Securing Encrypted Virtual Hard Disks

摘要

Securing encrypted virtual hard disks may include a variety of processes. In one example, a virtual hard disk is created for a user and encrypted with a volume key, and the volume key placed in an administrator header. The administrator header may be encrypted with a protection key, the protection key created from a user identifier corresponding to the user, a volume identifier corresponding to the virtual hard disk, and two cryptographic secrets. The protection key may then destroyed after encrypting the administrator header and therefore, might never leave the encryption engine. The two cryptographic secrets may be stored in separate storage locations, one accessible to the user and the other accessible to administrators. Accordingly, the protection key might never transmitted or can be intercepted, and no single entity may be compromised to gain access to all of the information needed to recreate the protection key.

主权项

1. A method comprising:
generating, by a computing device, a first encryption key using a first encryption secret and a second encryption secret; encrypting, by the computing device, a first portion of a data storage using the encryption key, wherein the encrypted first portion of the data storage stores a second key used to encrypt at least a second portion of the data storage, different from the first portion of the data storage, wherein the first encryption key is distinct from the second encryption key; deleting the first encryption key after encrypting the first portion of the data storage; and storing the first encryption secret to a first storage location and the second encryption secret to a second storage location, wherein the first storage location and the second storage location are different.