionality described below.
  • Machine-readable storage medium may be any electronic, magnetic, optical, or other physical storage device that stores executable instructions.
  • machine-readable storage medium may be, for example, Random Access Memory (RAM), an Electrically-Erasable Programmable Read-Only Memory (EEPROM), a storage drive, an optical disc, and the like.
  • Machine-readable storage medium 120 may be encoded with executable instructions for providing encrypted in-place operating system migration as described below.
  • Storage device 110 may be any hardware storage device for maintaining data accessible to computing device 100.
  • storage device 110 may include one or more hard disk drives, solid state drives, tape drives, and/or any other storage devices.
  • the storage devices may be located in computing device 100 as shown and/or in another device in communication with computing device 100.
  • storage device 110 includes encrypted partition 112 and authentication area 114.
  • Encrypted partition 112 may be a protected partition of storage device 110 that is encrypted with FDE or other encryption technology. As described above, encrypted partition 112 may be inaccessible unless the proper authentication key is provided. For example, when booting the main operating system, pre-boot authentication may be used to load a specialized, highly secure operating system that verifies the integrity of the main operating system before it is loaded. In this example, the authentication to verify the main operating system is not decrypted until credentials (e.g., username and password, smartcard and personal identification number (PIN), etc.) are provided to computing device 100.
  • Authentication area 114 may be a specialized area of storage device 110 for storing authentication keys.
  • the authentication area may be an unencrypted area of storage device 110 that is protected from data wipe operations by using hard-linking.
  • a hard link may be a directory entry that associates a name with a file on a file system, where a directory is a special kind of file that contains a list of entries.
  • Hard links allow multiple names to be created for the same file. In some cases, hard-linking is also used to preserve user data on encrypted partition 112. Hard links may be placed in a protected area of storage device 110 so that the linked data (e.g., authentication keys, user data) is protected from a data wipe.
  • symbolic links may be used to preserve data if authentication area 114 is on a different storage volume than encrypted partition.
  • a symbolic link may be a special file that includes a reference to another file or directory, where the reference is formatted as an absolute or relative path. In some cases, a user account with access rights is used to gain access to authentication area 114.
  • Pre-installation environment 120 is a lightweight operating system configured for installing or troubleshooting operating systems.
  • pre-installation environment 120 may be used to preinstall operating systems on manufactured personal computers (PCs).
  • pre-installation environment 120 is booted off of removable media such as an optical disk or a flash drive.
  • pre-installation environment 120 includes data recovery drivers 122 and recovery module 124.
  • Data recovery drivers 122 are configured to provide access to encrypted partition 112.
  • Data recovery drivers 122 may use authentication keys stored in authentication area 114 to access encrypted partition 112.
  • recovery module 124 may authorize access to encrypted partition 112 using the authentication keys and then use data recovery drivers 122 to perform operations on encrypted partition 112.
  • data recovery drivers 122 may use the authentication keys to decrypt data stored in encrypted partition 112 for a read operation.
  • Recovery module 124 is configured to deploy a target operating system. Recovery module 124 may initially determine if a target partition is encrypted and, if the target partition is encrypted, use data recovery drivers 122 to install an image of the target operating system. Recovery module 124 may also be configured to dynamically modify the image of the target operating system. For example, when the target partition is encrypted, data recovery drivers 122 may be added and configured in the image of the target operating system. In this example, the modified image allows the target operating system to be installed and preconfigured with the components for accessing encrypted partition 112.
  • FIG. 2 is a block diagram of the example computing device 100 for providing encrypted in-place operating system migration of FIG. 1 with additional details. The components shown in FIG. 2 are similar to the corresponding components of FIG. 1 except as described below.
  • encrypted partition 112 includes operating system 212 and user data 214.
  • Operating system 212 is a collection of software that manages hardware of computing device 100 and provides common functionality for software applications executing on computing device 100. Because operating system 212 is installed in encrypted partition 112, operating system 212 may support a pre-boot authentication module that requests authentication before anything, including operating system 212, is allowed to access encrypted partition 112. As described with respect to recovery module 124, operating system 212 may be replaced with a target operating system during an installation operation.
  • User data 214 may include non-system files that are specific to users of operating system 212 such as documents, configurations, media, etc.
  • User data 214 is encrypted because it is stored in encrypted partition 112. Similar to operating system 212, user data 214 may be inaccessible until a pre-boot authentication module has authorized access to encrypted partition 112.
  • User data 214 may be migrated to a target operating system after installation by recovery module 124. Specifically, once operating system 212 is replaced with the target operating system, user data 214 may be modified to be compatible with the target operating system during its initial boot.
  • Authentication area 114 includes authentication keys 222.
  • Authentication area 114 may be a designated area of storage device 110 that is known to appropriate modules such as recovery module 124.
  • authentication area 114 may be a reserved area of storage device 110 that recovery module 124 accesses to obtain authentication keys 222.
  • recovery module 124 includes credentials module 232, install image module 234, and installation module 238.
  • Credentials module 232 may process credentials to authorize access to encrypted partition 112.
  • credentials module 232 may obtain a username and password from a user for initially authenticating access to authentication area 114 to obtain the authentication keys 222. In this example, the authentication keys 222 can then be used with data recovery drivers 122 to access encrypted partition 112.
  • Install image module 234 may manage install images of operating systems to be deployed by recovery module 124. Specifically, install image module 234 may modify the images based on the configuration of a target partition where the image is to be installed. For example, if the target partition is encrypted (i.e., encrypted partition), the image for the target operating system may be preloaded with data recovery drivers 122 that are configured to provide access to encrypted partition 112.
  • Installation module 238 may perform the installation of the images of operating systems. Initially, installation module 236 may use install image module 234 to dynamically modify an image of the target operating system to be installed on computing device. After the image is prepared, installation module 236 may use the credentials module 232 to gain access to encrypted partition 112 as described above and then install the prepared image.
  • FIG. 3 is a flowchart of an example method 300 for execution by a computing device 100 for providing encrypted in-place operating system migration. Although execution of method 300 is described below with reference to computing device 100 of FIG. 1, other suitable devices for execution of method 300 may be used, such as computing device 100 of FIG. 2. Method 300 may be implemented in the form of executable instructions stored on a machine-readable storage medium and/or in the form of electronic circuitry.
  • Method 300 may start in block 305 and continue to block 310, where computing device 100 stores authentication keys in an authentication area of a storage device.
  • the authentication keys may be stored from an originally loaded operating system of computing device 100.
  • the user of computing device 100 may initiate an upgrade of the original operating system, where the authentication keys are stored to the authentication area in response to the initiated upgrade.
  • the authentication keys for accessing the encrypted partition may already be accessible for storing to the authentication area.
  • a pre-installation environment for installing a target operating system is loaded.
  • computing device 100 may reboot into the pre-installation environment that is configured to deploy the target operating system.
  • the pre- installation environment may be loaded from an external storage device (e.g., flash drive, optical disk, etc.), the network, or a specialized partition of a storage device in computing device 100.
  • the stored authentication keys are used to access the encrypted partition of computing device 100.
  • data recovery drivers may be loaded with the authentication keys so that the encrypted partition is accessible.
  • the original operating system is replaced with the target operating system in the encrypted partition.
  • an image of the target operating system may be installed in the encrypted partition. In this example, the installation of the original operating system may be deleted or archived so that the installation of the target operating system may be completed.
  • Method 300 may subsequently proceed to block 330, where method 300 may stop.
  • FIG. 4 is a flowchart of an example method 400 for execution by a computing device 100 for using a pre-installation environment to provide encrypted in-place operating system migration.
  • execution of method 400 is described below with reference to computing device 100 of FIG. 1, other suitable devices for execution of method 400 may be used, such as computing device 100 of FIG. 2.
  • Method 400 may be implemented in the form of executable instructions stored on a machine-readable storage medium and/or in the form of electronic circuitry.
  • Method 400 may start in block 405 and continue to block 410, where computing device 100 determines if a target partition for deployment of a target operating system is encrypted. If the target partition is not encrypted, an unencrypted installation of the target operating system may be performed in block 415.
  • computing device 100 determines if the target operating system supports the encryption of the target partition. If the target operating system does not support the encryption used by the target partition, the encryption of the target partition is migrated to a target encryption that is supported by the target operating system in block 425. For example, the target partition may be decrypted and then re-encrypted using encryption that is supported by the target operating system.
  • user data in the encrypted partition is hard linked.
  • the hard linking preserves the user data in the encrypted partition through data wipes that may occur during the following installation of the target operating system.
  • authentication keys for accessing the encrypted partition are stored in an authentication area.
  • the authentication area is a designated area that is unencrypted and accessible by the pre-installation environment.
  • computing device 100 is rebooted into the pre-installation environment.
  • data recovery drivers for accessing the encrypted partition are loaded with the authentication keys.
  • the data recovery drivers are added to an image of the target operating system.
  • the data recovery drivers configured with the authentication keys can be injected into the image such that the drivers are deployed when the image is installed.
  • the original operating system on the encrypted partition is replaced with the target operating system.
  • the user data is configured for the installed target operating system.
  • the hard links created in block 430 may be used to locate the user data and then prepare the user data (e.g., copy documents to new user profile, migrate application configurations, etc.) for use with the target operating system.
  • Method 400 may subsequently proceed to block 485, where method 400 may stop.
  • the foregoing disclosure describes a number of example embodiments for providing encrypted in-place operating system migration.
  • the embodiments disclosed herein allow for in-place operating system migration of encrypted partitions by providing authentication keys to a pre-installation environment that dynamically modifies an installation image to support the encryption of the encrypted partition.

Abstract

Example embodiments relate to providing encrypted in-place operating system migration. In example embodiments, authentication keys are stored to an authentication area of a storage device, where the authentication area is designated for protection from data wipes. Next, a pre-installation environment that is configured to install an image of a target operating system is booted, where the pre-installation environment includes data recovery drivers for accessing an encrypted partition of the storage device. The authentication keys are used to authenticate access by the data recovery drivers to the encrypted partition. At this stage, the image of the target operating system is installed to the encrypted partition by using the data recovery drivers.

Description

ENCRYPTED IN-PLACE OPERATING SYSTEM MIGRATION
BACKGROUND
[0001] Security concerns have encouraged many companies to use encryption to secure user data on personal computers. Full Disk Encryption (FDE) provides excellent security but has historically required time-consuming decryption when an upgraded or new operating system is to be installed. In contrast, during a typical upgrade of an unencrypted disk, hard-linking can be used to maintain data in-place on a disk and protected from a disk wipe operation. Further, duplicate symbolic links to every file and directory may be created and placed in a protected area on the disk to preserve the data. However, traditional unattended, automated migrations cannot be used with hard drives that are encrypted with FDE.
BRIEF DESCRIPTION OF THE DRAWINGS
[0002] The following detailed description references the drawings, wherein:
[0003] FIG. 1 is a block diagram of an example computing device for providing encrypted in-place operating system migration;
[0004] FIG. 2 is a block diagram of an example computing device for providing encrypted in-place operating system migration that provides additional details for the example shown in FIG. 1 ;
[0005] FIG. 3 is a flowchart of an example method for execution by a computing device for providing encrypted in-place operating system migration; and
[0006] FIG. 4 is a flowchart of an example method for execution by a computing device for using a pre-installation environment to provide an automated encrypted in-place operating system migration.
DETAILED DESCRIPTION
[0007] As discussed above, traditional unattended automated migration techniques are not compatible with hard drives that are encrypted with FDE. Typically, if a drive is encrypted, the user data is first decrypted and saved before the drive is wiped for installation of an image. At this stage, the image may be written to an unencrypted drive using a pre-installation environment and then the user data may be restored. Such a process fails when applied to an encrypted disk because the disk cannot be read or written to from a pre-installation environment that does not include technology to enable the passing of security credentials. Decrypting the drive and/or copying the user data from the encrypted machine to a temporary location extends the time required for a migration significantly and exposes the user data to additional risk.
[0008] Disk encryption protects information by converting the disk into unreadable code that cannot be interpreted without proper authorization. Disk encryption may be achieved by using software or hardware to encrypt the data stored on a disk. FDE corresponds to encryption that applies to an entire disk or partition, which also includes applications for booting encrypted operating system partitions on the disk.
[0009] Example embodiments disclosed herein provide encrypted in-place operating system migration. For example, an encrypted storage device can be made accessible from the pre-installation environment by storing authentication keys in an authentication area of the storage device. In this example, data recovery drivers may then be loaded in the pre-installation environment with the authentication keys so that an installation image may be installed to the encrypted storage device. Further, data recovery drivers may be dynamically added to and then configured in the installation image so that the operating system installed from the image can access the encrypted storage device. Because the pre-installation environment supports data recovery drivers for the encryption, preexisting user data on the encrypted user device can be migrated to the installed operating system while remaining in-place on the encrypted storage device (i.e., the user data is not copied or decrypted during the migration process).
[0010] In some embodiments, authentication keys are stored to an authentication area of a storage device, where the authentication area is designated for protection from data wipes. Next, a pre-installation environment that is configured to install an image of a target operating system is booted, where the pre-installation environment includes data recovery drivers for accessing an encrypted partition of the storage device. The authentication keys are used to authenticate access by the data recovery drivers to the encrypted partition. At this stage, the image of the target operating system is installed to the encrypted partition by using the data recovery drivers.
[0011] In this manner, example embodiments disclosed herein allow encrypted in-place operating system migration. Specifically, by providing a pre-installation environment with access to data recovery drivers and authentication keys, installation images may be deployed to encrypted partitions without decrypting or copying user data stored in the encrypted partitions.
[0012] Referring now to the drawings, FIG. 1 is a block diagram of an example computing device 100 for providing encrypted in-place operating system migration. The example computing device 100 may be implemented as a server, a notebook computer, a desktop computer, an all-in-one system, a tablet computing device, or any other electronic device suitable for encrypted in-place operating system migration. In the embodiment of FIG. 1, computing device 100 includes a processor 102, storage device 110, and pre-installation environment 120.
[0013] Processor 102 may be one or more central processing units (CPUs), microprocessors, and/or other hardware devices suitable for retrieval and execution of instructions. For example, processor 102 may fetch, decode, and execute instructions stored on a machine-readable storage medium to enable encrypted in-place operating system migration. As an alternative or in addition to retrieving and executing instructions, processor 102 may include one or more electronic circuits comprising a number of electronic components for performing the functionality described below.
[0014] Machine-readable storage medium may be any electronic, magnetic, optical, or other physical storage device that stores executable instructions. Thus, machine-readable storage medium may be, for example, Random Access Memory (RAM), an Electrically-Erasable Programmable Read-Only Memory (EEPROM), a storage drive, an optical disc, and the like. Machine-readable storage medium 120 may be encoded with executable instructions for providing encrypted in-place operating system migration as described below.
[0015] Storage device 110 may be any hardware storage device for maintaining data accessible to computing device 100. For example, storage device 110 may include one or more hard disk drives, solid state drives, tape drives, and/or any other storage devices. The storage devices may be located in computing device 100 as shown and/or in another device in communication with computing device 100. As shown, storage device 110 includes encrypted partition 112 and authentication area 114.
[0016] Encrypted partition 112 may be a protected partition of storage device 110 that is encrypted with FDE or other encryption technology. As described above, encrypted partition 112 may be inaccessible unless the proper authentication key is provided. For example, when booting the main operating system, pre-boot authentication may be used to load a specialized, highly secure operating system that verifies the integrity of the main operating system before it is loaded. In this example, the authentication to verify the main operating system is not decrypted until credentials (e.g., username and password, smartcard and personal identification number (PIN), etc.) are provided to computing device 100.
[0017] Authentication area 114 may be a specialized area of storage device 110 for storing authentication keys. The authentication area may be an unencrypted area of storage device 110 that is protected from data wipe operations by using hard-linking. A hard link may be a directory entry that associates a name with a file on a file system, where a directory is a special kind of file that contains a list of entries. Hard links allow multiple names to be created for the same file. In some cases, hard-linking is also used to preserve user data on encrypted partition 112. Hard links may be placed in a protected area of storage device 110 so that the linked data (e.g., authentication keys, user data) is protected from a data wipe. Further, symbolic links may be used to preserve data if authentication area 114 is on a different storage volume than encrypted partition. A symbolic link may be a special file that includes a reference to another file or directory, where the reference is formatted as an absolute or relative path. In some cases, a user account with access rights is used to gain access to authentication area 114.
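The following script is an added illustration (not code from the patent) of why paragraph [0017] relies on hard links to keep data in place through a data wipe: a hard link is a second directory entry for the same inode, so removing the original names leaves the bytes reachable from the protected area, whereas a symbolic link stores only a path and dangles once its target is wiped, which is why the patent reserves symbolic links for the cross-volume case where the wipe does not touch the linked volume. All paths and file contents are constructed in a temporary directory; `wipe()` stands in for the installer's data wipe.

```python
"""Hard links versus symbolic links through a simulated data wipe (added example)."""
import os
import shutil
import tempfile


def _populate(user_dir: str) -> dict:
    """Construct a small tree of 'user data' files. Returns {relpath: bytes}."""
    files = {
        "Documents/report.txt": b"quarterly numbers",
        "Documents/notes/todo.txt": b"rotate recovery keys",
        "Pictures/cat.jpg": b"\xff\xd8\xff\xe0 constructed, not a real jpeg",
    }
    for rel, payload in files.items():
        path = os.path.join(user_dir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(payload)
    return files


def preserve_tree(src_root: str, protected_root: str, use_symlinks: bool = False) -> int:
    """Mirror every file under src_root into protected_root, one link per file.

    Hard links (default) add a second name for the same inode, so the data
    survives after the original names are removed. Symbolic links only record
    a path, so they preserve nothing if their target is on the wiped volume.
    Returns the number of links created.
    """
    count = 0
    for dirpath, _dirs, filenames in os.walk(src_root):
        rel_dir = os.path.relpath(dirpath, src_root)
        dst_dir = os.path.normpath(os.path.join(protected_root, rel_dir))
        os.makedirs(dst_dir, exist_ok=True)
        for name in filenames:
            src = os.path.join(dirpath, name)
            dst = os.path.join(dst_dir, name)
            if use_symlinks:
                os.symlink(os.path.abspath(src), dst)
            else:
                os.link(src, dst)  # same volume required; same inode, new name
            count += 1
    return count


def wipe(root: str) -> None:
    """Stand-in for the installer's data wipe: remove every name under root."""
    shutil.rmtree(root)


def surviving_files(protected_root: str) -> dict:
    """Return {relpath: bytes} for every entry in protected_root that still resolves."""
    out = {}
    for dirpath, _dirs, filenames in os.walk(protected_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) and not os.path.exists(path):
                continue  # dangling symlink: the linked data did not survive
            with open(path, "rb") as fh:
                out[os.path.relpath(path, protected_root)] = fh.read()
    return out


def run_scenario(use_symlinks: bool) -> tuple:
    """Populate, link into a protected area, wipe the original tree, and report
    (files_before_wipe, files_recoverable_after_wipe)."""
    base = tempfile.mkdtemp(prefix="inplace-")
    try:
        user_dir = os.path.join(base, "Users")
        protected = os.path.join(base, "protected")
        expected = _populate(user_dir)
        preserve_tree(user_dir, protected, use_symlinks=use_symlinks)
        if not use_symlinks:
            # every hard-linked file now has two names, so its link count is 2
            assert all(os.stat(os.path.join(user_dir, r)).st_nlink == 2 for r in expected)
        wipe(user_dir)
        return expected, surviving_files(protected)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for mode in (False, True):
        before, after = run_scenario(use_symlinks=mode)
        kind = "symbolic" if mode else "hard"
        print(f"{kind} links: {len(after)} of {len(before)} files survive the wipe")
```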
[0018] Pre-instailation environment 120 is a lightweight operating system configured for installing or troubleshooting operating systems. For example, pre- instailation environment 120 may be used to preinstal! operating systems on manufactured personal computers (PCs). In some cases, pre-instailation environment 120 is booted off of removable media such as an optical disk or a flash drive. As shown, pre-instailation environment 120 includes data recovery drivers 122 and recovery module 124.
[0019] Data recovery drivers 122 are configured to provide access to encrypted partition 1 12. Data recovery drivers 122 may use authentication keys stored in authentication area 1 14 to access encrypted partition 1 12. Specifically, recovery module 124 may authorize access to encrypted partition 1 12 using the authentications keys and then use data recovery drivers 122 to perform operations on encrypted partition 1 12. For example, data recovery drivers 122 may use the authentication keys to decrypt data stored in encrypted partition 1 12 for a read operation.
[0020] Recovery module 124 is configured to deploy a target operating system. Recovery module 124 may initially determine if a target partition is encrypted and, if the target partition is encrypted, use data recovery drivers 122 to install an image of the target operating system. Recovery module 124 may also be configured to dynamically modify the image of the target operating system. For example when the target partition is encrypted, data recovery drivers 122 may be added and configured in the image of the target operating system. In this example, the modified image allows the target operating system to be installed and preconfigured with the components for accessing encrypted partition 1 12. [0021 ] FIG. 2 is a block diagram of the example computing device 100 for providing encrypted in-place operating system migration of FIG. 1 with additional details. The components shown in FIG. 2 are similar to the corresponding components of FIG. 1 except as described below.
[0022] As shown in FIG. 2, encrypted partition 1 12 includes operating system 212 and user data 214. Operating system 212 is a collection of software that manages hardware of computing device 100 and provides common functionality for software applications executing on computing device 100. Because operating system 212 is installed in encrypted partition 1 12, operating system 212 may support a pre-boot authentication module that requests authentication before anything, including operating system 212, is allowed to access encrypted partition 1 12. As described with respect to recovery 124, operating system 212 may be replaced with a target operating system during an installation operation.
[0023] User data 214 may include non-system files that are specific to users of operating system 212, such as documents, configurations, media, etc. User data 214 is encrypted because it is stored in encrypted partition 112. Similar to operating system 212, user data 214 may be inaccessible until a pre-boot authentication module has authorized access to encrypted partition 112. User data 214 may be migrated to a target operating system after installation by recovery module 124. Specifically, once operating system 212 is replaced with the target operating system, user data 214 may be modified to be compatible with the target operating system during its initial boot.
[0024] Authentication area 114 includes authentication keys 222. Authentication area 114 may be a designated area of storage device 110 that is known to appropriate modules such as recovery module 124. For example, authentication area 114 may be a reserved area of storage device 110 that recovery module 124 accesses to obtain authentication keys 222. As discussed above, although authentication area 114 may be unencrypted, user authorization may still be required to access authentication area 114 so that encrypted partition 112 cannot be compromised by unauthorized users.

[0025] In FIG. 2, recovery module 124 includes credentials module 232, install image module 234, and installation module 236. Credentials module 232 may process credentials to authorize access to encrypted partition 112. For example, credentials module 232 may obtain a username and password from a user for initially authenticating access to authentication area 114 to obtain the authentication keys 222. In this example, the authentication keys 222 can then be used with data recovery drivers 122 to access encrypted partition 112.
[0026] Install image module 234 may manage install images of operating systems to be deployed by recovery module 124. Specifically, install image module 234 may modify the images based on the configuration of the target partition where the image is to be installed. For example, if the target partition is encrypted (i.e., encrypted partition 112), the image for the target operating system may be preloaded with data recovery drivers 122 that are configured to provide access to encrypted partition 112.
[0027] Installation module 236 may perform the installation of the images of operating systems. Initially, installation module 236 may use install image module 234 to dynamically modify an image of the target operating system to be installed on computing device 100. After the image is prepared, installation module 236 may use credentials module 232 to gain access to encrypted partition 112 as described above and then install the prepared image.
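The interplay between the unencrypted authentication area, credentials module 232 and data recovery drivers 122 ([0019], [0024], [0025]), plus the decrypt-and-re-encrypt step the method 400 discussion later describes for an unsupported encryption (block 425), modelled as an added Python example. This is illustration written for this page, not code from the patent or from HP. It assumes a storage device modelled as a bytearray, an invented layout for the authentication area (salt, nonce, wrapped key, tag), invented scheme tags, and an HMAC-SHA256 keystream standing in for a real disk cipher such as AES-XTS. It also goes one step beyond the text: the patent says only that user authorization may be required before the unencrypted area is read, and the example makes that requirement cryptographic by wrapping the partition key under a key derived from the user's password, so the raw key never sits in plaintext in the reserved area.

```python
"""Authentication area + data recovery drivers, modelled in Python.

Added example for this page, not code from the patent. The 'disk' is a
bytearray with a reserved unencrypted authentication area followed by the
encrypted partition. The partition cipher is an HMAC-SHA256 keystream used
only as a stand-in for a real disk cipher (e.g. AES-XTS); the authentication
area layout (salt | nonce | wrapped key | tag) and the scheme tags are invented.
"""
import hashlib
import hmac
import os

SECTOR = 512
AUTH_AREA = (0, 4096)                       # reserved; survives data wipes
PARTITION = (4096, 4096 + 8 * SECTOR)       # eight encrypted sectors


def _keystream(key: bytes, scheme: bytes, sector_no: int, length: int) -> bytes:
    """Per-sector keystream bound to a scheme tag, so the same key under a
    different scheme yields unrelated ciphertext."""
    out, counter = bytearray(), 0
    while len(out) < length:
        msg = scheme + sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def crypt(key: bytes, scheme: bytes, sector_no: int, data: bytes) -> bytes:
    """XOR with the keystream; one function both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, scheme, sector_no, len(data))))


def write_sector(disk, key, scheme, sector_no, plaintext):
    off = PARTITION[0] + sector_no * SECTOR
    disk[off:off + SECTOR] = crypt(key, scheme, sector_no, plaintext.ljust(SECTOR, b"\0"))


def read_sector(disk, key, scheme, sector_no):
    """What data recovery drivers 122 do for a read: decrypt with the key."""
    off = PARTITION[0] + sector_no * SECTOR
    return crypt(key, scheme, sector_no, bytes(disk[off:off + SECTOR]))


def _kek(password: str, salt: bytes) -> bytes:
    """Credential-derived key-encryption key; deliberately slow to derive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)


def store_auth_keys(disk, password: str, partition_key: bytes) -> None:
    """Blocks 310/435, run by the original OS: wrap the partition key under
    the credential-derived key before placing it in the unencrypted area."""
    salt, nonce = os.urandom(16), os.urandom(16)
    kek = _kek(password, salt)
    wrapped = crypt(kek[:32], b"wrap" + nonce, 0, partition_key)
    tag = hmac.new(kek[32:], salt + nonce + wrapped, hashlib.sha256).digest()
    blob = salt + nonce + wrapped + tag
    disk[AUTH_AREA[0]:AUTH_AREA[0] + len(blob)] = blob


def load_auth_keys(disk, password: str) -> bytes:
    """Credentials module 232 in the pre-installation environment: the key is
    released only if the tag verifies under the supplied credentials."""
    blob = bytes(disk[AUTH_AREA[0]:AUTH_AREA[0] + 96])
    salt, nonce, wrapped, tag = blob[:16], blob[16:32], blob[32:64], blob[64:]
    kek = _kek(password, salt)
    expect = hmac.new(kek[32:], salt + nonce + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise PermissionError("credentials rejected; partition key not released")
    return crypt(kek[:32], b"wrap" + nonce, 0, wrapped)


def migrate_encryption(disk, old_key, old_scheme, new_key, new_scheme) -> None:
    """Block 425: the target OS does not support the original scheme, so each
    sector is decrypted under the old one and re-encrypted under the new one."""
    for s in range((PARTITION[1] - PARTITION[0]) // SECTOR):
        write_sector(disk, new_key, new_scheme, s, read_sector(disk, old_key, old_scheme, s))


def demo(password: str = "correct horse", wrong: str = "Tr0ub4dor") -> dict:
    """Constructed walk-through: original OS stores the keys, the pre-install
    environment unwraps them, then the partition is re-encrypted for the target OS."""
    disk = bytearray(PARTITION[1])
    part_key = os.urandom(32)
    write_sector(disk, part_key, b"legacy-fde-v1", 3, b"quarterly report")
    store_auth_keys(disk, password, part_key)
    try:
        load_auth_keys(disk, wrong)
        rejected = False
    except PermissionError:
        rejected = True
    key = load_auth_keys(disk, password)
    new_key = os.urandom(32)
    migrate_encryption(disk, key, b"legacy-fde-v1", new_key, b"target-fde-v2")
    return {
        "raw_key_in_auth_area": part_key in bytes(disk[AUTH_AREA[0]:AUTH_AREA[1]]),
        "wrong_password_rejected": rejected,
        "key_unwrapped": key == part_key,
        "data_after_migration": read_sector(disk, new_key, b"target-fde-v2", 3).rstrip(b"\0"),
    }
```

Two points the example makes that the text leaves implicit: the authentication area is readable by anyone with the disk, so whatever is written there must be useless without the credentials (here, a wrapped key that fails its tag check under the wrong password), and once the target operating system is booting with its own pre-boot authentication the wrapped blob in the reserved area should be overwritten, since the area is by design exempt from the install wipe.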
[0028] FIG. 3 is a flowchart of an example method 300 for execution by a computing device 100 for providing encrypted in-place operating system migration. Although execution of method 300 is described below with reference to computing device 100 of FIG. 1, other suitable devices for execution of method 300 may be used, such as computing device 100 of FIG. 2. Method 300 may be implemented in the form of executable instructions stored on a machine-readable storage medium and/or in the form of electronic circuitry.
[0029] Method 300 may start in block 305 and continue to block 310, where computing device 100 stores authentication keys in an authentication area of a storage device. The authentication keys may be stored from an originally loaded operating system of computing device 100. For example, the user of computing device 100 may initiate an upgrade of the original operating system, and the authentication keys are stored to the authentication area in response to the initiated upgrade. In this example, because the original operating system is loaded, the authentication keys for accessing the encrypted partition may already be accessible for storing to the authentication area.
[0030] In block 315, a pre-installation environment for installing a target operating system is loaded. For example, after an upgrade of computing device 100 is initiated, computing device 100 may reboot into the pre-installation environment that is configured to deploy the target operating system. The pre-installation environment may be loaded from an external storage device (e.g., flash drive, optical disk, etc.), from the network, or from a specialized partition of a storage device in computing device 100. In block 320, the stored authentication keys are used to access the encrypted partition of computing device 100. Specifically, data recovery drivers may be loaded with the authentication keys so that the encrypted partition is accessible. In block 325, the original operating system is replaced with the target operating system in the encrypted partition. For example, an image of the target operating system may be installed in the encrypted partition. In this example, the installation of the original operating system may be deleted or archived so that the installation of the target operating system may be completed. Method 300 may subsequently proceed to block 330, where method 300 may stop.
[0031 ] FIG. 4 is a flowchart of an example method 400 for execution by a computing device 100 for using a pre-installation environment to provide encrypted in-place operating system migration. Although execution of method 400 is described below with reference to computing device 100 of FIG. 1 , other suitable devices for execution of method 400 may be used, such as computing device 100 of FIG. 2. Method 400 may be implemented in the form of executable instructions stored on a machine-readable storage medium and/or in the form of electronic circuitry.
[0032] Method 400 may start in block 405 and continue to block 410, where computing device 100 determines if a target partition for deployment of a target operating system is encrypted. If the target partition is not encrypted, an unencrypted installation of the target operating system may be performed in block 415.
[0033] If the target partition is encrypted, computing device 100 determines in block 420 whether the target operating system supports the encryption of the target partition. If the target operating system does not support the encryption used by the target partition, the encryption of the target partition is migrated in block 425 to a target encryption that is supported by the target operating system. For example, the target partition may be decrypted and then re-encrypted using encryption that is supported by the target operating system.
[0034] In block 430, user data in the encrypted partition is hard linked. The hard linking preserves the user data in the encrypted partition through data wipes that may occur during the following installation of the target operating system. In block 435, authentication keys for accessing the encrypted partition are stored in an authentication area. The authentication area is a designated area that is unencrypted and accessible by the pre-installation environment. In block 440, computing device 100 is rebooted into the pre-installation environment.
[0035] In block 445, data recovery drivers for accessing the encrypted partition are loaded with the authentication keys. In block 450, the data recovery drivers are added to an image of the target operating system. For example, the data recovery drivers configured with the authentication keys can be injected into the image such that the drivers are deployed when the image is installed. In block 455, the original operating system on the encrypted partition is replaced with the target operating system. In block 460, the user data is configured for the installed target operating system. For example, after the target operating system is booted, the hard links created in block 430 may be used to locate the user data and then prepare the user data (e.g., copy documents to a new user profile, migrate application configurations, etc.) for use with the target operating system. Method 400 may subsequently proceed to block 465, where method 400 may stop.
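The filesystem side of methods 300 and 400 (blocks 430 through 460: hard-link the user data, inject the drivers into the image, wipe and install, then reconnect the user data on first boot), run end to end on a throwaway directory as an added Python example. This is illustration written for this page, not the patent's or HP's code. It assumes the partition is a temporary directory, the install wipe deletes every top-level entry except the reserved ones, the drivers and image are plain files, and every path and file name is invented. The caveat a practitioner should keep in mind is built into the model: hard links only exist within one filesystem, which an in-place migration guarantees, and they survive a delete-tree wipe, not a reformat or a secure erase.

```python
"""Method 400 on a throwaway directory: hard-link preservation, driver
injection into the target image, install wipe, and user-data migration.

Added example for this page, not the patent's code. The 'partition' is a
temporary directory, the install wipe deletes every top-level entry except
reserved ones, and the drivers and image are plain files; all names are invented.
"""
import os
import shutil
import tempfile
from pathlib import Path

RESERVED = {"Recovery", "AuthArea"}   # authentication area and hard-link holding area


def hard_link_user_data(partition: Path, user_root: str = "Users") -> dict:
    """Block 430: add a second directory entry under Recovery/ for each user
    file. The data blocks stay referenced after Users/ is deleted; nothing is copied."""
    links = {}
    for src in (partition / user_root).rglob("*"):
        if src.is_file():
            rel = src.relative_to(partition / user_root)
            held = partition / "Recovery" / rel
            held.parent.mkdir(parents=True, exist_ok=True)
            os.link(src, held)
            links[rel.as_posix()] = held
    return links


def inject_drivers(image: Path, drivers: dict) -> None:
    """Block 450: place the data recovery drivers inside the image so the
    installed target OS boots able to open the encrypted partition."""
    (image / "drivers").mkdir(exist_ok=True)
    for name, body in drivers.items():
        (image / "drivers" / name).write_bytes(body)


def wipe_partition(partition: Path) -> None:
    """Block 455, first half: the install wipe removes everything but reserved areas."""
    for entry in partition.iterdir():
        if entry.name in RESERVED:
            continue
        if entry.is_dir():
            shutil.rmtree(entry)
        else:
            entry.unlink()


def install_image(partition: Path, image: Path) -> None:
    """Block 455, second half: lay down the prepared image."""
    shutil.copytree(image, partition / "System")


def migrate_user_data(partition: Path, links: dict, user_root: str = "Users") -> dict:
    """Block 460, first boot of the target OS: find user data through the held
    links, relink it into the new profile, then drop the holding entry."""
    restored = {}
    for rel, held in links.items():
        dst = partition / user_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        os.link(held, dst)
        held.unlink()
        restored[rel] = dst
    return restored


def run_migration() -> dict:
    """Constructed scenario: old OS plus one user document, migrated to a new image."""
    root = Path(tempfile.mkdtemp())
    part, image = root / "partition", root / "image"
    (part / "OldOS").mkdir(parents=True)
    (part / "OldOS" / "kernel").write_bytes(b"old kernel")
    (part / "AuthArea").mkdir()
    (part / "AuthArea" / "keys.bin").write_bytes(b"wrapped key blob")   # stand-in for block 435
    doc = part / "Users" / "alice" / "docs" / "report.txt"
    doc.parent.mkdir(parents=True)
    doc.write_bytes(b"quarterly report")                                # constructed user data
    inode_before = doc.stat().st_ino
    image.mkdir()
    (image / "kernel").write_bytes(b"new kernel")

    links = hard_link_user_data(part)                                   # block 430
    inject_drivers(image, {"fde_recovery.sys": b"driver"})              # blocks 445/450
    wipe_partition(part)                                                # block 455
    survived = (part / "Recovery" / "alice" / "docs" / "report.txt").read_bytes()
    install_image(part, image)                                          # block 455
    restored = migrate_user_data(part, links)                           # block 460
    new_doc = restored["alice/docs/report.txt"]
    result = {
        "old_os_gone": not (part / "OldOS").exists(),
        "auth_area_survived": (part / "AuthArea" / "keys.bin").is_file(),
        "survived_wipe": survived,
        "restored_content": new_doc.read_bytes(),
        "same_inode": new_doc.stat().st_ino == inode_before,
        "driver_installed": (part / "System" / "drivers" / "fde_recovery.sys").is_file(),
    }
    shutil.rmtree(root)
    return result
```

The inode check is the point of the exercise: the document under the new profile is the very same file the old profile held, never copied, so the migration cost is independent of how much user data there is. The holding entry under Recovery/ is unlinked once the new link exists, which is the moment the reserved area stops being needed.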
[0036] The foregoing disclosure describes a number of example embodiments for providing encrypted in-place operating system migration. In this manner, the embodiments disclosed herein allow for in-place operating system migration of encrypted partitions by providing authentication keys to a pre-installation environment that dynamically modifies an installation image to support the encryption of the encrypted partition.

Claims

1. A system for encrypted in-place operating system migration, comprising: an encrypted partition of a storage device comprising an original operating system;
an authentication area of the storage device comprising authentication keys for accessing the encrypted storage device; and
a processor that is operatively connected to the storage device, the processor to:
store the authentication keys to the authentication area, wherein the authentication area is designated for protection from data wipes; boot a pre-installation environment that is configured to install an image of a target operating system, wherein the pre-installation environment comprises data recovery drivers for accessing the encrypted partition;
use the authentication keys to authenticate access by the data recovery drivers to the encrypted partition; and
replace the original operating system with the target operating system on the encrypted partition by using the data recovery drivers to install the image.
2. The system of claim 1 , wherein the processor is further to:
add the data recovery drivers to the image of the target operating system, wherein the data recovery drivers are preconfigured to access the encrypted partition.
3. The system of claim 2, wherein the data recovery drivers are added to the image in response to determining that the original operating system is encrypted.
4. The system of claim 1 , wherein the processor is further to:
create a plurality of hard links for user data that is stored in the encrypted partition prior to booting the pre-installation environment; and
use the plurality of hard links to configure the user data for the target operating system.
5. The system of claim 1, wherein the processor is further to:
in response to determining that the encrypted partition is not compatible with the target operating system, update the encrypted partition to an encryption that is compatible with the target operating system.
6. The system of claim 1 , wherein the processor is further to:
obtain user credentials for authorizing access to the authentication keys stored in the authentication area.
7. A method for encrypted in-place operating system migration, comprising: storing authentication keys to an authentication area of a storage device, wherein the authentication area is designated for protection from data wipes; booting a pre-installation environment that is configured to install an image of a target operating system, wherein the pre-installation environment comprises data recovery drivers for accessing an encrypted partition of the storage device;
using the authentication keys to authenticate access by the data recovery drivers to the encrypted partition;
adding the data recovery drivers to the image of the target operating system, wherein the data recovery drivers are preconfigured to access the encrypted partition; and
installing the image of the target operating system to the encrypted partition by using the data recovery drivers.
8. The method of claim 7, wherein the data recovery drivers are added to the image in response to determining that the original operating system is encrypted.
9. The method of claim 7, further comprising:
creating a plurality of hard links for user data that is stored in the encrypted partition prior to booting the pre-installation environment; and
using the plurality of hard links to configure the user data for the target operating system.
10. The method of claim 7, further comprising:
in response to determining that the encrypted partition is not compatible with the target operating system, updating the encrypted partition to an encryption that is compatible with the target operating system.
11. The method of claim 7, further comprising:
obtaining user credentials for authorizing access to the authentication keys stored in the authentication area.
12. A non-transitory machine-readable storage medium encoded with instructions executable by a processor for encrypted in-place operating system migration, the machine-readable storage medium comprising instructions to: store authentication keys to an authentication area of a storage device, wherein the authentication area is designated for protection from data wipes; boot a pre-installation environment that is configured to install an image of a target operating system, wherein the pre-installation environment comprises data recovery drivers for accessing an encrypted partition of the storage device;
use the authentication keys to authenticate access by the data recovery drivers to the encrypted partition;
in response to determining that the original operating system is encrypted, add the data recovery drivers to the image of the target operating system, wherein the data recovery drivers are preconfigured to access the encrypted partition; and
install the image of the target operating system to the encrypted partition by using the data recovery drivers.
13. The machine-readable storage medium of claim 12, further comprising instructions to:
create a plurality of hard links for user data that is stored in the encrypted partition prior to booting the pre-installation environment; and
use the plurality of hard links to configure the user data for the target operating system.
14. The machine-readable storage medium of claim 12, further comprising instructions to:
in response to determining that the encrypted partition is not compatible with the target operating system, update the encrypted partition to an encryption that is compatible with the target operating system.
15. The machine-readable storage medium of claim 12, further comprising instructions to:
obtain user credentials for authorizing access to the authentication keys stored in the authentication area.
PCT/US2014/014275 2014-01-31 2014-01-31 Encrypted in-place operating system migration WO2015116204A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2014/014275 WO2015116204A1 (en) 2014-01-31 2014-01-31 Encrypted in-place operating system migration

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2014/014275 WO2015116204A1 (en) 2014-01-31 2014-01-31 Encrypted in-place operating system migration

Publications (1)

Publication Number Publication Date
WO2015116204A1 (en) 2015-08-06

Family

ID=53757584

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2014/014275 WO2015116204A1 (en) 2014-01-31 2014-01-31 Encrypted in-place operating system migration

Country Status (1)

Country Link
WO (1) WO2015116204A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050278432A1 (en) * 2004-06-14 2005-12-15 Feinleib David A System and method for automated migration from windows to linux
US20080294914A1 (en) * 2007-02-02 2008-11-27 Lee Lane W Trusted storage
US20100180281A1 (en) * 2009-01-13 2010-07-15 Microsoft Corporation Offline migration from prior operating system installation
US20110087890A1 (en) * 2009-10-09 2011-04-14 Lsi Corporation Interlocking plain text passwords to data encryption keys
US20120179915A1 (en) * 2011-01-07 2012-07-12 Apple Inc. System and method for full disk encryption authentication

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10425229B2 (en) 2016-02-12 2019-09-24 Microsoft Technology Licensing, Llc Secure provisioning of operating systems
CN107169378A (en) * 2017-05-05 2017-09-15 天津市英贝特航天科技有限公司 Method and equipment for encrypting computer during startup
CN107169378B (en) * 2017-05-05 2020-08-04 天津市英贝特航天科技有限公司 Method and equipment for encrypting computer during startup
US10909248B2 (en) 2017-06-29 2021-02-02 Microsoft Technology Licensing, Llc Executing encrypted boot loaders
WO2020168545A1 (en) * 2019-02-22 2020-08-27 云图有限公司 Key migration method and apparatus

Similar Documents

Publication Publication Date Title
US9871787B2 (en) Authentication processing for a plurality of self-encrypting storage devices
US10169589B2 (en) Securely booting a computer from a user trusted device
JP5565040B2 (en) Storage device, data processing device, registration method, and computer program
US20130275973A1 (en) Virtualisation system
US20110202765A1 (en) Securely move virtual machines between host servers
US8266449B2 (en) Security for storage devices
US9910791B1 (en) Managing system-wide encryption keys for data storage systems
JP6201049B2 (en) System and method for updating system level services in a read-only system image
US20220398321A1 (en) Data management
US9690944B2 (en) System and method updating disk encryption software and performing pre-boot compatibility verification
US10482278B2 (en) Remote provisioning and authenticated writes to secure storage devices
US9384353B2 (en) System and method for encryption of disk based on pre-boot compatibility testing
Scarfone et al. Guide to storage encryption technologies for end user devices
US10642984B2 (en) Secure drive and method for booting to known good-state
US9372760B1 (en) Systems and methods for securely storing backup data while facilitating fast failovers
WO2015116204A1 (en) Encrypted in-place operating system migration
US10855451B1 (en) Removable circuit for unlocking self-encrypting data storage devices
WO2021188716A1 (en) Systems and methods for protecting a folder from unauthorized file modification
US9887979B1 (en) Systems and methods for enabling users to launch applications without entering authentication credentials
RU2623887C2 (en) Full-disk encryption module update installation method
US20230009355A1 (en) Method and Apparatus for Securely Backing Up and Restoring a Computer System
RU2571724C2 (en) System and method of full disk coding with check of loading disk compatibility
EP3185165A1 (en) An electronic device comprising a mecanism to store securely data associated to an application
Scarfone et al. SP 800-111. Guide to Storage Encryption Technologies for End User Devices

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14881339

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14881339

Country of ref document: EP

Kind code of ref document: A1