SECTOR MAP-BASED RAPID DATA ENCRYPTION POLICY COMPLIANCE

摘要

To comply with a policy for a computing device indicating that data written by the computing device to the storage volume after activation of the policy be encrypted, a sector map is accessed. The sector map identifies one or more sectors of a storage volume and also identifies, for each of the one or more sectors of the storage volume, a signature of the content of the sector. In response to a request to read the content of a sector, the content of the sector is returned without decrypting the content if the sector is one of the one or more sectors and the signature of the content of the sector matches the signature of the sector identified in the sector map. Otherwise, the content of the sector is decrypted and the decrypted content is returned.

主权项

1. A method comprising:
receiving, by a computing device, a request to activate a policy for the computing device, the policy indicating that data written by the computing device to a storage volume after activation of the policy be encrypted; activating, in response to the request, the policy for the computing device, including:
encrypting data written to the storage volume after returning an indication of compliance with the policy,using a sector map to identify one or more sectors of the storage volume that are not encrypted, the sector map identifying one or more sectors of the storage volume written to prior to the sector map being locked to prohibit changes to the sector map and the sector map including signatures of sectors that were written to the storage volume prior to the sector map being locked, data written to the storage volume after the sector map is locked being encrypted but at least some data written to the storage volume before the sector map is locked not being encrypted, andusing the sector map to determine whether to decrypt content of a sector of the storage volume in response to a request to read the content of the sector; and returning, in response to the request to activate the policy, the indication of compliance with the policy despite one or more sectors of the storage volume being unencrypted.